Only attach Issues to changeset if authorized

A user having Update threshold can attach *any* Issue to a Changeset,
even if they do not have access to it (i.e. private Issue), by entering
the Issue's Id.

Fixes #344

Author: dregad

Source/pages/attach.php

@@ -16,10 +16,14 @@
 $t_user_id = auth_get_current_user_id();
 
 $t_bug_ids = explode( ',', $f_bug_ids );
+$t_view_bug_threshold = config_get('view_bug_threshold');
 foreach( $t_bug_ids as $t_bug_id ) {
 	$t_bug_id = (int) $t_bug_id;
 
-	if ( $t_bug_id < 1 || !bug_exists( $t_bug_id ) ) {
+	if ( $t_bug_id < 1
+		|| !bug_exists( $t_bug_id )
+		|| !access_has_bug_level( $t_view_bug_threshold, $t_bug_id )
+	) {
 		continue;
 	}