View Issue Details

IDProjectCategoryView StatusLast Update
0023031mantisbtauditingpublic2020-12-03 11:19
Reporteraavagyan Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version2.3.1 
Summary0023031: "Issue History" not showing certain data
Description

We have noticed that sometimes users receive email alerts that note was added to the ticket, but when looking on that ticket in Mantis UI they cannot find such a note. "Issue History" also not showing that note was added or deleted. Even with ADMIN account you are not seeing this in "Issue History".

While digging I discovered these details:

User A adds note. User B (monitoring the ticket) receives email alert that note was added to the ticket. Then User A deletes the note. User A can see in the "Issue History" that s/he added and then removed the note. User B goes to Mantis UI and cannot see the note and cannot see lines in "Issue History" about addition and deletion of note.

This is confusing experience. People feel that there is something happening in Mantis, which there are unable to see. The other strange thing is that even with ADMIN rights one cannot see these lines in "Issue History".

I then went to the code and found this in core/history_api.php:

                # bugnotes
                if( $t_user_id != $v_user_id ) {
                        # bypass if user originated note
                        if( ( $v_type == BUGNOTE_ADDED ) || ( $v_type == BUGNOTE_UPDATED ) || ( $v_type == BUGNOTE_DELETED ) ) {
                                if( !bugnote_exists( $v_old_value ) ) {
                                        continue;
                                }
...

Can this be changed so users see that note was added and removed? Otherwise "puzzle" of getting email alerts and then not seeing what was that will continue.

Thank you.

EDIT: dregad fix markdown

TagsNo tags attached.

Relationships

related to 0021878 closedvboctor Improve issue note caching 
has duplicate 0023457 closedatrol Administrators can't see deleted notes 

Activities

atrol

atrol

2017-06-19 07:48

developer   ~0057096

The checking for bugnote existence has been added when implementing 0021878.
This is needed, as we need to get the privateflag information of the note later on.
I see no clean way to get what you want, at least as long as notes are deleted and not marked as deleted.

aavagyan

aavagyan

2017-06-19 10:38

reporter   ~0057099

I understand the complexity and that it is mostly caused by the fact that information on PUBLIC-PRIVATE is gone when bugnote is deleted. In this regards, can we at least show relevant lines in "Issue History" when user has rights to see PRIVATE notes? I understand this is not very clean, but at least power users (and admins) will be able to "solve" puzzle for lower-right users. Otherwise even with admin account there is no way to figure out what is going on.

PantsManUK

PantsManUK

2018-01-26 09:30

reporter   ~0058617

@atrol: Yes, this is the issue we noticed as well (I'm "MLCrane" on the forum).

Would I be correct in assuming that this affects all bugnote actions in history when a bugnote has been deleted? Given there is no direct link in the history to the note in question (in 1.3.X, certainly), what harm could there be in (effectively) removing the "if( !bugnote_exists( $v_old_value ) ) {" test entirely? That reinstates the "missing" history lines for the users that should be able to see it, and as far as I can tell has no adverse side-effects.

atrol

atrol

2018-01-26 10:16

developer   ~0058618

what harm could there

See 0023031:0057096
You could see history entries for deleted private notes even if you are not allowed to view private notes.
Probably for most of the users just a minor security issue.

PantsManUK

PantsManUK

2018-01-26 10:32

reporter   ~0058620

@atrol many thanks. We've commented out the "continue"s for now and left the calls to bugnote_exists() intact, and for us that's a workable solution; our installation is behind our firewall, so we don't need to hide things overly. I'll keep thinking on a better solution; "extra pair of eyes" and all that.

polzin

polzin

2020-05-28 12:13

reporter   ~0064032

What about the solution suggested in 0023031:0057099: show relevant lines in "Issue History" when user has rights to see PRIVATE notes

This would be a helpful workaround.

maturbet

maturbet

2020-06-02 04:28

reporter   ~0064053

We also are wating for it !

stevecharon

stevecharon

2020-12-03 11:19

reporter   ~0064740

I removed the part
|| ( $v_type == BUGNOTE_DELETED )
from the code so that everyone can see who deleted the entries.
Private or not, on deletion there is only the mention of the gone bugnote.
This is not a security issue but a requirement to have a proper work audit for an entry to understand who did what and when.
Definitely a TODO in my view.