forward porting secondary admin group access privileges when creating users

docs/changelog/7.x.x.txt

@@ -14,6 +14,8 @@
    requestAutoCommit
  - fix: Some urls cause an asset to be inaccessible after creation/editing (perlDreamer Consulting, LLC.)
      http://www.plainblack.com/bugs/tracker/some-urls-cause-an-asset-to-be-inaccessible-after-creation/editing
+ - fix: Secondary Admin can create user with Admin Privilege (IRC:blacksilver)
+     http://www.plainblack.com/bugs/tracker/secondary-admin-can-create-user-with-admin-privilege
 
 7.4.17
  - fix: double width characters encoded incorrectly in Collaboration RSS feed

lib/WebGUI/Operation/User.pm

@@ -404,12 +404,18 @@ sub www_editUser {
 		$tabform->getTab("profile")->fieldSetEnd($category->getLabel);
 	}
 	my @groupsToAdd = $session->form->group("groupsToAdd");
-	my @exclude = $session->db->buildArray("select groupId from groupings where userId=".$session->db->quote($u->userId));
+	my @exclude = $session->db->buildArray("select groupId from groupings where userId=?",[$u->userId]);
 	@exclude = (@exclude,"1","2","7");
+    my $secondaryAdmin = $session->user->isInGroup('11');
+    my @extraExclude = ();
+    if ($secondaryAdmin && !$session->user->isInGroup(3)) {
+        @extraExclude = $session->db->buildArray('select groupId from groups where groupId not in (select groupId from groupings where userId=?)',[$session->user->userId]);
+    }
+    push @extraExclude, @exclude;
 	$tabform->getTab("groups")->group(
 		-name=>"groupsToAdd",
 		-label=>$i18n->get("groups to add"),
-		-excludeGroups=>\@exclude,
+		-excludeGroups=>\@extraExclude,
 		-size=>15,
 		-multiple=>1,
 		-value=>\@groupsToAdd