mc_issue_note_update passing wrong param to access check function

Commit edc8142 introduced proper logic to avoid unauthorized update of bugnotes, but was passing incorrect parameters to access_has_bugnote_level() so unprivileged users could still update them. Fixes #14340
mantisbt · Jun 3, 2012 · 15a5d6a · 15a5d6a
1 parent 473542e
commit 15a5d6a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
@@ -1117,7 +1117,7 @@ function mc_issue_note_update( $p_username, $p_password, $p_note ) {
 	# Check if the user has an access level beyond update_bugnote_threshold for the
 	# project containing the bugnote to update.
 	$t_update_bugnote_threshold = config_get( 'update_bugnote_threshold', null, $t_user_id, $t_project_id );
-	if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_user_id, $t_project_id ) ) {
+	if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_issue_note_id, $t_user_id ) ) {
 		return mci_soap_fault_access_denied( $t_user_id );
 	}