Correct access checks in mc_issue_get_id_from_summary

Fixes #13736: mc_issue_get_id_from_summary incorrectly checks for permissions
mantisbt · Mar 3, 2012 · 35aed24 · 35aed24
1 parent 9a0edf6
commit 35aed24
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
@@ -476,9 +476,9 @@ function mc_issue_get_id_from_summary( $p_username, $p_password, $p_summary ) {
 	if( $t_user_id === false ) {
 		return mci_soap_fault_login_failed();
 	}
-
+	
 	$t_bug_table = db_get_table( 'mantis_bug_table' );
-
+	
 	$query = "SELECT id
 		FROM $t_bug_table
 		WHERE summary = " . db_param();
@@ -492,7 +492,8 @@ function mc_issue_get_id_from_summary( $p_username, $p_password, $p_summary ) {
 			$t_issue_id = (int) $row['id'];
 			$t_project_id = bug_get_field( $t_issue_id, 'project_id' );
 
-			if( mci_has_readonly_access( $t_user_id, $t_project_id ) ) {
+			if( mci_has_readonly_access( $t_user_id, $t_project_id ) &&
+				access_has_bug_level( VIEWER, $t_issue_id, $t_user_id ) ) {
 				return $t_issue_id;
 			}
 		}