MantisBT: master-2.24 dd86c9c0

Author: dregad
Committer: dregad
Branch: master-2.24
Timestamp: 2020-09-20 06:24
Parent: master-2.24 42fc49d5
Affected Issues  0027268: Admin can get issues assigned to users not allowed to handle them
Changeset

Prevent assignment of categories to non-handler users

manage_proj_cat_update.php did not perform the necessary checks on the
provided user id (assigned_to parameter), allowing users with an access
level below handle_bug_threshold to be assigned to a category, and
subsequently to bugs created in that category.

Also added a check to ensure the provided user id is valid.

As suggested by @atrol, the checks are performed in Category API.

Fixes 0027268

mod - core/category_api.php
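
The check described in the commit message, modelled as an added example (not MantisBT's code and not part of this changeset): validation of the assigned_to user id sits in the API-layer function, so every caller gets it. The function names, the in-memory user and category tables, and the threshold value are assumptions made for the illustration.

```php
<?php
// Added illustration, not MantisBT source. All names and sample data are hypothetical.
// Access level values follow MantisBT's defaults (REPORTER 25, DEVELOPER 55).
const REPORTER = 25;
const DEVELOPER = 55;
const HANDLE_BUG_THRESHOLD = DEVELOPER; // assumed value of handle_bug_threshold

// Constructed sample data: user id => access level in the project.
$g_users = [ 2 => DEVELOPER, 3 => REPORTER ];
// Constructed sample data: category id => default handler (0 = none).
$g_categories = [ 10 => 0 ];

// API-layer update: every caller passes through these checks.
function category_set_handler( int $p_category_id, int $p_assigned_to ): void {
	global $g_users, $g_categories;
	if( !array_key_exists( $p_category_id, $g_categories ) ) {
		throw new InvalidArgumentException( "category $p_category_id not found" );
	}
	if( $p_assigned_to !== 0 ) { // 0 clears the default handler, nothing to validate
		if( !array_key_exists( $p_assigned_to, $g_users ) ) {
			throw new InvalidArgumentException( "user $p_assigned_to does not exist" );
		}
		if( $g_users[$p_assigned_to] < HANDLE_BUG_THRESHOLD ) {
			throw new DomainException( "user $p_assigned_to is below handle_bug_threshold" );
		}
	}
	$g_categories[$p_category_id] = $p_assigned_to;
}

// Simulates the update page: the id arrives as a request parameter and is only cast to int.
function try_update( int $p_category_id, string $p_raw_assigned_to ): string {
	try {
		category_set_handler( $p_category_id, (int)$p_raw_assigned_to );
		return 'accepted';
	} catch( InvalidArgumentException | DomainException $e ) {
		return 'rejected: ' . $e->getMessage();
	}
}

// Valid handler, user below the threshold, nonexistent user, and "no handler".
foreach( [ '2', '3', '999', '0' ] as $t_raw ) {
	echo "assigned_to=$t_raw => ", try_update( 10, $t_raw ), PHP_EOL;
}
```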