
SOAP API: proper access checks when deleting bugs

Affects #13656 : Reporters have read/write access to existing data of other users
1 parent 9d3f578 commit df7782a65e96aa1c9639a7625a658102134c7fe0 @rombert rombert committed Dec 8, 2011
Showing with 4 additions and 0 deletions.
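--- a/api/soap/mc_issue_api.php
+++ b/api/soap/mc_issue_api.php
@@ -943,6 +943,10 @@ function mc_issue_delete( $p_username, $p_password, $p_issue_id ) {
 if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
 return mci_soap_fault_access_denied( $t_user_id );
 }
+
+ if ( !access_has_bug_level( config_get( 'delete_bug_threshold' ), $p_issue_id, $t_user_id ) ) {
+ return mci_soap_fault_access_denied( $t_user_id );
+ }
 return bug_delete( $p_issue_id );
 }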
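Review bot: The threshold in the added check is read with `config_get( 'delete_bug_threshold' )` and no user or project argument, so it is presumably resolved against whatever project is current for the SOAP request rather than the project that owns `$p_issue_id`. A per-project or per-user override of the delete threshold could then be missed, letting the call through or denying it against the wrong value. Since `$t_user_id` and `$t_project_id` are already in scope for the read/write check just above, the lookup can be pinned to them: `config_get( 'delete_bug_threshold', null, $t_user_id, $t_project_id )`. mc_issue_delete starts outside the hunk, so how `$t_project_id` is derived and whether the issue's existence is verified before these checks cannot be confirmed from here.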
