editgroups.cgi

   1 #!/usr/bin/perl -T
   2 # This Source Code Form is subject to the terms of the Mozilla Public
   3 # License, v. 2.0. If a copy of the MPL was not distributed with this
   4 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
   5 #
   6 # This Source Code Form is "Incompatible With Secondary Licenses", as
   7 # defined by the Mozilla Public License, v. 2.0.
   8
   9 use 5.10.1;
  10 use strict;
  11 use warnings;
  12
  13 use lib qw(. lib);
  14
  15 use Bugzilla;
  16 use Bugzilla::Constants;
  17 use Bugzilla::Config qw(:admin);
  18 use Bugzilla::Util;
  19 use Bugzilla::Error;
  20 use Bugzilla::Group;
  21 use Bugzilla::Product;
  22 use Bugzilla::User;
  23 use Bugzilla::Token;
  24
  25 my $cgi      = Bugzilla->cgi;
  26 my $dbh      = Bugzilla->dbh;
  27 my $template = Bugzilla->template;
  28 my $vars     = {};
  29
  30 my $user = Bugzilla->login(LOGIN_REQUIRED);
  31
  32 print $cgi->header();
  33
  34 $user->in_group('creategroups')
  35   || ThrowUserError("auth_failure",
  36   {group => "creategroups", action => "edit", object => "groups"});
  37
  38 my $action = trim($cgi->param('action') || '');
  39 my $token = $cgi->param('token');
  40
  41 # CheckGroupID checks that a positive integer is given and is
  42 # actually a valid group ID. If all tests are successful, the
  43 # trimmed group ID is returned.
  44
  45 sub CheckGroupID {
  46   my ($group_id) = @_;
  47   $group_id = trim($group_id || 0);
  48   ThrowUserError("group_not_specified") unless $group_id;
  49   (
  50     detaint_natural($group_id) && Bugzilla->dbh->selectrow_array(
  51       "SELECT id FROM groups WHERE id = ?",
  52       undef, $group_id
  53     )
  54   ) || ThrowUserError("invalid_group_ID");
  55   return $group_id;
  56 }
  57
  58 # CheckGroupRegexp checks that the regular expression is valid
  59 # (the regular expression being optional, the test is successful
  60 # if none is given, as expected). The trimmed regular expression
  61 # is returned.
  62
  63 sub CheckGroupRegexp {
  64   my ($regexp) = @_;
  65   $regexp = trim($regexp || '');
  66   trick_taint($regexp);
  67   ThrowUserError("invalid_regexp") unless (eval {qr/$regexp/});
  68   return $regexp;
  69 }
  70
  71 # A helper for displaying the edit.html.tmpl template.
  72 sub get_current_and_available {
  73   my ($group, $vars) = @_;
  74
  75   my @all_groups         = Bugzilla::Group->get_all;
  76   my @members_current    = @{$group->grant_direct(GROUP_MEMBERSHIP)};
  77   my @member_of_current  = @{$group->granted_by_direct(GROUP_MEMBERSHIP)};
  78   my @bless_from_current = @{$group->grant_direct(GROUP_BLESS)};
  79   my @bless_to_current   = @{$group->granted_by_direct(GROUP_BLESS)};
  80   my (@visible_from_current, @visible_to_me_current);
  81   if (Bugzilla->params->{'usevisibilitygroups'}) {
  82     @visible_from_current  = @{$group->grant_direct(GROUP_VISIBLE)};
  83     @visible_to_me_current = @{$group->granted_by_direct(GROUP_VISIBLE)};
  84   }
  85
  86   # Figure out what groups are not currently a member of this group,
  87   # and what groups this group is not currently a member of.
  88   my (
  89     @members_available,  @member_of_available,    @bless_from_available,
  90     @bless_to_available, @visible_from_available, @visible_to_me_available
  91   );
  92   foreach my $group_option (@all_groups) {
  93     if (Bugzilla->params->{'usevisibilitygroups'}) {
  94       push(@visible_from_available, $group_option)
  95         if !grep($_->id == $group_option->id, @visible_from_current);
  96       push(@visible_to_me_available, $group_option)
  97         if !grep($_->id == $group_option->id, @visible_to_me_current);
  98     }
  99
 100     push(@bless_from_available, $group_option)
 101       if !grep($_->id == $group_option->id, @bless_from_current);
 102
 103     # The group itself should never show up in the membership lists,
 104     # and should show up in only one of the bless lists (otherwise
 105     # you can try to allow it to bless itself twice, leading to a
 106     # database unique constraint error).
