author | Byron Jones <glob@mozilla.com> | 2015-08-24 06:35:33 +0200 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-08-24 06:35:33 +0200 |
commit | 0b05719fc8029a128c9b8e8e85109f3f8c13f47a (patch) | |
tree | 04f332d79e895b69fe9f362d69b934ae202adf1d /editusers.cgi | |
parent | 4cc64c90c53eaa910c4564f146d4cd804ccf485f (diff) | |
Bug 1196614 - restrict the ability for users with editusers/creategroups to alter admins and the admin group
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-x | editusers.cgi | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/editusers.cgi b/editusers.cgi
index e153cfbbc..a55fd04a7 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -761,6 +761,18 @@ sub check_user {
 }
 ($otherUser && $otherUser->id) || ThrowCodeError('invalid_user', $vars);
+ if (!$user->in_group('admin')) {
+ my $insider_group = Bugzilla->params->{insidergroup};
+ if ($otherUser->in_group('admin')
+ || ($otherUser->in_group($insider_group) && !$user->in_group($insider_group))
+ ) {
+ ThrowUserError('auth_failure', {
+ action => 'modify',
+ object => 'user'
+ });
+ }
+ }
+ return $otherUser;
 } |
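Review bot: The insider-group half of the new condition passes `Bugzilla->params->{insidergroup}` to `in_group()` without checking that the parameter is set, so on an installation with no insider group configured the result depends on how `in_group()` treats an empty or undefined name, which is not visible in this hunk. Making that explicit would keep the authorization decision self-contained: `|| ($insider_group && $otherUser->in_group($insider_group) && !$user->in_group($insider_group))`. The block would also benefit from a one-line comment stating the rule, e.g. `# Non-admins may not act on admins, nor on insider-group members unless they are insiders themselves.` Note that `$user` is declared outside the hunk and `check_user` starts above it, so this guard protects only the code paths that go through `check_user`; it is worth confirming that every action which modifies an account does.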