From 88d7ced2b3871564e7e84dd8ec3be5bd39e8f999 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sat, 1 Oct 2005 05:25:49 +0000
Subject: Bug 308662: [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions - Patch by Joel Peshkin r=LpSolit a=justdave
---
 Bugzilla/User.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'Bugzilla')
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 1abc16d35..3fca325b6 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -711,10 +711,10 @@ sub match {
 if (&::Param('usevisibilitygroups')) {
 $query .= ", user_group_map";
 }
- $query .= " WHERE " .
+ $query .= " WHERE (" .
 $dbh->sql_position($sqlstr, 'LOWER(login_name)') . " > 0" .
 " OR " .
- $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0";
+ $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0)";
 if (&::Param('usevisibilitygroups')) {
 $query .= " AND user_group_map.user_id = userid" .
 " AND isbless = 0" .
--
cgit v1.2.3-24-g4f1b
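Review bot: The parentheses added at `" WHERE ("` and `" > 0)"` are the only thing that makes the later `AND user_group_map.user_id = userid` conditions apply to login_name matches as well as realname matches, yet nothing in the code says so, and a later cleanup could drop them as redundant. I would add a comment above the `WHERE (` line, for example `# Keep the OR parenthesized: the visibility-group AND clauses appended below must restrict both match conditions.` The body of `match` starts and ends outside the hunk, so any other branch there that appends the visibility conditions after an `OR` should be checked for the same grouping; that cannot be confirmed from the lines shown. A regression test with `usevisibilitygroups` enabled, asserting that a login_name match for a user outside the viewer's visible groups returns nothing, would pin the restriction.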