From dd4e3e22ef2ee53766c449c287cb9a2a96eb4452 Mon Sep 17 00:00:00 2001
From: Jamie Cameron <jcameron@webmin.com>
Date: Fri, 15 May 2026 16:43:29 -0700
Subject: [PATCH] Allow global permissions to be set for new users

---
 acl/edit_user.cgi |  4 ++--
 acl/save_user.cgi |  2 +-
 web-lib-funcs.pl  | 10 ++++++----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/acl/edit_user.cgi b/acl/edit_user.cgi
index c2871f2ce..a59f89ea1 100755
--- a/acl/edit_user.cgi
+++ b/acl/edit_user.cgi
@@ -450,11 +450,11 @@ print &ui_hidden_table_end("mods");
 
 # Add global ACL section, but only if not set from the group
 my $groupglobal = $memg && -r "$config_directory/$memg->{'name'}.acl";
-if ($access{'acl'} && !$groupglobal && $in{'user'} && !$safe) {
+if ($access{'acl'} && !$groupglobal && !$safe) {
 	print &ui_hidden_table_start($text{'edit_global'}, "width=100%", 2,
 				     "global", 0, [ "width=30%" ]);
 	my %uaccess;
-	%uaccess = &get_module_acl($in{'user'}, "", 1);
+	%uaccess = &get_module_acl($in{'user'} || "", "", 1);
 	print &ui_hidden("acl_security_form", 1);
 	&foreign_require("", "acl_security.pl");
 	&foreign_call("", "acl_security_form", \%uaccess);
diff --git a/acl/save_user.cgi b/acl/save_user.cgi
index 0649646f3..ec9799463 100755
--- a/acl/save_user.cgi
+++ b/acl/save_user.cgi
@@ -374,7 +374,7 @@ else {
 	}
 
 my $aclfile = "$config_directory/$in{'name'}.acl";
-if ($in{'old'} && $in{'acl_security_form'} && !$newgroup && !$in{'safe'}) {
+if ($in{'acl_security_form'} && !$newgroup && !$in{'safe'}) {
 	# Update user's global ACL
 	&foreign_require("", "acl_security.pl");
 	my %uaccess;
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 56d521016..930906577 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -4819,10 +4819,12 @@ if (!$nodef) {
 
 	# If this isn't a master admin user, apply the negative permissions
 	# so that he doesn't un-expectedly gain access to new features
-	my %gacccess;
-	&read_file_cached("$config_directory/$u.acl", \%gaccess);
-	if ($gaccess{'negative'}) {
-		&read_file_cached("$mdir/negativeacl", \%rv);
+	if ($u ne '') {
+		my %gacccess;
+		&read_file_cached("$config_directory/$u.acl", \%gaccess);
+		if ($gaccess{'negative'}) {
+			&read_file_cached("$mdir/negativeacl", \%rv);
+			}
 		}
 	}
 my %usersacl;