Commit 1d057f02 authored by's avatar

Bug 180635 - Enhance Bugzilla::User to store additional information

parent 3a843833
......@@ -77,17 +77,15 @@ sub login {
# Compat stuff
$::userid = $userid;
# Evil compat hack. The cookie stores the id now, not the name, but
# old code still looks at this to get the current user's email
# so it needs to be set.
$::COOKIE{'Bugzilla_login'} = $_user->{email};
$::vars->{'user'} = &::GetUserInfo($userid);
$::COOKIE{'Bugzilla_login'} = $_user->login;
} else {
# Old compat stuff
undef $_user;
$::userid = 0;
delete $::COOKIE{'Bugzilla_login'};
delete $::COOKIE{'Bugzilla_logincookie'};
......@@ -97,7 +95,12 @@ sub login {
# - use Bugzilla->user instead!
return $userid || 0;
return $_user;
sub logout {
undef $_user;
$::userid = 0;
my $_dbh;
......@@ -257,8 +260,16 @@ or if the login code has not yet been run.
=item C<login>
Logs in a user, returning the userid, or C<0> if there is no logged in user.
See L<Bugzilla::Auth>.
Logs in a user, returning a C<Bugzilla::User> object, or C<undef> if there is
no logged in user. See L<Bugzilla::Auth|Bugzilla::Auth> and
=item C<logout>
Logs out the current user. For the moment, this will just cause calls to
C<user> to return C<undef>. Eventually this will handle deleting cookies from
the browser and values from the database, which is currently all handled
by C<relogin.cgi>.
=item C<dbh>
......@@ -111,14 +111,6 @@ sub Send($;$) {
# require abuse we do.
# Since any email recipients must be rederived if the user has not
# been rederived since the most recent group change, figure out when that
# is once and determine the need to rederive users using the same DB
# access that gets the user's email address each time a person is
# processed.
SendSQL("SELECT MAX(last_changed) FROM groups");
($last_changed) = FetchSQLData();
# Make sure to clean up _all_ package vars here. Yuck...
$nametoexclude = $recipients->{'changer'} || "";
@{$force{'CClist'}} = (exists $recipients->{'cc'} &&
......@@ -710,19 +702,13 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
SendSQL("SELECT userid, (refreshed_when > " . SqlQuote($last_changed) .
") FROM profiles WHERE login_name = " . SqlQuote($person));
my ($userid, $current) = (FetchSQLData());
# This routine should really get passed a userid
# This rederives groups as a side effect
my $user = Bugzilla::User->new_from_login($person);
my $userid = $user->id;
$seen{$person} = 1;
if (!$current) {
# if this person doesn't have permission to see info on this bug,
# return.
......@@ -733,11 +719,10 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
return unless CanSeeBug($id, $userid);
# Drop any non-insiders if the comment is private
return if (Param("insidergroup") &&
($anyprivate != 0) &&
(!UserInGroup(Param("insidergroup"), $userid)));
# We shouldn't send changedmail if this is a dependency mail, and any of
# the depending bugs is not visible to the user.
......@@ -761,7 +746,7 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
# Don't send estimated_time if user not in the group, or not enabled
if ($f ne 'estimated_time' ||
UserInGroup(Param('timetrackinggroup'), $userid)) {
$user->groups->{Param('timetrackinggroup')}) {
my $desc = $fielddescription{$f};
$head .= FormatDouble($desc, $value);
......@@ -781,7 +766,7 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
($diff->{'fieldname'} eq 'estimated_time' ||
$diff->{'fieldname'} eq 'remaining_time' ||
$diff->{'fieldname'} eq 'work_time')) {
if (UserInGroup(Param("timetrackinggroup"), $userid)) {
if ($user->groups->{Param("timetrackinggroup")}) {
$add_diff = 1;
} else {
......@@ -34,9 +34,6 @@ sub ThrowUserError {
$vars->{error} = $error;
# Need to do this until goes in, so that the footer is correct
$vars->{user} = $::vars->{user};
Bugzilla->dbh->do("UNLOCK TABLES") if $unlock_tables;
print Bugzilla->cgi->header();
......@@ -177,18 +177,14 @@ sub validate {
if ($requestee_email ne $flag->{'requestee'}->{'email'}) {
# We know the requestee exists because we ran
# Bugzilla::User::match_field before getting here.
# ConfirmGroup makes sure their group settings
# are up-to-date or calls DeriveGroups to update them.
my $requestee_id = &::DBname_to_id($requestee_email);
my $requestee = Bugzilla::User->new_from_login($requestee_email);
# Throw an error if the user can't see the bug.
if (!&::CanSeeBug($bug_id, $requestee_id))
if (!&::CanSeeBug($bug_id, $requestee->id))
{ flag_type => $flag->{'type'},
requestee =>
new Bugzilla::User($requestee_id),
requestee => $requestee,
bug_id => $bug_id,
attach_id =>
$flag->{target}->{attachment}->{id} });
