From 54d93c06dce9220e2f50c90086a8ab86b1e08366 Mon Sep 17 00:00:00 2001
From: eileen <emcnaughton@wikimedia.org>
Date: Fri, 14 Oct 2016 15:05:51 +0100
Subject: [PATCH] CRM-19311  limit hidden groups to those passed in if  is set

---
 CRM/ACL/BAO/ACL.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/CRM/ACL/BAO/ACL.php b/CRM/ACL/BAO/ACL.php
index 7bb97cf4f6..dec06a6ae5 100644
--- a/CRM/ACL/BAO/ACL.php
+++ b/CRM/ACL/BAO/ACL.php
@@ -920,13 +920,18 @@ ORDER BY a.object_id
       $ids = $includedGroups;
     }
     if ($contactID) {
+      $groupWhere = '';
+      if (!empty($allGroups)) {
+        $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")";
+      }
       // Contacts create hidden groups from search results. They should be able to retrieve their own.
       $ownHiddenGroupsList = CRM_Core_DAO::singleValueQuery("
         SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID
+        $groupWhere
       ");
       if ($ownHiddenGroupsList) {
         $ownHiddenGroups = explode(',', $ownHiddenGroupsList);
-        $ids = array_merge($ids, $ownHiddenGroups);
+        $ids = array_merge((array) $ids, $ownHiddenGroups);
       }
 
     }
-- 
2.25.1