MantisBT: master-1.2.x 628e9370

Author: dhx
Committer: dhx
Branch: master-1.2.x
Timestamp: 2012-06-02 00:35
Parent: master-1.2.x ceafe6f0

Affected Issues:
 0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON
 0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment
Changeset

Fix 0014015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer):

Although configuration option allow_delete_own_attachments is set to ON,
reporters cannot delete their own attachments. After pushing the delete
button you get "Access Denied".

Issue 0014016 implemented correct attachment deletion access control
checks against delete_attachments_threshold. We should be using this
threshold instead of update_bug_threshold because attachments aren't
linked to the core fields of an issue -- they are frequently related to
comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Conflicts:
bug_file_delete.php

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
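The access-control reasoning in the commit message can be seen side by side in a small stand-alone model. This is an added example, not MantisBT's own code from bug_file_delete.php or the SOAP API: the function names, the numeric access levels, the configuration array and the sample users are assumptions constructed for illustration. The "before" function is a hypothetical reconstruction of the state described on the page (a leftover update_bug_threshold check that denies reporters before the own-attachment rule is ever reached); the "after" function checks only delete_attachments_threshold and allow_delete_own_attachments.

```php
<?php
// Added example: a stand-alone model of the attachment-deletion access check
// discussed in the commit message. NOT MantisBT's own code; all names and
// numeric values below are assumptions constructed for illustration.

// Access levels in the style of MantisBT's defaults (assumed values).
const REPORTER  = 25;
const UPDATER   = 40;
const DEVELOPER = 50;

// Configuration as the bug report describes it (assumed keys and values).
$config = [
    'allow_delete_own_attachments' => true,
    'delete_attachments_threshold' => DEVELOPER,
    'update_bug_threshold'         => UPDATER,
];

/**
 * Pre-fix behaviour (hypothetical reconstruction): the update_bug_threshold
 * check runs first and denies everyone below it, so the own-attachment rule
 * never gets a chance to apply. This is the "Access Denied" the reporter saw.
 */
function can_delete_attachment_before_fix(array $config, int $userLevel, int $userId, int $uploaderId): bool
{
    if ($userLevel < $config['update_bug_threshold']) {
        return false; // reporters are refused even for their own files
    }
    if ($userLevel >= $config['delete_attachments_threshold']) {
        return true;
    }
    return $config['allow_delete_own_attachments'] && $userId === $uploaderId;
}

/**
 * Post-fix behaviour: deleting someone else's attachment is governed only by
 * delete_attachments_threshold; the own-attachment rule is evaluated on its
 * own, so allow_delete_own_attachments works again for reporters.
 */
function can_delete_attachment_after_fix(array $config, int $userLevel, int $userId, int $uploaderId): bool
{
    if ($userLevel >= $config['delete_attachments_threshold']) {
        return true;
    }
    return $config['allow_delete_own_attachments'] && $userId === $uploaderId;
}

// Constructed scenarios: label, user level, user id, uploader id, expected result after the fix.
$cases = [
    ['reporter deleting own attachment',        REPORTER,  7, 7, true],
    ['reporter deleting someone else\'s file',  REPORTER,  7, 3, false],
    ['updater deleting someone else\'s file',   UPDATER,   4, 3, false],
    ['developer deleting someone else\'s file', DEVELOPER, 9, 3, true],
];

foreach ($cases as [$label, $level, $uid, $owner, $expected]) {
    $before = can_delete_attachment_before_fix($config, $level, $uid, $owner);
    $after  = can_delete_attachment_after_fix($config, $level, $uid, $owner);
    printf("%-42s before: %-5s after: %-5s\n", $label, $before ? 'allow' : 'deny', $after ? 'allow' : 'deny');
    if ($after !== $expected) {
        throw new RuntimeException("unexpected post-fix decision for: $label");
    }
}
```

Run with `php example.php`. The first scenario is the reported bug (the reporter is denied before the fix and allowed after); the second and third show that the fix does not reintroduce the CVE-2012-2692 behaviour, since a user below delete_attachments_threshold still cannot remove another user's attachment.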