request.cgi

#!/usr/bin/perl -T
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

use 5.10.1;
use strict;
use warnings;

use lib qw(. lib);

use Bugzilla;
use Bugzilla::Util;
use Bugzilla::Error;
use Bugzilla::Flag;
use Bugzilla::FlagType;
use Bugzilla::User;
use Bugzilla::Product;
use Bugzilla::Component;

# Make sure the user is logged in.
my $user = Bugzilla->login();
my $cgi  = Bugzilla->cgi;

# Force the script to run against the shadow DB. We already validated credentials.
Bugzilla->switch_to_shadow_db;
my $template = Bugzilla->template;
my $action   = $cgi->param('action') || '';
my $format   = $template->get_format(
  'request/queue',
  scalar($cgi->param('format')),
  scalar($cgi->param('ctype'))
);

$cgi->set_dated_content_disp("inline", "requests", $format->{extension});
print $cgi->header($format->{'ctype'});

my $fields;
$fields->{'requester'}->{'type'} = 'single';

# If the user doesn't restrict their search to requests from the wind
# (requestee ne '-'), include the requestee for completion.
unless (defined $cgi->param('requestee') && $cgi->param('requestee') eq '-') {
  $fields->{'requestee'}->{'type'} = 'single';
}

Bugzilla::User::match_field($fields);

if ($action eq 'queue') {
  queue($format);
}
else {
  my $flagtypes = get_flag_types();
  my @types     = ('all', @$flagtypes);

  my $vars = {};
  $vars->{'types'}    = \@types;
  $vars->{'requests'} = {};

  my %components;
  foreach my $prod (@{$user->get_selectable_products}) {
    foreach my $comp (@{$prod->components}) {
      $components{$comp->name} = 1;
    }
  }
  $vars->{'components'} = [sort { $a cmp $b } keys %components];

  $template->process($format->{'template'}, $vars)
    || ThrowTemplateError($template->error());
}
exit;

################################################################################
# Functions
################################################################################

sub queue {
  my $format   = shift;
  my $cgi      = Bugzilla->cgi;
  my $dbh      = Bugzilla->dbh;
  my $template = Bugzilla->template;
  my $user     = Bugzilla->user;
  my $userid   = $user->id;
  my $vars     = {};

  my $status     = validateStatus($cgi->param('status'));
  my $form_group = validateGroup($cgi->param('group'));

  my $query =

    # Select columns describing each flag, the bug/attachment on which
    # it has been set, who set it, and of whom they are requesting it.
    " SELECT    flags.id, flagtypes.name,
                flags.status,
                flags.bug_id, bugs.short_desc,
                products.name, components.name,
                flags.attach_id, attachments.description,
                requesters.realname, requesters.login_name,
                requestees.realname, requestees.login_name, COUNT(privs.group_id),
    " . $dbh->sql_date_format('flags.modification_date', '%Y.%m.%d %H:%i') .

    # Use the flags and flagtypes tables for information about the flags,
    # the bugs and attachments tables for target info, the profiles tables
    # for setter and requestee info, the products/components tables
    # so we can display product and component names, and the bug_group_map
    # table to help us weed out secure bugs to which the user should not have
    # access.
    "
      FROM           flags 
           LEFT JOIN attachments
                  ON flags.attach_id = attachments.attach_id
          INNER JOIN flagtypes
                  ON flags.type_id = flagtypes.id
          INNER JOIN profiles AS requesters
                  ON flags.setter_id = requesters.userid
           LEFT JOIN profiles AS requestees
                  ON flags.requestee_id  = requestees.userid
          INNER JOIN bugs
                  ON flags.bug_id = bugs.bug_id
          INNER JOIN products
                  ON bugs.product_id = products.id
          INNER JOIN components
                  ON bugs.component_id = components.id
           LEFT JOIN bug_group_map AS privs
                  ON privs.bug_id = bugs.bug_id
           LEFT JOIN cc AS ccmap
                  ON ccmap.who = $userid
                 AND ccmap.bug_id = bugs.bug_id
           LEFT JOIN bug_group_map AS bgmap
                  ON bgmap.bug_id = bugs.bug_id
    ";

  if (Bugzilla->params->{or_groups}) {
    $query .= " AND bgmap.group_id IN (" . $user->groups_as_string . ")";
    $query .= " WHERE     (privs.group_id IS NULL OR bgmap.group_id IS NOT NULL OR";
  }
  else {
    $query .= " AND bgmap.group_id NOT IN (" . $user->groups_as_string . ")";
    $query .= " WHERE     (bgmap.group_id IS NULL OR";
  }

