MantisBT: master-1.2.x 628e9370
Author | Committer | Branch | Timestamp | Parent |
---|---|---|---|---|
dhx | dhx | master-1.2.x | 2012-06-02 00:35 | master-1.2.x ceafe6f0 |
Affected Issues | 0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON |
| 0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment |
Changeset | Fix 0014015: attachment deletion: remove update_bug_threshold check As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON Issue 0014016 implemented correct attachment deletion access control $g_allow_delete_own_attachments should now work again... safely. Conflicts: |
mod - api/soap/mc_issue_attachment_api.php | Diff File |
mod - bug_file_delete.php | Diff File |