View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004341 | mantisbt | security | public | 2004-08-17 12:39 | 2004-11-06 06:26 |
| Reporter | hacker | Assigned To | DGtlRift | | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | | |
| Platform | Any | OS | Any | OS Version | Any |
| Product Version | git trunk | | | | |
| Fixed in Version | 0.19.1 | | | | |
| Summary | 0004341: Users removed from projects are still listed as 'monitoring' bugs | | | | |
| Description | If you add a user to a project, and that user sets himself to monitor some bugs filed against that project, and you remove that user from that project.. they are still listed as monitoring the bugs they set themselves to. This is an enormous security risk, because emails go out, including to the user who has been listed as monitoring that bug, but is no longer a user on the project itself. There is a disconnect here. One of our project managers left the company, to work for a competitor, and he was assigned to a very high-level project before he left, and he was monitoring several incidents filed on that project. When he left, we took him out of the project, and disabled his account.. but only recently realized that he was still getting emails sent to him from the project. EEK! | | | | |
| Steps To Reproduce | 1.) Add a user | | | | |
| Tags | No tags attached. | | | | |
| Attached Files | mantisbt.4341.patch.txt (1,087 bytes) | | | | |
? mantisbt.4341.patch.txt Index: bug_monitor_list_view_inc.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/bug_monitor_list_view_inc.php,v retrieving revision 1.11 diff -u -r1.11 bug_monitor_list_view_inc.php --- bug_monitor_list_view_inc.php 29 Jun 2004 08:38:43 -0000 1.11 +++ bug_monitor_list_view_inc.php 4 Oct 2004 11:34:01 -0000 @@ -20,7 +20,7 @@ $t_user_table = config_get( 'mantis_user_table' ); # get the bugnote data - $query = "SELECT user_id + $query = "SELECT user_id, enabled FROM $t_bug_monitor_table m, $t_user_table u WHERE m.bug_id=$c_bug_id AND m.user_id = u.id ORDER BY u.realname, u.username"; @@ -71,7 +71,17 @@ for ( $i = 0; $i < $num_users; $i++ ) { $row = db_fetch_array( $result ); echo ($i > 0) ? ', ' : ''; + if ( FALSE == $row['enabled'] ) { + ?> + <font STYLE="text-decoration: line-through"> + <?php } else { ?> + <font STYLE="text-decoration: none"> + <?php + } echo print_user( $row['user_id'] ); + ?> + </font> + <?php } ?> </td> | ||||
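Review bot: the new `enabled` column in the first hunk only distinguishes disabled accounts, which is not the case the report describes (a user removed from the project whose account may still be enabled); with this query such a user is still printed in the normal style, so the reporter's scenario is not visibly flagged. Since the statement joins `m` and `u` and already qualifies `u.id`, `u.realname` and `u.username`, write `u.enabled` as well to keep the column reference unambiguous.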
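Review bot: in the second hunk `FALSE == $row['enabled']` relies on PHP loose comparison, because `db_fetch_array()` returns the column as a string ('0' or '1' with most drivers); an explicit `0 == (int)$row['enabled']` states the intent and does not depend on juggling rules. The `<font STYLE="...">` element is deprecated presentational markup, and the `else` branch emits `<font STYLE="text-decoration: none">` for every enabled user, which does nothing; a `<span class="...">` wrapped only around disabled users, with the strikethrough rule in the stylesheet, would also let the same class be reused next to bugnotes as proposed in the discussion.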
I can't reproduce this with the current CVS HEAD (0.19rc1). The recipient generator explicitly excludes users who are non-existent or disabled.

I thought the emails were not sent for disabled user accounts. The problem you are describing is not limited to monitored issues: what about issues that the user is handling, or the user reported, or contributed notes to? All these will cause the same issue you are describing. Also note that at the moment, to change the access level of a user, the user has to be removed and added. So unless this changes, we will need a separate feature to remove all references to a user from a specific project. This feature will make sense if the user is being removed from one project and not others. This can be done by creating a new user account that is disabled by default and using it to replace the original one. The user name for the new account will be based on the original one. For example, vboctor_deleted rather than vboctor.

I probably wasn't clear enough. Although the user is listed as monitoring the bug, or having contributed a bug note, or even originating a problem, they are not sent an email if they are disabled. It may appear as if they are, but their names are removed from the email recipient list before it is sent (silently). I would not want to delete the records of people who contributed or raised issues. Disabling them leaves the history, but blocks login or email.

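The two comments above make a point worth seeing in code: a bug references users in several places (reporter, handler, monitors, note authors), and the recipient list must be filtered against both the account's enabled flag and the user's current project access, otherwise revoking access does not revoke notifications. The following is an added example, not MantisBT code; the `User`/`Bug` classes, the `PROJECT_MEMBERS` table and all sample data are constructed for illustration, and the simple membership set is an assumption that ignores public projects and global access levels.

```python
"""
Added example (not MantisBT code): build a notification recipient list that
drops disabled accounts and users who no longer have access to the project,
and report the stale references a UI would mark with a strikethrough.
All names and data below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    username: str
    enabled: bool


@dataclass
class Bug:
    bug_id: int
    project_id: int
    reporter_id: int
    handler_id: int
    monitor_ids: set = field(default_factory=set)
    note_author_ids: set = field(default_factory=set)


# Constructed sample data (hypothetical users and membership).
USERS = {
    1: User(1, "alice", True),
    2: User(2, "bob", True),
    3: User(3, "carol_left", False),  # account disabled after leaving
    4: User(4, "dave", True),         # still enabled, but removed from project 10
}
PROJECT_MEMBERS = {10: {1, 2}}        # assumption: project_id -> member user ids


def candidate_recipients(bug):
    """Every user the bug references, before any access filtering."""
    return {bug.reporter_id, bug.handler_id} | bug.monitor_ids | bug.note_author_ids


def can_receive(user_id, project_id, users, members):
    """A user may receive mail only if the account exists, is enabled,
    and currently has access to the bug's project."""
    user = users.get(user_id)
    if user is None or not user.enabled:
        return False
    return user_id in members.get(project_id, set())


def build_recipients(bug, users=USERS, members=PROJECT_MEMBERS):
    """Sorted user ids that should actually be e-mailed about the bug."""
    return sorted(uid for uid in candidate_recipients(bug)
                  if can_receive(uid, bug.project_id, users, members))


def stale_references(bug, users=USERS, members=PROJECT_MEMBERS):
    """Users still referenced by the bug (monitor list, notes, ...) who are
    excluded from mail: the ones a strikethrough display should mark."""
    kept = set(build_recipients(bug, users, members))
    return sorted(candidate_recipients(bug) - kept)


# Constructed bug: carol (disabled) and dave (removed) are both monitoring it.
BUG = Bug(bug_id=4341, project_id=10, reporter_id=1, handler_id=2,
          monitor_ids={3, 4}, note_author_ids={2, 3})

if __name__ == "__main__":
    print("recipients:", build_recipients(BUG))    # [1, 2]
    print("stale refs:", stale_references(BUG))    # [3, 4]
```

The check is deliberately applied at the point where mail is generated rather than by deleting history: the monitor and bugnote records stay intact, which is the behaviour the discussion argues for, while `stale_references()` gives the display layer exactly the set of names to strike through.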
Maybe if users are removed from the projects and are not going to get anymore notifications we should display their names in the monitor list and next to the bugnotes with a strikethrough, the same for the users with disabled accounts. What do you think?

I agree. I linked this to 0.19.1 with the intent of differentiating a disabled user from other users in the display or email.

Patch has been added that puts a line through disabled users monitoring the issue.

This patch isn't in CVS (yet), so reopening.

change not applied to CVS

fix submitted to CVS