
base repository: mantisbt/mantisbt
base: c8a62a0
head repository: mantisbt/mantisbt
compare: a09e0a5
  • 2 commits
  • 1 file changed
  • 1 contributor

Commits on Jan 5, 2012

  1. SOAP API: proper access checks when deleting bugnotes

    Affects #13656 : Reporters have read/write access to existing data of other users
    rombert committed Jan 5, 2012
    0a7e866 View commit details
  2. SOAP API: proper access checks when deleting bugs

    Affects #13656 : Reporters have read/write access to existing data of other users
    rombert committed Jan 5, 2012

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    a09e0a5 View commit details
Showing with 17 additions and 0 deletions.
  1. +17 −0 api/soap/mc_issue_api.php
17 changes: 17 additions & 0 deletions api/soap/mc_issue_api.php
@@ -943,6 +943,10 @@ function mc_issue_delete( $p_username, $p_password, $p_issue_id ) {
if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}

if ( !access_has_bug_level( config_get( 'delete_bug_threshold' ), $p_issue_id, $t_user_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}

return bug_delete( $p_issue_id );
}
@@ -1030,6 +1034,19 @@ function mc_issue_note_delete( $p_username, $p_password, $p_issue_note_id ) {
if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}

$t_reporter_id = bugnote_get_field( $p_issue_note_id, 'reporter_id' );

// mirrors check from bugnote_delete.php
if ( $t_user_id == $t_reporter_id ) {
$t_threshold_config_name = 'bugnote_user_delete_threshold';
} else {
$t_threshold_config_name = 'delete_bugnote_threshold';
}

if ( !access_has_bugnote_level( config_get ( $t_threshold_config_name ) , $p_issue_note_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}

return bugnote_delete( $p_issue_note_id );
}
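Review bot: The check added to mc_issue_note_delete calls `access_has_bugnote_level( config_get ( $t_threshold_config_name ) , $p_issue_note_id )` without a user argument, whereas the check added to mc_issue_delete passes `$t_user_id` explicitly. If that function falls back to the ambient current user when none is given, the decision rests on login state set elsewhere rather than on the account just authenticated for this SOAP call; passing it keeps the two checks consistent: `if ( !access_has_bugnote_level( config_get( $t_threshold_config_name ), $p_issue_note_id, $t_user_id ) ) {`. Both `config_get()` calls also resolve the threshold without `$t_project_id`, so a per-project override of the delete thresholds may not be honoured here; that is worth confirming against how the web pages resolve it. Both function bodies begin outside the visible hunks, so the login and project lookup that precede these checks cannot be verified from this page.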