From d0f4e150d0b47a3ef9d2ec66db5c1083b31bb574 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Thu, 16 Oct 2025 09:40:23 +0200
Subject: [PATCH] Add access check when copying column settings

Fixes #36502
---
 manage_columns_copy.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/manage_columns_copy.php b/manage_columns_copy.php
index f6d0d740b..cec694954 100644
--- a/manage_columns_copy.php
+++ b/manage_columns_copy.php
@@ -75,6 +75,11 @@ if( $f_manage_page && $t_dst_project_id != ALL_PROJECTS ) {
 	access_ensure_project_level( MANAGER, $t_dst_project_id );
 }
 
+# only MANAGERS can read global defaults of a project
+if( $f_manage_page && $t_src_project_id != ALL_PROJECTS ) {
+	access_ensure_project_level( MANAGER, $t_src_project_id );
+}
+
 # user should only be able to set columns for a project that is accessible.
 if( $t_dst_project_id != ALL_PROJECTS ) {
 	access_ensure_project_level( config_get( 'view_bug_threshold', null, null, $t_dst_project_id ), $t_dst_project_id );
-- 
2.45.1.windows.1