SOAP API: proper access checks when deleting bugs
Affects #13656 : Reporters have read/write access to existing data of other users
rombert committed Jan 6, 2012
1 parent 9d3f578 commit df7782a
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions api/soap/mc_issue_api.php
Expand Up @@ -943,6 +943,10 @@ function mc_issue_delete( $p_username, $p_password, $p_issue_id ) {
if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}

if ( !access_has_bug_level( config_get( 'delete_bug_threshold' ), $p_issue_id, $t_user_id ) ) {
return mci_soap_fault_access_denied( $t_user_id );
}

return bug_delete( $p_issue_id );
}
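Review bot: The added check looks up the threshold with `config_get( 'delete_bug_threshold' )`, passing no user or project arguments, so the value is resolved for whatever project context the SOAP request has rather than for the issue's own project. If per-project overrides of delete_bug_threshold are configured, the API could apply a different threshold than the one intended for this bug. Passing the values already at hand, `config_get( 'delete_bug_threshold', null, $t_user_id, $t_project_id )`, would tie the lookup to `$t_project_id`. A short comment above the new `if`, such as `// read/write API access alone is not enough; the user must also meet delete_bug_threshold for this bug`, would explain why two access checks sit back to back. mc_issue_delete starts above the hunk, so how `$t_user_id` and `$t_project_id` are derived is not visible here.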