 107     next if $group_option->id == $group->id;
 108
 109     push(@members_available, $group_option)
 110       if !grep($_->id == $group_option->id, @members_current);
 111     push(@member_of_available, $group_option)
 112       if !grep($_->id == $group_option->id, @member_of_current);
 113     push(@bless_to_available, $group_option)
 114       if !grep($_->id == $group_option->id, @bless_to_current);
 115   }
 116
 117   $vars->{'members_current'}     = \@members_current;
 118   $vars->{'members_available'}   = \@members_available;
 119   $vars->{'member_of_current'}   = \@member_of_current;
 120   $vars->{'member_of_available'} = \@member_of_available;
 121
 122   $vars->{'bless_from_current'}   = \@bless_from_current;
 123   $vars->{'bless_from_available'} = \@bless_from_available;
 124   $vars->{'bless_to_current'}     = \@bless_to_current;
 125   $vars->{'bless_to_available'}   = \@bless_to_available;
 126
 127   if (Bugzilla->params->{'usevisibilitygroups'}) {
 128     $vars->{'visible_from_current'}    = \@visible_from_current;
 129     $vars->{'visible_from_available'}  = \@visible_from_available;
 130     $vars->{'visible_to_me_current'}   = \@visible_to_me_current;
 131     $vars->{'visible_to_me_available'} = \@visible_to_me_available;
 132   }
 133 }
 134
 135 # If no action is specified, get a list of all groups available.
 136
 137 unless ($action) {
 138   my @groups = Bugzilla::Group->get_all;
 139   $vars->{'groups'} = \@groups;
 140
 141   $template->process("admin/groups/list.html.tmpl", $vars)
 142     || ThrowTemplateError($template->error());
 143   exit;
 144 }
 145
 146 #
 147 # action='changeform' -> present form for altering an existing group
 148 #
 149 # (next action will be 'postchanges')
 150 #
 151
 152 if ($action eq 'changeform') {
 153
 154   # Check that an existing group ID is given
 155   my $group_id = CheckGroupID($cgi->param('group'));
 156   my $group    = new Bugzilla::Group($group_id);
 157
 158   get_current_and_available($group, $vars);
 159   $vars->{'group'} = $group;
 160   $vars->{'token'} = issue_session_token('edit_group');
 161
 162   $template->process("admin/groups/edit.html.tmpl", $vars)
 163     || ThrowTemplateError($template->error());
 164   exit;
 165 }
 166
 167 #
 168 # action='add' -> present form for parameters for new group
 169 #
 170 # (next action will be 'new')
 171 #
 172
 173 if ($action eq 'add') {
 174   $vars->{'token'} = issue_session_token('add_group');
 175
 176   $template->process("admin/groups/create.html.tmpl", $vars)
 177     || ThrowTemplateError($template->error());
 178   exit;
 179 }
 180
 181
 182 #
 183 # action='new' -> add group entered in the 'action=add' screen
 184 #
 185
 186 if ($action eq 'new') {
 187   check_token_data($token, 'add_group');
 188   my $group = Bugzilla::Group->create({
 189     name                => scalar $cgi->param('name'),
 190     description         => scalar $cgi->param('desc'),
 191     userregexp          => scalar $cgi->param('regexp'),
 192     isactive            => scalar $cgi->param('isactive'),
 193     icon_url            => scalar $cgi->param('icon_url'),
 194     isbuggroup          => 1,
 195     use_in_all_products => scalar $cgi->param('insertnew'),
 196   });
 197
 198   delete_token($token);
 199
 200   $vars->{'message'} = 'group_created';
 201   $vars->{'group'}   = $group;
 202   get_current_and_available($group, $vars);
 203   $vars->{'token'} = issue_session_token('edit_group');
 204
 205   $template->process("admin/groups/edit.html.tmpl", $vars)
 206     || ThrowTemplateError($template->error());
 207   exit;
 208 }
 209
 210 #
 211 # action='del' -> ask if user really wants to delete
 212 #
 213 # (next action would be 'delete')
 214 #
 215
 216 if ($action eq 'del') {
 217
 218   # Check that an existing group ID is given
 219   my $group = Bugzilla::Group->check({id => scalar $cgi->param('group')});
 220   $group->check_remove({test_only => 1});
 221   $vars->{'shared_queries'} = $dbh->selectrow_array(
 222     'SELECT COUNT(*)
 223                                  FROM namedquery_group_map
