View Issue Details

ID: 0004341
Project: mantisbt
Category: security
View Status: public
Last Update: 2004-11-06 06:26
Reporter: hacker
Assigned To: DGtlRift
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Any
OS: Any
OS Version: Any
Product Version: git trunk
Fixed in Version: 0.19.1
Summary: 0004341: Users removed from projects are still listed as 'monitoring' bugs
Description

If you add a user to a project, that user sets himself to monitor some bugs filed against that project, and you then remove that user from the project, they are still listed as monitoring the bugs they set themselves to monitor.

This is an enormous security risk, because emails go out, including to the user who has been listed as monitoring that bug, but is no longer a user on the project itself. There is a disconnect here.

One of our project managers left the company to work for a competitor. He was assigned to a very high-level project before he left, and he was monitoring several incidents filed on that project. When he left, we took him out of the project and disabled his account, but only recently realized that he was still getting emails sent to him from the project. EEK!

Steps To Reproduce

1.) Add a user
2.) Add that user to a project
3.) Set that user's preferences to monitor bugs in that project
4.) Disable the user's account
5.) Remove their account from the project

Tags: No tags attached.

Attached Files: mantisbt.4341.patch.txt (1,087 bytes)
Index: bug_monitor_list_view_inc.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/bug_monitor_list_view_inc.php,v
retrieving revision 1.11
diff -u -r1.11 bug_monitor_list_view_inc.php
--- bug_monitor_list_view_inc.php	29 Jun 2004 08:38:43 -0000	1.11
+++ bug_monitor_list_view_inc.php	4 Oct 2004 11:34:01 -0000
@@ -20,7 +20,7 @@
 	$t_user_table = config_get( 'mantis_user_table' );
 
 	# get the bugnote data
-	$query = "SELECT user_id
+	$query = "SELECT user_id, enabled
 			FROM $t_bug_monitor_table m, $t_user_table u
 			WHERE m.bug_id=$c_bug_id AND m.user_id = u.id
 			ORDER BY u.realname, u.username";
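Review bot: the summary is about users removed from the project, but this hunk only adds `enabled` to the SELECT; the join still returns every monitor row whose user still exists, and nothing in the query (or in the result) tells the view whether that user still has access to the bug's project, so a removed-but-still-enabled account will render exactly like a current member. If the intent is to flag both cases, the result needs a per-row project access check as well (in the view, after fetching `user_id`), or the monitor list should be pruned when a user is removed from the project. Also, the comment `# get the bugnote data` above the query describes the wrong table; since the query is being edited anyway, correct it to say it fetches the monitor list.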
@@ -71,7 +71,17 @@
  		for ( $i = 0; $i < $num_users; $i++ ) {
  			$row = db_fetch_array( $result );
 			echo ($i > 0) ? ', ' : '';
+			if ( FALSE == $row['enabled'] ) {
+				?>
+		<font STYLE="text-decoration: line-through">
+				<?php } else { ?>
+		<font STYLE="text-decoration: none">
+				<?php
+			}
 			echo print_user( $row['user_id'] );
+			?>
+		</font>
+			<?php
  		}
 ?>
 	</td>
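Review bot: `FALSE == $row['enabled']` is a loose comparison against whatever the database driver returns for an integer column (typically the string `'0'`); it happens to work, but it is also true for `''` and `NULL`, so compare against the stored value explicitly, e.g. `0 == (int)$row['enabled']`. The `else` branch then wraps every enabled user in `<font STYLE="text-decoration: none">`, which changes nothing; emit the wrapper only in the disabled case, and prefer `<span style="text-decoration: line-through">` over the deprecated `font` element. Note that with this change disabled users remain in the list (struck through) rather than being removed, which matches the thread's intent of keeping history; the project-removal case from the summary is still not distinguished here.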

Relationships

child of 0004297 (closed, vboctor): Mantis 0.19.1 release

Activities

thraxisp (reporter), 2004-08-17 13:54, ~0007032

I can't reproduce this with the current CVS HEAD (0.19rc1). The recipient generator explicitly excludes users who are non-existent or disabled.

vboctor (manager), 2004-08-17 17:44, ~0007039

I thought the emails were not sent for disabled user accounts.

The problem you are describing is not limited to monitored issues: what about issues that the user is handling, reported, or contributed notes to? All of these will cause the same issue you are describing.

Also note that at the moment to change the access level of a user, the user has to be removed and added. So unless this changes, we will need a separate feature to remove all references to a user from a specific project. This feature will make sense if the user is being removed from one project and not others. This can be done by creating a new user account that is disabled by default and using it to replace the original one. The user name for the new account will be based on the original one. For example, vboctor_deleted rather than vboctor.

thraxisp (reporter), 2004-08-17 21:33, ~0007040

I probably wasn't clear enough. Although the user is listed as monitoring the bug, or having contributed a bug note, or even originating a problem, they are not sent an email if they are disabled. It may appear as if they are, but their names are removed from the email recipient list before it is sent (silently).

I would not want to delete the records of people who contributed or raised issues. Disabling them leaves the history, but blocks login or email.

vboctor (manager), 2004-08-19 08:14, ~0007066

Maybe if users are removed from the projects and are not going to get any more notifications, we should display their names in the monitor list and next to the bugnotes with a strikethrough, and the same for users with disabled accounts.

What do you think?

thraxisp (reporter), 2004-08-19 10:09, ~0007069

I agree. I linked this to 0.19.1 with the intent of differentiating a disabled user from other users in the display or email.

DGtlRift (reporter), 2004-10-04 06:43, ~0007883

A patch has been added that puts a line through disabled users monitoring the issue.

grangeway (reporter), 2004-10-04 09:34, ~0007888

This patch isn't in CVS (yet), so reopening.

thraxisp (reporter), 2004-10-04 10:00, ~0007891

Change not applied to CVS.

thraxisp (reporter), 2004-10-04 10:09, ~0007892

Fix submitted to CVS.