Prevent unprivileged users from viewing private Issues

If a Private Issue is attached to an existing Changeset, then any user can view the Issue's Summary field. The information is visible on view.php, as well as on list.php (via pop-up on Affected Issues id hyperlink). Filtering accessible issues before display fixes the problem. Thanks to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting this. Fixes #344 # Conflicts: # Source/Source.ViewAPI.php # Source/pages/view.php
mantisbt-plugins · Jan 18, 2021 · 2f96a4a · 2f96a4a
1 parent c888810
commit 2f96a4a
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/Source/Source.ViewAPI.php b/Source/Source.ViewAPI.php
@@ -29,6 +29,8 @@ function Source_View_Changesets( $p_changesets, $p_repos=null, $p_show_repos=tru
 		$t_changeset->load_bugs();
 		$t_changeset->load_files();
 
+		bug_cache_array_rows( $t_changeset->bugs );
+
 		$t_author = Source_View_Author( $t_changeset, false );
 		$t_committer = Source_View_Committer( $t_changeset, false );
 		?>
@@ -65,7 +67,22 @@ function Source_View_Changesets( $p_changesets, $p_repos=null, $p_show_repos=tru
 		<?php }
 		?>
 </td>
-<td colspan="2"><?php
+
+<?php
+		# Build list of related issues the user has access to, with link
+		$t_view_bug_threshold = config_get('view_bug_threshold');
+		$t_bugs = array_map(
+			'string_get_bug_view_link',
+			array_filter(
+				$t_changeset->bugs,
+				function( $p_bug_id ) use ( $t_view_bug_threshold ) {
+					return bug_exists( $p_bug_id )
+						&& access_has_bug_level( $t_view_bug_threshold, $p_bug_id );
+				}
+			)
+		);
+?>
+<td colspan=2><?php
 	# The commit message is manually transformed (adding href, bug and bugnote
 	# links + nl2br) instead of calling string_display_links(), which avoids
 	# unwanted html tags processing by the MantisCoreFormatting plugin.
@@ -81,9 +98,6 @@ function Source_View_Changesets( $p_changesets, $p_repos=null, $p_show_repos=tru
 </td>
 <td>
 <?php
-		# Build list of related issues with link
-		$t_bugs = array_map( 'string_get_bug_view_link', $t_changeset->bugs );
-
 		if( $t_bugs ) {
 			echo '<span class="bold">',
 				plugin_lang_get( 'affected_issues', 'Source' ),

diff --git a/Source/pages/view.php b/Source/pages/view.php
@@ -14,16 +14,23 @@
 $t_changeset = SourceChangeset::load( $f_changeset_id );
 $t_changeset->load_files();
 $t_changeset->load_bugs();
-bug_cache_array_rows( $t_changeset->bugs );
 
+# Get the list of related bugs the user has access to
+$t_view_bug_threshold = config_get('view_bug_threshold');
+$t_visible_bugs = array_filter(
+	$t_changeset->bugs,
+	function( $p_bug_id ) use ( $t_view_bug_threshold ) {
+		return bug_exists( $p_bug_id)
+			&& access_has_bug_level( $t_view_bug_threshold, $p_bug_id );
+	}
+);
+bug_cache_array_rows( $t_visible_bugs );
 $t_bug_rows = array();
-foreach( $t_changeset->bugs as $t_bug_id ) {
-	$t_bug_row = bug_cache_row( $t_bug_id, false );
-	if ( false === $t_bug_row ) { continue; }
-
-	$t_bug_rows[$t_bug_id] = $t_bug_row;
+foreach( $t_visible_bugs as $t_bug_id ) {
+	$t_bug_rows[$t_bug_id] = bug_get_row( $t_bug_id );
 }
-$t_affected_rowspan = count( $t_bug_rows ) + ( $t_can_update ? 1 : 0 );
+
+$t_affected_rowspan = count( $t_visible_bugs ) + ( $t_can_update ? 1 : 0 );
 
 $t_repos = SourceRepo::load_by_changesets( $t_changeset );
 if ( count( $t_repos ) < 1 ) {
@@ -149,6 +156,7 @@
 <?php
 $t_first = true;
 $t_user_id = auth_get_current_user_id();
+
 foreach ( $t_bug_rows as $t_bug_id => $t_bug_row ) {
 	$t_color_class = html_get_status_css_class(
 		$t_bug_row['status'],