
Fix bug in access_has_bug_level() for private issues

When private_bug_threshold is defined as an array instead of a single
access level, e.g. array(0=>40, 1=>70, 2=>90) to prevent developers
from seeing private bugs while granting that privilege to updaters,
access_has_bug_level() incorrectly returned true.

The consequence is that unwanted access to Private bugs was granted to
users who are allowed to view them, e.g. allowing them to delete or
perform other restricted actions.

Fixes #10124
dregad committed Jan 23, 2012
1 parent 4ba2187 commit eb803ed02105fc919cf5f789e939f2b824162927
Showing with 5 additions and 3 deletions.
  1. +5 −3 core/access_api.php
@@ -420,10 +420,12 @@ function access_has_bug_level( $p_access_level, $p_bug_id, $p_user_id = null ) {
return false;
}
- # If the bug is private and the user is not the reporter, then the
- # the user must also have higher access than private_bug_threshold
+ # If the bug is private and the user is not the reporter, then
+ # they must also have higher access than private_bug_threshold
if( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) && !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
- $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
+ $t_access_level = access_get_project_level( $t_project_id, $p_user_id );
+ return access_compare_level( $t_access_level, config_get( 'private_bug_threshold' ) )
+ && access_compare_level( $t_access_level, $p_access_level );
}
return access_has_project_level( $p_access_level, $t_project_id, $p_user_id );
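Review bot: the new private-bug branch calls access_get_project_level( $t_project_id, $p_user_id ) and returns directly, so it no longer goes through access_has_project_level; given the signature's `$p_user_id = null` default, confirm that a null user id is resolved to the current user before line 420, or resolve it here, otherwise this branch evaluates the wrong user. It would also help to note in the comment above the `if` that config_get( 'private_bug_threshold' ) may be an array (the case the removed max() call mishandled) and that access_compare_level is now relied on to handle both the array and the scalar form; a unit test exercising the array configuration from the commit message would guard against a regression.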
