buglist.cgi 51.9 KB
Newer Older
1
#!/usr/bin/perl -wT
2
# -*- Mode: perl; indent-tabs-mode: nil -*-
terry%netscape.com's avatar
terry%netscape.com committed
3
#
4 5 6 7 8 9 10 11 12 13
# The contents of this file are subject to the Mozilla Public
# License Version 1.1 (the "License"); you may not use this file
# except in compliance with the License. You may obtain a copy of
# the License at http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS
# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
# implied. See the License for the specific language governing
# rights and limitations under the License.
#
terry%netscape.com's avatar
terry%netscape.com committed
14
# The Original Code is the Bugzilla Bug Tracking System.
15
#
terry%netscape.com's avatar
terry%netscape.com committed
16
# The Initial Developer of the Original Code is Netscape Communications
17 18 19 20
# Corporation. Portions created by Netscape are
# Copyright (C) 1998 Netscape Communications Corporation. All
# Rights Reserved.
#
terry%netscape.com's avatar
terry%netscape.com committed
21
# Contributor(s): Terry Weissman <terry@mozilla.org>
22
#                 Dan Mosedale <dmose@mozilla.org>
23
#                 Stephan Niemz  <st.n@gmx.net>
24
#                 Andreas Franke <afranke@mathweb.org>
25
#                 Myk Melez <myk@mozilla.org>
26
#                 Max Kanat-Alexander <mkanat@bugzilla.org>
terry%netscape.com's avatar
terry%netscape.com committed
27

28 29 30 31 32
################################################################################
# Script Initialization
################################################################################

# Make it harder for us to do dangerous things in Perl.
33
use strict;
terry%netscape.com's avatar
terry%netscape.com committed
34

35
use lib qw(. lib);
36

37
use Bugzilla;
38 39 40
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Util;
41
use Bugzilla::Search;
42
use Bugzilla::Search::Quicksearch;
43
use Bugzilla::Search::Saved;
44
use Bugzilla::User;
45
use Bugzilla::Bug;
46
use Bugzilla::Product;
47
use Bugzilla::Keyword;
48
use Bugzilla::Field;
49
use Bugzilla::Status;
50

51 52
use Date::Parse;

53
my $cgi = Bugzilla->cgi;
54
my $dbh = Bugzilla->dbh;
55 56
my $template = Bugzilla->template;
my $vars = {};
57
my $buffer = $cgi->query_string();
58

59 60 61 62 63
# We have to check the login here to get the correct footer if an error is
# thrown and to prevent a logged out user to use QuickSearch if 'requirelogin'
# is turned 'on'.
Bugzilla->login();

64
if (length($buffer) == 0) {
65
    print $cgi->header(-refresh=> '10; URL=query.cgi');
66
    ThrowUserError("buglist_parameters_required");
67
}
68

69 70 71 72 73 74 75 76 77
# Determine whether this is a quicksearch query.
my $searchstring = $cgi->param('quicksearch');
if (defined($searchstring)) {
    $buffer = quicksearch($searchstring);
    # Quicksearch may do a redirect, in which case it does not return.
    # If it does return, it has modified $cgi->params so we can use them here
    # as if this had been a normal query from the beginning.
}

78
# If configured to not allow empty words, reject empty searches from the
79 80 81
# Find a Specific Bug search form, including words being a single or 
# several consecutive whitespaces only.
if (!Bugzilla->params->{'specific_search_allow_empty_words'}
82 83
    && defined($cgi->param('content')) && $cgi->param('content') =~ /^\s*$/)
{
84 85 86
    ThrowUserError("buglist_parameters_required");
}

87 88 89
################################################################################
# Data and Security Validation
################################################################################
90

91
# Whether or not the user wants to change multiple bugs.
92
my $dotweak = $cgi->param('tweak') ? 1 : 0;
93 94 95

# Log the user in
if ($dotweak) {
96
    Bugzilla->login(LOGIN_REQUIRED);
97
    Bugzilla->user->in_group("editbugs")
98 99 100
      || ThrowUserError("auth_failure", {group  => "editbugs",
                                         action => "modify",
                                         object => "multiple_bugs"});
101 102
}

103
# Hack to support legacy applications that think the RDF ctype is at format=rdf.
104 105 106 107
if (defined $cgi->param('format') && $cgi->param('format') eq "rdf"
    && !defined $cgi->param('ctype')) {
    $cgi->param('ctype', "rdf");
    $cgi->delete('format');
108
}
109

110 111 112 113 114
# Treat requests for ctype=rss as requests for ctype=atom
if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
    $cgi->param('ctype', "atom");
}

115 116 117 118 119 120
# The js ctype presents a security risk; a malicious site could use it  
# to gather information about secure bugs. So, we only allow public bugs to be
# retrieved with this format.
#
# Note that if and when this call clears cookies or has other persistent 
# effects, we'll need to do this another way instead.
121
if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
122
    Bugzilla->logout_request();
123
}
124

125 126 127 128 129 130 131
# An agent is a program that automatically downloads and extracts data
# on its user's behalf.  If this request comes from an agent, we turn off
# various aspects of bug list functionality so agent requests succeed
# and coexist nicely with regular user requests.  Currently the only agent
# we know about is Firefox's microsummary feature.
my $agent = ($cgi->http('X-Moz') && $cgi->http('X-Moz') =~ /\bmicrosummary\b/);

132 133 134
# Determine the format in which the user would like to receive the output.
# Uses the default format if the user did not specify an output format;
# otherwise validates the user's choice against the list of available formats.
135 136
my $format = $template->get_format("list/list", scalar $cgi->param('format'),
                                   scalar $cgi->param('ctype'));
137

138 139 140 141 142 143 144 145
# Use server push to display a "Please wait..." message for the user while
# executing their query if their browser supports it and they are viewing
# the bug list as HTML and they have not disabled it by adding &serverpush=0
# to the URL.
#
# Server push is a Netscape 3+ hack incompatible with MSIE, Lynx, and others. 
# Even Communicator 4.51 has bugs with it, especially during page reload.
# http://www.browsercaps.org used as source of compatible browsers.
146 147
# Safari (WebKit) does not support it, despite a UA that says otherwise (bug 188712)
# MSIE 5+ supports it on Mac (but not on Windows) (bug 190370)
148 149
#
my $serverpush =
150 151 152
  $format->{'extension'} eq "html"
    && exists $ENV{'HTTP_USER_AGENT'} 
      && $ENV{'HTTP_USER_AGENT'} =~ /Mozilla.[3-9]/ 
153
        && (($ENV{'HTTP_USER_AGENT'} !~ /[Cc]ompatible/) || ($ENV{'HTTP_USER_AGENT'} =~ /MSIE 5.*Mac_PowerPC/))
154
          && $ENV{'HTTP_USER_AGENT'} !~ /WebKit/
155 156 157
            && !$agent
              && !defined($cgi->param('serverpush'))
                || $cgi->param('serverpush');
158

159
my $order = $cgi->param('order') || "";
160
my $order_from_cookie = 0;  # True if $order set using the LASTORDER cookie
161

162 163 164
# The params object to use for the actual query itself
my $params;

165 166
# If the user is retrieving the last bug list they looked at, hack the buffer
# storing the query string so that it looks like a query retrieving those bugs.
167
if (defined $cgi->param('regetlastlist')) {
168
    $cgi->cookie('BUGLIST') || ThrowUserError("missing_cookie");
169

