From 1af3e6dce4d595be0b13cf6e948ca635ff0aea16 Fri, 9 Dec 2011 00:50:58 +0200
From: Robert Munteanu <robert.munteanu@gmail.com>
Date: Fri, 9 Dec 2011 00:49:17 +0200
Subject: [PATCH] SOAP API: proper access checks when deleting bugs

Affects #13656 : Reporters have read/write access to existing data of other users

diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
index 1254039..2be49bb 100644
--- a/api/soap/mc_issue_api.php
+++ b/api/soap/mc_issue_api.php
@@ -943,6 +943,10 @@
 	if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
 		return mci_soap_fault_access_denied( $t_user_id );
 	}
+	
+	if ( !access_has_bug_level( config_get( 'delete_bug_threshold' ), $p_issue_id, $t_user_id ) ) {
+	    return mci_soap_fault_access_denied( $t_user_id );
+	}
 
 	return bug_delete( $p_issue_id );
 }
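Review bot: The added check reads the threshold with `config_get( 'delete_bug_threshold' )`, which resolves against the current user and project context rather than the project the issue belongs to, so a per-project override of the delete threshold may not be honoured. `$t_user_id` and `$t_project_id` are already used by the check just above, so the lookup can be pinned to the issue's project: `config_get( 'delete_bug_threshold', null, $t_user_id, $t_project_id )`. Whether the SOAP entry point sets a current project beforehand cannot be seen here, since the function starts outside the hunk. As a style point, the new lines use `if (`, space indentation and a whitespace-only line where the surrounding code uses `if(` and tabs.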