I just stumbled across this error: I have a project in Mantis with a project-manager assigned. While this manager can add new categories alright, whenever he tries to update an existing category he gets an ACCESS_DENIED error (see issue 9728).

I figured, that in the manage_proj_cat_edit_page.php the project_id field is missing, so the:

access_ensure_project_level( config_get( 'manage_project_threshold' ), $f_project_id );

always tests for the permission on ALL_PROJECTS (because of:

$f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS );

However, by adding:

<input type="hidden" name="project_id" value="<?php echo $f_project_id ?>" />

to the manage_proj_cat_edit_page.php the problem could be resolved 🙂