User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to be allowed to add, edit or delete global categories. Prior to this, once a user had been defined as Manager on at least one project, they could freely update global categories. Also prevents such updates through URL manipulation. Fixes #13561
mantisbt · Jan 2, 2012 · 385e0c9 · 385e0c9
1 parent 864b628
commit 385e0c9
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/manage_proj_cat_delete.php b/manage_proj_cat_delete.php
@@ -34,12 +34,12 @@
 	$f_category_id = gpc_get_int( 'id' );
 	$f_project_id = gpc_get_int( 'project_id' );
 
-	access_ensure_project_level( config_get( 'manage_project_threshold' ), $f_project_id );
-
 	$t_row = category_get_row( $f_category_id );
 	$t_name = category_full_name( $f_category_id );
 	$t_project_id = $t_row['project_id'];
 
+	access_ensure_project_level( config_get( 'manage_project_threshold' ), $t_project_id );
+
 	# Get a bug count
 	$t_bug_table = db_get_table( 'mantis_bug_table' );
 	$t_query = "SELECT COUNT(id) FROM $t_bug_table WHERE category_id=" . db_param();

diff --git a/manage_proj_cat_edit_page.php b/manage_proj_cat_edit_page.php
@@ -32,13 +32,13 @@
 	$f_category_id		= gpc_get_int( 'id' );
 	$f_project_id		= gpc_get_int( 'project_id' );
 
-	access_ensure_project_level( config_get( 'manage_project_threshold' ), $f_project_id );
-
 	$t_row = category_get_row( $f_category_id );
 	$t_assigned_to = $t_row['user_id'];
 	$t_project_id = $t_row['project_id'];
 	$t_name = $t_row['name'];
 
+	access_ensure_project_level( config_get( 'manage_project_threshold' ), $t_project_id );
+
 	html_page_top();
 
 	print_manage_menu( 'manage_proj_cat_edit_page.php' );

diff --git a/manage_proj_page.php b/manage_proj_page.php
@@ -166,6 +166,7 @@
 </tr>
 <?php
 	$t_categories = category_get_all_rows( ALL_PROJECTS );
+	$t_can_update_global_cat = access_has_global_level( config_get( 'manage_site_threshold' ) );
 
 	if ( count( $t_categories ) > 0 ) {
 ?>
@@ -176,14 +177,16 @@
 			<td>
 				<?php echo lang_get( 'assign_to' ) ?>
 			</td>
+<?php	if( $t_can_update_global_cat ) { ?>
 			<td class="center">
 				<?php echo lang_get( 'actions' ) ?>
 			</td>
+<?php	} ?>
 		</tr>
 <?php
 	}
 
-	foreach ( $t_categories as $t_category ) {
+	foreach( $t_categories as $t_category ) {
 		$t_id = $t_category['id'];
 ?>
 <!-- Repeated Info Row -->
@@ -194,6 +197,7 @@
 			<td>
 				<?php echo prepare_user_name( $t_category['user_id'] ) ?>
 			</td>
+<?php	if( $t_can_update_global_cat ) { ?>
 			<td class="center">
 				<?php
 					$t_id = urlencode( $t_id );
@@ -204,11 +208,13 @@
 					print_button( "manage_proj_cat_delete.php?id=$t_id&project_id=$t_project_id", lang_get( 'delete_link' ) );
 				?>
 			</td>
+<?php	} ?>
 		</tr>
 <?php
 	} # end for loop
-?>
 
+	if( $t_can_update_global_cat ) {
+?>
 <!-- Add Category Form -->
 <tr>
 	<td class="left" colspan="3">
@@ -220,6 +226,7 @@
 		</form>
 	</td>
 </tr>
+<?php } ?>
 
 </table>
 </div>