gecko-dev/webtools/bugzilla/editusers.cgi

790 lines
31 KiB
Perl
Executable File

#!/usr/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
# License Version 1.1 (the "License"); you may not use this file
# except in compliance with the License. You may obtain a copy of
# the License at http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS
# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
# implied. See the License for the specific language governing
# rights and limitations under the License.
#
# The Original Code is the Bugzilla Bug Tracking System.
#
# Contributor(s): Marc Schumann <wurblzap@gmail.com>
# Lance Larsh <lance.larsh@oracle.com>
use strict;
use lib ".";
require "globals.pl";
use vars qw( $vars );
use Bugzilla;
use Bugzilla::User;
use Bugzilla::Bug;
use Bugzilla::Flag;
use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::Util;
use Bugzilla::Field;
Bugzilla->login(LOGIN_REQUIRED);
my $cgi = Bugzilla->cgi;
my $template = Bugzilla->template;
my $dbh = Bugzilla->dbh;
my $user = Bugzilla->user;
my $userid = $user->id;
my $editusers = $user->in_group('editusers');
# Reject access if there is no sense in continuing.
$editusers
|| $user->can_bless()
|| ThrowUserError("auth_failure", {group => "editusers",
reason => "cant_bless",
action => "edit",
object => "users"});
print Bugzilla->cgi->header();
# Common CGI params
my $action = $cgi->param('action') || 'search';
my $login = $cgi->param('login');
my $password = $cgi->param('password');
my $groupid = $cgi->param('groupid');
my $otherUser = new Bugzilla::User($cgi->param('userid'));
my $realname = trim($cgi->param('name') || '');
my $disabledtext = trim($cgi->param('disabledtext') || '');
# Directly from common CGI params derived values
my $otherUserID = $otherUser->id();
# Prefill template vars with data used in all or nearly all templates
$vars->{'editusers'} = $editusers;
mirrorListSelectionValues();
###########################################################################
if ($action eq 'search') {
# Allow to restrict the search to any group the user is allowed to bless.
$vars->{'restrictablegroups'} = $user->bless_groups();
$template->process('admin/users/search.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
###########################################################################
} elsif ($action eq 'list') {
my $matchstr = $cgi->param('matchstr');
my $matchtype = $cgi->param('matchtype');
my $grouprestrict = $cgi->param('grouprestrict') || '0';
my $query = 'SELECT DISTINCT userid, login_name, realname, disabledtext ' .
'FROM profiles';
my @bindValues;
my $nextCondition;
my $visibleGroups;
if (!$editusers && Param('usevisibilitygroups')) {
# Show only users in visible groups.
$visibleGroups = $user->visible_groups_as_string();
if ($visibleGroups) {
$query .= qq{, user_group_map AS ugm
WHERE ugm.user_id = profiles.userid
AND ugm.isbless = 0
AND ugm.group_id IN ($visibleGroups)
};
$nextCondition = 'AND';
}
} else {
$visibleGroups = 1;
if ($grouprestrict eq '1') {
$query .= ', user_group_map AS ugm';
}
$nextCondition = 'WHERE';
}
if (!$visibleGroups) {
$vars->{'users'} = {};
}
else {
# Handle selection by user name.
if (defined($matchtype)) {
$query .= " $nextCondition ";
my $expr = "profiles.login_name";
if ($matchtype eq 'regexp') {
$query .= $dbh->sql_regexp($expr, '?');
$matchstr = '.' unless $matchstr;
} elsif ($matchtype eq 'notregexp') {
$query .= $dbh->sql_not_regexp($expr, '?');
$matchstr = '.' unless $matchstr;
} elsif ($matchtype eq 'exact') {
$query .= $expr . ' = ?';
$matchstr = '.' unless $matchstr;
} else { # substr or unknown
$query .= $expr . ' like ?';
$matchstr = "%$matchstr%";
}
$nextCondition = 'AND';
# We can trick_taint because we use the value in a SELECT only,
# using a placeholder.
trick_taint($matchstr);
push(@bindValues, $matchstr);
}
# Handle selection by group.
if ($grouprestrict eq '1') {
detaint_natural($groupid);
my $grouplist = join(',',
@{Bugzilla::User->flatten_group_membership($groupid)});
$query .= " $nextCondition profiles.userid = ugm.user_id " .
