request.cgi 13.3 KB
Newer Older
1
#!/usr/bin/perl -wT
2 3 4
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
5
#
6 7
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.
8

9
use 5.10.1;
10
use strict;
11
use lib qw(. lib);
12

13
use Bugzilla;
14 15
use Bugzilla::Util;
use Bugzilla::Error;
16 17 18
use Bugzilla::Flag;
use Bugzilla::FlagType;
use Bugzilla::User;
19 20
use Bugzilla::Product;
use Bugzilla::Component;
21 22

# Make sure the user is logged in.
23 24
my $user = Bugzilla->login();
my $cgi = Bugzilla->cgi;
25 26
# Force the script to run against the shadow DB. We already validated credentials.
Bugzilla->switch_to_shadow_db;
27 28
my $template = Bugzilla->template;
my $action = $cgi->param('action') || '';
29 30 31
my $format = $template->get_format('request/queue', 
                                   scalar($cgi->param('format')),
                                   scalar($cgi->param('ctype')));
32

33 34
$cgi->set_dated_content_disp("inline", "requests", $format->{extension});
print $cgi->header($format->{'ctype'});
35

36 37 38 39 40 41 42 43 44 45
my $fields;
$fields->{'requester'}->{'type'} = 'single';
# If the user doesn't restrict his search to requests from the wind
# (requestee ne '-'), include the requestee for completion.
unless (defined $cgi->param('requestee')
        && $cgi->param('requestee') eq '-')
{
    $fields->{'requestee'}->{'type'} = 'single';
}

46
Bugzilla::User::match_field($fields);
47

48
if ($action eq 'queue') {
49
    queue($format);
50 51
}
else {
52
    my $flagtypes = get_flag_types();
53 54 55 56 57
    my @types = ('all', @$flagtypes);

    my $vars = {};
    $vars->{'types'} = \@types;
    $vars->{'requests'} = {};
58 59

    my %components;
60
    foreach my $prod (@{$user->get_selectable_products}) {
61 62 63 64 65 66
        foreach my $comp (@{$prod->components}) {
            $components{$comp->name} = 1;
        }
    }
    $vars->{'components'} = [ sort { $a cmp $b } keys %components ];

67
    $template->process($format->{'template'}, $vars)
68 69
      || ThrowTemplateError($template->error());
}
70 71 72 73 74 75 76
exit;

################################################################################
# Functions
################################################################################

sub queue {
77
    my $format = shift;
78
    my $cgi = Bugzilla->cgi;
79
    my $dbh = Bugzilla->dbh;
80 81 82
    my $template = Bugzilla->template;
    my $user = Bugzilla->user;
    my $userid = $user->id;
83
    my $vars = {};
84 85 86 87

    my $status = validateStatus($cgi->param('status'));
    my $form_group = validateGroup($cgi->param('group'));

88 89 90 91 92 93 94 95 96
    my $query = 
    # Select columns describing each flag, the bug/attachment on which
    # it has been set, who set it, and of whom they are requesting it.
    " SELECT    flags.id, flagtypes.name,
                flags.status,
                flags.bug_id, bugs.short_desc,
                products.name, components.name,
                flags.attach_id, attachments.description,
                requesters.realname, requesters.login_name,
97
                requestees.realname, requestees.login_name, COUNT(privs.group_id),
98
    " . $dbh->sql_date_format('flags.modification_date', '%Y.%m.%d %H:%i') .
99 100 101 102
    # Use the flags and flagtypes tables for information about the flags,
    # the bugs and attachments tables for target info, the profiles tables
    # for setter and requestee info, the products/components tables
    # so we can display product and component names, and the bug_group_map
103 104 105 106 107
    # table to help us weed out secure bugs to which the user should not have
    # access.
    "
      FROM           flags 
           LEFT JOIN attachments
108
                  ON flags.attach_id = attachments.attach_id
109
          INNER JOIN flagtypes
110
                  ON flags.type_id = flagtypes.id
111
          INNER JOIN profiles AS requesters
112
                  ON flags.setter_id = requesters.userid
113
           LEFT JOIN profiles AS requestees
114
                  ON flags.requestee_id  = requestees.userid
115
          INNER JOIN bugs
116
                  ON flags.bug_id = bugs.bug_id
117
          INNER JOIN products
118
                  ON bugs.product_id = products.id
119
          INNER JOIN components
120
                  ON bugs.component_id = components.id
121
           LEFT JOIN bug_group_map AS bgmap
122
                  ON bgmap.bug_id = bugs.bug_id
123
                 AND bgmap.group_id NOT IN (" .
124
                     $user->groups_as_string . ")
125 126
           LEFT JOIN bug_group_map AS privs
                  ON privs.bug_id = bugs.bug_id
127
           LEFT JOIN cc AS ccmap
128 129
                  ON ccmap.who = $userid
                 AND ccmap.bug_id = bugs.bug_id
130 131 132 133 134
    " .

