Prevent unauthorized users setting handler when reporting issue

Adding a security check to block the update when access level is insufficient. Fixes #17878 Signed-off-by: Damien Regad <dregad@mantisbt.org>
mantisbt · Nov 15, 2014 · b2f91c0 · b2f91c0
1 parent f001e06
commit b2f91c0
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/bug_report.php b/bug_report.php
@@ -94,6 +94,11 @@
 		$t_bug_data->target_version = gpc_get_string( 'target_version', '' );
 	}
 
+	# Prevent unauthorized users setting handler when reporting issue
+	if( $t_bug_data->handler_id > 0 ) {
+		access_ensure_project_level( config_get( 'update_bug_assign_threshold' ) );
+	}
+
 	# if a profile was selected then let's use that information
 	if ( 0 != $t_bug_data->profile_id ) {
 		if ( profile_is_global( $t_bug_data->profile_id ) ) {