170
    $order = "reuse last sort" unless $order;
171 172
    my $bug_id = $cgi->cookie('BUGLIST');
    $bug_id =~ s/:/,/g;
173 174
    # set up the params for this new query
    $params = new Bugzilla::CGI({
175
                                 bug_id => $bug_id,
176 177
                                 order => $order,
                                });
178 179
}

180 181
if ($buffer =~ /&cmd-/) {
    my $url = "query.cgi?$buffer#chart";
182
    print $cgi->redirect(-location => $url);
183
    # Generate and return the UI (HTML page) from the appropriate template.
184
    $vars->{'message'} = "buglist_adding_field";
185 186
    $vars->{'url'} = $url;
    $template->process("global/message.html.tmpl", $vars)
187
      || ThrowTemplateError($template->error());
188 189
    exit;
}
190

191 192 193 194
# Figure out whether or not the user is doing a fulltext search.  If not,
# we'll remove the relevance column from the lists of columns to display
# and order by, since relevance only exists when doing a fulltext search.
my $fulltext = 0;
195
if ($cgi->param('content')) { $fulltext = 1 }
196
my @charts = map(/^field(\d-\d-\d)$/ ? $1 : (), $cgi->param());
197
foreach my $chart (@charts) {
198
    if ($cgi->param("field$chart") eq 'content' && $cgi->param("value$chart")) {
199 200 201 202 203
        $fulltext = 1;
        last;
    }
}

204 205 206 207
################################################################################
# Utilities
################################################################################

208
local our @weekday= qw( Sun Mon Tue Wed Thu Fri Sat );
209 210 211 212 213 214 215 216 217 218 219 220 221 222
sub DiffDate {
    my ($datestr) = @_;
    my $date = str2time($datestr);
    my $age = time() - $date;
    my ($s,$m,$h,$d,$mo,$y,$wd)= localtime $date;
    if( $age < 18*60*60 ) {
        $date = sprintf "%02d:%02d:%02d", $h,$m,$s;
    } elsif( $age < 6*24*60*60 ) {
        $date = sprintf "%s %02d:%02d", $weekday[$wd],$h,$m;
    } else {
        $date = sprintf "%04d-%02d-%02d", 1900+$y,$mo+1,$d;
    }
    return $date;
}
223

224
sub LookupNamedQuery {
225
    my ($name, $sharer_id, $query_type, $throw_error) = @_;
226
    my $user = Bugzilla->login(LOGIN_REQUIRED);
227
    my $dbh = Bugzilla->dbh;
228
    my $owner_id;
229
    $throw_error = 1 unless defined $throw_error;
230 231 232

    # $name and $sharer_id are safe -- we only use them below in SELECT
    # placeholders and then in error messages (which are always HTML-filtered).
233
    $name || ThrowUserError("query_name_missing");
234
    trick_taint($name);
235 236
    if ($sharer_id) {
        $owner_id = $sharer_id;
237 238
        detaint_natural($owner_id);
        $owner_id || ThrowUserError('illegal_user_id', {'userid' => $sharer_id});
239 240 241 242 243
    }
    else {
        $owner_id = $user->id;
    }

244 245 246 247 248 249 250 251 252
    my @args = ($owner_id, $name);
    my $extra = '';
    # If $query_type is defined, then we restrict our search.
    if (defined $query_type) {
        $extra = ' AND query_type = ? ';
        detaint_natural($query_type);
        push(@args, $query_type);
    }
    my ($id, $result) = $dbh->selectrow_array("SELECT id, query
253
                                                 FROM namedqueries
254 255 256
                                                WHERE userid = ? AND name = ?
                                                      $extra",
                                               undef, @args);
257 258 259 260 261
    if (!defined($result)) {
        return 0 unless $throw_error;
        ThrowUserError("missing_query", {'queryname' => $name,
                                         'sharer_id' => $sharer_id});
    }
262 263 264 265 266 267 268 269 270 271 272

    if ($sharer_id) {
        my $group = $dbh->selectrow_array('SELECT group_id
                                             FROM namedquery_group_map
                                            WHERE namedquery_id = ?',
                                          undef, $id);
        if (!grep {$_ == $group} values(%{$user->groups()})) {
            ThrowUserError("missing_query", {'queryname' => $name,
                                             'sharer_id' => $sharer_id});
        }
    }
273 274 275 276
    
    $result
       || ThrowUserError("buglist_parameters_required", {'queryname' => $name});

277 278 279
    return $result;
}

280 281 282 283 284 285 286 287 288 289 290 291 292
# Inserts a Named Query (a "Saved Search") into the database, or
# updates a Named Query that already exists..
# Takes four arguments:
# userid - The userid who the Named Query will belong to.
# query_name - A string that names the new Named Query, or the name
#              of an old Named Query to update. If this is blank, we
#              will throw a UserError. Leading and trailing whitespace
#              will be stripped from this value before it is inserted
#              into the DB.
# query - The query part of the buglist.cgi URL, unencoded. Must not be 
#         empty, or we will throw a UserError.
# link_in_footer (optional) - 1 if the Named Query should be 
# displayed in the user's footer, 0 otherwise.
293 294
# query_type (optional) - 1 if the Named Query contains a list of
# bug IDs only, 0 otherwise (default).
295 296 297 298 299
#
# All parameters are validated before passing them into the database.
#
# Returns: A boolean true value if the query existed in the database 
# before, and we updated it. A boolean false value otherwise.
300
sub InsertNamedQuery {
301
    my ($query_name, $query, $link_in_footer, $query_type) = @_;
302
    my $dbh = Bugzilla->dbh;
303 304 305 306 307 308 309 310

    $query_name = trim($query_name);
    my ($query_obj) = grep {$_->name eq $query_name} @{Bugzilla->user->queries};

    if ($query_obj) {
        $query_obj->set_url($query);
        $query_obj->set_query_type($query_type);
        $query_obj->update();
311
    } else {
312 313 314 315 316 317
        Bugzilla::Search::Saved->create({
            name           => $query_name,
            query          => $query,
            query_type     => $query_type,
            link_in_footer => $link_in_footer
        });
318 319
    }

320
    return $query_obj ? 1 : 0;
321 322
}

323 324 325 326 327 328
sub LookupSeries {
    my ($series_id) = @_;
    detaint_natural($series_id) || ThrowCodeError("invalid_series_id");
    
    my $dbh = Bugzilla->dbh;
    my $result = $dbh->selectrow_array("SELECT query FROM series " .
329 330
                                       "WHERE series_id = ?"
                                       , undef, ($series_id));
331 332 333 334 335
    $result
           || ThrowCodeError("invalid_series_id", {'series_id' => $series_id});
    return $result;
}

336
sub GetQuip {
337
    my $dbh = Bugzilla->dbh;
338 339
    # COUNT is quick because it is cached for MySQL. We may want to revisit
    # this when we support other databases.
340 341
    my $count = $dbh->selectrow_array("SELECT COUNT(quip)"
                                    . " FROM quips WHERE approved = 1");
342
    my $random = int(rand($count));
343
    my $quip = 
344 345
        $dbh->selectrow_array("SELECT quip FROM quips WHERE approved = 1 " . 
                              $dbh->sql_limit(1, $random));
346
    return $quip;
347
}
348

