From 7765acb130eafc8b0bc01afdc2c6aeeedf5b7dde Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Sun, 1 Sep 2013 05:22:51 -0700
Subject: [PATCH] Merge pull request #124 from AndyButland/wip-u4-2759

U4-2759 - member authorise attribute was not restricting for group
---
 src/Umbraco.Web/Security/WebSecurity.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Umbraco.Web/Security/WebSecurity.cs b/src/Umbraco.Web/Security/WebSecurity.cs
index f45ff9c30e..a7a57c3c32 100644
--- a/src/Umbraco.Web/Security/WebSecurity.cs
+++ b/src/Umbraco.Web/Security/WebSecurity.cs
@@ -70,15 +70,15 @@ namespace Umbraco.Web.Security
                 var allowGroupsList = allowGroups as IList<string> ?? allowGroups.ToList();
                 if (allowAction && allowGroupsList.Any(allowGroup => allowGroup != string.Empty))
                 {
-                    // Allow only if member's type is in list
+                    // Allow only if member is assigned to a group in the list
                     var groups = Roles.GetRolesForUser(member.LoginName);
-                    allowAction = groups.Select(s => s.ToLowerInvariant()).Intersect(groups.Select(myGroup => myGroup.ToLowerInvariant())).Any();
+                    allowAction = allowGroupsList.Select(s => s.ToLowerInvariant()).Intersect(groups.Select(myGroup => myGroup.ToLowerInvariant())).Any();
                 }
 
                 // If specific members defined, check member is of one of those
                 if (allowAction && allowMembers.Any())
                 {
-                    // Allow only if member's type is in list
+                    // Allow only if member's Id is in the list
                     allowAction = allowMembers.Contains(member.Id);
                 }
             }