Fix #14015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied" Issue #14016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users. $g_allow_delete_own_attachments should now work again... safely.
mantisbt · Jun 2, 2012 · 31d1156 · 31d1156
1 parent f82f98c
commit 31d1156
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 7 deletions.
diff --git a/api/soap/mc_issue_attachment_api.php b/api/soap/mc_issue_attachment_api.php
@@ -71,11 +71,7 @@ function mc_issue_attachment_delete( $p_username, $p_password, $p_issue_attachme
 
 	$t_bug_id = file_get_field( $p_issue_attachment_id, 'bug_id' );
 
-	# Check access against update_bug_threshold
-	if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id, $t_user_id ) ) {
-		return mci_soap_fault_access_denied( $t_user_id );
-	}
-
+	# Perform access control checks
 	$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
 	$t_current_user_is_attachment_owner = $t_attachment_owner == $t_user_id;
 	# Factor in allow_delete_own_attachments=ON|OFF

diff --git a/bug_file_delete.php b/bug_file_delete.php
@@ -61,8 +61,6 @@
 	$g_project_override = $t_bug->project_id;
 }
 
-access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );
-
 $t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
 $t_current_user_is_attachment_owner = $t_attachment_owner == auth_get_current_user_id();
 if ( !$t_current_user_is_attachment_owner || ( $t_current_user_is_attachment_owner && !config_get( 'allow_delete_own_attachments' ) ) ) {