"AND ugm.group_id IN($grouplist)";
}
$query .= ' ORDER BY profiles.login_name';
$vars->{'users'} = $dbh->selectall_arrayref($query,
{'Slice' => {}},
@bindValues);
}
if ($matchtype eq 'exact' && scalar(@{$vars->{'users'}}) == 1) {
$otherUserID = $vars->{'users'}[0]->{'userid'};
$otherUser = new Bugzilla::User($otherUserID);
edit_processing();
} else {
$template->process('admin/users/list.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
}
###########################################################################
} elsif ($action eq 'add') {
$editusers || ThrowUserError("auth_failure", {group => "editusers",
action => "add",
object => "users"});
$template->process('admin/users/create.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
###########################################################################
} elsif ($action eq 'new') {
$editusers || ThrowUserError("auth_failure", {group => "editusers",
action => "add",
object => "users"});
# Lock tables during the check+creation session.
$dbh->bz_lock_tables('profiles WRITE',
'profiles_activity WRITE',
'email_setting WRITE',
'namedqueries READ',
'whine_queries READ',
'tokens READ');
# Validity checks
$login || ThrowUserError('user_login_required');
validate_email_syntax($login)
|| ThrowUserError('illegal_email_address', {addr => $login});
is_available_username($login)
|| ThrowUserError('account_exists', {email => $login});
ValidatePassword($password);
# Login and password are validated now, and realname and disabledtext
# are allowed to contain anything
trick_taint($login);
trick_taint($realname);
trick_taint($password);
trick_taint($disabledtext);
insert_new_user($login, $realname, $password, $disabledtext);
$otherUserID = $dbh->bz_last_key('profiles', 'userid');
$dbh->bz_unlock_tables();
my $newprofile = new Bugzilla::User($otherUserID);
$newprofile->derive_regexp_groups();
userDataToVars($otherUserID);
$vars->{'message'} = 'account_created';
$template->process('admin/users/edit.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
###########################################################################
} elsif ($action eq 'edit') {
edit_processing();
###########################################################################
} elsif ($action eq 'update') {
$otherUser
|| ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
my $logoutNeeded = 0;
my @changedFields;
# Lock tables during the check+update session.
$dbh->bz_lock_tables('profiles WRITE',
'profiles_activity WRITE',
'fielddefs READ',
'namedqueries READ',
'whine_queries READ',
'tokens WRITE',
'logincookies WRITE',
'groups READ',
'user_group_map WRITE',
'user_group_map AS ugm READ',
'group_group_map READ',
'group_group_map AS ggm READ');
$editusers || $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible",
action => "modify",
object => "user"});
# Cleanups
my $loginold = $cgi->param('loginold') || '';
my $realnameold = $cgi->param('nameold') || '';
my $password = $cgi->param('password') || '';
my $disabledtextold = $cgi->param('disabledtextold') || '';
# Update profiles table entry; silently skip doing this if the user
# is not authorized.
if ($editusers) {
my @values;
if ($login ne $loginold) {
# Validate, then trick_taint.
$login || ThrowUserError('user_login_required');
validate_email_syntax($login)
|| ThrowUserError('illegal_email_address', {addr => $login});
is_available_username($login)
|| ThrowUserError('account_exists', {email => $login});
trick_taint($login);
push(@changedFields, 'login_name');
push(@values, $login);
$logoutNeeded = 1;
# Since we change the login, silently delete any tokens.
$dbh->do('DELETE FROM tokens WHERE userid = ?', {}, $otherUserID);
}
if ($realname ne $realnameold) {
# The real name may be anything; we use a placeholder for our
# INSERT, and we rely on displaying code to FILTER html.
trick_taint($realname);
push(@changedFields, 'realname');
push(@values, $realname);
}
if ($password) {
# Validate, then trick_taint.
ValidatePassword($password) if $password;
trick_taint($password);
push(@changedFields, 'cryptpassword');
push(@values, bz_crypt($password));
$logoutNeeded = 1;
}
if ($disabledtext ne $disabledtextold) {
# The disable text may be anything; we use a placeholder for our
# INSERT, and we rely on displaying code to FILTER html.
trick_taint($disabledtext);
push(@changedFields, 'disabledtext');
push(@values, $disabledtext);
$logoutNeeded = 1;
}
if (@changedFields) {
push (@values, $otherUserID);
$logoutNeeded && Bugzilla->logout_user_by_id($otherUserID);
$dbh->do('UPDATE profiles SET ' .
join(' = ?,', @changedFields).' = ? ' .