......@@ -198,13 +194,12 @@ sub validate {
# the requestee isn't in the group of insiders who can see it.
if ($flag->{target}->{attachment}->{exists}
&& $data->{'isprivate'}
&& &::Param("insidergroup")
&& !&::UserInGroup(&::Param("insidergroup"), $requestee_id))
&& Param("insidergroup")
&& !$requestee->in_group(Param("insidergroup")))
{ flag_type => $flag->{'type'},
requestee =>
new Bugzilla::User($requestee_id),
requestee => $requestee,
bug_id => $bug_id,
attach_id =>
$flag->{target}->{attachment}->{id} });
......@@ -236,7 +231,7 @@ sub process {
my @old_summaries;
foreach my $flag (@$flags) {
my $summary = $flag->{'type'}->{'name'} . $flag->{'status'};
$summary .= "($flag->{'requestee'}->{'email'})" if $flag->{'requestee'};
$summary .= "(" . $flag->{'requestee'}->login . ")" if $flag->{'requestee'};
push(@old_summaries, $summary);
......@@ -275,7 +270,7 @@ sub process {
my @new_summaries;
foreach my $flag (@$flags) {
my $summary = $flag->{'type'}->{'name'} . $flag->{'status'};
$summary .= "($flag->{'requestee'}->{'email'})" if $flag->{'requestee'};
$summary .= "(" . $flag->{'requestee'}->login . ")" if $flag->{'requestee'};
push(@new_summaries, $summary);
......@@ -307,7 +302,7 @@ sub create {
# Insert a record for the flag into the flags table.
my $attach_id = $flag->{'target'}->{'attachment'}->{'id'} || "NULL";
my $requestee_id = $flag->{'requestee'} ? $flag->{'requestee'}->{'id'} : "NULL";
my $requestee_id = $flag->{'requestee'} ? $flag->{'requestee'}->id : "NULL";
&::SendSQL("INSERT INTO flags (id, type_id,
bug_id, attach_id,
requestee_id, setter_id, status,
......@@ -317,7 +312,7 @@ sub create {
" . $flag->{'setter'}->id . ",
......@@ -380,7 +375,7 @@ sub modify {
# the flag isn't specifically requestable
|| $status ne "?" # or the flag isn't being requested
|| ($flag->{'requestee'} # or the requestee hasn't changed
&& ($requestee_email eq $flag->{'requestee'}->{'email'})));
&& ($requestee_email eq $flag->{'requestee'}->login)));
# Since the status is validated, we know it's safe, but it's still
# tainted, so we have to detaint it before using it in a query.
......@@ -568,14 +563,15 @@ sub notify {
my @new_cc_list;
foreach my $cc (split(/[, ]+/, $flag->{'type'}->{'cc_list'})) {
my $user_id = &::DBname_to_id($cc) || next;
# re-derive permissions if necessary
&::ConfirmGroup($user_id, TABLES_ALREADY_LOCKED);
my $ccuser = Bugzilla::User->new_from_login($cc,
|| next;
next if $flag->{'target'}->{'bug'}->{'restricted'}
&& !&::CanSeeBug($flag->{'target'}->{'bug'}->{'id'}, $user_id);
&& !&::CanSeeBug($flag->{'target'}->{'bug'}->{'id'}, $ccuser->id);
next if $flag->{'target'}->{'attachment'}->{'isprivate'}
&& Param("insidergroup")
&& !&::UserInGroup(Param("insidergroup"), $user_id);
&& !$ccuser->in_group(Param("insidergroup"));
push(@new_cc_list, $cc);
$flag->{'type'}->{'cc_list'} = join(", ", @new_cc_list);
......@@ -646,7 +642,7 @@ sub perlify_record {
id => $id ,
type => Bugzilla::FlagType::get($type_id) ,
target => GetTarget($bug_id, $attach_id) ,
requestee => new Bugzilla::User($requestee_id) ,
requestee => $requestee_id ? new Bugzilla::User($requestee_id) : undef,
setter => new Bugzilla::User($setter_id) ,
status => $status ,
......@@ -219,20 +219,17 @@ sub validate {
&& trim($data->{"requestee_type-$id"}))
my $requestee_email = trim($data->{"requestee_type-$id"});
my $requestee_id = &::DBname_to_id($requestee_email);
# We know the requestee exists because we ran
# Bugzilla::User::match_field before getting here.
# ConfirmGroup makes sure their group settings
# are up-to-date or calls DeriveGroups to update them.
my $requestee = Bugzilla::User->new_from_login($requestee_email);
# Throw an error if the user can't see the bug.
if (!&::CanSeeBug($bug_id, $requestee_id))
if (!&::CanSeeBug($bug_id, $requestee->id))
{ flag_type => $flag_type,
requestee => new Bugzilla::User($requestee_id),
requestee => $requestee,
bug_id => $bug_id,
attach_id => $attach_id });
......@@ -240,13 +237,13 @@ sub validate {
# Throw an error if the target is a private attachment and
# the requestee isn't in the group of insiders who can see it.
if ($attach_id
&& &::Param("insidergroup")
&& Param("insidergroup")
&& $data->{'isprivate'}
&& !&::UserInGroup(&::Param("insidergroup"), $requestee_id))
&& !$requestee->in_group(Param("insidergroup")))
{ flag_type => $flag_type,
requestee => new Bugzilla::User($requestee_id),
requestee => $requestee,
bug_id => $bug_id,
attach_id => $attach_id });
......@@ -926,28 +926,31 @@ sub init {
# Make sure we create a legal SQL query.
@andlist = ("1 = 1") if !@andlist;
my $user = Bugzilla->user;
my $query = "SELECT " . join(', ', @fields) .
