From e2a3d7a42271ffd58ebbe7bf75803e0c60efc71d Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sat, 1 Oct 2005 05:28:04 +0000
Subject: [PATCH] Bug 308662: [SECURITY] User matching bypasses
 'usevisibilitygroups' restrictions - Patch by Joel Peshkin
 <bugreport@peshkin.net> r=LpSolit a=justdave

---
 Bugzilla/User.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 3a3cace197..cfa3429206 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -713,10 +713,10 @@ sub match {
         if (&::Param('usevisibilitygroups')) {
             $query .= ", user_group_map";
         }
-        $query     .= " WHERE " .
+        $query     .= " WHERE (" .
                 $dbh->sql_position($sqlstr, 'LOWER(login_name)') . " > 0" .
                       " OR " .
-                $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0";
+                $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0)";
         if (&::Param('usevisibilitygroups')) {
             $query .= " AND user_group_map.user_id = userid" .
                       " AND isbless = 0" .
-- 
2.47.2