'WHERE userid = ?',
undef, @values);
# XXX: should create profiles_activity entries.
#
# We create a new user object here because it needs to
# read information that may have changed since this
# script started.
my $newprofile = new Bugzilla::User($otherUserID);
$newprofile->derive_regexp_groups();
}
}
# Update group settings.
my $sth_add_mapping = $dbh->prepare(
qq{INSERT INTO user_group_map (
user_id, group_id, isbless, grant_type
) VALUES (
?, ?, ?, ?
)
});
my $sth_remove_mapping = $dbh->prepare(
qq{DELETE FROM user_group_map
WHERE user_id = ?
AND group_id = ?
AND isbless = ?
AND grant_type = ?
});
my @groupsAddedTo;
my @groupsRemovedFrom;
my @groupsGrantedRightsToBless;
my @groupsDeniedRightsToBless;
# Regard only groups the user is allowed to bless and skip all others
# silently.
# XXX: checking for existence of each user_group_map entry
# would allow to display a friendlier error message on page reloads.
foreach (@{$user->bless_groups()}) {
my $id = $$_{'id'};
my $name = $$_{'name'};
# Change memberships.
my $oldgroupid = $cgi->param("oldgroup_$id") || '0';
my $groupid = $cgi->param("group_$id") || '0';
if ($groupid ne $oldgroupid) {
if ($groupid eq '0') {
$sth_remove_mapping->execute(
$otherUserID, $id, 0, GRANT_DIRECT);
push(@groupsRemovedFrom, $name);
} else {
$sth_add_mapping->execute(
$otherUserID, $id, 0, GRANT_DIRECT);
push(@groupsAddedTo, $name);
}
}
# Only members of the editusers group may change bless grants.
# Skip silently if this is not the case.
if ($editusers) {
my $oldgroupid = $cgi->param("oldbless_$id") || '0';
my $groupid = $cgi->param("bless_$id") || '0';
if ($groupid ne $oldgroupid) {
if ($groupid eq '0') {
$sth_remove_mapping->execute(
$otherUserID, $id, 1, GRANT_DIRECT);
push(@groupsDeniedRightsToBless, $name);
} else {
$sth_add_mapping->execute(
$otherUserID, $id, 1, GRANT_DIRECT);
push(@groupsGrantedRightsToBless, $name);
}
}
}
}
if (@groupsAddedTo || @groupsRemovedFrom) {
$dbh->do(qq{INSERT INTO profiles_activity (
userid, who,
profiles_when, fieldid,
oldvalue, newvalue
) VALUES (
?, ?, now(), ?, ?, ?
)
},
undef,
($otherUserID, $userid,
get_field_id('bug_group'),
join(', ', @groupsRemovedFrom), join(', ', @groupsAddedTo)));
$dbh->do('UPDATE profiles SET refreshed_when=? WHERE userid = ?',
undef, ('1900-01-01 00:00:00', $otherUserID));
}
# XXX: should create profiles_activity entries for blesser changes.
$dbh->bz_unlock_tables();
# XXX: userDataToVars may be off when editing ourselves.
userDataToVars($otherUserID);
$vars->{'message'} = 'account_updated';
$vars->{'loginold'} = $loginold;
$vars->{'changed_fields'} = \@changedFields;
$vars->{'groups_added_to'} = \@groupsAddedTo;
$vars->{'groups_removed_from'} = \@groupsRemovedFrom;
$vars->{'groups_granted_rights_to_bless'} = \@groupsGrantedRightsToBless;
$vars->{'groups_denied_rights_to_bless'} = \@groupsDeniedRightsToBless;
$template->process('admin/users/edit.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
###########################################################################
} elsif ($action eq 'del') {
$otherUser
|| ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
Param('allowuserdeletion') || ThrowUserError('users_deletion_disabled');
$editusers || ThrowUserError('auth_failure', {group => "editusers",
action => "delete",
object => "users"});
$vars->{'otheruser'} = $otherUser;
$vars->{'editcomponents'} = UserInGroup('editcomponents');
