Thanks Paul for the quick patch.

I'm interested to know how you are planning for the soap-api re-factoring. 

In our organisation, only the developers use mantis directly and the end-users just report and comment on the bugs through the EmailReporting plugin. We have several users who doesn't have a password set in mantis.

We are now planning to provide them simple bug reporting forms in our custom application, so that users can directly report and check the status of the issues without logging into mantis or emailing the support team. The custom application supports composite authentication which  uses different LDAP, AD servers. Since the accounts in mantis are not linked to the accounts in LDAP or AD, the password based authentication will not work in our SOAP client.

So it would be nice if you could explain how you plan to re-factor the SOAP API so that we can also derive our strategy for authentication.

thanks in advance


From: "Robert Munteanu" <>
To: "developer discussions" <>
Sent: Thursday, February 16, 2012 3:53:50 PM
Subject: Re: [mantisbt-dev] Security in Mantis SOAP-API

Thanks, Paul!

On Thu, Feb 16, 2012 at 11:48 AM, Paul Richards <> wrote:

For our next release we'll re-look at this properly.


[and before anyone asks, the commit username was due to setting up a vm quickly just to fix this as i'm at work atm]