0005610: Actiongroup assign action: wrong permissions check

ID	Project	Category	View Status	Date Submitted	Last Update
0005610	mantisbt	bugtracker	public	2005-05-16 15:27	2005-05-31 11:27

Reporter	masc	Assigned To	thraxisp
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Platform	X86	OS	Windows	OS Version	Win2K
Product Version	1.0.0a2
Fixed in Version	1.0.0a3

Summary	0005610: Actiongroup assign action: wrong permissions check
Description	The permissions check is based on the assigner user access level instead of the current user. This means the current user have rights to assign issues to someone but this someone has no the same access level, the action is refused. On the contrary the same action is accepted if made using the single bug view. The following line: access_has_bug_level( $t_threshold , $t_bug_id, $f_assign ) should be modified in: access_has_bug_level( $t_threshold , $t_bug_id ) where the permissions check is based on the current user.
Tags	No tags attached.

masc 2005-05-16 15:29 reporter ~0010145	Fixed in CVS

thraxisp 2005-05-17 22:07 reporter ~0010162	There is a problem here, but the solution is not correct. The check should be that new handler has rights to handle the issue, and that current user has rights to assign the issue.

thraxisp 2005-05-17 22:25 reporter ~0010163	Fixed in CVS. bug_actiongroup.php -> 1.45 bug_assign.php -> 1.41 (added comments)