# Find other cross references.
$vars->{'assignee_or_qa'} = $dbh->selectrow_array(
qq{SELECT COUNT(*)
FROM bugs
WHERE assigned_to = ? OR qa_contact = ?},
undef, ($otherUserID, $otherUserID));
$vars->{'reporter'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM bugs WHERE reporter = ?',
undef, $otherUserID);
$vars->{'cc'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM cc WHERE who = ?',
undef, $otherUserID);
$vars->{'bugs_activity'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM bugs_activity WHERE who = ?',
undef, $otherUserID);
$vars->{'flags'}{'requestee'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM flags WHERE requestee_id = ? AND is_active = 1',
undef, $otherUserID);
$vars->{'flags'}{'setter'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM flags WHERE setter_id = ?',
undef, $otherUserID);
$vars->{'longdescs'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM longdescs WHERE who = ?',
undef, $otherUserID);
$vars->{'namedqueries'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM namedqueries WHERE userid = ?',
undef, $otherUserID);
$vars->{'profiles_activity'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM profiles_activity WHERE who = ? AND userid != ?',
undef, ($otherUserID, $otherUserID));
$vars->{'series'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM series WHERE creator = ?',
undef, $otherUserID);
$vars->{'votes'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM votes WHERE who = ?',
undef, $otherUserID);
$vars->{'watch'}{'watched'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM watch WHERE watched = ?',
undef, $otherUserID);
$vars->{'watch'}{'watcher'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM watch WHERE watcher = ?',
undef, $otherUserID);
$vars->{'whine_events'} = $dbh->selectrow_array(
'SELECT COUNT(*) FROM whine_events WHERE owner_userid = ?',
undef, $otherUserID);
$vars->{'whine_schedules'} = $dbh->selectrow_array(
qq{SELECT COUNT(distinct eventid)
FROM whine_schedules
WHERE mailto = ?
AND mailto_type = ?
},
undef, ($otherUserID, MAILTO_USER));
$template->process('admin/users/confirm-delete.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
###########################################################################
} elsif ($action eq 'delete') {
$otherUser
|| ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
my $otherUserLogin = $otherUser->login();
# Cache for user accounts.
my %usercache = (0 => new Bugzilla::User());
my %updatedbugs;
# Lock tables during the check+removal session.
# XXX: if there was some change on these tables after the deletion
# confirmation checks, we may do something here we haven't warned
# about.
$dbh->bz_lock_tables('bugs WRITE',
'bugs_activity WRITE',
'attachments READ',
'fielddefs READ',
'products READ',
'components READ',
'logincookies WRITE',
'profiles WRITE',
'profiles_activity WRITE',
'groups READ',
'bug_group_map READ',
'user_group_map WRITE',
'group_group_map READ',
'flags WRITE',
'flagtypes READ',
'cc WRITE',
'namedqueries WRITE',
'tokens WRITE',
'votes WRITE',
'watch WRITE',
'series WRITE',
'series_data WRITE',
'whine_schedules WRITE',
'whine_queries WRITE',
'whine_events WRITE');
Param('allowuserdeletion')
|| ThrowUserError('users_deletion_disabled');
$editusers || ThrowUserError('auth_failure',
{group => "editusers",
action => "delete",
object => "users"});
@{$otherUser->product_responsibilities()}
&& ThrowUserError('user_has_responsibility');
Bugzilla->logout_user_by_id($otherUserID);
# Get the timestamp for LogActivityEntry.
my $timestamp = $dbh->selectrow_array('SELECT NOW()');
# When we update a bug_activity entry, we update the bug timestamp, too.
my $sth_set_bug_timestamp =
$dbh->prepare('UPDATE bugs SET delta_ts = ? WHERE bug_id = ?');
# Reference removals which need LogActivityEntry.
my $statement_flagupdate = 'UPDATE flags set requestee_id = NULL
WHERE bug_id = ?
AND attach_id %s
AND requestee_id = ?';
my $sth_flagupdate_attachment =
$dbh->prepare(sprintf($statement_flagupdate, '= ?'));
my $sth_flagupdate_bug =
$dbh->prepare(sprintf($statement_flagupdate, 'IS NULL'));
my $buglist = $dbh->selectall_arrayref('SELECT DISTINCT bug_id, attach_id
FROM flags
WHERE requestee_id = ?',
undef, $otherUserID);
foreach (@$buglist) {
my ($bug_id, $attach_id) = @$_;
my @old_summaries = Bugzilla::Flag::snapshot($bug_id, $attach_id);
if ($attach_id) {
$sth_flagupdate_attachment->execute($bug_id, $attach_id, $otherUserID);
}
else {
$sth_flagupdate_bug->execute($bug_id, $otherUserID);
}
my @new_summaries = Bugzilla::Flag::snapshot($bug_id, $attach_id);
# Let update_activity do all the dirty work, including setting
# the bug timestamp.
Bugzilla::Flag::update_activity($bug_id, $attach_id,
$dbh->quote($timestamp),
\@old_summaries, \@new_summaries);
$updatedbugs{$bug_id} = 1;
