From 67cb0c3f70d5b3d98e30a9e3ce7ac3b00766f9d9 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 26 Sep 2005 03:51:52 +0000
Subject: Bug 303784: Visibility can keep admin from administering groups -
 Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave

---
 editusers.cgi | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

(limited to 'editusers.cgi')

diff --git a/editusers.cgi b/editusers.cgi
index 27c16bbe7..049bfabf7 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -85,7 +85,7 @@ if ($action eq 'search') {
     my $nextCondition;
     my $visibleGroups;
 
-    if (Param('usevisibilitygroups')) {
+    if (!$editusers && Param('usevisibilitygroups')) {
         # Show only users in visible groups.
         $visibleGroups = $user->visible_groups_as_string();
 
@@ -233,7 +233,7 @@ if ($action eq 'search') {
                          'group_group_map READ',
                          'group_group_map AS ggm READ');
  
-    $user->can_see_user($otherUser)
+    $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});
@@ -409,11 +409,6 @@ if ($action eq 'search') {
     $editusers || ThrowUserError('auth_failure', {group  => "editusers",
                                                   action => "delete",
                                                   object => "users"});
-    $user->can_see_user($otherUser)
-        || ThrowUserError('auth_failure', {reason => "not_visible",
-                                           action => "delete",
-                                           object => "user"});
-
     $vars->{'otheruser'}      = $otherUser;
     $vars->{'editcomponents'} = UserInGroup('editcomponents');
 
@@ -519,10 +514,6 @@ if ($action eq 'search') {
                                  {group  => "editusers",
                                   action => "delete",
                                   object => "users"});
-    $user->can_see_user($otherUser)
-        || ThrowUserError('auth_failure', {reason => "not_visible",
-                                           action => "delete",
-                                           object => "user"});
     @{$otherUser->product_responsibilities()}
         && ThrowUserError('user_has_responsibility');
 
@@ -785,7 +776,7 @@ sub edit_processing
     $otherUser 
         || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
 
-    $user->can_see_user($otherUser)
+    $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});
-- 
cgit v1.2.3-24-g4f1b