View Issue Details

ID: 0026893
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-05-03 04:38
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.24.0
Target Version: 2.24.1
Fixed in Version: 2.24.1
Summary: 0026893: APIs expose private attachments to users who have access to the issue but not to its private notes
Description

This applies to both SOAP and REST API.

Impacted REST APIs:

  • {{url}}/api/rest/issues/:issue_id
  • {{url}}/api/rest/issues/:issue_id/files
  • {{url}}/api/rest/issues/:issue_id/files/:file_id

Note that the UI enforced the access checks correctly, because attachments were grouped with the notes they belong to, and private notes (with their attachments) were not rendered for users lacking the private-note permission. The APIs returned the attachment list without applying the same note-level visibility rule.
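The visibility rule the report describes, as an added illustration that is not MantisBT's own code: an attachment inherits the view state of the note it belongs to, and a caller who may view the issue but not its private notes must not receive those files. The data shape (note_id, view_state, can_view_private_notes) and the sample records are assumptions constructed for the example.

```php
<?php
// Added example, not MantisBT code. Field names and sample data are assumptions.

function visible_attachments(array $attachments, array $notes, array $user): array
{
    // Index each note's view state by note id.
    $noteState = [];
    foreach ($notes as $note) {
        $noteState[$note['id']] = $note['view_state'];
    }

    $visible = [];
    foreach ($attachments as $att) {
        if ($att['note_id'] === 0) {
            $visible[] = $att;   // issue-level file: visible to anyone who can view the issue
            continue;
        }
        if (!isset($noteState[$att['note_id']])) {
            continue;            // references an unknown or deleted note: fail closed
        }
        if ($noteState[$att['note_id']] === 'private' && !$user['can_view_private_notes']) {
            continue;            // private note and the caller lacks the private-note right
        }
        $visible[] = $att;
    }
    return $visible;
}

// Constructed sample data: one public note, one private note, and four files.
$notes = [
    ['id' => 10, 'view_state' => 'public'],
    ['id' => 11, 'view_state' => 'private'],
];
$attachments = [
    ['id' => 1, 'note_id' => 0,  'filename' => 'spec.pdf'],
    ['id' => 2, 'note_id' => 10, 'filename' => 'screenshot.png'],
    ['id' => 3, 'note_id' => 11, 'filename' => 'internal-notes.txt'],
    ['id' => 4, 'note_id' => 99, 'filename' => 'orphan.bin'],
];

// Same issue, two callers: only the second holds the private-note right.
$reporter  = ['can_view_private_notes' => false];
$developer = ['can_view_private_notes' => true];

print_r(array_column(visible_attachments($attachments, $notes, $reporter), 'id'));
print_r(array_column(visible_attachments($attachments, $notes, $developer), 'id'));
```

The same filter must be applied by every API path that lists or serves files (the issue, files, and single-file endpoints above), not only by the UI renderer.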

Tags: No tags attached.

Relationships

related to 0026631 (closed, vboctor): file_get_visible_attachments shows private files that should be invisible to the user
related to 0026894 (assigned, vboctor): Issue note files should show up within the notes in REST API

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-2.24 f1f236f9
2020-04-19 17:36:47
vboctor

Fix attachments API access checks

- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)

Fixes 0026893

Affected Issues: 0026893
Modified files:
  • api/soap/mc_issue_api.php
  • core/file_api.php

MantisBT: master 4b436c4c
2020-04-19 17:36:47
vboctor

Fix attachments API access checks

- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)

Fixes 0026893

Affected Issues: 0026893
Modified files:
  • api/soap/mc_issue_api.php
  • core/file_api.php

Issue History

Date Modified | Username | Field | Change
2020-04-19 17:39 vboctor New Issue
2020-04-19 17:39 vboctor Status new => assigned
2020-04-19 17:39 vboctor Assigned To => vboctor
2020-04-19 17:40 vboctor Description Updated View Revisions
2020-04-19 17:48 vboctor Description Updated View Revisions
2020-04-20 01:46 atrol Relationship added related to 0026631
2020-04-21 19:02 vboctor Relationship added related to 0026894
2020-05-03 03:35 vboctor Changeset attached => MantisBT master-2.24 f1f236f9
2020-05-03 03:35 vboctor Status assigned => resolved
2020-05-03 03:35 vboctor Resolution open => fixed
2020-05-03 03:35 vboctor Fixed in Version => 2.24.1
2020-05-03 04:34 vboctor Status resolved => closed
2020-05-03 04:35 vboctor View Status private => public
2020-05-03 04:38 vboctor Changeset attached => MantisBT master 4b436c4c