  # Weed out bug the user does not have access to
  $query .= "            (ccmap.who IS NOT NULL AND cclist_accessible = 1) OR
                 (bugs.reporter = $userid AND bugs.reporter_accessible = 1) OR
                 (bugs.assigned_to = $userid) " . (
    Bugzilla->params->{'useqacontact'}
    ? "OR
                 (bugs.qa_contact = $userid))"
    : ")"
  );

  unless ($user->is_insider) {
    $query .= " AND (attachments.attach_id IS NULL
                         OR attachments.isprivate = 0
                         OR attachments.submitter_id = $userid)";
  }

  # Limit query to pending requests.
  $query .= " AND flags.status = '?' " unless $status;

  # The set of criteria by which we filter records to display in the queue.
  my @criteria = ();

  # A list of columns to exclude from the report because the report conditions
  # limit the data being displayed to exact matches for those columns.
  # In other words, if we are only displaying "pending" , we don't
  # need to display a "status" column in the report because the value for that
  # column will always be the same.
  my @excluded_columns = ();
  my $do_union         = $cgi->param('do_union');

  # Filter results by exact email address of requester or requestee.
  if (defined $cgi->param('requester') && $cgi->param('requester') ne "") {
    my $requester = $dbh->quote($cgi->param('requester'));
    trick_taint($requester);    # Quoted above
    push(@criteria, $dbh->sql_istrcmp('requesters.login_name', $requester));
    push(@excluded_columns, 'requester') unless $do_union;
  }
  if (defined $cgi->param('requestee') && $cgi->param('requestee') ne "") {
    if ($cgi->param('requestee') ne "-") {
      my $requestee = $dbh->quote($cgi->param('requestee'));
      trick_taint($requestee);    # Quoted above
      push(@criteria, $dbh->sql_istrcmp('requestees.login_name', $requestee));
    }
    else {
      push(@criteria, "flags.requestee_id IS NULL");
    }
    push(@excluded_columns, 'requestee') unless $do_union;
  }

  # If the user wants requester = foo OR requestee = bar, we have to join
  # these criteria separately as all other criteria use AND.
  if (@criteria == 2 && $do_union) {
    my $union = join(' OR ', @criteria);
    @criteria = ("($union)");
  }

  # Filter requests by status: "pending", "granted", "denied", "all"
  # (which means any), or "fulfilled" (which means "granted" or "denied").
  if ($status) {
    if ($status eq "+-") {
      push(@criteria,         "flags.status IN ('+', '-')");
      push(@excluded_columns, 'status');
    }
    elsif ($status ne "all") {
      push(@criteria,         "flags.status = '$status'");
      push(@excluded_columns, 'status');
    }
  }

  # Filter results by exact product or component.
  if (defined $cgi->param('product') && $cgi->param('product') ne "") {
    my $product = Bugzilla::Product->check(scalar $cgi->param('product'));
    push(@criteria,         "bugs.product_id = " . $product->id);
    push(@excluded_columns, 'product');
    if (defined $cgi->param('component') && $cgi->param('component') ne "") {
      my $component
        = Bugzilla::Component->check({
        product => $product, name => scalar $cgi->param('component')
        });
      push(@criteria,         "bugs.component_id = " . $component->id);
      push(@excluded_columns, 'component');
    }
  }

  # Filter results by flag types.
  my $form_type = $cgi->param('type');
  if (defined $form_type && !grep($form_type eq $_, ("", "all"))) {

    # Check if any matching types are for attachments.  If not, don't show
    # the attachment column in the report.
    my $has_attachment_type = Bugzilla::FlagType::count(
      {'name' => $form_type, 'target_type' => 'attachment'});

    if (!$has_attachment_type) { push(@excluded_columns, 'attachment') }

    my $quoted_form_type = $dbh->quote($form_type);
    trick_taint($quoted_form_type);    # Already SQL quoted
    push(@criteria,         "flagtypes.name = " . $quoted_form_type);
    push(@excluded_columns, 'type');
  }

  $query .= ' AND ' . join(' AND ', @criteria) if scalar(@criteria);

