SOAP API: ensure that the user has a proper access level

Fixes #12517: Users can view private bugs Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com>
mantisbt · Feb 7, 2011 · bde76f1 · bde76f1
1 parent d8d14a6
commit bde76f1
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
@@ -61,6 +61,10 @@ function mc_issue_get( $p_username, $p_password, $p_issue_id ) {
 		return mci_soap_fault_access_denied( $t_user_id );
 	}
 
+	if( !access_has_bug_level( VIEWER, $p_issue_id, $t_user_id ) ){
+	    return mci_soap_fault_access_denied( $t_user_id );
+	}
+
 	$t_bug = bug_get( $p_issue_id, true );
 	$t_issue_data = array();