From dc534964ff92b84eb783bcefb10048abc705c837 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <lpsolit%gmail.com>
Date: Sun, 25 Sep 2005 20:51:52 +0000
Subject: [PATCH] Bug 303784: Visibility can keep admin from administering
 groups - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave

---
 webtools/bugzilla/Bugzilla/User.pm |  2 +-
 webtools/bugzilla/editusers.cgi    | 15 +++------------
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/webtools/bugzilla/Bugzilla/User.pm b/webtools/bugzilla/Bugzilla/User.pm
index 8d31414ba04..d8749ccb009 100644
--- a/webtools/bugzilla/Bugzilla/User.pm
+++ b/webtools/bugzilla/Bugzilla/User.pm
@@ -328,7 +328,7 @@ sub bless_groups {
     }
 
     # If visibilitygroups are used, restrict the set of groups.
-    if (Param('usevisibilitygroups')) {
+    if ((!$self->in_group('editusers')) && Param('usevisibilitygroups')) {
         # Users need to see a group in order to bless it.
         my $visibleGroups = join(', ', @{$self->visible_groups_direct()})
             || return $self->{'bless_groups'} = [];
diff --git a/webtools/bugzilla/editusers.cgi b/webtools/bugzilla/editusers.cgi
index 27c16bbe720..049bfabf7b0 100755
--- a/webtools/bugzilla/editusers.cgi
+++ b/webtools/bugzilla/editusers.cgi
@@ -85,7 +85,7 @@ if ($action eq 'search') {
     my $nextCondition;
     my $visibleGroups;
 
-    if (Param('usevisibilitygroups')) {
+    if (!$editusers && Param('usevisibilitygroups')) {
         # Show only users in visible groups.
         $visibleGroups = $user->visible_groups_as_string();
 
@@ -233,7 +233,7 @@ if ($action eq 'search') {
                          'group_group_map READ',
                          'group_group_map AS ggm READ');
  
-    $user->can_see_user($otherUser)
+    $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});
@@ -409,11 +409,6 @@ if ($action eq 'search') {
     $editusers || ThrowUserError('auth_failure', {group  => "editusers",
                                                   action => "delete",
                                                   object => "users"});
-    $user->can_see_user($otherUser)
-        || ThrowUserError('auth_failure', {reason => "not_visible",
-                                           action => "delete",
-                                           object => "user"});
-
     $vars->{'otheruser'}      = $otherUser;
     $vars->{'editcomponents'} = UserInGroup('editcomponents');
 
@@ -519,10 +514,6 @@ if ($action eq 'search') {
                                  {group  => "editusers",
                                   action => "delete",
                                   object => "users"});
-    $user->can_see_user($otherUser)
-        || ThrowUserError('auth_failure', {reason => "not_visible",
-                                           action => "delete",
-                                           object => "user"});
     @{$otherUser->product_responsibilities()}
         && ThrowUserError('user_has_responsibility');
 
@@ -785,7 +776,7 @@ sub edit_processing
     $otherUser 
         || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
 
-    $user->can_see_user($otherUser)
+    $editusers || $user->can_see_user($otherUser)
         || ThrowUserError('auth_failure', {reason => "not_visible",
                                            action => "modify",
                                            object => "user"});