Prevent setting category not belonging to project

When retrieving a category for a given project, make sure that it is available in the project's hierarchy, taking inheritance into account. Fixes #27361
mantisbt · Dec 30, 2020 · a4c4865 · a4c4865
1 parent c6bf4f2
commit a4c4865
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php
@@ -1014,6 +1014,16 @@ function mci_get_category_id( $p_category, $p_project_id ) {
 			"Category '{$t_cat_desc}' not found." );
 	}
 
+	# Make sure the category belongs to the given project's hierarchy
+	$t_categories = array_column( category_get_all_rows( $p_project_id ), 'id' );
+	if( !in_array( $t_category_id, $t_categories ) ) {
+		throw new ClientException(
+			"Category '$t_category_id' not available in project '$p_project_id'.",
+			ERROR_CATEGORY_NOT_FOUND_FOR_PROJECT,
+			array( $t_category_id, $p_project_id )
+		);
+	}
+
 	return $t_category_id;
 }