Bug 303784: Visibility can keep admin from administering groups - Patch by Joel Peshk...
authorlpsolit%gmail.com <>
Mon, 26 Sep 2005 03:54:38 +0000 (03:54 +0000)
committerlpsolit%gmail.com <>
Mon, 26 Sep 2005 03:54:38 +0000 (03:54 +0000)
Bugzilla/User.pm
editusers.cgi

index 639da0c371821a5d24dc67ae6b138cd137d595f2..cb3ac3dba2c910ce16684ba899d7a9fde0441887 100644 (file)
@@ -325,7 +325,7 @@ sub bless_groups {
     }
 
     # If visibilitygroups are used, restrict the set of groups.
-    if (Param('usevisibilitygroups')) {
+    if ((!$self->in_group('editusers')) && Param('usevisibilitygroups')) {
         # Users need to see a group in order to bless it.
         my $visibleGroups = join(', ', @{$self->visible_groups_direct()})
             || return $self->{'bless_groups'} = [];
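Review bot: The context comment above the changed condition still says the set of groups is restricted whenever visibility groups are used, which is no longer true for members of `editusers`. This condition now decides who may bless groups regardless of visibility, so the exception should be stated where it is made, e.g. `# If visibilitygroups are used, restrict the set of groups, except for editusers members, who must be able to administer every group.` The extra parentheses around `!$self->in_group('editusers')` are not needed and differ from the `!$editusers && ...` form used in editusers.cgi. bless_groups starts and ends outside the hunk.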
index f4eb5afae5d70499fd83c1cf890507f2014a034d..3eb0061e0533adcf995cddea7fe065e6acaa9be3 100755 (executable)
@@ -83,7 +83,7 @@ if ($action eq 'search') {
     my $nextCondition;
     my $visibleGroups;
 
-    if (Param('usevisibilitygroups')) {
+    if (!$editusers && Param('usevisibilitygroups')) {
         # Show only users in visible groups.
         $visibleGroups = visibleGroupsAsString();
 
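Review bot: `$visibleGroups` now stays undefined for `editusers` members even when `usevisibilitygroups` is on, because its only visible assignment is inside the changed condition. The rest of the search branch is outside the hunk, so this is a hedge: if later code tests `$visibleGroups` to decide whether to run or restrict the query, it has to treat the editusers case like the case where visibility groups are off. A short comment above the condition would pin the intent, e.g. `# editusers members search all users; visibility groups limit everyone else.`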
@@ -197,7 +197,7 @@ if ($action eq 'search') {
     $otherUser 
         || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
 
-    canSeeUser($otherUserID)
+    $editusers || canSeeUser($otherUserID)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});
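Review bot: The visibility check is now skipped by short-circuit on `$editusers`, and the identical chain is repeated in the next hunk (old line 231); neither place says why. This expression is the authorization gate for modifying another account, so a comment above each chain, such as `# editusers members may modify any user; everyone else must be able to see the user.`, would keep the bypass from reading as accidental. Moving the rule into one helper would also stop the two call sites drifting apart, though `canSeeUser` and the assignment of `$editusers` are outside what the hunks show. The enclosing action branches start and end outside both hunks.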
@@ -228,7 +228,7 @@ if ($action eq 'search') {
                          'group_group_map READ',
                          'group_group_map AS ggm READ');
  
-    canSeeUser($otherUserID)
+    $editusers || canSeeUser($otherUserID)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});
@@ -396,11 +396,6 @@ if ($action eq 'search') {
     $editusers || ThrowUserError('auth_failure', {group  => "editusers",
                                                   action => "delete",
                                                   object => "users"});
-    canSeeUser($otherUserID) || ThrowUserError('auth_failure',
-                                               {reason => "not_visible",
-                                                action => "delete",
-                                                object => "user"});
-
     $vars->{'otheruser'}      = $otherUser;
     $vars->{'editcomponents'} = UserInGroup('editcomponents');
 
@@ -506,10 +501,6 @@ if ($action eq 'search') {
                                  {group  => "editusers",
                                   action => "delete",
                                   object => "users"});
-    canSeeUser($otherUserID) || ThrowUserError('auth_failure',
-                                               {reason => "not_visible",
-                                                action => "delete",
-                                                object => "user"});
     @{$otherUser->product_responsibilities()}
         && ThrowUserError('user_has_responsibility');