MantisBT: master f82f98cc
Author | Committer | Branch | Timestamp | Parent |
---|---|---|---|---|
dhx | dhx | master | 2012-06-02 00:10 | master 8208170b |
Affected Issues | 0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON;
0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment |
Changeset | Fix 0014016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following

In a default installation delete_attachments_threshold is set to

MantisBT was not checking the access level of the user requesting

The new access control logic for deleting an issue attachment is now:

Also refer to issue 0014015 for discussion on whether

The relevant SOAP API call has also been updated.

Conflicts:

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php