From ad5a8e0fcef9f1d976035092efe8b927eaa4e816 Mon Sep 17 00:00:00 2001
From: Sam Minnee <sam@silverstripe.com>
Date: Tue, 19 Oct 2010 01:02:41 +0000
Subject: [PATCH] BUGFIX Don't suggest members in SecurityAdmin->autocomplete()
 that the current user doesn't have rights to edit (fixes #5651) (from
 r110858)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@112796 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 code/SecurityAdmin.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php
index 50acf493..692c42b2 100644
--- a/code/SecurityAdmin.php
+++ b/code/SecurityAdmin.php
@@ -259,7 +259,9 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		if($matches) {
 			$result .= "<ul>";
 			foreach($matches as $match) {
-				if(!$match->canView()) continue;
+				// If the current user doesnt have permissions on the target user,
+				// he's not allowed to add it to a group either: Don't include it in the suggestions.
+				if(!$match->canView() || !$match->canEdit()) continue;
 
 				$data = $match->FirstName;
 				$data .= ",$match->Surname";