From: lpsolit%gmail.com <>
Date: Mon, 26 Sep 2005 03:51:52 +0000 (+0000)
Subject: Bug 303784: Visibility can keep admin from administering groups - Patch by Joel Peshk... 
X-Git-Tag: bugzilla-2.21.1~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67cb0c3f70d5b3d98e30a9e3ce7ac3b00766f9d9;p=thirdparty%2Fbugzilla.git

Bug 303784: Visibility can keep admin from administering groups - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave
---

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 8d31414ba0..d8749ccb00 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -328,7 +328,7 @@ sub bless_groups {
     }
 
     # If visibilitygroups are used, restrict the set of groups.
-    if (Param('usevisibilitygroups')) {
+    if ((!$self->in_group('editusers')) && Param('usevisibilitygroups')) {
         # Users need to see a group in order to bless it.
         my $visibleGroups = join(', ', @{$self->visible_groups_direct()})
             || return $self->{'bless_groups'} = [];
diff --git a/editusers.cgi b/editusers.cgi
index 27c16bbe72..049bfabf7b 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -85,7 +85,7 @@ if ($action eq 'search') {
     my $nextCondition;
     my $visibleGroups;
 
-    if (Param('usevisibilitygroups')) {
+    if (!$editusers && Param('usevisibilitygroups')) {
         # Show only users in visible groups.
         $visibleGroups = $user->visible_groups_as_string();
 
@@ -233,7 +233,7 @@ if ($action eq 'search') {
                          'group_group_map READ',
                          'group_group_map AS ggm READ');
  
-    $user->can_see_user($otherUser)
+    $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});
@@ -409,11 +409,6 @@ if ($action eq 'search') {
     $editusers || ThrowUserError('auth_failure', {group  => "editusers",
                                                   action => "delete",
                                                   object => "users"});
-    $user->can_see_user($otherUser)
-        || ThrowUserError('auth_failure', {reason => "not_visible",
-                                           action => "delete",
-                                           object => "user"});
-
     $vars->{'otheruser'}      = $otherUser;
     $vars->{'editcomponents'} = UserInGroup('editcomponents');
 
@@ -519,10 +514,6 @@ if ($action eq 'search') {
                                  {group  => "editusers",
                                   action => "delete",
                                   object => "users"});
-    $user->can_see_user($otherUser)
-        || ThrowUserError('auth_failure', {reason => "not_visible",
-                                           action => "delete",
-                                           object => "user"});
     @{$otherUser->product_responsibilities()}
         && ThrowUserError('user_has_responsibility');
 
@@ -785,7 +776,7 @@ sub edit_processing
     $otherUser 
         || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
 
-    $user->can_see_user($otherUser)
+    $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});