return $class->dbh_main;
}
+sub log_user_request {
+ my ($class, $bug_id, $attach_id, $action) = @_;
+
+ return unless Bugzilla->params->{log_user_requests};
+
+ my $cgi = $class->cgi;
+ my $user_id = $class->user->id;
+ my $request_url = $cgi->request_uri // '';
+ my $method = $cgi->request_method;
+ my $user_agent = $cgi->user_agent // '';
+ my $script_name = $cgi->script_name;
+ my $server = "web";
+
+ if ($script_name =~ /rest\.cgi/) {
+ $server = $script_name =~ /BzAPI/ ? "bzapi" : "rest";
+ }
+ elsif ($script_name =~ /xmlrpc\.cgi/) {
+ $server = "xmlrpc";
+ }
+ elsif ($script_name =~ /jsonrpc\.cgi/) {
+ $server = "jsonrpc";
+ }
+
+ my @params = ($user_id, remote_ip(), $user_agent, $request_url, $method, $bug_id, $attach_id, $action, $server);
+ foreach my $param (@params) {
+ trick_taint($param) if defined $param;
+ }
+
+ eval {
+ local $class->request_cache->{dbh};
+ $class->switch_to_main_db();
+ $class->dbh->do("INSERT INTO user_request_log
+ (user_id, ip_address, user_agent, request_url,
+ method, timestamp, bug_id, attach_id, action, server)
+ VALUES (?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?)", undef, @params);
+ };
+ warn $@ if $@;
+}
+
sub is_shadow_db {
my $class = shift;
return $class->request_cache->{dbh} != $class->dbh_main;
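Review bot: `$request_url` is stored verbatim from `$cgi->request_uri`, so any credential a client puts in the query string lands in `user_request_log` in clear text. Bugzilla accepts parameters such as `Bugzilla_api_key`, `Bugzilla_token` and `Bugzilla_password` in the URL, which would make the log table a second store of secrets for anyone who can read it. Mask them before building `@params`, for example `$request_url =~ s/\b((?:Bugzilla_)?(?:api_key|token|password))=[^&;]*/$1=REDACTED/gi;`, adjusting the name list to what this installation accepts. The table definition is not on this page, so also confirm the `request_url` and `user_agent` columns are wide enough or truncate the values. An over-long, client-controlled value that makes the INSERT fail only reaches `warn $@`, and the request proceeds unlogged.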
if ($format eq 'raw') {
require Bugzilla::PatchReader::DiffPrinter::raw;
$last_reader->sends_data_to(new Bugzilla::PatchReader::DiffPrinter::raw());
+
+ Bugzilla->log_user_request($attachment->bug_id, $attachment->id, "attachment-get")
+ if Bugzilla->user->id;
# Actually print out the patch.
print $cgi->header(-type => 'text/plain',
-expires => '+3M');
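Review bot: The `if Bugzilla->user->id` guard on this call is repeated at almost every call site on this page (the interdiff, search, bug-get and attachment hunks) but is absent on the three `api-key-*` calls. Whether anonymous requests are logged therefore depends on each caller remembering the check. Moving it into the sub, `return unless Bugzilla->params->{log_user_requests} && $class->user->id;`, keeps the policy in one place and lets callers drop the condition. The enclosing `if ($format eq 'raw')` block starts and ends outside this hunk.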
my $lc = Bugzilla->localconfig;
my $vars = {};
+ if (Bugzilla->user->id) {
+ foreach my $attachment ($old_attachment, $new_attachment) {
+ Bugzilla->log_user_request($attachment->bug_id, $attachment->id, "attachment-get");
+ }
+ }
+
# Encode attachment data as utf8 if it's going to be displayed in a HTML
# page using the UTF-8 encoding.
if ($format ne 'raw' && Bugzilla->params->{'utf8'}) {
type => 't',
default => 10,
checker => \&check_numeric
+ },
+
+ {
+ name => 'log_user_requests',
+ type => 'b',
+ default => 0,
});
return @param_list;
}
return $self->{data} if $self->{data};
my $dbh = Bugzilla->dbh;
+ Bugzilla->log_user_request(undef, undef, "search") if Bugzilla->user->id;
# If all fields belong to the 'bugs' table, there is no need to split
# the original query into two pieces. Else we override the 'fields'
# argument to first get bug IDs based on the search criteria defined
$self->_add_update_tokens($params, \@bugs, \@hashes);
+ if (Bugzilla->user->id) {
+ foreach my $bug (@bugs) {
+ Bugzilla->log_user_request($bug->id, undef, 'bug-get');
+ }
+ }
return { bugs => \@hashes, faults => \@faults };
}
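Review bot: The `foreach my $bug (@bugs)` loop calls `log_user_request` once per returned bug, and each call does its own `switch_to_main_db` and INSERT, so one request listing many IDs becomes that many writes on the main database. The `foreach my $bug_id (@bugids)` loop near the end of the page has the same shape. Consider a variant that takes a list of bug IDs and writes them in one statement or transaction, or cap the rows logged per request. Only `@bugs` is logged, so lookups that apparently ended up in `@faults` leave no row; if the table is meant to support access review, denied lookups are worth recording too. The enclosing method starts outside this hunk.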
}
my %attachments;
+ my @log_attachments;
foreach my $attach (@{Bugzilla::Attachment->new_from_list($attach_ids)}) {
Bugzilla::Bug->check($attach->bug_id);
if ($attach->isprivate && !Bugzilla->user->is_insider) {
object => 'attachment',
attach_id => $attach->id});
}
+ push @log_attachments, $attach;
+
$attachments{$attach->id} =
$self->_attachment_to_hash($attach, $params);
}
+ if (Bugzilla->user->id) {
+ foreach my $attachment (@log_attachments) {
+ Bugzilla->log_user_request($attachment->bug_id, $attachment->id, "attachment-get");
+ }
+ }
+
return { bugs => \%bugs, attachments => \%attachments };
}
}
}
}
+ Bugzilla->log_user_request($attachment->bug_id, $attachment->id, "attachment-get")
+ if Bugzilla->user->id;
print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
-content_disposition=> "$disposition; filename=\"$filename\"",
-content_length => $attachment->datasize);
$vars->{'attachment'} = $attachment;
$vars->{'attachments'} = $bugattachments;
+ Bugzilla->log_user_request($attachment->bug_id, $attachment->id, "attachment-get")
+ if Bugzilla->user->id;
print $cgi->header();
# Generate and return the UI (HTML page) from the appropriate template.
$vars->{'displayfields'} = \%displayfields;
+if ($user->id) {
+ foreach my $bug_id (@bugids) {
+ Bugzilla->log_user_request($bug_id, undef, 'bug-get');
+ }
+}
print $cgi->header($format->{'ctype'});
$template->process($format->{'template'}, $vars)
"will ever happen."
last_visit_keep_days => "This option controls how many days $terms.Bugzilla will " _
- "remember when users visit specific ${terms.bugs}."}
+ "remember when users visit specific ${terms.bugs}.",
+
+ log_user_requests => "This option controls logging of authenticated requests in the user_request_log table"}
%]
revoked => $revoked,
});
$api_key->update();
+ if ($revoked) {
+ Bugzilla->log_user_request(undef, undef, 'api-key-revoke')
+ }
+ else {
+ Bugzilla->log_user_request(undef, undef, 'api-key-unrevoke')
+ }
}
}
}
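Review bot: Both calls pass `undef` for `bug_id` and `attach_id`, so the `api-key-revoke` and `api-key-unrevoke` rows do not say which key was changed. The same holds for the `api-key-unrevoke` and `api-key-create` calls in the two hunks below. For an audit trail of credential changes, the key's database id (never the key value itself) should be recoverable from the row, which needs either an extra column or an agreed encoding in `action`. Minor: the two calls have no terminating `;`, which Perl accepts for the last statement of a block but which differs from the rest of the patch. The enclosing loop and sub start outside this hunk.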
revoked => 0,
});
$api_key->update();
+ Bugzilla->log_user_request(undef, undef, 'api-key-unrevoke');
$dbh->bz_commit_transaction;
}
}
description => $description,
});
+ Bugzilla->log_user_request(undef, undef, 'api-key-create');
+
# As a security precaution, we always sent out an e-mail when
# an API key is created
my $template = Bugzilla->template_inner($user->setting('lang'));