 224                                 WHERE group_id = ?', undef, $group->id
 225   );
 226
 227   $vars->{'group'} = $group;
 228   $vars->{'token'} = issue_session_token('delete_group');
 229
 230   $template->process("admin/groups/delete.html.tmpl", $vars)
 231     || ThrowTemplateError($template->error());
 232   exit;
 233 }
 234
 235 #
 236 # action='delete' -> really delete the group
 237 #
 238
 239 if ($action eq 'delete') {
 240   check_token_data($token, 'delete_group');
 241
 242   # Check that an existing group ID is given
 243   my $group = Bugzilla::Group->check({id => scalar $cgi->param('group')});
 244   $vars->{'name'} = $group->name;
 245   $group->remove_from_db({
 246     remove_from_users    => scalar $cgi->param('removeusers'),
 247     remove_from_bugs     => scalar $cgi->param('removebugs'),
 248     remove_from_flags    => scalar $cgi->param('removeflags'),
 249     remove_from_products => scalar $cgi->param('unbind'),
 250   });
 251   delete_token($token);
 252
 253   $vars->{'message'} = 'group_deleted';
 254   $vars->{'groups'}  = [Bugzilla::Group->get_all];
 255
 256   $template->process("admin/groups/list.html.tmpl", $vars)
 257     || ThrowTemplateError($template->error());
 258   exit;
 259 }
 260
 261 #
 262 # action='postchanges' -> update the groups
 263 #
 264
 265 if ($action eq 'postchanges') {
 266   check_token_data($token, 'edit_group');
 267   my $changes = doGroupChanges();
 268   delete_token($token);
 269
 270   my $group = new Bugzilla::Group($cgi->param('group_id'));
 271   get_current_and_available($group, $vars);
 272   $vars->{'message'} = 'group_updated';
 273   $vars->{'group'}   = $group;
 274   $vars->{'changes'} = $changes;
 275   $vars->{'token'}   = issue_session_token('edit_group');
 276
 277   $template->process("admin/groups/edit.html.tmpl", $vars)
 278     || ThrowTemplateError($template->error());
 279   exit;
 280 }
 281
 282 if ($action eq 'confirm_remove') {
 283   my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id')));
 284   $vars->{'group'}  = $group;
 285   $vars->{'regexp'} = CheckGroupRegexp($cgi->param('regexp'));
 286   $vars->{'token'}  = issue_session_token('remove_group_members');
 287
 288   $template->process('admin/groups/confirm-remove.html.tmpl', $vars)
 289     || ThrowTemplateError($template->error());
 290   exit;
 291 }
 292
 293 if ($action eq 'remove_regexp') {
 294   check_token_data($token, 'remove_group_members');
 295
 296   # remove all explicit users from the group with
 297   # gid = $cgi->param('group') that match the regular expression
 298   # stored in the DB for that group or all of them period
 299
 300   my $group  = new Bugzilla::Group(CheckGroupID($cgi->param('group_id')));
 301   my $regexp = CheckGroupRegexp($cgi->param('regexp'));
 302
 303   $dbh->bz_start_transaction();
 304
 305   my $users      = $group->members_direct();
 306   my $sth_delete = $dbh->prepare(
 307     "DELETE FROM user_group_map
 308            WHERE user_id = ? AND isbless = 0 AND group_id = ?"
 309   );
 310
 311   my @deleted;
 312   foreach my $member (@$users) {
 313     if ($regexp eq '' || $member->login =~ m/$regexp/i) {
 314       $sth_delete->execute($member->id, $group->id);
 315       push(@deleted, $member);
 316     }
 317   }
 318   $dbh->bz_commit_transaction();
 319
 320   $vars->{'users'}  = \@deleted;
 321   $vars->{'regexp'} = $regexp;
 322   delete_token($token);
 323
 324   $vars->{'message'} = 'group_membership_removed';
 325   $vars->{'group'}   = $group->name;
 326   $vars->{'groups'}  = [Bugzilla::Group->get_all];
 327
 328   $template->process("admin/groups/list.html.tmpl", $vars)
 329     || ThrowTemplateError($template->error());
 330   exit;
 331 }
 332
 333 # No valid action found
 334 ThrowUserError('unknown_action', {action => $action});
 335
 336 # Helper sub to handle the making of changes to a group
 337 sub doGroupChanges {
 338   my $cgi = Bugzilla->cgi;
 339   my $dbh = Bugzilla->dbh;
 340
 341   $dbh->bz_start_transaction();
 342
 343   # Check that the given group ID is valid and make a Group.
