author | lpsolit%gmail.com <> | 2005-09-26 05:51:52 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-09-26 05:51:52 +0200 |
commit | 67cb0c3f70d5b3d98e30a9e3ce7ac3b00766f9d9 (patch) | |
tree | a970fbeba9ab90bd35a23da9b1d695cf4d605f70 | |
parent | 5e5715dffe4e217ab4bc669e7e6489e003704920 (diff) | |
download | bugzilla-67cb0c3f70d5b3d98e30a9e3ce7ac3b00766f9d9.tar.gz bugzilla-67cb0c3f70d5b3d98e30a9e3ce7ac3b00766f9d9.tar.xz |
Bug 303784: Visibility can keep admin from administering groups - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave
-rw-r--r-- | Bugzilla/User.pm | 2 | ||||
-rwxr-xr-x | editusers.cgi | 15 |
2 files changed, 4 insertions, 13 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 8d31414ba..d8749ccb0 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -328,7 +328,7 @@ sub bless_groups { } # If visibilitygroups are used, restrict the set of groups. - if (Param('usevisibilitygroups')) { + if ((!$self->in_group('editusers')) && Param('usevisibilitygroups')) { # Users need to see a group in order to bless it. my $visibleGroups = join(', ', @{$self->visible_groups_direct()}) || return $self->{'bless_groups'} = [];
diff --git a/editusers.cgi b/editusers.cgi
index 27c16bbe7..049bfabf7 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -85,7 +85,7 @@ if ($action eq 'search') { my $nextCondition; my $visibleGroups; - if (Param('usevisibilitygroups')) { + if (!$editusers && Param('usevisibilitygroups')) { # Show only users in visible groups. $visibleGroups = $user->visible_groups_as_string();
@@ -233,7 +233,7 @@ if ($action eq 'search') { 'group_group_map READ', 'group_group_map AS ggm READ'); - $user->can_see_user($otherUser) + $editusers || $user->can_see_user($otherUser) || ThrowUserError('auth_failure', {reason => "not_visible", action => "modify", object => "user"});
@@ -409,11 +409,6 @@ if ($action eq 'search') { $editusers || ThrowUserError('auth_failure', {group => "editusers", action => "delete", object => "users"}); - $user->can_see_user($otherUser) - || ThrowUserError('auth_failure', {reason => "not_visible", - action => "delete", - object => "user"}); - $vars->{'otheruser'} = $otherUser; $vars->{'editcomponents'} = UserInGroup('editcomponents');
@@ -519,10 +514,6 @@ if ($action eq 'search') { {group => "editusers", action => "delete", object => "users"}); - $user->can_see_user($otherUser) - || ThrowUserError('auth_failure', {reason => "not_visible", - action => "delete", - object => "user"}); @{$otherUser->product_responsibilities()} && ThrowUserError('user_has_responsibility');
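Review bot: In bless_groups (Bugzilla/User.pm), the comment kept above the new condition, `# If visibilitygroups are used, restrict the set of groups.`, no longer describes the code, since members of editusers now skip the restriction. I would reword it to `# If visibilitygroups are used, restrict the set of groups, except for members of editusers, who must be able to administer every group.` The inner parentheses around `!$self->in_group('editusers')` can also go: `if (!$self->in_group('editusers') && Param('usevisibilitygroups')) {`. bless_groups begins and ends outside the hunk, so how the list cached in `$self->{'bless_groups'}` is built for editusers members is not visible here.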
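Review bot: In the search branch of editusers.cgi (hunk at -85), `$visibleGroups` now stays undefined for members of editusers even when usevisibilitygroups is on, because its only visible assignment sits inside the guarded block. The rest of the branch is outside the hunk, so it should be confirmed that no later code builds the user query from `$visibleGroups` or treats an empty value as "no users visible"; if it does, editusers members need an explicit path of their own. A comment on the condition, for example `# Members of editusers search all accounts; visibility groups only restrict other users.`, would record that the exemption is intended.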
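Review bot: The authorization exemption `$editusers || $user->can_see_user($otherUser) || ThrowUserError(...)` is written out twice, in the hunk at -233 and again in edit_processing at -785, and neither copy says why the first term may skip the visibility check. In a three-term `||` chain it is easy to miss that `$editusers` is a bypass and not just another precondition. I would put `# Members of editusers may modify any account; everyone else only accounts they can see.` above both statements. `$editusers` is assigned outside these hunks, so it is worth confirming that it is computed from the current user's group membership on every request, since both checks now depend on it.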
@@ -785,7 +776,7 @@ sub edit_processing $otherUser || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')}); - $user->can_see_user($otherUser) + $editusers || $user->can_see_user($otherUser) || ThrowUserError('auth_failure', {reason => "not_visible", action => "modify", object => "user"}); |