" FROM $suppstring" .
" LEFT JOIN bug_group_map " .
" ON bug_group_map.bug_id = bugs.bug_id ";
if (defined @{$::vars->{user}{groupids}} && @{$::vars->{user}{groupids}} > 0) {
$query .= " AND bug_group_map.group_id NOT IN (" . join(',', @{$::vars->{user}{groupids}}) . ") ";
if ($user) {
if (%{$user->groups}) {
$query .= " AND bug_group_map.group_id NOT IN (" . join(',', values(%{$user->groups})) . ") ";
if ($::vars->{user}{userid}) {
$query .= " LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = $::userid ";
$query .= " LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = " . $user->id;
$query .= " WHERE " . join(' AND ', (@wherepart, @andlist)) .
" AND ((bug_group_map.group_id IS NULL)";
if ($::vars->{user}{userid}) {
$query .= " OR (bugs.reporter_accessible = 1 AND bugs.reporter = $::userid) " .
if ($user) {
my $userid = $user->id;
$query .= " OR (bugs.reporter_accessible = 1 AND bugs.reporter = $userid) " .
" OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL) " .
" OR (bugs.assigned_to = $::userid) ";
" OR (bugs.assigned_to = $userid) ";
if (Param('useqacontact')) {
$query .= "OR (bugs.qa_contact = $::userid) ";
$query .= "OR (bugs.qa_contact = $userid) ";
......@@ -256,7 +256,10 @@ sub create {
# Generic linear search function
'lsearch' => \&Bugzilla::Util::lsearch,
# UserInGroup - you probably want to cache this
# Currently logged in user, if any
'user' => sub { return Bugzilla->user; },
# UserInGroup. Deprecated - use the user.* functions instead
'UserInGroup' => \&::UserInGroup,
# SendBugMail - sends mail about a bug, using
......@@ -202,53 +202,6 @@ sub quietly_check_login {
return Bugzilla->login($_[0] ? LOGIN_OPTIONAL : LOGIN_NORMAL);
# Populate a hash with information about this user.
sub GetUserInfo {
my ($userid) = (@_);
my %user;
my @queries;
my %groups;
my @groupids;
# No info if not logged in
return \%user if ($userid == 0);
$user{'login'} = $::COOKIE{"Bugzilla_login"};
$user{'userid'} = $userid;
SendSQL("SELECT mybugslink, realname " .
"FROM profiles WHERE userid = $userid");
($user{'showmybugslink'}, $user{'realname'}) = FetchSQLData();
SendSQL("SELECT name, query, linkinfooter FROM namedqueries " .
"WHERE userid = $userid");
while (MoreSQLData()) {
my %query;
($query{'name'}, $query{'query'}, $query{'linkinfooter'}) =
push(@queries, \%query);
$user{'queries'} = \@queries;
$user{'canblessany'} = UserCanBlessAnything();
SendSQL("SELECT DISTINCT id, name FROM groups, user_group_map " .
"WHERE = user_group_map.group_id " .
"AND user_id = $userid " .
"AND NOT isbless");
while (MoreSQLData()) {
my ($id, $name) = FetchSQLData();
$groups{$name} = 1;
$user{'groups'} = \%groups;
$user{'groupids'} = \@groupids;
return \%user;
sub CheckEmailSyntax {
my ($addr) = (@_);
my $match = Param('emailregexp');
......@@ -693,11 +693,11 @@ sub update
"flaginclusions AS i READ, flagexclusions AS e READ, " .
# cc, bug_group_map, user_group_map, and groups are in here so we
# can check the permissions of flag requestees and email addresses
# on the flag type cc: lists via the ConfirmGroup and CanSeeBug
# function calls in Flag::notify. group_group_map is in here in case
# ConfirmGroup needs to call DeriveGroup. profiles and user_group_map
# would be READ locks instead of WRITE locks if it weren't for
# DeriveGroup, which needs to write to those tables.
# on the flag type cc: lists via the CanSeeBug
# function call in Flag::notify. group_group_map is in here in case
# Bugzilla::User needs to rederive groups. profiles and
# user_group_map would be READ locks instead of WRITE locks if it
# weren't for derive_groups, which needs to write to those tables.
"bugs READ, profiles WRITE, " .
"cc READ, bug_group_map READ, user_group_map WRITE, " .
"group_group_map READ, groups READ");
......@@ -272,15 +272,9 @@ if ($::FORM{'cmdtype'} eq "dorem") {
my $userid = DBNameToIdAndCheck($::COOKIE{"Bugzilla_login"});
my $qname = SqlQuote($::FORM{'namedcmd'});
SendSQL("DELETE FROM namedqueries WHERE userid = $userid AND name = $qname");
# Now remove this query from the footer
my $count = 0;
foreach my $q (@{$::vars->{'user'}{'queries'}}) {
if ($q->{'name'} eq $::FORM{'namedcmd'}) {
splice(@{$::vars->{'user'}{'queries'}}, $count, 1);
# Now reset the cached queries
print $cgi->header();