349
# Return groups available for at least one product of the buglist.
350
sub GetGroups {
351
    my $product_names = shift;
352
    my $user = Bugzilla->user;
353 354 355 356 357 358 359 360 361 362 363 364 365
    my %legal_groups;

    foreach my $product_name (@$product_names) {
        my $product = new Bugzilla::Product({name => $product_name});

        foreach my $gid (keys %{$product->group_controls}) {
            # The user can only edit groups he belongs to.
            next unless $user->in_group_id($gid);

            # The user has no control on groups marked as NA or MANDATORY.
            my $group = $product->group_controls->{$gid};
            next if ($group->{membercontrol} == CONTROLMAPMANDATORY
                     || $group->{membercontrol} == CONTROLMAPNA);
366

367 368 369 370 371 372 373
            # It's fine to include inactive groups. Those will be marked
            # as "remove only" when editing several bugs at once.
            $legal_groups{$gid} ||= $group->{group};
        }
    }
    # Return a list of group objects.
    return [values %legal_groups];
374
}
375

376

377 378 379
################################################################################
# Command Execution
################################################################################
380

381 382
$cgi->param('cmdtype', "") if !defined $cgi->param('cmdtype');
$cgi->param('remaction', "") if !defined $cgi->param('remaction');
383

384 385
# Backwards-compatibility - the old interface had cmdtype="runnamed" to run
# a named command, and we can't break this because it's in bookmarks.
386 387 388
if ($cgi->param('cmdtype') eq "runnamed") {  
    $cgi->param('cmdtype', "dorem");
    $cgi->param('remaction', "run");
389 390
}

391 392 393 394 395 396
# Now we're going to be running, so ensure that the params object is set up,
# using ||= so that we only do so if someone hasn't overridden this 
# earlier, for example by setting up a named query search.

# This will be modified, so make a copy.
$params ||= new Bugzilla::CGI($cgi);
397

398 399 400 401 402 403 404 405
# Generate a reasonable filename for the user agent to suggest to the user
# when the user saves the bug list.  Uses the name of the remembered query
# if available.  We have to do this now, even though we return HTTP headers 
# at the end, because the fact that there is a remembered query gets 
# forgotten in the process of retrieving it.
my @time = localtime(time());
my $date = sprintf "%04d-%02d-%02d", 1900+$time[5],$time[4]+1,$time[3];
my $filename = "bugs-$date.$format->{extension}";
406 407
if ($cgi->param('cmdtype') eq "dorem" && $cgi->param('remaction') =~ /^run/) {
    $filename = $cgi->param('namedcmd') . "-$date.$format->{extension}";
408 409 410 411
    # Remove white-space from the filename so the user cannot tamper
    # with the HTTP headers.
    $filename =~ s/\s/_/g;
}
412 413
$filename =~ s/\\/\\\\/g; # escape backslashes
$filename =~ s/"/\\"/g; # escape quotes
414

415
# Take appropriate action based on user's request.
416 417
if ($cgi->param('cmdtype') eq "dorem") {  
    if ($cgi->param('remaction') eq "run") {
418 419 420 421
        $buffer = LookupNamedQuery(scalar $cgi->param("namedcmd"),
                                   scalar $cgi->param('sharer_id'));
        # If this is the user's own query, remember information about it
        # so that it can be modified easily.
422
        $vars->{'searchname'} = $cgi->param('namedcmd');
423 424 425 426
        if (!$cgi->param('sharer_id') ||
            $cgi->param('sharer_id') == Bugzilla->user->id) {
            $vars->{'searchtype'} = "saved";
        }
427
        $params = new Bugzilla::CGI($buffer);
428
        $order = $params->param('order') || $order;
429

430
    }
431
    elsif ($cgi->param('remaction') eq "runseries") {
432
        $buffer = LookupSeries(scalar $cgi->param("series_id"));
433
        $vars->{'searchname'} = $cgi->param('namedcmd');
434
        $vars->{'searchtype'} = "series";
435
        $params = new Bugzilla::CGI($buffer);
436 437
        $order = $params->param('order') || $order;
    }
438
    elsif ($cgi->param('remaction') eq "forget") {
439
        my $user = Bugzilla->login(LOGIN_REQUIRED);
440 441 442
        # Copy the name into a variable, so that we can trick_taint it for
        # the DB. We know it's safe, because we're using placeholders in 
        # the SQL, and the SQL is only a DELETE.
443
        my $qname = $cgi->param('namedcmd');
444
        trick_taint($qname);
445 446 447 448 449 450 451 452 453 454 455 456

        # Do not forget the saved search if it is being used in a whine
        my $whines_in_use = 
            $dbh->selectcol_arrayref('SELECT DISTINCT whine_events.subject
                                                 FROM whine_events
                                           INNER JOIN whine_queries
                                                   ON whine_queries.eventid
                                                      = whine_events.id
                                                WHERE whine_events.owner_userid
                                                      = ?
                                                  AND whine_queries.query_name
                                                      = ?
457
                                      ', undef, $user->id, $qname);
458 459 460 461 462 463 464 465
        if (scalar(@$whines_in_use)) {
            ThrowUserError('saved_search_used_by_whines', 
                           { subjects    => join(',', @$whines_in_use),
                             search_name => $qname                      }
            );
        }

        # If we are here, then we can safely remove the saved search
466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483
        my ($query_id) = $dbh->selectrow_array('SELECT id FROM namedqueries
                                                    WHERE userid = ?
                                                      AND name   = ?',
                                                  undef, ($user->id, $qname));
        if (!$query_id) {
            # The user has no query of this name. Play along.
        }
        else {
            $dbh->do('DELETE FROM namedqueries
                            WHERE id = ?',
                     undef, $query_id);
            $dbh->do('DELETE FROM namedqueries_link_in_footer
                            WHERE namedquery_id = ?',
                     undef, $query_id);
            $dbh->do('DELETE FROM namedquery_group_map
                            WHERE namedquery_id = ?',
                     undef, $query_id);
        }
484 485

        # Now reset the cached queries
486
        $user->flush_queries_cache();
487

488
        print $cgi->header();
489
        # Generate and return the UI (HTML page) from the appropriate template.
490
        $vars->{'message'} = "buglist_query_gone";
491
        $vars->{'namedcmd'} = $qname;
492 493
        $vars->{'url'} = "query.cgi";
        $template->process("global/message.html.tmpl", $vars)
494
          || ThrowTemplateError($template->error());
495
        exit;
496 497
    }
}
498 499
elsif (($cgi->param('cmdtype') eq "doit") && defined $cgi->param('remtype')) {
    if ($cgi->param('remtype') eq "asdefault") {
500
        my $user = Bugzilla->login(LOGIN_REQUIRED);
501
        InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer);
502
        $vars->{'message'} = "buglist_new_default_query";
503
    }
504
    elsif ($cgi->param('remtype') eq "asnamed") {
505
        my $user = Bugzilla->login(LOGIN_REQUIRED);
506
        my $query_name = $cgi->param('newqueryname');
507 508
        my $new_query = $cgi->param('newquery');
        my $query_type = QUERY_LIST;
509 510 511 512 513 514 515 516 517 518 519 520 521
        # If list_of_bugs is true, we are adding/removing individual bugs
        # to a saved search. We get the existing list of bug IDs (if any)
        # and add/remove the passed ones.
        if ($cgi->param('list_of_bugs')) {
            # We add or remove bugs based on the action choosen.
            my $action = trim($cgi->param('action') || '');
            $action =~ /^(add|remove)$/
              || ThrowCodeError('unknown_action', {'action' => $action});

