MantisBT: master 5376d2a2

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2020-12-13 07:08
Parent: master 889c8d24
Affected Issues: 0027361: Private category can be access/used by a non member of a private project (IDOR)
Changeset

Prevent setting category not belonging to project

When retrieving a category for a given project, make sure that it is
available in the project's hierarchy, taking inheritance into account.

This is a follow-up on commit b77859901050b558bfcd28050cff1599d60e45fa
which only covered bug_report.php, when in fact the same problem was
also present in bug_update.php.

Fixes 0027361

mod - bug_update.php
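
The kind of check the commit message describes, as an added sketch that is not code from this changeset or from MantisBT: a submitted category id is accepted only if its owning project is within the target project's hierarchy, and both the report and the update path go through the same validator. The function names, the sample maps and the use of project id 0 for global categories are assumptions made for the illustration.

```php
<?php
// Added illustration, not MantisBT code. All names and data below are constructed.
const PROJECT_PARENT      = [1 => null, 2 => 1, 3 => null];     // project => parent
const INHERIT_FROM_PARENT = [1 => false, 2 => true, 3 => false];
const CATEGORY_OWNER      = [10 => 0, 11 => 1, 12 => 2, 13 => 3]; // 0 = global (assumed)

/** Project ids whose categories are usable in $projectId (self, inherited parents, global). */
function category_scope(int $projectId): array
{
    $scope = [0];
    $seen = [];
    $current = $projectId;
    while ($current !== null && !isset($seen[$current])) {
        $seen[$current] = true;              // guard against a cyclic hierarchy
        $scope[] = $current;
        if (!(INHERIT_FROM_PARENT[$current] ?? false)) {
            break;                           // inheritance disabled: stop climbing
        }
        $current = PROJECT_PARENT[$current] ?? null;
    }
    return $scope;
}

/** Authorization check shared by every code path that sets a category. */
function category_allowed(int $categoryId, int $projectId): bool
{
    if (!array_key_exists($categoryId, CATEGORY_OWNER)) {
        return false;                        // unknown id is rejected, never trusted
    }
    return in_array(CATEGORY_OWNER[$categoryId], category_scope($projectId), true);
}

/** Hypothetical handler body used by both the report and the update path. */
function set_category(array $bug, int $submittedCategoryId): array
{
    if (!category_allowed($submittedCategoryId, $bug['project_id'])) {
        throw new InvalidArgumentException('Category not available in this project');
    }
    $bug['category_id'] = $submittedCategoryId;
    return $bug;
}

$bug = ['id' => 100, 'project_id' => 2, 'category_id' => 12];
foreach ([10, 11, 12, 13, 999] as $candidate) {
    try {
        set_category($bug, $candidate);
        echo "category $candidate: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "category $candidate: rejected\n";
    }
}
```

Routing every entry point through one validator is what prevents the gap the message describes, where the check existed on the report path but not on the update path.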