Fix #14015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer):

Although the configuration option allow_delete_own_attachments is set to ON,
reporters cannot delete their own attachments: after pressing the delete
button they get "Access Denied".

Issue #14016 implemented correct attachment deletion access control
checks against delete_attachments_threshold. We should be using this
threshold instead of update_bug_threshold because attachments aren't
linked to the core fields of an issue -- they are frequently related to
comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Conflicts:
	bug_file_delete.php
commit 628e93708fa7e35e751fd23863d207423a25c408 1 parent ceafe6f
@davidhicks davidhicks authored
Showing with 1 addition and 7 deletions.
  1. +1 −5 api/soap/mc_issue_attachment_api.php
  2. +0 −2  bug_file_delete.php
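--- a/api/soap/mc_issue_attachment_api.php
+++ b/api/soap/mc_issue_attachment_api.php
@@ -71,11 +71,7 @@ function mc_issue_attachment_delete( $p_username, $p_password, $p_issue_attachme
 $t_bug_id = file_get_field( $p_issue_attachment_id, 'bug_id' );
-# Check access against update_bug_threshold
-if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id, $t_user_id ) ) {
-return mci_soap_fault_access_denied( $t_user_id );
-}
-
+# Perform access control checks
 $t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
 $t_current_user_is_attachment_owner = $t_attachment_owner == $t_user_id;
 # Factor in allow_delete_own_attachments=ON|OFF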
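Review bot: The ownership test that now carries the access decision reads the owner of `$f_file_id` on the line `$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );`, while the bug id two lines earlier is looked up from the function's own parameter `$p_issue_attachment_id`; unless `$f_file_id` is assigned earlier in this function, outside the hunk, the owner check is evaluated against an undefined variable and its result no longer depends on the attachment actually being deleted, which matters now that the `update_bug_threshold` gate in front of it is gone. Use the parameter here: `$t_attachment_owner = file_get_field( $p_issue_attachment_id, 'user_id' );`. The comparison on the next line should also be strict, since a lookup that yields `null` or `false` compares loosely equal to a zero user id: `$t_current_user_is_attachment_owner = (int)$t_attachment_owner === (int)$t_user_id;`. The `delete_attachments_threshold` check the description relies on, and the rest of `mc_issue_attachment_delete`, lie outside the hunk, so this note covers only the owner test.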
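--- a/bug_file_delete.php
+++ b/bug_file_delete.php
@@ -42,8 +42,6 @@
 $g_project_override = $t_bug->project_id;
 }
-access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );
-
 $t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
 $t_current_user_is_attachment_owner = $t_attachment_owner == auth_get_current_user_id();
 if ( !$t_current_user_is_attachment_owner || ( $t_current_user_is_attachment_owner && !config_get( 'allow_delete_own_attachments' ) ) ) {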
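Review bot: With the `access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id )` line removed, the `if` on the last line of the hunk is the only gate visible before the delete, and its condition is harder to audit than it needs to be: `!$owner || ( $owner && !$allow )` is simply `!( $owner && $allow )`, so write `if ( !( $t_current_user_is_attachment_owner && config_get( 'allow_delete_own_attachments' ) ) ) {`. The ownership test two lines up uses `==`; if `file_get_field()` returns `null` or `false` for a missing row that compares loosely equal to a zero user id, so prefer `$t_current_user_is_attachment_owner = (int)$t_attachment_owner === (int)auth_get_current_user_id();`. The same owner/`allow_delete_own_attachments` logic is repeated in api/soap/mc_issue_attachment_api.php in this commit; a single helper in file_api, e.g. `file_can_delete( $p_file_id, $p_user_id )`, would keep the web and SOAP paths from drifting apart. The body of the `if`, where the `delete_attachments_threshold` check named in the description presumably lives, and any remaining view-level check on the bug are outside the hunk, so please confirm the latter survives, as the removed line was the only use of `$t_bug_id` visible here.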