# Generate and return the UI (HTML page) from the appropriate template.
......@@ -317,6 +311,14 @@ elsif ($::FORM{'cmdtype'} eq "doit" && $::FORM{'remember'}) {
my $tofooter = $::FORM{'tofooter'} ? 1 : 0;
$vars->{'message'} = "buglist_new_named_query";
# We want to display the correct message. Check if it existed before
# we insert, because ->queries may fetch from the db anyway
if (grep { $_->{name} eq $name } @{Bugzilla->user->queries()}) {
$vars->{'message'} = "buglist_updated_named_query";
SendSQL("SELECT query FROM namedqueries WHERE userid = $userid AND name = $qname");
if (FetchOneColumn()) {
SendSQL("UPDATE namedqueries
......@@ -328,26 +330,9 @@ elsif ($::FORM{'cmdtype'} eq "doit" && $::FORM{'remember'}) {
VALUES ($userid, $qname, $qbuffer, $tofooter)");
my $new_in_footer = $tofooter;
$vars->{'message'} = "buglist_new_named_query";
# Don't add it to the list if they are reusing an existing query name.
foreach my $query (@{$vars->{'user'}{'queries'}}) {
if ($query->{'name'} eq $name) {
$vars->{'message'} = "buglist_updated_named_query";
if ($query->{'linkinfooter'} == 1) {
$new_in_footer = 0;
if ($new_in_footer) {
my %query = (name => $name,
query => $::buffer,
linkinfooter => $tofooter);
push(@{$vars->{'user'}{'queries'}}, \%query);
# Make sure to invalidate any cached query data, so that the footer is
# correctly displayed
$vars->{'queryname'} = $name;
......@@ -1385,7 +1385,7 @@ skip-networking
positive check, which returns 1 (allow) if certain conditions are true,
or a negative check, which returns 0 (deny.) E.g.:
<programlisting> if ($field eq "qacontact") {
if (UserInGroup("quality_assurance")) {
if (Bugzilla->user->groups("quality_assurance")) {
return 1;
else {
......@@ -1395,7 +1395,7 @@ skip-networking
This says that only users in the group "quality_assurance" can change
the QA Contact field of a bug. Getting more weird:
<programlisting> if (($field eq "priority") &&
($vars->{'user'}{'login'} =~ /.*\@example\.com$/))
(Bugzilla->user->email =~ /.*\@example\.com$/))
if ($oldvalue eq "P1") {
return 1;
......@@ -34,6 +34,8 @@ use lib ".";
require "";
require "";
use Bugzilla::User;
# Shut up misguided -w warnings about "used only once". "use vars" just
# doesn't work for me.
......@@ -241,7 +243,7 @@ print Bugzilla->cgi->header();
$editall = UserInGroup("editusers");
if (!$editall) {
if (!UserCanBlessAnything()) {
if (!Bugzilla->user->can_bless) {
PutHeader("Not allowed");
print "Sorry, you aren't a member of the 'editusers' group, and you\n";
print "don't have permissions to put people in or out of any group.\n";
......@@ -483,7 +485,7 @@ if ($action eq 'new') {
print "OK, done.<br>\n";
SendSQL("SELECT last_insert_id()");
my ($newuserid) = FetchSQLData();
print "To change ${user}'s permissions, go back and <a href=\"editusers.cgi?action=edit&user=" . url_quote($user)."\">edit this user</A>";
print "<p>\n";
......@@ -682,7 +684,9 @@ if ($action eq 'edit') {
my ($thisuserid, $realname, $disabledtext) = FetchSQLData();
if ($thisuserid > 0) {
# Force groups to be up to date
my $changeduser = new Bugzilla::User($thisuserid);
print "<FORM METHOD=POST ACTION=editusers.cgi>\n";
......@@ -844,7 +848,8 @@ if ($action eq 'update') {
print "Updated user's name.<BR>\n";
my $changeduser = new Bugzilla::User($thisuserid);
......@@ -510,10 +510,9 @@ sub CanEditProductId {
my $query = "SELECT group_id FROM group_control_map " .
"WHERE product_id = $productid " .
"AND canedit != 0 ";
if ((defined @{$::vars->{user}{groupids}})
&& (@{$::vars->{user}{groupids}} > 0)) {
if (defined Bugzilla->user && %{Bugzilla->user->groups}) {
$query .= "AND group_id NOT IN(" .
join(',',@{$::vars->{user}{groupids}}) . ") ";
join(',', values(%{Bugzilla->user->groups})) . ") ";
$query .= "LIMIT 1";
......@@ -533,10 +532,9 @@ sub CanEnterProduct {
"LEFT JOIN group_control_map " .
"ON group_control_map.product_id = " .