            # If we are removing bugs, then we must have an existing
            # saved search selected.
            if ($action eq 'remove') {
                $query_name && ThrowUserError('no_bugs_to_remove');
522 523
            }

524
            my %bug_ids;
525
            my $is_new_name = 0;
526 527 528 529 530
            if ($query_name) {
                # Make sure this name is not already in use by a normal saved search.
                if (LookupNamedQuery($query_name, undef, QUERY_LIST, !THROW_ERROR)) {
                    ThrowUserError('query_name_exists', {'name' => $query_name});
                }
531
                $is_new_name = 1;
532
            }
533 534 535 536 537 538 539 540
            # If no new tag name has been given, use the selected one.
            $query_name ||= $cgi->param('oldqueryname');

            # Don't throw an error if it's a new tag name: if the tag already
            # exists, add/remove bugs to it, else create it. But if we are
            # considering an existing tag, then it has to exist and we throw
            # an error if it doesn't (hence the usage of !$is_new_name).
            if (my $old_query = LookupNamedQuery($query_name, undef, LIST_OF_BUGS, !$is_new_name)) {
541 542 543
                # We get the encoded query. We need to decode it.
                my $old_cgi = new Bugzilla::CGI($old_query);
                foreach my $bug_id (split /[\s,]+/, scalar $old_cgi->param('bug_id')) {
544 545 546
                    $bug_ids{$bug_id} = 1 if detaint_natural($bug_id);
                }
            }
547 548 549 550 551 552 553 554 555

            my $keep_bug = ($action eq 'add') ? 1 : 0;
            my $changes = 0;
            foreach my $bug_id (split(/[\s,]+/, $cgi->param('bug_ids'))) {
                next unless $bug_id;
                ValidateBugID($bug_id);
                $bug_ids{$bug_id} = $keep_bug;
                $changes = 1;
            }
556 557 558 559
            ThrowUserError('no_bug_ids',
                           {'action' => $action,
                            'tag' => $query_name})
              unless $changes;
560 561 562 563

            # Only keep bug IDs we want to add/keep. Disregard deleted ones.
            my @bug_ids = grep { $bug_ids{$_} == 1 } keys %bug_ids;
            # If the list is now empty, we could as well delete it completely.
564
            ThrowUserError('no_bugs_in_list', {'tag' => $query_name})
565 566 567
              unless scalar(@bug_ids);

            $new_query = "bug_id=" . join(',', sort {$a <=> $b} @bug_ids);
568 569
            $query_type = LIST_OF_BUGS;
        }
570
        my $tofooter = 1;
571
        my $existed_before = InsertNamedQuery($query_name, $new_query,
572
                                              $tofooter, $query_type);
573
        if ($existed_before) {
574 575
            $vars->{'message'} = "buglist_updated_named_query";
        }
576
        else {
577
            $vars->{'message'} = "buglist_new_named_query";
578
        }
579 580 581

        # Make sure to invalidate any cached query data, so that the footer is
        # correctly displayed
582
        $user->flush_queries_cache();
583

584
        $vars->{'queryname'} = $query_name;
585
        
586
        print $cgi->header();
587 588 589
        $template->process("global/message.html.tmpl", $vars)
          || ThrowTemplateError($template->error());
        exit;
590
    }
terry%netscape.com's avatar
terry%netscape.com committed
591 592
}

593 594 595 596 597
# backward compatibility hack: if the saved query doesn't say which
# form was used to create it, assume it was on the advanced query
# form - see bug 252295
if (!$params->param('query_format')) {
    $params->param('query_format', 'advanced');
598
    $buffer = $params->query_string;
599
}
terry%netscape.com's avatar
terry%netscape.com committed
600

601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617
################################################################################
# Column Definition
################################################################################

# Define the columns that can be selected in a query and/or displayed in a bug
# list.  Column records include the following fields:
#
# 1. ID: a unique identifier by which the column is referred in code;
#
# 2. Name: The name of the column in the database (may also be an expression
#          that returns the value of the column);
#
# 3. Title: The title of the column as displayed to users.
# 
# Note: There are a few hacks in the code that deviate from these definitions.
#       In particular, when the list is sorted by the "votes" field the word 
#       "DESC" is added to the end of the field to sort in descending order, 
618
#       and the redundant short_desc column is removed when the client
619
#       requests "all" columns.
620 621
# Note: For column names using aliasing (SQL "<field> AS <alias>"), the column
#       ID needs to be identical to the field ID for list ordering to work.
622

623
local our $columns = {};
624 625 626
sub DefineColumn {
    my ($id, $name, $title) = @_;
    $columns->{$id} = { 'name' => $name , 'title' => $title };
627
}
628

629
# Column:     ID                    Name                           Title
630
DefineColumn("bug_id"            , "bugs.bug_id"                , "ID"               );
631
DefineColumn("alias"             , "bugs.alias"                 , "Alias"            );
632 633
DefineColumn("opendate"          , "bugs.creation_ts"           , "Opened"           );
DefineColumn("changeddate"       , "bugs.delta_ts"              , "Changed"          );
634
DefineColumn("bug_severity"      , "bugs.bug_severity"          , "Severity"         );
635
DefineColumn("priority"          , "bugs.priority"              , "Priority"         );
636 637
DefineColumn("rep_platform"      , "bugs.rep_platform"          , "Hardware"         );
DefineColumn("assigned_to"       , "map_assigned_to.login_name" , "Assignee"         );
638 639
DefineColumn("reporter"          , "map_reporter.login_name"    , "Reporter"         );
DefineColumn("qa_contact"        , "map_qa_contact.login_name"  , "QA Contact"       );
640
if ($format->{'extension'} eq 'html') {
641 642 643
    DefineColumn("assigned_to_realname", "CASE WHEN map_assigned_to.realname = '' THEN map_assigned_to.login_name ELSE map_assigned_to.realname END AS assigned_to_realname", "Assignee"  );
    DefineColumn("reporter_realname"   , "CASE WHEN map_reporter.realname    = '' THEN map_reporter.login_name    ELSE map_reporter.realname    END AS reporter_realname"   , "Reporter"  );
    DefineColumn("qa_contact_realname" , "CASE WHEN map_qa_contact.realname  = '' THEN map_qa_contact.login_name  ELSE map_qa_contact.realname  END AS qa_contact_realname" , "QA Contact");
644
} else {
645 646 647
    DefineColumn("assigned_to_realname", "map_assigned_to.realname AS assigned_to_realname", "Assignee"  );
    DefineColumn("reporter_realname"   , "map_reporter.realname AS reporter_realname"      , "Reporter"  );
    DefineColumn("qa_contact_realname" , "map_qa_contact.realname AS qa_contact_realname"  , "QA Contact");
648
}
649
DefineColumn("bug_status"        , "bugs.bug_status"            , "Status"           );
650
DefineColumn("resolution"        , "bugs.resolution"            , "Resolution"       );
651 652
DefineColumn("short_short_desc"  , "bugs.short_desc"            , "Summary"          );
DefineColumn("short_desc"        , "bugs.short_desc"            , "Summary"          );
653
DefineColumn("status_whiteboard" , "bugs.status_whiteboard"     , "Whiteboard"       );
654 655
DefineColumn("component"         , "map_components.name"        , "Component"        );
DefineColumn("product"           , "map_products.name"          , "Product"          );
656
DefineColumn("classification"    , "map_classifications.name"   , "Classification"   );
657
DefineColumn("version"           , "bugs.version"               , "Version"          );
658
DefineColumn("op_sys"            , "bugs.op_sys"                , "OS"               );
659 660 661
DefineColumn("target_milestone"  , "bugs.target_milestone"      , "Target Milestone" );
DefineColumn("votes"             , "bugs.votes"                 , "Votes"            );
DefineColumn("keywords"          , "bugs.keywords"              , "Keywords"         );
662 663 664
DefineColumn("estimated_time"    , "bugs.estimated_time"        , "Estimated Hours"  );
DefineColumn("remaining_time"    , "bugs.remaining_time"        , "Remaining Hours"  );
DefineColumn("actual_time"       , "(SUM(ldtime.work_time)*COUNT(DISTINCT ldtime.bug_when)/COUNT(bugs.bug_id)) AS actual_time", "Actual Hours");
665 666 667 668 669 670 671
DefineColumn("percentage_complete",
    "(CASE WHEN (SUM(ldtime.work_time)*COUNT(DISTINCT ldtime.bug_when)/COUNT(bugs.bug_id)) " .
    "            + bugs.remaining_time = 0.0 " .
    "THEN 0.0 " .
    "ELSE 100*((SUM(ldtime.work_time)*COUNT(DISTINCT ldtime.bug_when)/COUNT(bugs.bug_id)) " .
    "     /((SUM(ldtime.work_time)*COUNT(DISTINCT ldtime.bug_when)/COUNT(bugs.bug_id)) + bugs.remaining_time)) " .
    "END) AS percentage_complete"                               , "% Complete"); 
672
DefineColumn("relevance"         , "relevance"                  , "Relevance"        );
673
DefineColumn("deadline"          , $dbh->sql_date_format('bugs.deadline', '%Y-%m-%d') . " AS deadline", "Deadline");
674

