Bug 308662: [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions...

author lpsolit%gmail.com <>

Sat, 1 Oct 2005 05:25:49 +0000 (05:25 +0000)

committer lpsolit%gmail.com <>

Sat, 1 Oct 2005 05:25:49 +0000 (05:25 +0000)
author lpsolit%gmail.com <>
Sat, 1 Oct 2005 05:25:49 +0000 (05:25 +0000)
committer lpsolit%gmail.com <>
Sat, 1 Oct 2005 05:25:49 +0000 (05:25 +0000)
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm

index 1abc16d3516115cfdf07eb5969d1be232a0203fa..3fca325b6f7ac769973e0557a42240f24ad1fd1f 100644 (file)
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -711,10 +711,10 @@ sub match {
          if (&::Param('usevisibilitygroups')) {
              $query .= ", user_group_map";
          }
-        $query     .= " WHERE " .
+        $query     .= " WHERE (" .
                  $dbh->sql_position($sqlstr, 'LOWER(login_name)') . " > 0" .
                        " OR " .
-                $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0";
+                $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0)";
          if (&::Param('usevisibilitygroups')) {
              $query .= " AND user_group_map.user_id = userid" .
                        " AND isbless = 0" .
author	lpsolit%gmail.com <>
	Sat, 1 Oct 2005 05:25:49 +0000 (05:25 +0000)
committer	lpsolit%gmail.com <>
	Sat, 1 Oct 2005 05:25:49 +0000 (05:25 +0000)