Commit 09bdfab6 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 284264: Move canSeeUser from editusers.cgi to User.pm - Patch by Marc…

Bug 284264: Move canSeeUser from editusers.cgi to User.pm - Patch by Marc Schumann <wurblzap@gmail.com> r=mkanat,joel a=justdave
parent e7d2b86c
...@@ -344,6 +344,29 @@ sub in_group { ...@@ -344,6 +344,29 @@ sub in_group {
return defined($res); return defined($res);
} }
sub can_see_user {
my ($self, $otherUser) = @_;
my $query;
if (Param('usevisibilitygroups')) {
# If the user can see no groups, then no users are visible either.
my $visibleGroups = $self->visible_groups_as_string() || return 0;
$query = qq{SELECT COUNT(DISTINCT userid)
FROM profiles, user_group_map
WHERE userid = ?
AND user_id = userid
AND isbless = 0
AND group_id IN ($visibleGroups)
};
} else {
$query = qq{SELECT COUNT(userid)
FROM profiles
WHERE userid = ?
};
}
return Bugzilla->dbh->selectrow_array($query, undef, $otherUser->id);
}
sub can_see_bug { sub can_see_bug {
my ($self, $bugid) = @_; my ($self, $bugid) = @_;
my $dbh = Bugzilla->dbh; my $dbh = Bugzilla->dbh;
...@@ -455,6 +478,11 @@ sub visible_groups_direct { ...@@ -455,6 +478,11 @@ sub visible_groups_direct {
return $self->{visible_groups_direct}; return $self->{visible_groups_direct};
} }
sub visible_groups_as_string {
my $self = shift;
return join(', ', @{$self->visible_groups_inherited()});
}
sub derive_groups { sub derive_groups {
my ($self, $already_locked) = @_; my ($self, $already_locked) = @_;
...@@ -1403,6 +1431,11 @@ are the names of the groups, whilst the values are the respective group ids. ...@@ -1403,6 +1431,11 @@ are the names of the groups, whilst the values are the respective group ids.
(This is so that a set of all groupids for groups the user can bless can be (This is so that a set of all groupids for groups the user can bless can be
obtained by C<values(%{$user-E<gt>bless_groups})>.) obtained by C<values(%{$user-E<gt>bless_groups})>.)
=item C<can_see_user(user)>
Returns 1 if the specified user account exists and is visible to the user,
0 otherwise.
=item C<can_see_bug(bug_id)> =item C<can_see_bug(bug_id)>
Determines if the user can see the specified bug. Determines if the user can see the specified bug.
...@@ -1446,6 +1479,11 @@ be have derived groups up-to-date to select the users meeting this criteria. ...@@ -1446,6 +1479,11 @@ be have derived groups up-to-date to select the users meeting this criteria.
Returns a list of groups that the user is aware of. Returns a list of groups that the user is aware of.
=item C<visible_groups_as_string>
Returns the result of C<visible_groups_direct> as a string (a comma-separated
list).
=begin undocumented =begin undocumented
This routine takes an optional argument. If true, then this routine will not This routine takes an optional argument. If true, then this routine will not
......
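Review bot: The POD added for `visible_groups_as_string` says it returns the result of `visible_groups_direct` as a string, but the method body calls `visible_groups_inherited()`, so the documentation and the code disagree; the editusers.cgi helper this method replaces used `visible_groups_direct`, so the switch to inherited groups is also a behaviour change the commit message does not mention. If inherited is intended, the POD line should read `Returns the result of C<visible_groups_inherited> as a string (a comma-separated list).`; otherwise the call should change. In `can_see_user`, `$visibleGroups` is interpolated directly into `group_id IN ($visibleGroups)`; the value is assembled from group ids returned by the user's own group lookups rather than from request input, and a short comment stating that invariant, e.g. `# $visibleGroups holds DB-sourced group ids only; never build it from caller input`, would keep a later edit from widening what gets interpolated. `can_see_user` also calls `$otherUser->id` without checking that it received a defined user object; the editusers.cgi callers validate `$otherUser` first, but the POD should state that contract so other callers do too.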
...@@ -84,7 +84,7 @@ if ($action eq 'search') { ...@@ -84,7 +84,7 @@ if ($action eq 'search') {
if (Param('usevisibilitygroups')) { if (Param('usevisibilitygroups')) {
# Show only users in visible groups. # Show only users in visible groups.
$visibleGroups = visibleGroupsAsString(); $visibleGroups = $user->visible_groups_as_string();
if ($visibleGroups) { if ($visibleGroups) {
$query .= qq{, user_group_map AS ugm $query .= qq{, user_group_map AS ugm
...@@ -183,9 +183,9 @@ if ($action eq 'search') { ...@@ -183,9 +183,9 @@ if ($action eq 'search') {
trick_taint($disabledtext); trick_taint($disabledtext);
insert_new_user($login, $realname, $password, $disabledtext); insert_new_user($login, $realname, $password, $disabledtext);
my $userid = $dbh->bz_last_key('profiles', 'userid'); $otherUserID = $dbh->bz_last_key('profiles', 'userid');
$dbh->bz_unlock_tables(); $dbh->bz_unlock_tables();
userDataToVars($userid); userDataToVars($otherUserID);
$vars->{'message'} = 'account_created'; $vars->{'message'} = 'account_created';
$template->process('admin/users/edit.html.tmpl', $vars) $template->process('admin/users/edit.html.tmpl', $vars)
...@@ -196,7 +196,7 @@ if ($action eq 'search') { ...@@ -196,7 +196,7 @@ if ($action eq 'search') {
$otherUser $otherUser
|| ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')}); || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
canSeeUser($otherUserID) $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible", || ThrowUserError('auth_failure', {reason => "not_visible",
action => "modify", action => "modify",
object => "user"}); object => "user"});
...@@ -227,7 +227,7 @@ if ($action eq 'search') { ...@@ -227,7 +227,7 @@ if ($action eq 'search') {
'group_group_map READ', 'group_group_map READ',
'group_group_map AS ggm READ'); 'group_group_map AS ggm READ');
canSeeUser($otherUserID) $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible", || ThrowUserError('auth_failure', {reason => "not_visible",
action => "modify", action => "modify",
object => "user"}); object => "user"});
...@@ -395,8 +395,8 @@ if ($action eq 'search') { ...@@ -395,8 +395,8 @@ if ($action eq 'search') {
$editusers || ThrowUserError('auth_failure', {group => "editusers", $editusers || ThrowUserError('auth_failure', {group => "editusers",
action => "delete", action => "delete",
object => "users"}); object => "users"});
canSeeUser($otherUserID) || ThrowUserError('auth_failure', $user->can_see_user($otherUser)
{reason => "not_visible", || ThrowUserError('auth_failure', {reason => "not_visible",
action => "delete", action => "delete",
object => "user"}); object => "user"});
...@@ -495,8 +495,8 @@ if ($action eq 'search') { ...@@ -495,8 +495,8 @@ if ($action eq 'search') {
{group => "editusers", {group => "editusers",
action => "delete", action => "delete",
object => "users"}); object => "users"});
canSeeUser($otherUserID) || ThrowUserError('auth_failure', $user->can_see_user($otherUser)
{reason => "not_visible", || ThrowUserError('auth_failure', {reason => "not_visible",
action => "delete", action => "delete",
object => "user"}); object => "user"});
@{$otherUser->product_responsibilities()} @{$otherUser->product_responsibilities()}
...@@ -597,11 +597,6 @@ sub mirrorListSelectionValues { ...@@ -597,11 +597,6 @@ sub mirrorListSelectionValues {
} }
} }
# Give a list of IDs of groups the user can see.
sub visibleGroupsAsString {
return join(', ', @{$user->visible_groups_direct()});
}
# Give a list of IDs of groups the user may bless. # Give a list of IDs of groups the user may bless.
sub groupsUserMayBless { sub groupsUserMayBless {
my $user = shift; my $user = shift;
...@@ -633,7 +628,7 @@ sub groupsUserMayBless { ...@@ -633,7 +628,7 @@ sub groupsUserMayBless {
# If visibilitygroups are used, restrict the set of groups. # If visibilitygroups are used, restrict the set of groups.
if (Param('usevisibilitygroups')) { if (Param('usevisibilitygroups')) {
# Users need to see a group in order to bless it. # Users need to see a group in order to bless it.
my $visibleGroups = visibleGroupsAsString() || return {}; my $visibleGroups = $user->visible_groups_as_string() || return {};
$query .= " $connector id in ($visibleGroups)"; $query .= " $connector id in ($visibleGroups)";
} }
...@@ -642,45 +637,18 @@ sub groupsUserMayBless { ...@@ -642,45 +637,18 @@ sub groupsUserMayBless {
return $dbh->selectall_arrayref($query, {'Slice' => {}}, @bindValues); return $dbh->selectall_arrayref($query, {'Slice' => {}}, @bindValues);
} }
# Determine whether the user can see a user. (Checks for existence, too.)
sub canSeeUser {
my $otherUserID = shift;
my $query;
if (Param('usevisibilitygroups')) {
# If the user can see no groups, then no users are visible either.
my $visibleGroups = visibleGroupsAsString() || return 0;
$query = qq{SELECT COUNT(DISTINCT userid)
FROM profiles, user_group_map
WHERE userid = ?
AND user_id = userid
AND isbless = 0
AND group_id IN ($visibleGroups)
};
} else {
$query = qq{SELECT COUNT(userid)
FROM profiles
WHERE userid = ?
};
}
return $dbh->selectrow_array($query, undef, $otherUserID);
}
# Retrieve user data for the user editing form. User creation and user # Retrieve user data for the user editing form. User creation and user
# editing code rely on this to call derive_groups(). # editing code rely on this to call derive_groups().
sub userDataToVars { sub userDataToVars {
my $userid = shift; my $otheruserid = shift;
my $user = new Bugzilla::User($userid); my $otheruser = new Bugzilla::User($otheruserid);
my $query; my $query;
my $dbh = Bugzilla->dbh; my $dbh = Bugzilla->dbh;
$user->derive_groups(); $otheruser->derive_groups();
$vars->{'otheruser'} = $user; $vars->{'otheruser'} = $otheruser;
$vars->{'groups'} = groupsUserMayBless($user, 'id', 'name', 'description'); $vars->{'groups'} = groupsUserMayBless($user, 'id', 'name', 'description');
$vars->{'disabledtext'} = $dbh->selectrow_array(
'SELECT disabledtext FROM profiles WHERE userid = ?', undef, $userid);
$vars->{'permissions'} = $dbh->selectall_hashref( $vars->{'permissions'} = $dbh->selectall_hashref(
qq{SELECT id, qq{SELECT id,
...@@ -711,10 +679,10 @@ sub userDataToVars { ...@@ -711,10 +679,10 @@ sub userDataToVars {
AND directbless.grant_type = ? AND directbless.grant_type = ?
} . $dbh->sql_group_by('id'), } . $dbh->sql_group_by('id'),
'id', undef, 'id', undef,
($userid, GRANT_DIRECT, ($otheruserid, GRANT_DIRECT,
$userid, GRANT_REGEXP, $otheruserid, GRANT_REGEXP,
$userid, GRANT_DERIVED, $otheruserid, GRANT_DERIVED,
$userid, GRANT_DIRECT)); $otheruserid, GRANT_DIRECT));
# Find indirect bless permission. # Find indirect bless permission.
$query = qq{SELECT groups.id $query = qq{SELECT groups.id
...@@ -725,7 +693,8 @@ sub userDataToVars { ...@@ -725,7 +693,8 @@ sub userDataToVars {
AND ugm.isbless = 0 AND ugm.isbless = 0
AND ggm.grant_type = ? AND ggm.grant_type = ?
} . $dbh->sql_group_by('id'); } . $dbh->sql_group_by('id');
foreach (@{$dbh->selectall_arrayref($query, undef, ($userid, GROUP_BLESS))}) { foreach (@{$dbh->selectall_arrayref($query, undef,
($otheruserid, GROUP_BLESS))}) {
# Merge indirect bless permissions into permission variable. # Merge indirect bless permissions into permission variable.
$vars->{'permissions'}{${$_}[0]}{'indirectbless'} = 1; $vars->{'permissions'}{${$_}[0]}{'indirectbless'} = 1;
} }
......
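Review bot: Renaming the lexical in `userDataToVars` from `$user` to `$otheruser` changes what `groupsUserMayBless($user, 'id', 'name', 'description')` receives: before the patch the lexical `$user` shadowed the outer variable, so the call got the object for the account being edited, and now it resolves to the outer `$user`, presumably the logged-in editor, whose declaration is not visible in this hunk. That is very likely the intended fix, since the bless candidates on the edit form should be the editor's, but it is a behaviour change the commit message does not mention and deserves a comment at the call, e.g. `# Bless candidates are those of the editing user, not of the user being edited.` The same rewritten line keeps the indirect-object form `new Bugzilla::User($otheruserid)`; `Bugzilla::User->new($otheruserid)` is the unambiguous spelling and costs nothing while the line is already being touched. The rest of `userDataToVars` lies outside this hunk.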