Fix #3421: Users except admin can 'see' the projects disabled on the …

…project bar

M code/user_api.php
(user_get_accessible_projects) Check project enabled flag for non-admins.


git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2272 f5dc347c-c33d-0410-90a0-b07cc1902cb9

core/user_api.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: user_api.php,v 1.61 2003-10-28 10:37:15 vboctor Exp $
+	# $Id: user_api.php,v 1.62 2003-11-20 10:38:07 vboctor Exp $
 	# --------------------------------------------------------
 
 	$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
@@ -516,11 +516,13 @@ function user_get_accessible_projects( $p_user_id ) {
 			$query = "SELECT DISTINCT( p.id )
 					  FROM $t_project_table p
 					  LEFT JOIN $t_project_user_list_table u
-					    ON p.id=u.project_id AND p.enabled=1
-					  WHERE p.view_state='$t_public'
-					    OR (p.view_state='$t_private'
-						    AND
-					        u.user_id='$c_user_id')
+					    ON p.id=u.project_id
+					  WHERE ( p.enabled = 1 ) AND 
+						( p.view_state='$t_public'
+						    OR (p.view_state='$t_private'
+							    AND
+						        u.user_id='$c_user_id' )
+						)
 					  ORDER BY p.name";
 		}
 

doc/ChangeLog

@@ -11,6 +11,7 @@ Mantis ChangeLog
  * Fix #3353: History not updated in bug deletion email.
  * Fix #3389: Problems upgrading existing users to administrator.
  * Fix #3417: Setting $g_manage_news_threshold to 'DEVELOPER' can't add new news.
+ * Fix #3421: Users except admin can 'see' the projects disabled on the project bar.
  * Sec #0000: Various Cross-Site Scripting vulnerabilities fixed (thanks to Paul Richards).
  * Languages: Updated French localisation.