Bug 1237161: Allow users with bless permissions to update users group membership using WebService

r=LpSolit a=dkl
author: Matt Tyson <mtyson@redhat.com> 2016-02-07 13:43:35 +0100
committer: Frédéric Buclin <LpSolit@gmail.com> 2016-02-07 13:43:35 +0100
commit: c81a842c51eb1bd8beddbadc865450bd4e4db0bf (patch)
tree: 024b5a0effa67f83c0ab6fb36d05709e47f4f093 /Bugzilla/API
parent: 8c54443dd24eb15576dd5c2ebfbc6ce174276b3c (diff)
download: bugzilla-c81a842c51eb1bd8beddbadc865450bd4e4db0bf.tar.gz
bugzilla-c81a842c51eb1bd8beddbadc865450bd4e4db0bf.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/Bugzilla/API/1_0/Resource/User.pm b/Bugzilla/API/1_0/Resource/User.pm
index 3f1b6272d..ec81cf66d 100644
--- a/Bugzilla/API/1_0/Resource/User.pm
+++ b/Bugzilla/API/1_0/Resource/User.pm
@@ -326,6 +326,7 @@ sub update {
 
     # Reject access if there is no sense in continuing.
     $user->in_group('editusers')
+        || $user->can_bless()
         || ThrowUserError("auth_failure", {group  => "editusers",
                                            action => "edit",
                                            object => "users"});
@@ -343,6 +344,8 @@ sub update {
     delete $values->{ids};
 
     $dbh->bz_start_transaction();
+
+    $values = { groups => $values->{groups} } unless $user->in_group('editusers');
     foreach my $user (@$user_objects){
         $user->set_all($values);
     }
author	Matt Tyson <mtyson@redhat.com>	2016-02-07 13:43:35 +0100
committer	Frédéric Buclin <LpSolit@gmail.com>	2016-02-07 13:43:35 +0100
commit	c81a842c51eb1bd8beddbadc865450bd4e4db0bf (patch)
tree	024b5a0effa67f83c0ab6fb36d05709e47f4f093 /Bugzilla/API
parent	8c54443dd24eb15576dd5c2ebfbc6ce174276b3c (diff)
download	bugzilla-c81a842c51eb1bd8beddbadc865450bd4e4db0bf.tar.gz bugzilla-c81a842c51eb1bd8beddbadc865450bd4e4db0bf.tar.xz