Bug 255606: Do not let buglist.cgi return all bugs by default

r/a=mkanat

Bug 255606: Do not let buglist.cgi return all bugs by default
c9aaffd4 · Frédéric Buclin · 92cb17e0 · c9aaffd4 · c9aaffd4 · c9aaffd4
Commit c9aaffd4 authored Nov 26, 2011 by Frédéric Buclin
9 changed files
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -193,6 +193,11 @@ sub update_params {
        $new_params{'ssl_redirect'} = 1;
    }
+    # "specific_search_allow_empty_words" has been renamed to "search_allow_no_criteria".
+    if (exists $param->{'specific_search_allow_empty_words'}) {
+        $new_params{'search_allow_no_criteria'} = $param->{'specific_search_allow_empty_words'};
+    }
    # --- DEFAULTS FOR NEW PARAMS ---
    _load_params unless %params;

--- a/Bugzilla/Config/Query.pm
+++ b/Bugzilla/Config/Query.pm
@@ -68,7 +68,7 @@ sub get_param_list {
  },
  {
-   name => 'specific_search_allow_empty_words',
+   name => 'search_allow_no_criteria',
   type => 'b',
   default => 1
  },

--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1168,6 +1168,11 @@ sub _sql_where {
    if ($clause_sql) {
        $where .= "\n   AND " . $clause_sql;
    }
+    elsif (!Bugzilla->params->{'search_allow_no_criteria'}
+           && !$self->{allow_unlimited})
+    {
+        ThrowUserError('buglist_parameters_required');
+    }
    return $where;
 }

--- a/buglist.cgi
+++ b/buglist.cgi
@@ -82,7 +82,7 @@ if (defined($searchstring)) {
 # If configured to not allow empty words, reject empty searches from the
 # Find a Specific Bug search form, including words being a single or 
 # several consecutive whitespaces only.
-if (!Bugzilla->params->{'specific_search_allow_empty_words'}
+if (!Bugzilla->params->{'search_allow_no_criteria'}
    && defined($cgi->param('content')) && $cgi->param('content') =~ /^\s*$/)
 {
    ThrowUserError("buglist_parameters_required");

--- a/collectstats.pl
+++ b/collectstats.pl
@@ -507,6 +507,7 @@ sub CollectSeriesData {
        eval {
            my $search = new Bugzilla::Search('params' => scalar $cgi->Vars,
                                              'fields' => ["bug_id"],
+                                              'allow_unlimited' => 1,
                                              'user'   => $user);
            my $sql = $search->sql;
            $data = $shadow_dbh->selectall_arrayref($sql);

--- a/template/en/default/admin/params/query.html.tmpl
+++ b/template/en/default/admin/params/query.html.tmpl
@@ -51,9 +51,14 @@
                  "access the advanced query page. It's in URL parameter " _
                  "format, which makes it hard to read. Sorry!",
-  specific_search_allow_empty_words => 
+  search_allow_no_criteria =>
-    "Whether to allow a search on the 'Simple Search' page with an empty"
+    "Unless the code explicitly allows all $terms.bugs to be returned, this " _
-    _ " 'Words' field.",
+    "parameter permits to block the execution of queries with no criteria. " _
+    "When turned off, a query must have some criteria specified to limit " _
+    "the number of $terms.bugs returned to the user. When turned on, a user " _
+    "is allowed to run a query with no criteria and get all $terms.bugs he can " _
+    "see in his list. Turning this parameter on is not recommended on large " _
+    "installations.",
  default_search_limit =>
    "By default, $terms.Bugzilla limits searches done in the web"

--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -920,6 +920,10 @@
      No changes made to version <em>[% version.name FILTER html %]</em>.
    [% END %]
+  [% ELSIF message_tag == "whine_query_failed" %]
+    The query '[% query_name FILTER html %]' from [% author.login FILTER html %]
+    failed: [% reason FILTER html %]
  [% ELSIF message_tag == "workflow_updated" %]
    The workflow has been updated.
  [% END %]

--- a/template/en/default/search/search-specific.html.tmpl
+++ b/template/en/default/search/search-specific.html.tmpl
@@ -108,7 +108,7 @@ for "crash secure SSL flash".
    <td></td>
    <td>
-      [% IF Param('specific_search_allow_empty_words') %]
+      [% IF Param('search_allow_no_criteria') %]
        <input type="submit" id="search" value="Search">
      [% ELSE %]
        <input type="submit" id="search" value="Search"

--- a/whine.pl
+++ b/whine.pl
@@ -452,7 +452,15 @@ sub run_queries {
            'params' => scalar $searchparams->Vars,
            'user'   => $args->{'recipient'}, # the search runs as the recipient
        );
-        my $sqlquery = $search->sql;
+        # If a query fails for whatever reason, it shouldn't kill the script.
+        my $sqlquery = eval { $search->sql };
+        if ($@) {
+            say get_text('whine_query_failed', { query_name => $thisquery->{'name'},
+                                                 author => $args->{'author'},
+                                                 reason => $@ });
+            next;
+        }
        $sth = $dbh->prepare($sqlquery);
        $sth->execute;