forward port of becoming illegal userId bugfix

lib/WebGUI/Operation/User.pm

@@ -222,6 +222,7 @@ Allows an administrator to assume another user.
 sub www_becomeUser {
 	my $session = shift;
 	return $session->privilege->adminOnly() unless ($session->user->isInGroup(3));
+	return unless WebGUI::User->validUserId($session, $session->form->process("uid"));
 	$session->user({userId=>$session->form->process("uid")});
 	$session->var->end($session->var->get("sessionId"));
 	$session->var->start($session->form->process("uid"),$session->getId);

lib/WebGUI/User.pm

@@ -45,6 +45,8 @@ This package provides an object-oriented way of managing WebGUI users as well as
  $u->deleteFromGroups(\@arr);
  $u->delete;
 
+ WebGUI::User->validUserId($session, $userId);
+
 =head1 METHODS
 
 These methods are available from this class:
@@ -654,4 +656,18 @@ sub userId {
         return $_[0]->{_userId};
 }
 
+#-------------------------------------------------------------------
+
+=head2 validUserId ( userId )
+
+Returns true if the userId exists in the users table. 
+
+=cut
+
+sub validUserId {
+	my ($class, $session, $userId) = @_;
+	my $sth = $session->db->read('select userId from users where userId='.$session->db->quote($userId));
+	return ($sth->rows == 1);
+}
+
 1;