View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0019964mantisbtauthenticationpublic2015-07-23 07:532021-01-05 18:59
Reporterbadfiles Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status assignedResolutionopen 
Target Version2.26.0 
Summary0019964: Wrong anonymous rights application
Description

Anonymous users have different rights depending on the way they 'login'

Steps To Reproduce

Setup Mantis for anonymous login.
Allow reporting for anonymous user access level.
Delete all cookies.
Login as anonymous with /login_anon.php
You are detected as anonymous.
You can report an issue.
Delete all cookies.
Go to, say, /my_view_page.php
You are detected as anonymous.
You cannot submit an issue.

Additional Information

This also affects on page contents: anonymous that has not truly logged in has no access to the bugs he should not have access to but he sees them in lists.

TagsNo tags attached.

Activities

atrol

atrol

2015-07-23 08:53

developer   ~0051119

Last edited: 2015-07-23 08:56

I don't understand the problem at the moment.
Is there a reason (e.g. security) that you set Severity to major?

There is a difference between anonymous visiting the bugtracker (web crawlers, users just viewing, ...) and beeing logged in as anonymous user.
e.g. you will also notice that the current selected project is stored if you are logged in.

We would not need the "Login Anonymously" link if there is no difference.

As a side note: We don't recommend to use another access level than VIEWER for the anonymous account.
http://www.mantisbt.org/docs/master/en-US/Admin_Guide/html-single/#admin.config.misc
badfiles

badfiles

2015-07-25 05:16

reporter   ~0051134

We would not need the "Login Anonymously" link if there is no difference.

In this case user should not be detected as 'anonymous' if he did not login as 'anonymous'
dregad

dregad

2015-08-02 17:36

developer   ~0051176

Last edited: 2015-08-03 02:14

I believe the root cause for this is that when a page is browsed anonymously without prior login, the anonymous user's cookies are not actually set. This causes MantisBT API functions such as config_get() to return a generic value.

In this case, it returns whatever value is defined for $g_report_bug_threshold in config file instead of what might be defined in the database (global or project-specific).

PR https://github.com/mantisbt/mantisbt/pull/623

EDIT: for the record, removed the "git trunk" product version as the issue likely exists since a very long time.
vboctor

vboctor

2015-09-01 01:48

manager   ~0051337

Reducing severity to minor since this is a corner case and we likely had this bug for a long time.
dregad

dregad

2015-09-07 18:51

developer   ~0051395

Last edited: 2015-09-08 04:34

EDIT: please ignore me - I posted this note in the wrong issue...