Fix bug in access_has_bug_level() for private issues
When private_bug_threshold is defined as an array instead of a single
access level, e.g. array(0=>40, 1=>70, 2=>90) to prevent developers
from seeing private bugs while granting that privilege to updaters,
access_has_bug_level() incorrectly returned true.

The consequence is that unwanted access to Private bugs was granted to
users who are allowed to view them, e.g. allowing them to delete or
perform other restricted actions.

Fixes #10124
dregad committed Feb 28, 2012
1 parent 4ba2187 commit eb803ed
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions core/access_api.php
Expand Up @@ -420,10 +420,12 @@ function access_has_bug_level( $p_access_level, $p_bug_id, $p_user_id = null ) {
return false;
}

# If the bug is private and the user is not the reporter, then the
# the user must also have higher access than private_bug_threshold
# If the bug is private and the user is not the reporter, then
# they must also have higher access than private_bug_threshold
if( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) && !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
$p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
$t_access_level = access_get_project_level( $t_project_id, $p_user_id );
return access_compare_level( $t_access_level, config_get( 'private_bug_threshold' ) )
&& access_compare_level( $t_access_level, $p_access_level );
}

return access_has_project_level( $p_access_level, $t_project_id, $p_user_id );
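Review bot: the new branch reads the threshold with a bare `config_get( 'private_bug_threshold' )` while the user's level is resolved for the bug's project via `access_get_project_level( $t_project_id, $p_user_id )`; if `private_bug_threshold` is overridden per project, the threshold and the level are evaluated in different contexts, so consider passing `$p_user_id` and `$t_project_id` to `config_get` so both lookups agree. The root cause of the original bug is worth a comment in the code as well: PHP's `max()` treats an array as greater than any integer, so the deleted `max( $p_access_level, config_get( 'private_bug_threshold' ) )` returned the array whenever the threshold was configured as one, and that array then flowed into `access_has_project_level()`. Splitting the check into two `access_compare_level()` calls avoids that, but it also means the correctness of the private-bug check now depends on `access_compare_level()` handling an array threshold (as a membership test rather than a numeric comparison); a short unit test with `private_bug_threshold` set to both a scalar and an array such as `array(0=>40, 1=>70, 2=>90)`, asserting that a DEVELOPER is denied and an UPDATER is allowed, would lock that behaviour in.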
