MantisBT: master-1.2.x 628e9370

Author Committer Branch Timestamp Parent
dhx dhx master-1.2.x 2012-06-02 04:35:19 master-1.2.x ceafe6f0
Affected Issues  0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON;
 0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment
Changeset

Fix 0014015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer):

Although configuration option allow_delete_own_attachments is set to ON
reporters cannot delete their own attachments. After pushing the delete
button you get "Access Denied"

Issue 0014016 implemented correct attachment deletion access control
checks against delete_attachments_threshold. We should be using this
threshold instead of update_bug_threshold because attachments aren't
linked to the core fields of an issue -- they are frequently related to
comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Conflicts:
bug_file_delete.php

mod - api/soap/mc_issue_attachment_api.php Diff File
mod - bug_file_delete.php Diff File