From: mkanat%bugzilla.org <>
Date: Fri, 17 Oct 2008 07:53:23 +0000 (+0000)
Subject: Bug 460379: New user accounts could access editusers and add and remove themselves... 
X-Git-Tag: bugzilla-3.3.1~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50035ffc59885e32f744389e732a12d533ec1e66;p=thirdparty%2Fbugzilla.git

Bug 460379: New user accounts could access editusers and add and remove themselves from groups
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit
---

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index aa3baa2438..293b18d3e5 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -453,7 +453,8 @@ sub bless_groups {
     # Get all groups for the user where:
     #    + They have direct bless privileges
     #    + They are a member of a group that inherits bless privs.
-    my @group_ids = (map {$_->id} @{ $self->groups }) || (-1);
+    my @group_ids = map {$_->id} @{ $self->groups };
+    @group_ids = (-1) if !@group_ids;
     my $query =
         'SELECT DISTINCT groups.id
            FROM groups, user_group_map, group_group_map AS ggm