675 676 677 678
foreach my $field (Bugzilla->get_fields({ custom => 1, obsolete => 0})) {
    DefineColumn($field->name, 'bugs.' . $field->name, $field->description);
}

679 680 681 682 683 684 685
################################################################################
# Display Column Determination
################################################################################

# Determine the columns that will be displayed in the bug list via the 
# columnlist CGI parameter, the user's preferences, or the default.
my @displaycolumns = ();
686 687
if (defined $params->param('columnlist')) {
    if ($params->param('columnlist') eq "all") {
688
        # If the value of the CGI parameter is "all", display all columns,
689 690
        # but remove the redundant "short_desc" column.
        @displaycolumns = grep($_ ne 'short_desc', keys(%$columns));
terry%netscape.com's avatar
terry%netscape.com committed
691
    }
692
    else {
693
        @displaycolumns = split(/[ ,]+/, $params->param('columnlist'));
694
    }
terry%netscape.com's avatar
terry%netscape.com committed
695
}
696
elsif (defined $cgi->cookie('COLUMNLIST')) {
697
    # 2002-10-31 Rename column names (see bug 176461)
698
    my $columnlist = $cgi->cookie('COLUMNLIST');
699 700 701 702 703 704 705
    $columnlist =~ s/\bowner\b/assigned_to/;
    $columnlist =~ s/\bowner_realname\b/assigned_to_realname/;
    $columnlist =~ s/\bplatform\b/rep_platform/;
    $columnlist =~ s/\bseverity\b/bug_severity/;
    $columnlist =~ s/\bstatus\b/bug_status/;
    $columnlist =~ s/\bsummaryfull\b/short_desc/;
    $columnlist =~ s/\bsummary\b/short_short_desc/;
706

707
    # Use the columns listed in the user's preferences.
708
    @displaycolumns = split(/ /, $columnlist);
terry%netscape.com's avatar
terry%netscape.com committed
709
}
710 711
else {
    # Use the default list of columns.
712
    @displaycolumns = DEFAULT_COLUMN_LIST;
713 714
}

715 716 717 718
# Weed out columns that don't actually exist to prevent the user 
# from hacking their column list cookie to grab data to which they 
# should not have access.  Detaint the data along the way.
@displaycolumns = grep($columns->{$_} && trick_taint($_), @displaycolumns);
719

720 721
# Remove the "ID" column from the list because bug IDs are always displayed
# and are hard-coded into the display templates.
722
@displaycolumns = grep($_ ne 'bug_id', @displaycolumns);
terry%netscape.com's avatar
terry%netscape.com committed
723

724 725 726
# Add the votes column to the list of columns to be displayed
# in the bug list if the user is searching for bugs with a certain
# number of votes and the votes column is not already on the list.
727 728

# Some versions of perl will taint 'votes' if this is done as a single
729 730 731 732
# statement, because the votes param is tainted at this point
my $votes = $params->param('votes');
$votes ||= "";
if (trim($votes) && !grep($_ eq 'votes', @displaycolumns)) {
733 734
    push(@displaycolumns, 'votes');
}
terry%netscape.com's avatar
terry%netscape.com committed
735

736 737
# Remove the timetracking columns if they are not a part of the group
# (happens if a user had access to time tracking and it was revoked/disabled)
738
if (!Bugzilla->user->in_group(Bugzilla->params->{"timetrackinggroup"})) {
739 740 741 742
   @displaycolumns = grep($_ ne 'estimated_time', @displaycolumns);
   @displaycolumns = grep($_ ne 'remaining_time', @displaycolumns);
   @displaycolumns = grep($_ ne 'actual_time', @displaycolumns);
   @displaycolumns = grep($_ ne 'percentage_complete', @displaycolumns);
743
   @displaycolumns = grep($_ ne 'deadline', @displaycolumns);
744
}
terry%netscape.com's avatar
terry%netscape.com committed
745

746 747 748 749 750 751
# Remove the relevance column if the user is not doing a fulltext search.
if (grep('relevance', @displaycolumns) && !$fulltext) {
    @displaycolumns = grep($_ ne 'relevance', @displaycolumns);
}


752 753 754
################################################################################
# Select Column Determination
################################################################################
terry%netscape.com's avatar
terry%netscape.com committed
755

756
# Generate the list of columns that will be selected in the SQL query.
terry%netscape.com's avatar
terry%netscape.com committed
757

758
# The bug ID is always selected because bug IDs are always displayed.
759 760 761 762
# Severity, priority, resolution and status are required for buglist
# CSS classes.
my @selectcolumns = ("bug_id", "bug_severity", "priority", "bug_status",
                     "resolution");
763

764
# if using classification, we also need to look in product.classification_id
765
if (Bugzilla->params->{"useclassification"}) {
766 767 768
    push (@selectcolumns,"product");
}

769
# remaining and actual_time are required for percentage_complete calculation:
770
if (lsearch(\@displaycolumns, "percentage_complete") >= 0) {
771 772 773 774
    push (@selectcolumns, "remaining_time");
    push (@selectcolumns, "actual_time");
}

775 776
# Display columns are selected because otherwise we could not display them.
push (@selectcolumns, @displaycolumns);
terry%netscape.com's avatar
terry%netscape.com committed
777