 344   my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id')));
 345
 346   if (defined $cgi->param('regexp')) {
 347     $group->set_user_regexp($cgi->param('regexp'));
 348   }
 349
 350   if ($group->is_bug_group) {
 351     if (defined $cgi->param('name')) {
 352       $group->set_name($cgi->param('name'));
 353     }
 354     if (defined $cgi->param('desc')) {
 355       $group->set_description($cgi->param('desc'));
 356     }
 357
 358     # Only set isactive if we came from the right form.
 359     if (defined $cgi->param('regexp')) {
 360       $group->set_is_active($cgi->param('isactive'));
 361     }
 362   }
 363
 364   if (defined $cgi->param('icon_url')) {
 365     $group->set_icon_url($cgi->param('icon_url'));
 366   }
 367
 368   my $changes = $group->update();
 369
 370   my $sth_insert = $dbh->prepare(
 371     'INSERT INTO group_group_map
 372                                     (member_id, grantor_id, grant_type)
 373                                     VALUES (?, ?, ?)'
 374   );
 375
 376   my $sth_delete = $dbh->prepare(
 377     'DELETE FROM group_group_map
 378                                      WHERE member_id = ?
 379                                            AND grantor_id = ?
 380                                            AND grant_type = ?'
 381   );
 382
 383   # First item is the type, second is whether or not it's "reverse"
 384   # (granted_by) (see _do_add for more explanation).
 385   my %fields = (
 386     members       => [GROUP_MEMBERSHIP, 0],
 387     bless_from    => [GROUP_BLESS,      0],
 388     visible_from  => [GROUP_VISIBLE,    0],
 389     member_of     => [GROUP_MEMBERSHIP, 1],
 390     bless_to      => [GROUP_BLESS,      1],
 391     visible_to_me => [GROUP_VISIBLE,    1]
 392   );
 393   while (my ($field, $data) = each %fields) {
 394     _do_add($group, $changes, $sth_insert, "${field}_add", $data->[0], $data->[1]);
 395     _do_remove($group, $changes, $sth_delete, "${field}_remove", $data->[0],
 396       $data->[1]);
 397   }
 398
 399   $dbh->bz_commit_transaction();
 400   return $changes;
 401 }
 402
 403 sub _do_add {
 404   my ($group, $changes, $sth_insert, $field, $type, $reverse) = @_;
 405   my $cgi = Bugzilla->cgi;
 406
 407   my $current;
 408
 409   # $reverse means we're doing a granted_by--that is, somebody else
 410   # is granting us something.
 411   if ($reverse) {
 412     $current = $group->granted_by_direct($type);
 413   }
 414   else {
 415     $current = $group->grant_direct($type);
 416   }
 417
 418   my $add_items = Bugzilla::Group->new_from_list([$cgi->param($field)]);
 419
 420   foreach my $add (@$add_items) {
 421     next if grep($_->id == $add->id, @$current);
 422
 423     $changes->{$field} ||= [];
 424     push(@{$changes->{$field}}, $add->name);
 425
 426     # They go this direction for a normal "This group is granting
 427     # $add something."
 428     my @ids = ($add->id, $group->id);
 429
 430     # But they get reversed for "This group is being granted something
 431     # by $add."
 432     @ids = reverse @ids if $reverse;
 433     $sth_insert->execute(@ids, $type);
 434   }
 435 }
 436
 437 sub _do_remove {
 438   my ($group, $changes, $sth_delete, $field, $type, $reverse) = @_;
 439   my $cgi          = Bugzilla->cgi;
 440   my $remove_items = Bugzilla::Group->new_from_list([$cgi->param($field)]);
 441
 442   foreach my $remove (@$remove_items) {
 443     my @ids = ($remove->id, $group->id);
 444
 445     # See _do_add for an explanation of $reverse
 446     @ids = reverse @ids if $reverse;
 447
 448     # Deletions always succeed and are harmless if they fail, so we
 449     # don't need to do any checks.
 450     $sth_delete->execute(@ids, $type);
 451     $changes->{$field} ||= [];
 452     push(@{$changes->{$field}}, $remove->name);
 453   }
 454 }