mc_issue_note_update passing wrong param to access check function
Commit edc8142 introduced proper logic
to avoid unauthorized update of bugnotes, but was passing incorrect
parameters to access_has_bugnote_level() so unprivileged users could
still update them.

Fixes #14340
dregad committed Jun 3, 2012
1 parent 5654252 commit 175d973
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion api/soap/mc_issue_api.php
Expand Up @@ -1113,7 +1113,7 @@ function mc_issue_note_update( $p_username, $p_password, $p_note ) {
# Check if the user has an access level beyond update_bugnote_threshold for the
# project containing the bugnote to update.
$t_update_bugnote_threshold = config_get( 'update_bugnote_threshold', null, $t_user_id, $t_project_id );
if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_user_id, $t_project_id ) ) {
if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_issue_note_id, $t_user_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}
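Review bot: The corrected access_has_bugnote_level() call (the second of the two `if` lines, taking `$t_issue_note_id, $t_user_id`) ships without a regression test, and this is a mistake that fails silently: both the old and the new argument lists are plain integer ids, so passing a user id where a bugnote id is expected raises no error and simply evaluates the threshold against the wrong record. Please add a SOAP API test in which a user below update_bugnote_threshold who does not own the note calls mc_issue_note_update and must receive the mci_soap_fault_access_denied fault, plus the positive case for the note's owner. The hunk also does not show where `$t_issue_note_id` is assigned; confirm it is taken from `$p_note` and checked for existence before this line, since the whole authorization decision now depends on it. A short comment on the call naming the expected parameter order (threshold, bugnote id, user id) would help keep the next edit from reintroducing the swap.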
