authorlpsolit%gmail.com <>2005-10-01 07:25:49 +0200
committerlpsolit%gmail.com <>2005-10-01 07:25:49 +0200
commit88d7ced2b3871564e7e84dd8ec3be5bd39e8f999 (patch)
tree0e3a81644b777f8850b0e5c38038a1b875272560 /Bugzilla/User.pm
parent9910fc71adca449eeec373ffab40815aeb01776d (diff)
Bug 308662: [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave
Diffstat (limited to 'Bugzilla/User.pm')
-rw-r--r--Bugzilla/User.pm4
1 files changed, 2 insertions, 2 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 1abc16d35..3fca325b6 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -711,10 +711,10 @@ sub match {
if (&::Param('usevisibilitygroups')) {
$query .= ", user_group_map";
}
- $query .= " WHERE " .
+ $query .= " WHERE (" .
$dbh->sql_position($sqlstr, 'LOWER(login_name)') . " > 0" .
" OR " .
- $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0";
+ $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0)";
if (&::Param('usevisibilitygroups')) {
$query .= " AND user_group_map.user_id = userid" .
" AND isbless = 0" .
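Review bot: The parentheses added around the two `sql_position` terms are the whole security fix, but nothing in the code says so, which makes it easy for a later edit to drop them. Without the grouping, SQL evaluates AND before OR, so the `user_group_map` conditions appended under `usevisibilitygroups` constrained only the `realname` term, and any `login_name` match was returned regardless of visibility. I would add a comment above the `WHERE (` line such as `# Keep the OR parenthesized: the visibility-group AND clauses below must apply to both terms.` `match` begins and ends outside this hunk, so any other query it builds with an OR followed by these AND clauses should be checked for the same grouping.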