}
# Simple deletions in referred tables.
$dbh->do('DELETE FROM logincookies WHERE userid = ?', undef, $otherUserID);
$dbh->do('DELETE FROM namedqueries WHERE userid = ?', undef, $otherUserID);
$dbh->do('DELETE FROM profiles_activity WHERE userid = ? OR who = ?', undef,
($otherUserID, $otherUserID));
$dbh->do('DELETE FROM tokens WHERE userid = ?', undef, $otherUserID);
$dbh->do('DELETE FROM user_group_map WHERE user_id = ?', undef,
$otherUserID);
$dbh->do('DELETE FROM votes WHERE who = ?', undef, $otherUserID);
$dbh->do('DELETE FROM watch WHERE watcher = ? OR watched = ?', undef,
($otherUserID, $otherUserID));
# Deletions in referred tables which need LogActivityEntry.
$buglist = $dbh->selectcol_arrayref('SELECT bug_id FROM cc
WHERE who = ?',
undef, $otherUserID);
$dbh->do('DELETE FROM cc WHERE who = ?', undef, $otherUserID);
foreach my $bug_id (@$buglist) {
LogActivityEntry($bug_id, 'cc', $otherUser->login, '', $userid,
$timestamp);
$sth_set_bug_timestamp->execute($timestamp, $bug_id);
$updatedbugs{$bug_id} = 1;
}
# Even more complex deletions in referred tables.
my $id;
# 1) Series
my $sth_seriesid = $dbh->prepare(
'SELECT series_id FROM series WHERE creator = ?');
my $sth_deleteSeries = $dbh->prepare(
'DELETE FROM series WHERE series_id = ?');
my $sth_deleteSeriesData = $dbh->prepare(
'DELETE FROM series_data WHERE series_id = ?');
$sth_seriesid->execute($otherUserID);
while ($id = $sth_seriesid->fetchrow_array()) {
$sth_deleteSeriesData->execute($id);
$sth_deleteSeries->execute($id);
}
# 2) Whines
my $sth_whineidFromSchedules = $dbh->prepare(
qq{SELECT eventid FROM whine_schedules
WHERE mailto = ? AND mailto_type = ?});
my $sth_whineidFromEvents = $dbh->prepare(
'SELECT id FROM whine_events WHERE owner_userid = ?');
my $sth_deleteWhineEvent = $dbh->prepare(
'DELETE FROM whine_events WHERE id = ?');
my $sth_deleteWhineQuery = $dbh->prepare(
'DELETE FROM whine_queries WHERE eventid = ?');
my $sth_deleteWhineSchedule = $dbh->prepare(
'DELETE FROM whine_schedules WHERE eventid = ?');
$sth_whineidFromSchedules->execute($otherUserID, MAILTO_USER);
while ($id = $sth_whineidFromSchedules->fetchrow_array()) {
$sth_deleteWhineQuery->execute($id);
$sth_deleteWhineSchedule->execute($id);
$sth_deleteWhineEvent->execute($id);
}
$sth_whineidFromEvents->execute($otherUserID);
while ($id = $sth_whineidFromEvents->fetchrow_array()) {
$sth_deleteWhineQuery->execute($id);
$sth_deleteWhineSchedule->execute($id);
$sth_deleteWhineEvent->execute($id);
}
# 3) Bugs
# 3.1) fall back to the default assignee
$buglist = $dbh->selectall_arrayref(
'SELECT bug_id, initialowner
FROM bugs
INNER JOIN components ON components.id = bugs.component_id
WHERE assigned_to = ?', undef, $otherUserID);
my $sth_updateAssignee = $dbh->prepare(
'UPDATE bugs SET assigned_to = ?, delta_ts = ? WHERE bug_id = ?');
foreach my $bug (@$buglist) {
my ($bug_id, $default_assignee_id) = @$bug;
$sth_updateAssignee->execute($default_assignee_id,
$timestamp, $bug_id);
$updatedbugs{$bug_id} = 1;
$default_assignee_id ||= 0;
$usercache{$default_assignee_id} ||=
new Bugzilla::User($default_assignee_id);
LogActivityEntry($bug_id, 'assigned_to', $otherUser->login,
$usercache{$default_assignee_id}->login,
$userid, $timestamp);
}
# 3.2) fall back to the default QA contact
$buglist = $dbh->selectall_arrayref(
'SELECT bug_id, initialqacontact
FROM bugs
INNER JOIN components ON components.id = bugs.component_id
WHERE qa_contact = ?', undef, $otherUserID);
my $sth_updateQAcontact = $dbh->prepare(
'UPDATE bugs SET qa_contact = ?, delta_ts = ? WHERE bug_id = ?');
foreach my $bug (@$buglist) {
my ($bug_id, $default_qa_contact_id) = @$bug;
$sth_updateQAcontact->execute($default_qa_contact_id,
$timestamp, $bug_id);
$updatedbugs{$bug_id} = 1;
$default_qa_contact_id ||= 0;
$usercache{$default_qa_contact_id} ||=
new Bugzilla::User($default_qa_contact_id);
LogActivityEntry($bug_id, 'qa_contact', $otherUser->login,
$usercache{$default_qa_contact_id}->login,
$userid, $timestamp);
