summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/API/1_0/Resource/User.pm3
-rw-r--r--Bugzilla/WebService/User.pm10
-rw-r--r--docs/en/rst/api/core/v1/user.rst4
3 files changed, 16 insertions, 1 deletions
diff --git a/Bugzilla/API/1_0/Resource/User.pm b/Bugzilla/API/1_0/Resource/User.pm
index 3f1b6272d..ec81cf66d 100644
--- a/Bugzilla/API/1_0/Resource/User.pm
+++ b/Bugzilla/API/1_0/Resource/User.pm
@@ -326,6 +326,7 @@ sub update {
# Reject access if there is no sense in continuing.
$user->in_group('editusers')
+ || $user->can_bless()
|| ThrowUserError("auth_failure", {group => "editusers",
action => "edit",
object => "users"});
@@ -343,6 +344,8 @@ sub update {
delete $values->{ids};
$dbh->bz_start_transaction();
+
+ $values = { groups => $values->{groups} } unless $user->in_group('editusers');
foreach my $user (@$user_objects){
$user->set_all($values);
}
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index 0ae76d70f..bacd08ba1 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -275,6 +275,7 @@ sub update {
# Reject access if there is no sense in continuing.
$user->in_group('editusers')
+ || $user->can_bless()
|| ThrowUserError("auth_failure", {group => "editusers",
action => "edit",
object => "users"});
@@ -292,6 +293,8 @@ sub update {
delete $values->{ids};
$dbh->bz_start_transaction();
+
+ $values = { groups => $values->{groups} } unless $user->in_group('editusers');
foreach my $user (@$user_objects){
$user->set_all($values);
}
@@ -709,7 +712,12 @@ B<EXPERIMENTAL>
=item B<Description>
-Updates user accounts in Bugzilla.
+Updates user accounts in Bugzilla. To use this method, you must be a member
+of the C<editusers> group.
+
+If you are not in the C<editusers> group, you may
+add or remove users from groups if you have bless permissions for the groups
+you wish to modify. All other changes will be ignored.
=item B<REST>
diff --git a/docs/en/rst/api/core/v1/user.rst b/docs/en/rst/api/core/v1/user.rst
index e27211a7f..b6aaa43e1 100644
--- a/docs/en/rst/api/core/v1/user.rst
+++ b/docs/en/rst/api/core/v1/user.rst
@@ -162,6 +162,10 @@ Update User
Updates an existing user account in Bugzilla. You must be authenticated and be
in the *editusers* group to perform this action.
+If you are not in the *editusers* group, you may add or remove users from groups
+if you have bless permissions for the groups you wish to modify. All other changes
+will be ignored.
+
**Request**
.. code-block:: text