From c81a842c51eb1bd8beddbadc865450bd4e4db0bf Mon Sep 17 00:00:00 2001
From: Matt Tyson <mtyson@redhat.com>
Date: Sun, 7 Feb 2016 13:43:35 +0100
Subject: Bug 1237161: Allow users with bless permissions to update users group
 membership using WebService r=LpSolit a=dkl

---
 Bugzilla/WebService/User.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/WebService')

diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index 0ae76d70f..bacd08ba1 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -275,6 +275,7 @@ sub update {
 
     # Reject access if there is no sense in continuing.
     $user->in_group('editusers')
+        || $user->can_bless()
         || ThrowUserError("auth_failure", {group  => "editusers",
                                            action => "edit",
                                            object => "users"});
@@ -292,6 +293,8 @@ sub update {
     delete $values->{ids};
 
     $dbh->bz_start_transaction();
+
+    $values = { groups => $values->{groups} } unless $user->in_group('editusers');
     foreach my $user (@$user_objects){
         $user->set_all($values);
     }
@@ -709,7 +712,12 @@ B<EXPERIMENTAL>
 
 =item B<Description>
 
-Updates user accounts in Bugzilla.
+Updates user accounts in Bugzilla. To use this method, you must be a member
+of the C<editusers> group.
+
+If you are not in the C<editusers> group, you may
+add or remove users from groups if you have bless permissions for the groups
+you wish to modify. All other changes will be ignored.
 
 =item B<REST>
 
-- 
cgit v1.2.3-24-g4f1b