diff options
-rw-r--r-- | Bugzilla/API/1_0/Resource/User.pm | 3 | ||||
-rw-r--r-- | Bugzilla/WebService/User.pm | 10 | ||||
-rw-r--r-- | docs/en/rst/api/core/v1/user.rst | 4 |
3 files changed, 16 insertions, 1 deletions
diff --git a/Bugzilla/API/1_0/Resource/User.pm b/Bugzilla/API/1_0/Resource/User.pm index 3f1b6272d..ec81cf66d 100644 --- a/Bugzilla/API/1_0/Resource/User.pm +++ b/Bugzilla/API/1_0/Resource/User.pm @@ -326,6 +326,7 @@ sub update { # Reject access if there is no sense in continuing. $user->in_group('editusers') + || $user->can_bless() || ThrowUserError("auth_failure", {group => "editusers", action => "edit", object => "users"}); @@ -343,6 +344,8 @@ sub update { delete $values->{ids}; $dbh->bz_start_transaction(); + + $values = { groups => $values->{groups} } unless $user->in_group('editusers'); foreach my $user (@$user_objects){ $user->set_all($values); } diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index 0ae76d70f..bacd08ba1 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -275,6 +275,7 @@ sub update { # Reject access if there is no sense in continuing. $user->in_group('editusers') + || $user->can_bless() || ThrowUserError("auth_failure", {group => "editusers", action => "edit", object => "users"}); @@ -292,6 +293,8 @@ sub update { delete $values->{ids}; $dbh->bz_start_transaction(); + + $values = { groups => $values->{groups} } unless $user->in_group('editusers'); foreach my $user (@$user_objects){ $user->set_all($values); } @@ -709,7 +712,12 @@ B<EXPERIMENTAL> =item B<Description> -Updates user accounts in Bugzilla. +Updates user accounts in Bugzilla. To use this method, you must be a member +of the C<editusers> group. + +If you are not in the C<editusers> group, you may +add or remove users from groups if you have bless permissions for the groups +you wish to modify. All other changes will be ignored. =item B<REST> diff --git a/docs/en/rst/api/core/v1/user.rst b/docs/en/rst/api/core/v1/user.rst index e27211a7f..b6aaa43e1 100644 --- a/docs/en/rst/api/core/v1/user.rst +++ b/docs/en/rst/api/core/v1/user.rst @@ -162,6 +162,10 @@ Update User Updates an existing user account in Bugzilla. You must be authenticated and be in the *editusers* group to perform this action. +If you are not in the *editusers* group, you may add or remove users from groups +if you have bless permissions for the groups you wish to modify. All other changes +will be ignored. + **Request** .. code-block:: text |