
Commit 385e0c9

committedJan 2, 2012
User must have global access to update global categories
The user's global access level must be >= $g_manage_site_threshold to be allowed to add, edit or delete global categories. Prior to this, once a user had been defined as Manager on at least one project, they could freely update global categories. Also prevents such updates through URL manipulation. Fixes #13561
1 parent 864b628 commit 385e0c9


3 files changed

+13
-6
lines changed

 

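--- a/manage_proj_cat_delete.php
+++ b/manage_proj_cat_delete.php
@@ -34,12 +34,12 @@
 $f_category_id = gpc_get_int( 'id' );
 $f_project_id = gpc_get_int( 'project_id' );
 
-access_ensure_project_level( config_get( 'manage_project_threshold' ), $f_project_id );
-
 $t_row = category_get_row( $f_category_id );
 $t_name = category_full_name( $f_category_id );
 $t_project_id = $t_row['project_id'];
 
+access_ensure_project_level( config_get( 'manage_project_threshold' ), $t_project_id );
+
 # Get a bug count
 $t_bug_table = db_get_table( 'mantis_bug_table' );
 $t_query = "SELECT COUNT(id) FROM $t_bug_table WHERE category_id=" . db_param();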
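--- a/manage_proj_cat_edit_page.php
+++ b/manage_proj_cat_edit_page.php
@@ -32,13 +32,13 @@
 $f_category_id = gpc_get_int( 'id' );
 $f_project_id = gpc_get_int( 'project_id' );
 
-access_ensure_project_level( config_get( 'manage_project_threshold' ), $f_project_id );
-
 $t_row = category_get_row( $f_category_id );
 $t_assigned_to = $t_row['user_id'];
 $t_project_id = $t_row['project_id'];
 $t_name = $t_row['name'];
 
+access_ensure_project_level( config_get( 'manage_project_threshold' ), $t_project_id );
+
 html_page_top();
 
 print_manage_menu( 'manage_proj_cat_edit_page.php' );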
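--- a/manage_proj_page.php
+++ b/manage_proj_page.php
@@ -166,6 +166,7 @@
 </tr>
 <?php
 $t_categories = category_get_all_rows( ALL_PROJECTS );
+$t_can_update_global_cat = access_has_global_level( config_get( 'manage_site_threshold' ) );
 
 if ( count( $t_categories ) > 0 ) {
 ?>
@@ -176,14 +177,16 @@
 <td>
 <?php echo lang_get( 'assign_to' ) ?>
 </td>
+<?php if( $t_can_update_global_cat ) { ?>
 <td class="center">
 <?php echo lang_get( 'actions' ) ?>
 </td>
+<?php } ?>
 </tr>
 <?php
 }
 
-foreach ( $t_categories as $t_category ) {
+foreach( $t_categories as $t_category ) {
 $t_id = $t_category['id'];
 ?>
 <!-- Repeated Info Row -->
@@ -194,6 +197,7 @@
 <td>
 <?php echo prepare_user_name( $t_category['user_id'] ) ?>
 </td>
+<?php if( $t_can_update_global_cat ) { ?>
 <td class="center">
 <?php
 $t_id = urlencode( $t_id );
@@ -204,11 +208,13 @@
 print_button( "manage_proj_cat_delete.php?id=$t_id&project_id=$t_project_id", lang_get( 'delete_link' ) );
 ?>
 </td>
+<?php } ?>
 </tr>
 <?php
 } # end for loop
-?>
 
+if( $t_can_update_global_cat ) {
+?>
 <!-- Add Category Form -->
 <tr>
 <td class="left" colspan="3">
@@ -220,6 +226,7 @@
 </form>
 </td>
 </tr>
+<?php } ?>
 
 </table>
 </div>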