View Issue Details

ID: 0023087
Project: mantisbt
Category: filters
View Status: public
Last Update: 2017-09-03 18:41
Reporter: psbarron
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.5
Target Version: 2.6.0
Fixed in Version: 2.6.0
Summary: 0023087: Removing "Report an issue" permission removes user from Monitoring filter dropdown
Description

I have set the Updater profile so that an Updater is not permitted to report an issue. (The specific use case is that an outside vendor has access to read and update existing issues but not create new ones.) Certain Updaters are also added as monitors on issues.
When I try to filter by specific monitors in the View Issues screen, these users with the revised Updater profile are not on the dropdown to select.
There is no problem in assigning these users as monitors as they still have permissions set to allow monitoring.
We have MantisBT 2.4.0 in our test environment and I have been able to replicate the issue there.

Steps To Reproduce
  1. Assign user to a project with Updater access level
  2. Uncheck "Report an issue" for Updater access level
  3. Go to View Issues screen
  4. Click on Monitored By filter
  5. User will no longer be available on the dropdown

Additional Information

Expected Behavior: User should still appear on dropdown and be available to filter by

Tags: No tags attached.

Activities

atrol

2017-07-07 03:09

developer   ~0057197

I have no time to try it myself at the moment.

Could you check if changing filter_form_api.php around line 288 (latest 2.6.0 developer code)

from

        print_reporter_option_list( $p_filter[FILTER_PROPERTY_MONITOR_USER_ID] );

to

        print_user_option_list( $p_filter[FILTER_PROPERTY_MONITOR_USER_ID], null, config_get( 'monitor_bug_threshold' ) );

fixes the issue?

For version 1.3.x it should be filter_api.php around line 3721 (latest 1.3.11 version)

BTW, you really should not go on using 1.3.5 as there are serious security issues in it.
I recommend upgrading to at least 1.3.11 as a first step.

atrol

2017-07-23 06:09

developer   ~0057292

@psbarron can you confirm that the proposed change fixes the issue?

psbarron

2017-07-25 10:51

reporter   ~0057320

@atrol - For some reason I have not been able to add a note to this issue to update it. I've added it but it disappears. I even cloned this issue to a new report in the hopes that you would see my update, but that doesn't appear to be visible either. So let's try again...

We made the suggested code change in our test environment running 2.4.0: it was successful and resolved the problem.

We then upgraded our production environment to 1.3.11 as you recommended and made the second code change there. Unfortunately, that did not work. When we clicked on the Monitor By filter we received an error message in the field that read (as best I can remember at this point) "Error: Bed Request".

Any further suggestions would be appreciated.

Thanks.

atrol

2017-07-25 15:33

developer   ~0057322

There is a small difference in 1.3.x code.
This should work in 1.3.11.

        print_user_option_list( $g_filter[FILTER_PROPERTY_MONITOR_USER_ID], null, config_get( 'monitor_bug_threshold' ) );

psbarron
2017-07-25 16:38

reporter   ~0057326

@atrol - We made the change in 1.3.11 and it has now resolved the problem.

You can now mark this issue resolved.

Thank you again!

atrol

2017-07-25 16:48

developer   ~0057327

Fix will be included in versions >= 2.6.0

PR https://github.com/mantisbt/mantisbt/pull/1134
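
The fix in this thread swaps a user list built from the reporting permission for one built from the monitoring permission. The following is an added example, not MantisBT code and not part of the original issue: a simplified standalone PHP model in which the function names, access level numbers and user data are hypothetical. It assumes a threshold can be either a minimum level or an explicit list of allowed levels.

```php
<?php
// Simplified model of the mismatch, not MantisBT code.
// All function names, level numbers and sample data are hypothetical.

const REPORTER  = 25;
const UPDATER   = 40;
const DEVELOPER = 55;

// Assumption: a threshold is either a minimum level (int)
// or an explicit list of allowed levels (array).
function level_meets_threshold( int $level, $threshold ): bool {
	return is_array( $threshold )
		? in_array( $level, $threshold, true )
		: $level >= $threshold;
}

// Return the names of the users whose access level satisfies the threshold.
function users_for_threshold( array $users, $threshold ): array {
	$matching = array_filter(
		$users,
		fn( int $level ): bool => level_meets_threshold( $level, $threshold )
	);
	return array_keys( $matching );
}

// Constructed project members: name => access level.
$users = [ 'alice' => REPORTER, 'vendor' => UPDATER, 'dave' => DEVELOPER ];

// "Report an issue" unchecked for Updater, modelled here as an
// explicit list that omits UPDATER (assumption). Monitoring is unchanged.
$config = [
	'report_bug_threshold'  => [ REPORTER, DEVELOPER ],
	'monitor_bug_threshold' => REPORTER,
];

// Before the fix: the "Monitored By" list is built from the reporting threshold,
// so a user who may monitor but may not report is missing from it.
$before = users_for_threshold( $users, $config['report_bug_threshold'] );

// After the fix: the list is built from the threshold that governs monitoring.
$after = users_for_threshold( $users, $config['monitor_bug_threshold'] );

echo 'before: ', implode( ', ', $before ), PHP_EOL;
echo 'after:  ', implode( ', ', $after ), PHP_EOL;
```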

Related Changesets

MantisBT: master df80e3a0

2017-07-25 16:41:16

atrol

Display "Monitored By" user list based on monitor_bug_threshold

Fixes 0023087
Affected Issues
0023087
mod - core/filter_form_api.php