"AND group_control_map.entry != 0 ";
if ((defined @{$::vars->{user}{groupids}})
&& (@{$::vars->{user}{groupids}} > 0)) {
if (defined Bugzilla->user && %{Bugzilla->user->groups}) {
$query .= "AND group_id NOT IN(" .
join(',',@{$::vars->{user}{groupids}}) . ") ";
join(',', values(%{Bugzilla->user->groups})) . ") ";
$query .= "WHERE = " . SqlQuote($productname) . " LIMIT 1";
......@@ -566,10 +564,9 @@ sub GetSelectableProducts {
$query .= "AND group_control_map.membercontrol = " .
if ((defined @{$::vars->{user}{groupids}})
&& (@{$::vars->{user}{groupids}} > 0)) {
if (defined Bugzilla->user && %{Bugzilla->user->groups}) {
$query .= "AND group_id NOT IN(" .
join(',',@{$::vars->{user}{groupids}}) . ") ";
join(',', values(%{Bugzilla->user->groups})) . ") ";
$query .= "WHERE group_id IS NULL ORDER BY name";
......@@ -722,99 +719,6 @@ sub Crypt {
return $cryptedpassword;
# ConfirmGroup(userid) is called prior to any activity that relies
# on user_group_map to ensure that derived group permissions are up-to-date.
# Permissions must be rederived if ANY groups have a last_changed newer
# than the profiles.refreshed_when value.
sub ConfirmGroup {
my ($user, $locked) = (@_);
SendSQL("SELECT userid FROM profiles, groups WHERE userid = $user " .
"AND profiles.refreshed_when <= groups.last_changed ");
my $ret = FetchSQLData();
if ($ret) {
DeriveGroup($user, $locked);
# DeriveGroup removes and rederives all derived group permissions for
# the specified user. If $locked is true, Bugzilla has already locked
# the necessary tables as part of a larger transaction, so this function
# shouldn't lock them again (since then tables not part of this function's
# lock will get unlocked).
sub DeriveGroup {
my ($user, $locked) = (@_);
SendSQL("LOCK TABLES profiles WRITE, user_group_map WRITE, group_group_map READ, groups READ")
unless $locked;
# avoid races, we are only as up to date as the BEGINNING of this process
SendSQL("SELECT login_name, NOW() FROM profiles WHERE userid = $user");
my ($login, $starttime) = FetchSQLData();
# first remove any old derived stuff for this user
SendSQL("DELETE FROM user_group_map WHERE user_id = $user " .
"AND isderived = 1");
my %groupidsadded = ();
# add derived records for any matching regexps
SendSQL("SELECT id, userregexp FROM groups WHERE userregexp != ''");
while (MoreSQLData()) {
my ($groupid, $rexp) = FetchSQLData();
if ($login =~ m/$rexp/i) {
$groupidsadded{$groupid} = 1;
SendSQL("INSERT INTO user_group_map " .
"(user_id, group_id, isbless, isderived) " .
"VALUES ($user, $groupid, 0, 1)");
# Get a list of the groups of which the user is a member.
my %groupidschecked = ();
my @groupidstocheck = ();
SendSQL("SELECT group_id FROM user_group_map WHERE user_id = $user
AND NOT isbless");
while (MoreSQLData()) {
my ($groupid) = FetchSQLData();
# Each group needs to be checked for inherited memberships once.
while (@groupidstocheck) {
my $group = shift @groupidstocheck;
if (!defined($groupidschecked{"$group"})) {
$groupidschecked{"$group"} = 1;
SendSQL("SELECT grantor_id FROM group_group_map WHERE"
. " member_id = $group AND NOT isbless");
while (MoreSQLData()) {
my ($groupid) = FetchSQLData();
if (!defined($groupidschecked{"$groupid"})) {
if (!$groupidsadded{$groupid}) {
$groupidsadded{$groupid} = 1;
SendSQL("INSERT INTO user_group_map"
. " (user_id, group_id, isbless, isderived)"
. " VALUES ($user, $groupid, 0, 1)");
SendSQL("UPDATE profiles SET refreshed_when = " .
SqlQuote($starttime) . "WHERE userid = $user");
sub DBID_to_real_or_loginname {
my ($id) = (@_);
......@@ -1189,23 +1093,8 @@ sub SplitEnumType {
return @result;
# UserInGroup returns information aboout the current user if no second
# parameter is specified
sub UserInGroup {
my ($groupname, $userid) = (@_);
if (!$userid) {
return $::vars->{'user'}{'groups'}{$_[0]};
$userid ||= $::userid;
SendSQL("SELECT FROM groups, user_group_map
WHERE = user_group_map.group_id
AND user_group_map.user_id = $userid
AND isbless = 0
AND = " . SqlQuote($groupname));
my $result = FetchOneColumn();
return defined($result);
return defined Bugzilla->user && defined Bugzilla->user->groups->{$_[0]};
sub UserCanBlessGroup {
......@@ -1238,32 +1127,6 @@ sub UserCanBlessGroup {
return $result;
sub UserCanBlessAnything {
# check if user explicitly can bless a group
SendSQL("SELECT group_id FROM user_group_map
WHERE user_id = $::userid AND isbless = 1");
my $result = FetchOneColumn();
if ($result) {
return 1;
# check if user is a member of a group that can bless this group
SendSQL("SELECT FROM groups, user_group_map,
WHERE = grantor_id
AND user_group_map.user_id = $::userid
AND group_group_map.isbless = 1
AND user_group_map.group_id = member_id");
$result = FetchOneColumn();
if ($result) {
return 1;
return 0;
sub BugInGroup {
my ($bugid, $groupname) = (@_);
......@@ -54,7 +54,7 @@ sub sillyness {
use vars qw($vars $template);
my $whoid = confirm_login();
my $user = confirm_login();
my $cgi = Bugzilla->cgi;
......@@ -454,7 +454,7 @@ if (UserInGroup("editbugs")) {
"($id, $i)");
push(@all_deps, $i); # list for mailing dependent bugs
# Log the activity for the other bug:
LogActivityEntry($i, $me, "", $id, $whoid, $timestamp);
LogActivityEntry($i, $me, "", $id, $user->id, $timestamp);
my $tmp = $me;
$me = $target;
......@@ -57,7 +57,8 @@ use vars qw(%versions
my $whoid = confirm_login();
my $user = confirm_login();
my $whoid = $user->id;
my $cgi = Bugzilla->cgi;
......@@ -1093,9 +1094,10 @@ foreach my $id (@idlist) {
"keywords $write, longdescs $write, fielddefs $write, " .
