From dd86c9c004a8bf25a747a4107aee8d37996a5bec Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Sun, 20 Sep 2020 16:24:12 +0200
Subject: [PATCH] Prevent assignment of categories to non-handler users

manage_proj_cat_update.php did not perform the necessary checks on the provided user id (assigned_to parameter), allowing users with an access level below handle_bug_threshold to be assigned to a category, and subsequently to bugs created in that category. Also added a check to ensure the provided user id is valid. As suggested by @atrol, the checks are performed in Category API. Fixes #27268
---
 core/category_api.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/core/category_api.php b/core/category_api.php
index cc843774fa..4309b72321 100644
--- a/core/category_api.php
+++ b/core/category_api.php
@@ -173,6 +173,20 @@ function category_update( $p_category_id, $p_name, $p_assigned_to ) {
 }
 $t_old_category = category_get_row( $p_category_id );
+ $t_project_id = (int)$t_old_category['project_id'];
+
+ # Ensure target user exists and is allowed to handle bugs
+ if( $p_assigned_to != NO_USER ) {
+ if( user_exists( $p_assigned_to ) ) {
+ $t_handle_bugs = config_get( 'handle_bug_threshold' );
+ if( !access_has_project_level( $t_handle_bugs, $t_project_id, $p_assigned_to ) ) {
+ trigger_error( ERROR_USER_DOES_NOT_HAVE_REQ_ACCESS, ERROR );
+ }
+ } else {
+ error_parameters( $p_assigned_to );
+ trigger_error( ERROR_USER_BY_ID_NOT_FOUND, ERROR );
+ }
+ }
 db_param_push();
 $t_query = 'UPDATE {category} SET name=' . db_param() . ', user_id=' . db_param() . '