}
# Finally, remove the user account itself.
$dbh->do('DELETE FROM profiles WHERE userid = ?', undef, $otherUserID);
$dbh->bz_unlock_tables();
$vars->{'message'} = 'account_deleted';
$vars->{'otheruser'}{'login'} = $otherUserLogin;
$vars->{'restrictablegroups'} = $user->bless_groups();
$template->process('admin/users/search.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
# Send mail about what we've done to bugs.
# The deleted user is not notified of the changes.
foreach (keys(%updatedbugs)) {
Bugzilla::BugMail::Send($_);
}
###########################################################################
} else {
$vars->{'action'} = $action;
ThrowCodeError('action_unrecognized', $vars);
}
exit;
###########################################################################
# Helpers
###########################################################################
# Copy incoming list selection values from CGI params to template variables.
sub mirrorListSelectionValues {
if (defined($cgi->param('matchtype'))) {
foreach ('matchstr', 'matchtype', 'grouprestrict', 'groupid') {
$vars->{'listselectionvalues'}{$_} = $cgi->param($_);
}
}
}
# Retrieve user data for the user editing form. User creation and user
# editing code rely on this to call derive_groups().
sub userDataToVars {
my $otheruserid = shift;
my $otheruser = new Bugzilla::User($otheruserid);
my $query;
my $dbh = Bugzilla->dbh;
my $grouplist = $otheruser->groups_as_string;
$vars->{'otheruser'} = $otheruser;
$vars->{'groups'} = $user->bless_groups();
$vars->{'permissions'} = $dbh->selectall_hashref(
qq{SELECT id,
COUNT(directmember.group_id) AS directmember,
COUNT(regexpmember.group_id) AS regexpmember,
(CASE WHEN (groups.id IN ($grouplist)
AND COUNT(directmember.group_id) = 0
AND COUNT(regexpmember.group_id) = 0
) THEN 1 ELSE 0 END)
AS derivedmember,
COUNT(directbless.group_id) AS directbless
FROM groups
LEFT JOIN user_group_map AS directmember
ON directmember.group_id = id
AND directmember.user_id = ?
AND directmember.isbless = 0
AND directmember.grant_type = ?
LEFT JOIN user_group_map AS regexpmember
ON regexpmember.group_id = id
AND regexpmember.user_id = ?
AND regexpmember.isbless = 0
AND regexpmember.grant_type = ?
LEFT JOIN user_group_map AS directbless
ON directbless.group_id = id
AND directbless.user_id = ?
AND directbless.isbless = 1
AND directbless.grant_type = ?
} . $dbh->sql_group_by('id'),
'id', undef,
($otheruserid, GRANT_DIRECT,
$otheruserid, GRANT_REGEXP,
$otheruserid, GRANT_DIRECT));
# Find indirect bless permission.
$query = qq{SELECT groups.id
FROM groups, group_group_map AS ggm
WHERE groups.id = ggm.grantor_id
AND ggm.member_id IN ($grouplist)
AND ggm.grant_type = ?
} . $dbh->sql_group_by('id');
foreach (@{$dbh->selectall_arrayref($query, undef,
(GROUP_BLESS))}) {
# Merge indirect bless permissions into permission variable.
$vars->{'permissions'}{${$_}[0]}{'indirectbless'} = 1;
}
}
sub edit_processing
{
$otherUser
|| ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});
$editusers || $user->can_see_user($otherUser)
|| ThrowUserError('auth_failure', {reason => "not_visible",
action => "modify",
object => "user"});
userDataToVars($otherUserID);
$template->process('admin/users/edit.html.tmpl', $vars)
|| ThrowTemplateError($template->error());
}