Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some cases reporters had access to the 'Change Status To' button, which could let them change an existing issue's status to 'new' (even if not their own issue).

The code now checks that the user has at least 'update_bug_threshold' permissions to display the button.

Fixes #15258