"bug_group_map $write, flags $write, duplicates $write," .
# user_group_map would be a READ lock except that Flag::process
# may call Flag::notify, which calls ConfirmGroup, which might
# call DeriveGroup, which wants a WRITE lock on that table.
# group_group_map is in here at all because DeriveGroups needs it.
# may call Flag::notify, which creates a new user object,
# which might call derive_groups, which wants a WRITE lock on that
# table. group_group_map is in here at all because derive_groups
# needs it.
"user_group_map $write, group_group_map READ, flagtypes READ, " .
"flaginclusions AS i READ, flagexclusions AS e READ, " .
"keyworddefs READ, groups READ, attachments READ, " .
......@@ -53,19 +53,21 @@ ConnectToDatabase();
my $cgi = Bugzilla->cgi;
my $userid = 0;
if (defined $::FORM{"GoAheadAndLogIn"}) {
# We got here from a login page, probably from relogin.cgi. We better
# make sure the password is legit.
$userid = confirm_login();
} else {
$userid = quietly_check_login();
my $user = Bugzilla->user;
my $userid = $user ? $user->id : 0;
# Backwards compatibility hack -- if there are any of the old QUERY_*
# cookies around, and we are logged in, then move them into the database
# and nuke the cookie. This is required for Bugzilla 2.8 and earlier.
if ($userid) {
if ($user) {
my @oldquerycookies;
foreach my $i (keys %::COOKIE) {
if ($i =~ /^QUERY_(.*)$/) {
......@@ -97,7 +99,7 @@ if ($userid) {
if ($::FORM{'nukedefaultquery'}) {
if ($userid) {
if ($user) {
SendSQL("DELETE FROM namedqueries " .
"WHERE userid = $userid AND name = '$::defaultqueryname'");
......@@ -105,7 +107,7 @@ if ($::FORM{'nukedefaultquery'}) {
my $userdefaultquery;
if ($userid) {
if ($user) {
SendSQL("SELECT query FROM namedqueries " .
"WHERE userid = $userid AND name = '$::defaultqueryname'");
$userdefaultquery = FetchOneColumn();
......@@ -308,7 +310,6 @@ $vars->{'rep_platform'} = \@::legal_platform;
$vars->{'op_sys'} = \@::legal_opsys;
$vars->{'priority'} = \@::legal_priority;
$vars->{'bug_severity'} = \@::legal_severity;
$vars->{'userid'} = $userid;
# Boolean charts
my @fields;
......@@ -362,7 +363,7 @@ for (my $chart = 0; $::FORM{"field$chart-0-0"}; $chart++) {
$default{'charts'} = \@charts;
# Named queries
if ($userid) {
if ($user) {
my @namedqueries;
SendSQL("SELECT name FROM namedqueries " .
"WHERE userid = $userid AND name != '$::defaultqueryname' " .
......@@ -59,7 +59,9 @@ $cgi->send_cookie(-name => "Bugzilla_logincookie",
delete $::COOKIE{"Bugzilla_login"};
$vars->{'message'} = "logged_out";
$vars->{'user'} = {};
# This entire script should eventually just become a call to Bugzilla->logout
print $cgi->header();
$template->process("global/message.html.tmpl", $vars)
......@@ -106,12 +106,16 @@ if (exists $::FORM{'rederivegroups'}) {
# rederivegroupsnow is REALLY only for testing.
# If it wasn't, then we'd do this the faster way as a per-group
# thing rather than per-user for group inheritance
if (exists $::FORM{'rederivegroupsnow'}) {
require Bugzilla::User;
Status("OK, now rederiving groups.");
SendSQL("SELECT userid FROM profiles");
while ((my $id) = FetchSQLData()) {
Status("Group $id");
my $user = new Bugzilla::User($id);
Status("User $id");
......@@ -35,26 +35,6 @@ my $cgi = Bugzilla->cgi;
# Main Body Execution
$vars->{'username'} = $::COOKIE{'Bugzilla_login'} || '';
if (defined $::COOKIE{'Bugzilla_login'}) {
SendSQL("SELECT mybugslink, userid FROM profiles " .
