MantisBT: master-1.2.x c8813734

Author: dregad
Committer: dregad
Branch: master-1.2.x
Timestamp: 2012-12-06 03:39
Parent: master-1.2.x 179bfc01
Affected Issues: 0015258: CVE-2013-1811 Reporter can change issue status to 'new'
Changeset

Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).

The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.

Fixes 0015258

mod - core/html_api.php