    # Weed out bug the user does not have access to
    " WHERE     ((bgmap.group_id IS NULL) OR
                 (ccmap.who IS NOT NULL AND cclist_accessible = 1) OR
135
                 (bugs.reporter = $userid AND bugs.reporter_accessible = 1) OR
136
                 (bugs.assigned_to = $userid) " .
137
                 (Bugzilla->params->{'useqacontact'} ? "OR
138
                 (bugs.qa_contact = $userid))" : ")");
139 140 141 142 143 144 145

    unless ($user->is_insider) {
        $query .= " AND (attachments.attach_id IS NULL
                         OR attachments.isprivate = 0
                         OR attachments.submitter_id = $userid)";
    }

146
    # Limit query to pending requests.
147
    $query .= " AND flags.status = '?' " unless $status;
148 149 150

    # The set of criteria by which we filter records to display in the queue.
    my @criteria = ();
151

152 153 154 155 156 157
    # A list of columns to exclude from the report because the report conditions
    # limit the data being displayed to exact matches for those columns.
    # In other words, if we are only displaying "pending" , we don't
    # need to display a "status" column in the report because the value for that
    # column will always be the same.
    my @excluded_columns = ();
158 159
    my $do_union = $cgi->param('do_union');

160
    # Filter results by exact email address of requester or requestee.
161
    if (defined $cgi->param('requester') && $cgi->param('requester') ne "") {
162 163 164
        my $requester = $dbh->quote($cgi->param('requester'));
        trick_taint($requester); # Quoted above
        push(@criteria, $dbh->sql_istrcmp('requesters.login_name', $requester));
165
        push(@excluded_columns, 'requester') unless $do_union;
166
    }
167
    if (defined $cgi->param('requestee') && $cgi->param('requestee') ne "") {
168
        if ($cgi->param('requestee') ne "-") {
169 170
            my $requestee = $dbh->quote($cgi->param('requestee'));
            trick_taint($requestee); # Quoted above
171 172 173 174
            push(@criteria, $dbh->sql_istrcmp('requestees.login_name', $requestee));
        }
        else {
            push(@criteria, "flags.requestee_id IS NULL");
175
        }
176
        push(@excluded_columns, 'requestee') unless $do_union;
177
    }
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198

    # If the user wants requester = foo OR requestee = bar, we have to join
    # these criteria separately as all other criteria use AND.
    if (@criteria == 2 && $do_union) {
        my $union = join(' OR ', @criteria);
        @criteria = ("($union)");
    }

    # Filter requests by status: "pending", "granted", "denied", "all"
    # (which means any), or "fulfilled" (which means "granted" or "denied").
    if ($status) {
        if ($status eq "+-") {
            push(@criteria, "flags.status IN ('+', '-')");
            push(@excluded_columns, 'status');
        }
        elsif ($status ne "all") {
            push(@criteria, "flags.status = '$status'");
            push(@excluded_columns, 'status');
        }
    }

199
    # Filter results by exact product or component.
200
    if (defined $cgi->param('product') && $cgi->param('product') ne "") {
201
        my $product = Bugzilla::Product->check(scalar $cgi->param('product'));
202
        push(@criteria, "bugs.product_id = " . $product->id);
203
        push(@excluded_columns, 'product');
204
        if (defined $cgi->param('component') && $cgi->param('component') ne "") {
205 206
            my $component = Bugzilla::Component->check({ product => $product,
                                                         name => scalar $cgi->param('component') });
207
            push(@criteria, "bugs.component_id = " . $component->id);
208
            push(@excluded_columns, 'component');
209 210
        }
    }
211

212
    # Filter results by flag types.
213 214
    my $form_type = $cgi->param('type');
    if (defined $form_type && !grep($form_type eq $_, ("", "all"))) {
215 216
        # Check if any matching types are for attachments.  If not, don't show
        # the attachment column in the report.
217 218 219 220
        my $has_attachment_type =
            Bugzilla::FlagType::count({ 'name' => $form_type,
                                        'target_type' => 'attachment' });

221
        if (!$has_attachment_type) { push(@excluded_columns, 'attachment') }
222 223 224 225

        my $quoted_form_type = $dbh->quote($form_type);
        trick_taint($quoted_form_type); # Already SQL quoted
        push(@criteria, "flagtypes.name = " . $quoted_form_type);
226
        push(@excluded_columns, 'type');
227
    }
228 229 230

    $query .= ' AND ' . join(' AND ', @criteria) if scalar(@criteria);

