Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes #27727, #27357, CVE-2020-29605

bug_actiongroup_page.php

@@ -73,16 +73,17 @@
 $t_project_id = ALL_PROJECTS;
 $t_multiple_projects = false;
 $t_projects = array();
-
-# Array of parameters to be used with plugin event
-$t_event_params = array();
-$t_event_params['bug_ids'] = $f_bug_arr;
-$t_event_params['action'] = $f_action;
-$t_event_params['has_bugnote'] = false;
+$t_view_bug_threshold = config_get( 'view_bug_threshold' );
 
 bug_cache_array_rows( $f_bug_arr );
 
-foreach( $f_bug_arr as $t_bug_id ) {
+foreach( $f_bug_arr as $t_key => $t_bug_id ) {
+	# Remove any issues the user doesn't have access to
+	if( !access_has_bug_level( $t_view_bug_threshold, $t_bug_id ) ) {
+		unset( $f_bug_arr[$t_key] );
+		continue;
+	}
+
 	$t_bug = bug_get( $t_bug_id );
 	if( $t_project_id != $t_bug->project_id ) {
 		if( ( $t_project_id != ALL_PROJECTS ) && !$t_multiple_projects ) {
@@ -93,6 +94,12 @@
 		}
 	}
 }
+
+# Array of parameters to be used with plugin event
+$t_event_params = array();
+$t_event_params['bug_ids'] = $f_bug_arr;
+$t_event_params['action'] = $f_action;
+$t_event_params['has_bugnote'] = false;
 $t_event_params['multiple_projects'] = $t_multiple_projects;
 
 if( $t_multiple_projects ) {