"WHERE login_name = " . SqlQuote($::COOKIE{'Bugzilla_login'}));
my ($mybugslink, $userid) = (FetchSQLData());
$vars->{'userid'} = $userid;
$vars->{'canblessanything'} = UserCanBlessAnything();
if ($mybugslink) {
my $mybugstemplate = Param("mybugstemplate");
my %substs = ( 'userid' => url_quote($::COOKIE{'Bugzilla_login'}) );
$vars->{'mybugsurl'} = PerformSubsts($mybugstemplate, \%substs);
SendSQL("SELECT name FROM namedqueries WHERE userid = $userid AND linkinfooter");
while (MoreSQLData()) {
my ($name) = FetchSQLData();
push(@{$vars->{'namedqueries'}}, $name);
# This sidebar is currently for use with Mozilla based web browsers.
# Internet Explorer 6 is supposed to have a similar feature, but it
# most likely won't support XUL ;) When that does come out, this
......@@ -123,7 +123,8 @@
[% END %]
[% IF (user.userid != bugassignee_id) AND UserInGroup("editbugs") %]
[% IF ( != bugassignee_id) AND user.groups.editbugs %]
......@@ -25,7 +25,7 @@
<bugzilla version="[% VERSION %]"
urlbase="[% Param('urlbase') %]"
maintainer="[% Param('maintainer') FILTER xml %]"
[% IF user.login %]
[% IF user %]
exporter="[% user.login FILTER xml %]"
[% END %]
......@@ -116,7 +116,7 @@
id="requestee-[% %]"
name="requestee-[% %]"
[% IF flag.status == "?" && flag.requestee %]
value="[% FILTER html %]"
value="[% flag.requestee.login FILTER html %]"
[% END %]
......@@ -19,19 +19,6 @@
# Contributor(s): Gervase Markham <>
# user: hash. Information about the user. If the user is not logged in,
# user.login is undefined.
# login: string. The user's Bugzilla login email address.
# showmybugslink: boolean. True if user wants My Bugs in the footer.
# queries: list of strings. The names of those of the user's named
# queries which should be displayed in the footer.
# groups: hash. Keys are group names, values are true if user in that group.
# The keys used in this template are
# tweakparams, editcomponents, creategroups, editkeywords, confirm,
# editbugs, editusers.
[%# Migration note: this whole file corresponds to the old %commandmenu%
substitution param in 'footerhtml' %]
......@@ -51,14 +38,14 @@
<a href="report.cgi">Reports</a>
[% IF user.login %]
[% IF user %]
[% email = user.login FILTER url_quote %]
| <a href="request.cgi?requester=[% email %]&amp;requestee=[% email %]&amp;do_union=1&amp;group=type">My Requests</a>
[% ELSE %]
| <a href="request.cgi">Requests</a>
[% END %]
[% IF user.login && Param('usevotes') %]
[% IF user && Param('usevotes') %]
| <a href="votes.cgi?action=show_user">My Votes</a>
[% END %]
......@@ -72,7 +59,7 @@
[% ', <a href="editparams.cgi">parameters</a>'
IF user.groups.tweakparams %]
[% ', <a href="editusers.cgi">users</a>' IF user.groups.editusers
|| user.canblessany %]
|| user.can_bless %]
[% ', <a href="editproducts.cgi">products</a>'
IF user.groups.editcomponents %]
[% ', <a href="editflagtypes.cgi">flags</a>'
......@@ -91,8 +78,13 @@
[%# Preset queries %]
[% preset_queries = user.showmybugslink %]
[% IF NOT preset_queries %]
[% FOREACH q = user.queries %]
[% SET preset_queries = 1 IF q.linkinfooter %]
[% IF q.linkinfooter %]
[% preset_queries = 1 %]
[% LAST %]
[% END %]
[% END %]
[% END %]
......@@ -35,7 +35,7 @@
<font color="red">
Your quip '<tt>[% added_quip FILTER html %]</tt>' has been added.
[% IF Param("enablequips") == "approved" AND !UserInGroup('admin') %]
[% IF Param("enablequips") == "approved" AND !user.groups.admin %]
It will be used as soon as it gets approved.
[% END %]
......@@ -58,7 +58,7 @@
Bugzilla will pick a random quip for the headline on each bug list, and
you can extend the quip list. Type in something clever or funny or boring
(but not obscene or offensive, please) and bonk on the button.
[% IF Param("enablequips") == "approved" AND !UserInGroup('admin') %]
[% IF Param("enablequips") == "approved" AND !user.groups.admin %]
Note that your quip has to be approved before it is used.