231 232 233
    # Group the records by flag ID so we don't get multiple rows of data
    # for each flag.  This is only necessary because of the code that
    # removes flags on bugs the user is unauthorized to access.
234 235 236 237 238
    $query .= ' ' . $dbh->sql_group_by('flags.id',
               'flagtypes.name, flags.status, flags.bug_id, bugs.short_desc,
                products.name, components.name, flags.attach_id,
                attachments.description, requesters.realname,
                requesters.login_name, requestees.realname,
239
                requestees.login_name, flags.modification_date,
240 241
                cclist_accessible, bugs.reporter, bugs.reporter_accessible,
                bugs.assigned_to');
242 243 244 245

    # Group the records, in other words order them by the group column
    # so the loop in the display template can break them up into separate
    # tables every time the value in the group column changes.
246 247 248

    $form_group ||= "requestee";
    if ($form_group eq "requester") {
249 250
        $query .= " ORDER BY requesters.realname, requesters.login_name";
    }
251
    elsif ($form_group eq "requestee") {
252 253
        $query .= " ORDER BY requestees.realname, requestees.login_name";
    }
254
    elsif ($form_group eq "category") {
255 256
        $query .= " ORDER BY products.name, components.name";
    }
257
    elsif ($form_group eq "type") {
258 259 260 261
        $query .= " ORDER BY flagtypes.name";
    }

    # Order the records (within each group).
262 263
    $query .= " , flags.modification_date";

264 265
    # Pass the query to the template for use when debugging this script.
    $vars->{'query'} = $query;
266
    $vars->{'debug'} = $cgi->param('debug') ? 1 : 0;
267

268
    my $results = $dbh->selectall_arrayref($query);
269
    my @requests = ();
270 271
    foreach my $result (@$results) {
        my @data = @$result;
272 273 274 275 276 277 278 279 280 281 282
        my $request = {
          'id'              => $data[0] , 
          'type'            => $data[1] , 
          'status'          => $data[2] , 
          'bug_id'          => $data[3] , 
          'bug_summary'     => $data[4] , 
          'category'        => "$data[5]: $data[6]" , 
          'attach_id'       => $data[7] , 
          'attach_summary'  => $data[8] ,
          'requester'       => ($data[9] ? "$data[9] <$data[10]>" : $data[10]) , 
          'requestee'       => ($data[11] ? "$data[11] <$data[12]>" : $data[12]) , 
283 284
          'restricted'      => $data[13] ? 1 : 0,
          'created'         => $data[14]
285 286 287 288 289 290
        };
        push(@requests, $request);
    }

    # Get a list of request type names to use in the filter form.
    my @types = ("all");
291
    my $flagtypes = get_flag_types();
292
    push(@types, @$flagtypes);
293

294
    $vars->{'excluded_columns'} = \@excluded_columns;
295
    $vars->{'group_field'} = $form_group;
296 297 298
    $vars->{'requests'} = \@requests;
    $vars->{'types'} = \@types;

299
    my %components;
300
    foreach my $prod (@{$user->get_selectable_products}) {
301 302 303 304 305 306
        foreach my $comp (@{$prod->components}) {
            $components{$comp->name} = 1;
        }
    }
    $vars->{'components'} = [ sort { $a cmp $b } keys %components ];

307 308
    $vars->{'urlquerypart'} = $cgi->canonicalise_query('ctype');

309
    # Generate and return the UI (HTML page) from the appropriate template.
310
    $template->process($format->{'template'}, $vars)
311 312 313 314 315 316 317 318
      || ThrowTemplateError($template->error());
}

################################################################################
# Data Validation / Security Authorization
################################################################################

sub validateStatus {
319
    my $status = shift;
320
    return if !defined $status;
321

322
    grep($status eq $_, qw(? +- + - all))
323
      || ThrowUserError("flag_status_invalid", { status => $status });
324 325
    trick_taint($status);
    return $status;
326 327 328
}

sub validateGroup {
329
    my $group = shift;
330
    return if !defined $group;
331

332
    grep($group eq $_, qw(requester requestee category type))
333
      || ThrowUserError("request_queue_group_invalid", { group => $group });
334 335
    trick_taint($group);
    return $group;
336 337
}

338 339 340 341 342 343 344 345 346 347 348
# Returns all flag types which have at least one flag of this type.
# If a flag type is inactive but still has flags, we want it.
sub get_flag_types {
    my $dbh = Bugzilla->dbh;
    my $flag_types = $dbh->selectcol_arrayref('SELECT DISTINCT name
                                                 FROM flagtypes
                                                WHERE flagtypes.id IN
                                                      (SELECT DISTINCT type_id FROM flags)
                                             ORDER BY name');
    return $flag_types;
}