  # Group the records by flag ID so we don't get multiple rows of data
  # for each flag.  This is only necessary because of the code that
  # removes flags on bugs the user is unauthorized to access.
  $query .= ' ' . $dbh->sql_group_by(
    'flags.id', 'flagtypes.name, flags.status, flags.bug_id, bugs.short_desc,
                products.name, components.name, flags.attach_id,
                attachments.description, requesters.realname,
                requesters.login_name, requestees.realname,
                requestees.login_name, flags.modification_date,
                cclist_accessible, bugs.reporter, bugs.reporter_accessible,
                bugs.assigned_to'
  );

  # Group the records, in other words order them by the group column
  # so the loop in the display template can break them up into separate
  # tables every time the value in the group column changes.

  $form_group ||= "requestee";
  if ($form_group eq "requester") {
    $query .= " ORDER BY requesters.realname, requesters.login_name";
  }
  elsif ($form_group eq "requestee") {
    $query .= " ORDER BY requestees.realname, requestees.login_name";
  }
  elsif ($form_group eq "category") {
    $query .= " ORDER BY products.name, components.name";
  }
  elsif ($form_group eq "type") {
    $query .= " ORDER BY flagtypes.name";
  }

  # Order the records (within each group).
  $query .= " , flags.modification_date";

  # Pass the query to the template for use when debugging this script.
  $vars->{'query'} = $query;
  $vars->{'debug'} = $cgi->param('debug') ? 1 : 0;

  my $results  = $dbh->selectall_arrayref($query);
  my @requests = ();
  foreach my $result (@$results) {
    my @data    = @$result;
    my $request = {
      'id'             => $data[0],
      'type'           => $data[1],
      'status'         => $data[2],
      'bug_id'         => $data[3],
      'bug_summary'    => $data[4],
      'category'       => "$data[5]: $data[6]",
      'attach_id'      => $data[7],
      'attach_summary' => $data[8],
      'requester'      => ($data[9] ? "$data[9] <$data[10]>" : $data[10]),
      'requestee'      => ($data[11] ? "$data[11] <$data[12]>" : $data[12]),
      'restricted'     => $data[13] ? 1 : 0,
      'created'        => $data[14]
    };
    push(@requests, $request);
  }

  # Get a list of request type names to use in the filter form.
  my @types     = ("all");
  my $flagtypes = get_flag_types();
  push(@types, @$flagtypes);

  $vars->{'excluded_columns'} = \@excluded_columns;
  $vars->{'group_field'}      = $form_group;
  $vars->{'requests'}         = \@requests;
  $vars->{'types'}            = \@types;

  # This code is needed to populate the Product and Component select fields.
  my ($products, %components);
  if (Bugzilla->params->{useclassification}) {
    foreach my $class (@{$user->get_selectable_classifications}) {
      push @$products, @{$user->get_selectable_products($class->id)};
    }
  }
  else {
    $products = $user->get_selectable_products;
  }

  foreach my $product (@$products) {
    $components{$_->name} = 1 foreach @{$product->components};
  }
  $vars->{'products'}   = $products;
  $vars->{'components'} = [sort keys %components];

  $vars->{'urlquerypart'} = $cgi->canonicalise_query('ctype');

  # Generate and return the UI (HTML page) from the appropriate template.
  $template->process($format->{'template'}, $vars)
    || ThrowTemplateError($template->error());
}

################################################################################
# Data Validation / Security Authorization
################################################################################

sub validateStatus {
  my $status = shift;
  return if !defined $status;

  grep($status eq $_, qw(? +- + - all))
    || ThrowUserError("flag_status_invalid", {status => $status});
  trick_taint($status);
  return $status;
}

sub validateGroup {
  my $group = shift;
  return if !defined $group;

  grep($group eq $_, qw(requester requestee category type))
    || ThrowUserError("request_queue_group_invalid", {group => $group});
  trick_taint($group);
  return $group;
}

# Returns all flag types which have at least one flag of this type.
# If a flag type is inactive but still has flags, we want it.
sub get_flag_types {
  my $dbh        = Bugzilla->dbh;
  my $flag_types = $dbh->selectcol_arrayref(
    'SELECT DISTINCT name
                                                 FROM flagtypes
                                                WHERE flagtypes.id IN
                                                      (SELECT DISTINCT type_id FROM flags)
                                             ORDER BY name'
  );
  return $flag_types;
}