Fix #14342: mc_issue_api functions do not perform read only checks
Various SOAP functions in mc_issue_api.php did not perform checks to
ensure that read only issues are unmodifiable.
davidhicks committed Jun 2, 2012
1 parent edc8142 commit 804f6ed
Showing 1 changed file with 17 additions and 2 deletions.
19 changes: 17 additions & 2 deletions api/soap/mc_issue_api.php
Expand Up @@ -342,7 +342,10 @@ function mci_issue_get_notes( $p_issue_id ) {
* of the users which should monitor this issue.
*/
function mci_issue_set_monitors( $p_issue_id , $p_user_id, $p_monitors ) {

if ( bug_is_readonly( $p_issue_id ) ) {
return mci_soap_fault_access_denied( $p_user_id, "Issue '$p_issue_id' is readonly" );
}

$t_existing_monitors = bug_get_monitors( $p_issue_id );

$t_monitors = array();
Expand Down Expand Up @@ -710,6 +713,10 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, $p_issue ) {
return new soap_fault( 'Client', '', "Issue '$p_issue_id' does not exist." );
}

if( bug_is_readonly( $p_issue_id ) ) {
return mci_soap_fault_access_denied( $t_user_id, "Issue '$p_issue_id' is readonly" );
}

$t_project_id = bug_get_field( $p_issue_id, 'project_id' );

if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
Expand Down Expand Up @@ -917,7 +924,11 @@ function mc_issue_set_tags ( $p_username, $p_password, $p_issue_id, $p_tags ) {
if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}


if( bug_is_readonly( $p_issue_id ) ) {
return mci_soap_fault_access_denied( $t_user_id, "Issue '$p_issue_id' is readonly" );
}

mci_tag_set_for_issue( $p_issue_id, $p_tags, $t_user_id );

return true;
Expand Down Expand Up @@ -1046,6 +1057,10 @@ function mc_issue_note_delete( $p_username, $p_password, $p_issue_note_id ) {
}
}

if( bug_is_readonly( $t_issue_id ) ) {
return mci_soap_fault_access_denied( $t_user_id, "Issue '$t_issue_id' is readonly" );
}

return bugnote_delete( $p_issue_note_id );
}

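Review bot: In mc_issue_update the new `bug_is_readonly( $p_issue_id )` guard runs before the `mci_has_readwrite_access( $t_user_id, $t_project_id )` check, so a caller who has no write access to the project receives "Issue '…' is readonly" rather than the generic access-denied fault and can tell which issues are in a read-only state. mc_issue_set_tags in this same commit places the guard after the access check; moving the mc_issue_update block below its `mci_has_readwrite_access` block would make the two consistent and keep issue state from callers who fail authorization. The access-check block in mc_issue_update continues outside the hunk, so the exact insertion point has to be confirmed against the full function. A one-line comment above each guard, e.g. `// Read-only issues must not be modified through the SOAP API`, would record why the check is there.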