778 779 780 781 782
# If the user is editing multiple bugs, we also make sure to select the product
# and status because the values of those fields determine what options the user
# has for modifying the bugs.
if ($dotweak) {
    push(@selectcolumns, "product") if !grep($_ eq 'product', @selectcolumns);
783
    push(@selectcolumns, "bug_status") if !grep($_ eq 'bug_status', @selectcolumns);
784 785
}

786 787 788
if ($format->{'extension'} eq 'ics') {
    push(@selectcolumns, "opendate") if !grep($_ eq 'opendate', @selectcolumns);
}
789

790 791
if ($format->{'extension'} eq 'atom') {
    # The title of the Atom feed will be the same one as for the bug list.
792 793
    $vars->{'title'} = $cgi->param('title');

794 795
    # This is the list of fields that are needed by the Atom filter.
    my @required_atom_columns = (
796 797 798 799 800 801 802
      'short_desc',
      'opendate',
      'changeddate',
      'reporter_realname',
      'priority',
      'bug_severity',
      'assigned_to_realname',
803 804 805 806
      'bug_status',
      'product',
      'component',
      'resolution'
807
    );
808
    push(@required_atom_columns, 'target_milestone') if Bugzilla->params->{'usetargetmilestone'};
809

810
    foreach my $required (@required_atom_columns) {
811 812 813 814
        push(@selectcolumns, $required) if !grep($_ eq $required,@selectcolumns);
    }
}

815 816 817
################################################################################
# Query Generation
################################################################################
terry%netscape.com's avatar
terry%netscape.com committed
818

819 820
# Convert the list of columns being selected into a list of column names.
my @selectnames = map($columns->{$_}->{'name'}, @selectcolumns);
821

822 823 824 825
# Remove columns with no names, such as percentage_complete
#  (or a removed *_time column due to permissions)
@selectnames = grep($_ ne '', @selectnames);

826 827 828
################################################################################
# Sort Order Determination
################################################################################
829

830
# Add to the query some instructions for sorting the bug list.
831 832 833 834 835 836

# First check if we'll want to reuse the last sorting order; that happens if
# the order is not defined or its value is "reuse last sort"
if (!$order || $order =~ /^reuse/i) {
    if ($cgi->cookie('LASTORDER')) {
        $order = $cgi->cookie('LASTORDER');
837 838 839 840 841
       
        # Cookies from early versions of Specific Search included this text,
        # which is now invalid.
        $order =~ s/ LIMIT 200//;
        
842 843 844 845 846
        $order_from_cookie = 1;
    }
    else {
        $order = '';  # Remove possible "reuse" identifier as unnecessary
    }
847
}
848

849
my $db_order = "";  # Modified version of $order for use with SQL query
850 851 852 853
if ($order) {
    # Convert the value of the "order" form field into a list of columns
    # by which to sort the results.
    ORDER: for ($order) {
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871
        /^Bug Number$/ && do {
            $order = "bugs.bug_id";
            last ORDER;
        };
        /^Importance$/ && do {
            $order = "bugs.priority, bugs.bug_severity";
            last ORDER;
        };
        /^Assignee$/ && do {
            $order = "map_assigned_to.login_name, bugs.bug_status, bugs.priority, bugs.bug_id";
            last ORDER;
        };
        /^Last Changed$/ && do {
            $order = "bugs.delta_ts, bugs.bug_status, bugs.priority, map_assigned_to.login_name, bugs.bug_id";
            last ORDER;
        };
        do {
            my @order;
872
            my @columnnames = map($columns->{lc($_)}->{'name'}, keys(%$columns));
873
            # A custom list of columns.  Make sure each column is valid.
874 875
            foreach my $fragment (split(/,/, $order)) {
                $fragment = trim($fragment);
876
                next unless $fragment;
877 878
                # Accept an order fragment matching a column name, with
                # asc|desc optionally following (to specify the direction)
879
                if (grep($fragment =~ /^\Q$_\E(\s+(asc|desc))?$/, @columnnames, keys(%$columns))) {
880 881 882 883
                    next if $fragment =~ /\brelevance\b/ && !$fulltext;
                    push(@order, $fragment);
                }
                else {
884
                    my $vars = { fragment => $fragment };
885
                    if ($order_from_cookie) {
886
                        $cgi->remove_cookie('LASTORDER');
887
                        ThrowCodeError("invalid_column_name_cookie", $vars);
888 889
                    }
                    else {
890
                        ThrowCodeError("invalid_column_name_form", $vars);
891
                    }
892 893
                }
            }
894
            $order = join(",", @order);
895 896
            # Now that we have checked that all columns in the order are valid,
            # detaint the order string.
897
            trick_taint($order) if $order;
898
        };
terry%netscape.com's avatar
terry%netscape.com committed
899
    }
900
}
901 902

if (!$order) {
903 904 905
    # DEFAULT
    $order = "bugs.bug_status, bugs.priority, map_assigned_to.login_name, bugs.bug_id";
}
906

907
# Make sure ORDER BY columns are included in the field list.
908 909 910 911 912 913
foreach my $fragment (split(/,/, $order)) {
    $fragment = trim($fragment);
    if (!grep($fragment =~ /^\Q$_\E(\s+(asc|desc))?$/, @selectnames)) {
        # Add order columns to selectnames
        # The fragment has already been validated
        $fragment =~ s/\s+(asc|desc)$//;
914 915 916 917

        # While newer fragments contain IDs for aliased columns, older
        # LASTORDER cookies (or bookmarks) may contain full names.
        # Convert them to an ID here.
918
        if ($fragment =~ / AS (\w+)/) {
919
            $fragment = $1;
920
        }
921 922 923 924 925 926 927

        $fragment =~ tr/a-zA-Z\.0-9\-_//cd;

        # If the order fragment is an ID, we need its corresponding name
        # to be in the field list.
        if (exists($columns->{$fragment})) {
            $fragment = $columns->{$fragment}->{'name'};
928
        }
929

930 931 932
        push @selectnames, $fragment;
    }
}
933

934
$db_order = $order;  # Copy $order into $db_order for use with SQL query
935

936 937 938 939 940 941 942 943
# If we are sorting by votes, sort in descending order if no explicit
# sort order was given
$db_order =~ s/bugs.votes\s*(,|$)/bugs.votes desc$1/i;
                             
# the 'actual_time' field is defined as an aggregate function, but 
# for order we just need the column name 'actual_time'
my $aggregate_search = quotemeta($columns->{'actual_time'}->{'name'});
$db_order =~ s/$aggregate_search/actual_time/g;
944

945 946 947
# the 'percentage_complete' field is defined as an aggregate too
$aggregate_search = quotemeta($columns->{'percentage_complete'}->{'name'});
$db_order =~ s/$aggregate_search/percentage_complete/g;
948

949 950 951
# Now put $db_order into a format that Bugzilla::Search can use.
# (We create $db_order as a string first because that's the way
# we did it before Bugzilla::Search took an "order" argument.)
952
my @orderstrings = split(/,\s*/, $db_order);
953

954 955
# Generate the basic SQL query that will be used to generate the bug list.
my $search = new Bugzilla::Search('fields' => \@selectnames, 
956 957
                                  'params' => $params,
                                  'order' => \@orderstrings);
958 959
my $query = $search->getSQL();

