From 76bb64383a8417f538433770ae6851103cac8f0d Fri, 9 Dec 2011 00:55:06 +0200
From: Robert Munteanu <robert.munteanu@gmail.com>
Date: Fri, 9 Dec 2011 00:46:34 +0200
Subject: [PATCH] SOAP API: proper access checks when deleting bugnotes

Affects #13656 : Reporters have read/write access to existing data of other users


diff --git a/api/soap/mc_issue_api.php b/api/soap/mc_issue_api.php
index 27ae499..1752ba1 100644
--- a/api/soap/mc_issue_api.php
+++ b/api/soap/mc_issue_api.php
@@ -1030,6 +1030,15 @@
 	if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
 		return mci_soap_fault_access_denied( $t_user_id );
 	}
+	
+	$t_reporter_id = bugnote_get_field( $p_issue_note_id, 'reporter_id' );	
+	
+	// mirrors check from bugnote_delete.php
+	if ( ( $t_user_id != $t_reporter_id ) || ( OFF == config_get( 'bugnote_allow_user_edit_delete' ) ) ) {
+	    if ( !access_has_bugnote_level( config_get( 'delete_bugnote_threshold' ), $p_issue_note_id ) ) {
+	        return mci_soap_fault_access_denied( $t_user_id );
+	    }
+	}
 
 	return bugnote_delete( $p_issue_note_id );
 }
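Review bot: The two `config_get()` calls on L21–L22 and the `access_has_bugnote_level()` call on L22 are evaluated in the implicit "current user / current project" context, while the access decision this hunk is meant to protect concerns `$t_user_id` in `$t_project_id` (both already resolved on L14); if the SOAP entry point does not set that context before this point, a per-project override of `bugnote_allow_user_edit_delete` or `delete_bugnote_threshold` would be read from the wrong project. Passing the ids explicitly removes the dependency: `if ( ( $t_user_id != $t_reporter_id ) || ( OFF == config_get( 'bugnote_allow_user_edit_delete', null, $t_user_id, $t_project_id ) ) ) {` and `if ( !access_has_bugnote_level( config_get( 'delete_bugnote_threshold', null, $t_user_id, $t_project_id ), $p_issue_note_id, $t_user_id ) ) {`. The loose `!=` on L21 is presumably intentional since `bugnote_get_field()` returns the database value as a string while `$t_user_id` is an int; a short comment such as `// loose compare: reporter_id comes back from the DB as a string` would save the next reader a check. As a style point, L22–L24 indent with a tab plus four spaces while the rest of the file uses tabs only, and L17–L19 carry trailing whitespace. The enclosing function starts before this hunk, so whether the bugnote's existence is validated before `bugnote_get_field()` is called cannot be confirmed from here.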