Fix #12443: Moving bugs - check for reporter permissions in destinati…

…on project The user with enough rights to move a bug into another project, is allowed to move it into a project in which he has only 'viewer' rights. Steps to reproduce this bug: 1. User has full rights in project A (enough to report and move bugs) 2. User has 'viewer' right in project B 3. User creates a bug in project A and is allowed to move it into project B Signed-off-by: David Hicks <d@hx.id.au>
mantisbt · Jul 12, 2011 · 822e50d · 822e50d
1 parent 208b59f
commit 822e50d
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/bug_actiongroup.php b/bug_actiongroup.php
@@ -98,9 +98,10 @@
 			break;
 
 		case 'MOVE':
-			if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) ) {
+			$f_project_id = gpc_get_int( 'project_id' );
+			if ( access_has_bug_level( config_get( 'move_bug_threshold' ), $t_bug_id ) &&
+			     access_has_project_level( config_get( 'report_bug_threshold' ), $f_project_id ) ) {
 				/** @todo we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); */
-				$f_project_id = gpc_get_int( 'project_id' );
 				bug_move( $t_bug_id, $f_project_id );
 				helper_call_custom_function( 'issue_update_notify', array( $t_bug_id ) );
 			} else {