From 15a5d6a37f8e31813e3b9ba1c3eee07b08bc99aa Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Mon, 4 Jun 2012 00:29:44 +0200
Subject: [PATCH] mc_issue_note_update passing wrong param to access check function

Commit edc8142bb8ac0ac0df1a3824d78c15f4015d959e introduced proper logic to avoid unauthorized update of bugnotes, but was passing incorrect parameters to access_has_bugnote_level() so unprivileged users could still update them.

Fixes #14340
---
 api/soap/mc_issue_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
index 143c089bfd..548cf3e55a 100644
--- a/api/soap/mc_issue_api.php
+++ b/api/soap/mc_issue_api.php
@@ -1117,7 +1117,7 @@ function mc_issue_note_update( $p_username, $p_password, $p_note ) {
 # Check if the user has an access level beyond update_bugnote_threshold for the
 # project containing the bugnote to update.
 $t_update_bugnote_threshold = config_get( 'update_bugnote_threshold', null, $t_user_id, $t_project_id );
- if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_user_id, $t_project_id ) ) {
+ if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_issue_note_id, $t_user_id ) ) {
 return mci_soap_fault_access_denied( $t_user_id );
 }
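Review bot: The comment above the check still describes a project-level test ("for the project containing the bugnote") although the call now takes the note id, and nothing at the call site records the argument order whose mix-up let unprivileged users edit notes. The threshold, note id, user id and project id all look like plain integer values here, so a swap like the one fixed raises no error; I would add `# access_has_bugnote_level( threshold, bugnote id, user id ) - pass the note id, not the project id` above the `if`. The threshold is still read with `$t_project_id`, which is set outside this hunk, so it is worth confirming that it is the project of the issue owning `$t_issue_note_id`; otherwise the threshold and the check could refer to different projects. A SOAP regression test in which a user below `update_bugnote_threshold` tries to update another user's note and receives the access-denied fault would keep this from regressing silently. mc_issue_note_update starts and ends outside the hunk.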