From 51fee3fe459d94277e0a85060c821c227badbf17 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Thu, 16 Sep 2010 05:21:42 +0000
Subject: [PATCH] BUGFIX Don't suggest members in SecurityAdmin->autocomplete()
 that the current user doesn't have rights to edit (fixes #5651)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/branches/2.4@110858 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 code/SecurityAdmin.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php
index bc69a293..8d00e0be 100644
--- a/code/SecurityAdmin.php
+++ b/code/SecurityAdmin.php
@@ -283,7 +283,9 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		if($matches) {
 			$result .= "<ul>";
 			foreach($matches as $match) {
-				if(!$match->canView()) continue;
+				// If the current user doesnt have permissions on the target user,
+				// he's not allowed to add it to a group either: Don't include it in the suggestions.
+				if(!$match->canView() || !$match->canEdit()) continue;
 
 				$data = $match->FirstName;
 				$data .= ",$match->Surname";