When a group becomes disabled in RT, we mark all CGM rows that existed
because of that group as 'Disabled'.  Unfortunately, many joins through
CGM neglected to take the Disabled column into account, leading to users
possibly having rights that they should not, due to having them by way
of a disabled group.

This addresses CVE-2011-4459.