summaryrefslogtreecommitdiffstats
path: root/editusers.cgi
diff options
context:
space:
mode:
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-xeditusers.cgi94
1 files changed, 54 insertions, 40 deletions
diff --git a/editusers.cgi b/editusers.cgi
index c71d704fd..e69489ed8 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -81,57 +81,68 @@ if ($action eq 'search') {
'FROM profiles';
my @bindValues;
my $nextCondition;
+ my $visibleGroups;
if (Param('usevisibilitygroups')) {
# Show only users in visible groups.
- my $visibleGroups = visibleGroupsAsString();
- $query .= qq{, user_group_map AS ugm
- WHERE ugm.user_id = profiles.userid
- AND ugm.isbless = 0
- AND ugm.group_id IN ($visibleGroups)
- };
- $nextCondition = 'AND';
+ $visibleGroups = visibleGroupsAsString();
+
+ if ($visibleGroups) {
+ $query .= qq{, user_group_map AS ugm
+ WHERE ugm.user_id = profiles.userid
+ AND ugm.isbless = 0
+ AND ugm.group_id IN ($visibleGroups)
+ };
+ $nextCondition = 'AND';
+ }
} else {
+ $visibleGroups = 1;
if ($grouprestrict eq '1') {
$query .= ', user_group_map AS ugm';
}
$nextCondition = 'WHERE';
}
- # Selection by user name.
- if (defined($matchtype)) {
- $query .= " $nextCondition profiles.login_name ";
- if ($matchtype eq 'regexp') {
- $query .= $dbh->sql_regexp . ' ?';
- $matchstr = '.' unless $matchstr;
- } elsif ($matchtype eq 'notregexp') {
- $query .= $dbh->sql_not_regexp . ' ?';
- $matchstr = '.' unless $matchstr;
- } else { # substr or unknown
- $query .= 'like ?';
- $matchstr = "%$matchstr%";
- }
- $nextCondition = 'AND';
- # We can trick_taint because we use the value in a SELECT only, using
- # a placeholder.
- trick_taint($matchstr);
- push(@bindValues, $matchstr);
+ if (!$visibleGroups) {
+ $vars->{'users'} = {};
}
+ else {
+ # Handle selection by user name.
+ if (defined($matchtype)) {
+ $query .= " $nextCondition profiles.login_name ";
+ if ($matchtype eq 'regexp') {
+ $query .= $dbh->sql_regexp . ' ?';
+ $matchstr = '.' unless $matchstr;
+ } elsif ($matchtype eq 'notregexp') {
+ $query .= $dbh->sql_not_regexp . ' ?';
+ $matchstr = '.' unless $matchstr;
+ } else { # substr or unknown
+ $query .= 'like ?';
+ $matchstr = "%$matchstr%";
+ }
+ $nextCondition = 'AND';
+ # We can trick_taint because we use the value in a SELECT only,
+ # using a placeholder.
+ trick_taint($matchstr);
+ push(@bindValues, $matchstr);
+ }
- # Selection by group.
- if ($grouprestrict eq '1') {
- $query .= " $nextCondition profiles.userid = ugm.user_id " .
- 'AND ugm.group_id = ?';
- # We can trick_taint because we use the value in a SELECT only, using
- # a placeholder.
- trick_taint($groupid);
- push(@bindValues, $groupid);
+ # Handle selection by group.
+ if ($grouprestrict eq '1') {
+ $query .= " $nextCondition profiles.userid = ugm.user_id " .
+ 'AND ugm.group_id = ?';
+ # We can trick_taint because we use the value in a SELECT only,
+ # using a placeholder.
+ trick_taint($groupid);
+ push(@bindValues, $groupid);
+ }
+ $query .= ' ORDER BY profiles.login_name';
+
+ $vars->{'users'} = $dbh->selectall_arrayref($query,
+ {'Slice' => {}},
+ @bindValues);
}
- $query .= ' ORDER BY profiles.login_name';
- $vars->{'users'} = $dbh->selectall_arrayref($query,
- {'Slice' => {}},
- @bindValues);
$template->process('admin/users/list.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
@@ -591,7 +602,7 @@ sub mirrorListSelectionValues {
# Give a list of IDs of groups the user can see.
sub visibleGroupsAsString {
- return join(', ', -1, @{$user->visible_groups_direct()});
+ return join(', ', @{$user->visible_groups_direct()});
}
# Give a list of IDs of groups the user may bless.
@@ -623,7 +634,8 @@ sub groupsUserMayBless {
# If visibilitygroups are used, restrict the set of groups.
if (Param('usevisibilitygroups')) {
- my $visibleGroups = visibleGroupsAsString();
+ # Users need to see a group in order to bless it.
+ my $visibleGroups = visibleGroupsAsString() || return {};
$query .= " $connector id in ($visibleGroups)";
}
@@ -638,7 +650,9 @@ sub canSeeUser {
my $query;
if (Param('usevisibilitygroups')) {
- my $visibleGroups = visibleGroupsAsString();
+ # If the user can see no groups, then no users are visible either.
+ my $visibleGroups = visibleGroupsAsString() || return 0;
+
$query = qq{SELECT COUNT(DISTINCT userid)
FROM profiles, user_group_map
WHERE userid = ?