Closed atrol closed 6 years ago
The incorrect behavior has been introduced in MantisBT 2.12.0, which changed the semantics of these 2 configs. The problem is that the plugin generates static text, so we can't dynamically set the name at view time. But always displaying the username may go against the user's settings as well, which could be confusing...
E.g. consider the setup in my previous company, where I had
$g_show_user_realname_threshold = ANYBODY;
I'm tagging this with security because it's a potential information disclosure.
Placeholders for users are replaced by the real name instead of the user name if the following configuration is used and the access level of the current user is >= $g_show_user_realname_threshold
When using such a snippet, real names are published to any user, even those who are not allowed to view real names.