960 961 962 963 964
if (defined $cgi->param('limit')) {
    my $limit = $cgi->param('limit');
    if (detaint_natural($limit)) {
        $query .= " " . $dbh->sql_limit($limit);
    }
965 966
}
elsif ($fulltext) {
967
    $query .= " " . $dbh->sql_limit(FULLTEXT_BUGLIST_LIMIT);
968
    $vars->{'sorted_by_relevance'} = 1;
969 970
}

971

972 973 974
################################################################################
# Query Execution
################################################################################
975

976
if ($cgi->param('debug')) {
977 978
    $vars->{'debug'} = 1;
    $vars->{'query'} = $query;
979
    $vars->{'debugdata'} = $search->getDebugData();
980 981
}

982 983 984
# Time to use server push to display an interim message to the user until
# the query completes and we can display the bug list.
if ($serverpush) {
985 986
    print $cgi->multipart_init();
    print $cgi->multipart_start(-type => 'text/html');
987

988
    # Generate and return the UI (HTML page) from the appropriate template.
989 990
    $template->process("list/server-push.html.tmpl", $vars)
      || ThrowTemplateError($template->error());
991

992 993 994 995 996 997
    # Under mod_perl, flush stdout so that the page actually shows up.
    if ($ENV{MOD_PERL}) {
        require Apache2::RequestUtil;
        Apache2::RequestUtil->request->rflush();
    }

998 999 1000
    # Don't do multipart_end() until we're ready to display the replacement
    # page, otherwise any errors that happen before then (like SQL errors)
    # will result in a blank page being shown to the user instead of the error.
terry%netscape.com's avatar
terry%netscape.com committed
1001 1002
}

1003 1004
# Connect to the shadow database if this installation is using one to improve
# query performance.
1005
$dbh = Bugzilla->switch_to_shadow_db();
terry%netscape.com's avatar
terry%netscape.com committed
1006

1007
# Normally, we ignore SIGTERM and SIGPIPE, but we need to
1008 1009 1010 1011 1012
# respond to them here to prevent someone DOSing us by reloading a query
# a large number of times.
$::SIG{TERM} = 'DEFAULT';
$::SIG{PIPE} = 'DEFAULT';

1013
# Execute the query.
1014 1015
my $buglist_sth = $dbh->prepare($query);
$buglist_sth->execute();
1016

terry%netscape.com's avatar
terry%netscape.com committed
1017

1018 1019 1020
################################################################################
# Results Retrieval
################################################################################
terry%netscape.com's avatar
terry%netscape.com committed
1021

1022 1023
# Retrieve the query results one row at a time and write the data into a list
# of Perl records.
terry%netscape.com's avatar
terry%netscape.com committed
1024

1025 1026 1027
my $bugowners = {};
my $bugproducts = {};
my $bugstatuses = {};
1028
my @bugidlist;
terry%netscape.com's avatar
terry%netscape.com committed
1029

1030
my @bugs; # the list of records
1031

1032
while (my @row = $buglist_sth->fetchrow_array()) {
1033
    my $bug = {}; # a record
1034

1035
    # Slurp the row of data into the record.
1036 1037
    # The second from last column in the record is the number of groups
    # to which the bug is restricted.
1038
    foreach my $column (@selectcolumns) {
1039
        $bug->{$column} = shift @row;
1040
    }
terry%netscape.com's avatar
terry%netscape.com committed
1041

1042 1043 1044
    # Process certain values further (i.e. date format conversion).
    if ($bug->{'changeddate'}) {
        $bug->{'changeddate'} =~ 
1045
            s/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/$1-$2-$3 $4:$5:$6/;
1046 1047

        # Put in the change date as a time, so that the template date plugin
1048
        # can format the date in any way needed by the template. ICS and Atom
1049
        # have specific, and different, date and time formatting.
1050
        $bug->{'changedtime'} = str2time($bug->{'changeddate'}, Bugzilla->params->{'timezone'});
1051
        $bug->{'changeddate'} = DiffDate($bug->{'changeddate'});        
1052 1053 1054
    }

    if ($bug->{'opendate'}) {
1055
        # Put in the open date as a time for the template date plugin.
1056
        $bug->{'opentime'} = str2time($bug->{'opendate'}, Bugzilla->params->{'timezone'});
1057
        $bug->{'opendate'} = DiffDate($bug->{'opendate'});
1058
    }
terry%netscape.com's avatar
terry%netscape.com committed
1059

1060
    # Record the assignee, product, and status in the big hashes of those things.
1061
    $bugowners->{$bug->{'assigned_to'}} = 1 if $bug->{'assigned_to'};
1062
    $bugproducts->{$bug->{'product'}} = 1 if $bug->{'product'};
1063
    $bugstatuses->{$bug->{'bug_status'}} = 1 if $bug->{'bug_status'};
terry%netscape.com's avatar
terry%netscape.com committed
1064

1065
    $bug->{'secure_mode'} = undef;
1066

1067 1068
    # Add the record to the list.
    push(@bugs, $bug);
1069 1070

    # Add id to list for checking for bug privacy later
1071
    push(@bugidlist, $bug->{'bug_id'});
1072 1073
}

1074 1075 1076 1077
# Check for bug privacy and set $bug->{'secure_mode'} to 'implied' or 'manual'
# based on whether the privacy is simply product implied (by mandatory groups)
# or because of human choice
my %min_membercontrol;
1078
if (@bugidlist) {
1079
    my $sth = $dbh->prepare(
1080 1081 1082 1083 1084 1085 1086 1087
        "SELECT DISTINCT bugs.bug_id, MIN(group_control_map.membercontrol) " .
          "FROM bugs " .
    "INNER JOIN bug_group_map " .
            "ON bugs.bug_id = bug_group_map.bug_id " .
     "LEFT JOIN group_control_map " .
            "ON group_control_map.product_id = bugs.product_id " .
           "AND group_control_map.group_id = bug_group_map.group_id " .
         "WHERE bugs.bug_id IN (" . join(',',@bugidlist) . ") " .
1088
            $dbh->sql_group_by('bugs.bug_id'));
1089 1090
    $sth->execute();
    while (my ($bug_id, $min_membercontrol) = $sth->fetchrow_array()) {
1091
        $min_membercontrol{$bug_id} = $min_membercontrol || CONTROLMAPNA;
1092 1093
    }
    foreach my $bug (@bugs) {
1094
        next unless defined($min_membercontrol{$bug->{'bug_id'}});
1095
        if ($min_membercontrol{$bug->{'bug_id'}} == CONTROLMAPMANDATORY) {
1096
            $bug->{'secure_mode'} = 'implied';
1097
        }
1098 1099 1100
        else {
            $bug->{'secure_mode'} = 'manual';
        }
1101 1102
    }
}
1103

1104 1105 1106
################################################################################
# Template Variable Definition
################################################################################
1107

1108
# Define the variables and functions that will be passed to the UI template.
1109

1110
$vars->{'bugs'} = \@bugs;
1111
$vars->{'buglist'} = \@bugidlist;
1112
$vars->{'buglist_joined'} = join(',', @bugidlist);
1113 1114
$vars->{'columns'} = $columns;
$vars->{'displaycolumns'} = \@displaycolumns;
1115

1116
$vars->{'openstates'} = [BUG_STATE_OPEN];
1117
$vars->{'closedstates'} = [map {$_->name} closed_bug_statuses()];
1118

