SOAP API: correct access checks for bugnote editing

rombert · rombert · commit 9b6ee5c57cb5 · 2012-06-05T22:32:36.000+03:00
Commit 508cab0 introduced a check for bugnote_allow_user_edit_delete, but the actual configuration setting in master is bugnote_user_edit_threshold . Affects #14340: Reporters can update notes of other users by using SOAP API
diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
@@ -1109,7 +1109,7 @@ function mc_issue_note_update( $p_username, $p_password, $p_note ) {
 	# Check if the user owns the bugnote and is allowed to update their own bugnotes
 	# regardless of the update_bugnote_threshold level.
 	$t_user_owns_the_bugnote = bugnote_is_user_reporter( $t_issue_note_id, $t_user_id );
-	$t_user_can_update_own_bugnote = config_get( 'bugnote_allow_user_edit_delete', null, $t_user_id, $t_project_id );
+	$t_user_can_update_own_bugnote = config_get( 'bugnote_user_edit_threshold', null, $t_user_id, $t_project_id );
 	if ( $t_user_owns_the_bugnote && !$t_user_can_update_own_bugnote ) {
 		return mci_soap_fault_access_denied( $t_user_id );
 	}

Original file line number	Diff line number	Diff line change
`@@ -1109,7 +1109,7 @@ function mc_issue_note_update( $p_username, $p_password, $p_note ) {`
`1109`	`1109`	`# Check if the user owns the bugnote and is allowed to update their own bugnotes`
`1110`	`1110`	`# regardless of the update_bugnote_threshold level.`
`1111`	`1111`	`$t_user_owns_the_bugnote = bugnote_is_user_reporter( $t_issue_note_id, $t_user_id );`
`1112`		`- $t_user_can_update_own_bugnote = config_get( 'bugnote_allow_user_edit_delete', null, $t_user_id, $t_project_id );`
	`1112`	`+ $t_user_can_update_own_bugnote = config_get( 'bugnote_user_edit_threshold', null, $t_user_id, $t_project_id );`
`1113`	`1113`	`if ( $t_user_owns_the_bugnote && !$t_user_can_update_own_bugnote ) {`
`1114`	`1114`	`return mci_soap_fault_access_denied( $t_user_id );`
`1115`	`1115`	`}`