authorlpsolit%gmail.com <>2005-09-26 05:51:52 +0200
committerlpsolit%gmail.com <>2005-09-26 05:51:52 +0200
commit67cb0c3f70d5b3d98e30a9e3ce7ac3b00766f9d9 (patch)
treea970fbeba9ab90bd35a23da9b1d695cf4d605f70 /editusers.cgi
parent5e5715dffe4e217ab4bc669e7e6489e003704920 (diff)
Bug 303784: Visibility can keep admin from administering groups - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-xeditusers.cgi15
1 files changed, 3 insertions, 12 deletions
diff --git a/editusers.cgi b/editusers.cgi
index 27c16bbe7..049bfabf7 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -85,7 +85,7 @@ if ($action eq 'search') {
my $nextCondition;
my $visibleGroups;
- if (Param('usevisibilitygroups')) {
+ if (!$editusers && Param('usevisibilitygroups')) {
# Show only users in visible groups.
$visibleGroups = $user->visible_groups_as_string();
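Review bot: The comment `# Show only users in visible groups.` is now inaccurate for callers in the editusers group, who skip this branch and search across all users; it could read `# Callers without editusers only see users in their visible groups.`. With the branch skipped, `$visibleGroups` stays undefined for those callers, so any later use of it in the search query (outside this hunk) should be confirmed to tolerate that. The `if` body continues past the end of the hunk.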
@@ -233,7 +233,7 @@ if ($action eq 'search') {
'group_group_map READ',
'group_group_map AS ggm READ');
- $user->can_see_user($otherUser)
+ $editusers || $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible",
action => "modify",
object => "user"});
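Review bot: The new check `$editusers || $user->can_see_user($otherUser) || ThrowUserError(...)` folds a privilege bypass and a visibility check into one `||` chain with no comment, and the identical expression is repeated in `edit_processing` (the hunk at -785). A line such as `# editusers members may modify any account; others only accounts they can see.` above it would make the authorization rule explicit. A shared helper taking the action name would keep the two sites from drifting apart. Callers who reach this code without editusers (presumably through bless rights, which are not visible here) still get the visibility check, and that is the property worth pinning with a regression test.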
@@ -409,11 +409,6 @@ if ($action eq 'search') {
$editusers || ThrowUserError('auth_failure', {group => "editusers",
action => "delete",
object => "users"});
- $user->can_see_user($otherUser)
- || ThrowUserError('auth_failure', {reason => "not_visible",
- action => "delete",
- object => "user"});
-
$vars->{'otheruser'} = $otherUser;
$vars->{'editcomponents'} = UserInGroup('editcomponents');
@@ -519,10 +514,6 @@ if ($action eq 'search') {
{group => "editusers",
action => "delete",
object => "users"});
- $user->can_see_user($otherUser)
- || ThrowUserError('auth_failure', {reason => "not_visible",
- action => "delete",
- object => "user"});
@{$otherUser->product_responsibilities()}
&& ThrowUserError('user_has_responsibility');
@@ -785,7 +776,7 @@ sub edit_processing
$otherUser
|| ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
- $user->can_see_user($otherUser)
+ $editusers || $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible",
action => "modify",
object => "user"});
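Review bot: `edit_processing` now bases its authorization decision on `$editusers`, which is not passed in and whose declaration is outside the hunk; it appears to be a file-scoped variable read from inside a named sub. If it is a file-level `my`, the sub binds to the first instance of that variable, which is harmless for a one-shot CGI but would let a stale value decide the bypass under a persistent interpreter. Passing the flag as an argument, or recomputing it inside the sub (for example with `UserInGroup('editusers')`, the call form this file already uses for `editcomponents`), avoids that dependency. The sub's body starts and ends outside the hunk.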