1119 1120 1121
# The list of query fields in URL query string format, used when creating
# URLs to the same query results page with different parameters (such as
# a different sort order or when taking some action on the set of query
1122 1123 1124 1125 1126
# results).  To get this string, we call the Bugzilla::CGI::canoncalise_query
# function with a list of elements to be removed from the URL.
$vars->{'urlquerypart'} = $params->canonicalise_query('order',
                                                      'cmdtype',
                                                      'query_based_on');
1127
$vars->{'order'} = $order;
1128
$vars->{'caneditbugs'} = Bugzilla->user->in_group('editbugs');
terry%netscape.com's avatar
terry%netscape.com committed
1129

1130
my @bugowners = keys %$bugowners;
1131
if (scalar(@bugowners) > 1 && Bugzilla->user->in_group('editbugs')) {
1132
    my $suffix = Bugzilla->params->{'emailsuffix'};
1133 1134 1135
    map(s/$/$suffix/, @bugowners) if $suffix;
    my $bugowners = join(",", @bugowners);
    $vars->{'bugowners'} = $bugowners;
terry%netscape.com's avatar
terry%netscape.com committed
1136 1137
}

1138 1139
# Whether or not to split the column titles across two rows to make
# the list more compact.
1140
$vars->{'splitheader'} = $cgi->cookie('SPLITHEADER') ? 1 : 0;
terry%netscape.com's avatar
terry%netscape.com committed
1141

1142
$vars->{'quip'} = GetQuip();
1143
$vars->{'currenttime'} = time();
1144 1145

# The following variables are used when the user is making changes to multiple bugs.
1146
if ($dotweak) {
1147
    $vars->{'dotweak'} = 1;
1148
    $vars->{'valid_keywords'} = [map($_->name, Bugzilla::Keyword->get_all)];
1149
    $vars->{'use_keywords'} = 1 if Bugzilla::Keyword::keyword_count();
1150

1151
    $vars->{'products'} = Bugzilla->user->get_enterable_products;
1152 1153 1154 1155 1156
    $vars->{'platforms'} = get_legal_field_values('rep_platform');
    $vars->{'op_sys'} = get_legal_field_values('op_sys');
    $vars->{'priorities'} = get_legal_field_values('priority');
    $vars->{'severities'} = get_legal_field_values('bug_severity');
    $vars->{'resolutions'} = Bugzilla::Bug->settable_resolutions;
1157

1158
    $vars->{'unconfirmedstate'} = 'UNCONFIRMED';
1159

1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179
    # Convert bug statuses to their ID.
    my @bug_statuses = map {$dbh->quote($_)} keys %$bugstatuses;
    my $bug_status_ids =
      $dbh->selectcol_arrayref('SELECT id FROM bug_status
                                WHERE value IN (' . join(', ', @bug_statuses) .')');

    # This query collects new statuses which are common to all current bug statuses.
    # It also accepts transitions where the bug status doesn't change.
    $bug_status_ids =
      $dbh->selectcol_arrayref('SELECT DISTINCT new_status
                                FROM status_workflow sw1
                                WHERE NOT EXISTS (SELECT * FROM status_workflow sw2
                                                  WHERE sw2.old_status != sw1.new_status
                                                  AND sw2.old_status IN (' . join(', ', @$bug_status_ids) . ')
                                                  AND NOT EXISTS (SELECT * FROM status_workflow sw3
                                                                  WHERE sw3.new_status = sw1.new_status
                                                                  AND sw3.old_status = sw2.old_status))');

    $vars->{'current_bug_statuses'} = [keys %$bugstatuses];
    $vars->{'new_bug_statuses'} = Bugzilla::Status->new_from_list($bug_status_ids);
1180 1181 1182 1183

    # The groups the user belongs to and which are editable for the given buglist.
    my @products = keys %$bugproducts;
    $vars->{'groups'} = GetGroups(\@products);
1184 1185 1186 1187 1188

    # If all bugs being changed are in the same product, the user can change
    # their version and component, so generate a list of products, a list of
    # versions for the product (if there is only one product on the list of
    # products), and a list of components for the product.
1189 1190
    if (scalar(@products) == 1) {
        my $product = new Bugzilla::Product({name => $products[0]});
1191 1192 1193
        $vars->{'versions'} = [map($_->name ,@{$product->versions})];
        $vars->{'components'} = [map($_->name, @{$product->components})];
        $vars->{'targetmilestones'} = [map($_->name, @{$product->milestones})]
1194
            if Bugzilla->params->{'usetargetmilestone'};
terry%netscape.com's avatar
terry%netscape.com committed
1195 1196
    }
}
1197

1198 1199 1200 1201
# If we're editing a stored query, use the existing query name as default for
# the "Remember search as" field.
$vars->{'defaultsavename'} = $cgi->param('query_based_on');

1202

1203 1204 1205
################################################################################
# HTTP Header Generation
################################################################################
1206

1207
# Generate HTTP headers
terry%netscape.com's avatar
terry%netscape.com committed
1208

1209
my $contenttype;
1210
my $disposition = "inline";
terry%netscape.com's avatar
terry%netscape.com committed
1211

1212
if ($format->{'extension'} eq "html" && !$agent) {
1213
    if ($order) {
1214
        $cgi->send_cookie(-name => 'LASTORDER',
1215
                          -value => $order,
1216
                          -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
1217
    }
1218
    my $bugids = join(":", @bugidlist);
1219
    # See also Bug 111999
1220 1221 1222 1223
    if (length($bugids) == 0) {
        $cgi->remove_cookie('BUGLIST');
    }
    elsif (length($bugids) < 4000) {
1224 1225 1226
        $cgi->send_cookie(-name => 'BUGLIST',
                          -value => $bugids,
                          -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
1227
    }
1228
    else {
1229
        $cgi->remove_cookie('BUGLIST');
1230
        $vars->{'toolong'} = 1;
terry%netscape.com's avatar
terry%netscape.com committed
1231
    }
1232 1233

    $contenttype = "text/html";
1234 1235
}
else {
1236
    $contenttype = $format->{'ctype'};
terry%netscape.com's avatar
terry%netscape.com committed
1237 1238
}

1239 1240 1241
if ($format->{'extension'} eq "csv") {
    # We set CSV files to be downloaded, as they are designed for importing
    # into other programs.
1242
    $disposition = "attachment";
1243 1244
}

1245 1246 1247
# Suggest a name for the bug list if the user wants to save it as a file.
$disposition .= "; filename=\"$filename\"";

1248
if ($serverpush) {
1249
    # Close the "please wait" page, then open the buglist page
1250
    print $cgi->multipart_end();
1251 1252 1253 1254 1255 1256
    print $cgi->multipart_start(-type                => $contenttype,
                                -content_disposition => $disposition);
}
else {
    print $cgi->header(-type                => $contenttype,
                       -content_disposition => $disposition);
1257
}
terry%netscape.com's avatar
terry%netscape.com committed
1258

1259

1260 1261 1262
################################################################################
# Content Generation
################################################################################
1263

1264
# Generate and return the UI (HTML page) from the appropriate template.
1265
$template->process($format->{'template'}, $vars)
1266
  || ThrowTemplateError($template->error());
1267

1268

1269 1270 1271 1272
################################################################################
# Script Conclusion
################################################################################

1273
print $cgi->multipart_final() if $serverpush;