0013737: mci_issue_get_tags_for_bug_id incorrect access checks

ID	Project	Category	View Status	Date Submitted	Last Update
0013737	mantisbt	security	public	2012-01-07 16:22	2013-07-17 17:32

Reporter	rombert	Assigned To	rombert
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	no change required
Product Version	1.2.8

Summary	0013737: mci_issue_get_tags_for_bug_id incorrect access checks
Description	mci_issue_get_tags_for_bug_id. This call also fails to check whether the issue is private and whether the user has permission to read the private issue. The access check should be changed to access_has_bug_level instead which correctly handles private issues, project specific permissions, etc
Tags	No tags attached.

rombert 2012-03-03 17:27 reporter ~0031372	Reminder sent to: dhx David, in 0013656:0030834 you mentioned that mci_issue_get_tags uses an incorrect access check. I've verified and I use access_has_bug_level for both attach and detach operations ( see https://github.com/mantisbt/mantisbt/blob/master-1.2.x/api/soap/mc_tag_api.php#L151 and https://github.com/mantisbt/mantisbt/blob/master-1.2.x/api/soap/mc_tag_api.php#L157 ). Is there anything else I should do to ensure that access checks are correct?

dhx 2012-06-02 03:54 reporter ~0031975	Sorry, forgot about this one. I'll look into it now.

dhx 2012-06-02 05:48 reporter ~0031976	Those two source code references look OK to me.

rombert 2012-06-04 18:27 reporter ~0032007	Thanks.