Fixed access checks to see if viewer has permission to view the bug.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@653 f5dc347c-c33d-0410-90a0-b07cc1902cb9

core_user_API.php

@@ -295,20 +295,35 @@ function project_access_check( $p_bug_id, $p_project_id="0" ) {
 
 		project_check( $p_bug_id );
 
+		#if ( 0 == $p_project_id ) {
+		#	$p_project_id = $g_project_cookie_val;
+		#}
+
 		# access_level check
 		$t_project_id = get_bug_field( "project_id", $p_bug_id );
 		$t_user_id = get_current_user_field( "id" );
 		$t_project_access_level = get_project_access_level( $t_project_id );
-		$t_access_level = get_current_user_field( "access_level" );
-		if ( -1 != $t_project_access_level ) {
-			if ( 0 ) {
-				print_header_redirect( $g_login_select_proj_page );
-			} else {
+
+		#echo $t_project_id."<br>";
+		#echo $g_project_cookie_val."<br>";
+		#echo $t_project_access_level."<br>";
+
+		if ( -1 == $t_project_access_level ) {
+			# user is not in the user lists
+			$t_access_level = get_current_user_field( "access_level" );
+			$t_access_threshold = get_project_field( $t_project_id, "access_min" );
+			#echo $t_access_level."<br>";
+			#echo $t_access_threshold."<br>";
+			#exit;
+			if ( $t_access_level >= $t_access_threshold ) {
 				return;
+			} else {
+				print_header_redirect( $g_login_select_proj_page );
 			}
 		} else {
+			# user is in the user lists
+			# being in the lists means they have access
 			return;
-			#print_header_redirect( $g_logout_page );
 		}
 	}
 	# --------------------

doc/ChangeLog

@@ -9,6 +9,7 @@ Mantis
  * Fixed database and file to no longer use TIMESTAMPS.
  * Fixed password reset to blank to work for other encryption types.
  * Fixed admin_upgrade.php to honor the $g_php global.
+ * Fixed access checks to see if viewer has permission to view the bug.
  * Modified many files for extensive use of CSS.
  * Modified BLOB field to LONGBLOB.
  * Modified bug action buttons to be more consistent.