[% END %]
......@@ -43,7 +43,7 @@ Subject: [% %] [%+ subject_status %]: [Bug [%
[%+ USE wrap -%]
[%- FILTER bullet = wrap(80) -%]
[% user.realname %] <[% user.login %]> has [% statuses.${flag.status} %] [%+ to_identity %] for [% %]:
[% user.identity %] has [% statuses.${flag.status} %] [%+ to_identity %] for [% %]:
Bug [% bugidsummary %]
[% END %]
......@@ -58,7 +58,7 @@ Attachment [% attidsummary %]
[%- FILTER bullet = wrap(80) %]
[% IF form.comment.length > 0 %]
------- Additional Comments from [% user.realname %] <[% user.login %]>
------- Additional Comments from [% user.identity %]
[%+ form.comment %]
[% END %]
......@@ -30,7 +30,7 @@
"Last Changed" => "Last Changed" } %]
[% IF NOT userid %]
[% IF NOT user %]
<input type="hidden" name="cmdtype" value="doit">
[% ELSE %]
<script type="text/javascript"> <!--
......@@ -72,37 +72,38 @@ function normal_keypress_handler( aEvent ) {
<text class="text-link" onclick="load_relative_url('enter_bug.cgi')" value="new bug"/>
<separator class="thin"/>
[% IF username %]
[% IF user %]
<text class="text-link" onclick="load_relative_url('userprefs.cgi')" value="edit prefs"/>
[%- IF UserInGroup('tweakparams') %]
[%- IF user.groups.tweakparams %]
<text class="text-link" onclick="load_relative_url('editparams.cgi')" value="edit params"/>
[%- END %]
[%- IF UserInGroup('editusers') || canblessany %]
[%- IF user.groups.editusers || user.can_bless %]
<text class="text-link" onclick="load_relative_url('editusers.cgi')" value="edit users"/>
[%- END %]
[%- IF UserInGroup('editcomponents') %]
[%- IF user.groups.editcomponents %]
<text class="text-link" onclick="load_relative_url('editcomponents.cgi')" value="edit components"/>
[%- END %]
[%- IF UserInGroup('creategroups') %]
[%- IF user.groups.creategroups %]
<text class="text-link" onclick="load_relative_url('editgroups.cgi')" value="edit groups"/>
[%- END %]
[%- IF UserInGroup('editkeywords') %]
[%- IF user.groups.editkeywords %]
<text class="text-link" onclick="load_relative_url('editkeywords.cgi')" value="edit keywords"/>
[%- END %]
[%- IF UserInGroup('tweakparams') %]
[%- IF user.groups.tweakparams %]
<text class="text-link" onclick="load_relative_url('sanitycheck.cgi')" value="sanity check"/>
[%- END %]
<text class="text-link" onclick="load_relative_url('relogin.cgi')" value="logout [% username FILTER html %]"/>
<text class="text-link" onclick="load_relative_url('relogin.cgi')" value="logout [% user.login FILTER html %]"/>
<separator class="thin"/>
[%- IF mybugsurl %]
<text class="text-link" onclick="load_relative_url('[% mybugsurl FILTER html %]')" value="my bugs"/>
[%- IF user.showmybugslink %]
[% filtered_username = user.login FILTER url_quote %]
<text class="text-link" onclick="load_relative_url('[% Param('mybugstemplate').replace('%userid%', filtered_username) FILTER js FILTER html %]')" value="my bugs"/>
[%- END %]
[%- IF Param('usevotes') %]
<text class="text-link" onclick="load_relative_url('votes.cgi?action=show_user')" value="my votes"/>
[%- END %]
[%- FOREACH name = namedqueries %]
<text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER url_quote %]')" value="[% name FILTER html %]"/>
[%- FOREACH q = user.queries %]
<text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% FILTER url_quote %]')" value="[% FILTER html %]"/>
[% END %]
[% ELSE %]
......@@ -44,6 +44,8 @@ quietly_check_login('permit_anonymous');
# token-related tasks.
use Token;
use Bugzilla::User;
# Data Validation / Security Authorization
......@@ -248,7 +250,10 @@ sub changeEmail {
SendSQL("DELETE FROM tokens WHERE userid = $userid
AND tokentype = 'emailnew'");
# The email address has been changed, so we need to rederive the groups
my $user = new Bugzilla::User($userid);
# Return HTTP response headers.
print Bugzilla->cgi->header();
......@@ -283,7 +288,16 @@ sub cancelChangeEmail {
SET login_name = $quotedoldemail
WHERE userid = $userid");
# email has changed, so rederive groups
# Note that this is done _after_ the tables are unlocked
# This is sort of a race condition (given the lack of transactions)
# but the user had access to it just now, so it's not a security
# issue
my $user = new Bugzilla::User($userid);
$vars->{'message'} = "email_change_cancelled_reinstated";
......@@ -314,8 +314,13 @@ sub SaveFooter {
SendSQL("UPDATE profiles SET mybugslink = " .
SqlQuote($::FORM{'mybugslink'}) . " WHERE userid = $userid");
# Regenerate cached info about queries in footer.
$vars->{'user'} = GetUserInfo($::userid);
# Make sure that cached queries in the user object are invalidated
# so that the footer is correct
my $user = Bugzilla->user;
# Also need to update showmybugslink
$user->{showmybugslink} = $::FORM{'mybugslink'} ? 1 : 0;
......@@ -127,7 +127,7 @@ sub show_user {
# If a bug_id is given, and we're editing, we'll add it to the votes list.
my $bug_id = $::FORM{'bug_id'} || "";
my $name = $::FORM{'user'} || $::COOKIE{'Bugzilla_login'};
my $name = $::FORM{'user'} || Bugzilla->user->login;
my $who = DBname_to_id($name);
# After DBNameToIdAndCheck is templatised and prints a Content-Type,
......@@ -135,7 +135,7 @@ sub show_user {
# special error handling should go away.
$who || ThrowUserError("invalid_username", {name => $name});
my $canedit = 1 if ($name eq $::COOKIE{'Bugzilla_login'});
my $canedit = 1 if ($name eq Bugzilla->user->login);
SendSQL("LOCK TABLES bugs READ, products READ, votes WRITE,
cc READ, bug_group_map READ, user_group_map READ,
......@@ -270,7 +270,7 @@ sub record_votes {
my $who = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
my $who = Bugzilla->user->id;
# If the user is voting for bugs, make sure they aren't overstuffing
# the ballot box.
