首頁 探索 說明
登入
d3m3vilurr
/
sonyoss-vita-webkit
關註 1
讚好 0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
分支: master
分支列表 標籤列表
sonyoss-vita...
/
Websites
/
bugs.webkit.org
/
editusers.cgi

editusers.cgi 31 KB
永久連結 文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790 
  1. #!/usr/bin/env perl -wT
    2. 

  2. # -*- Mode: perl; indent-tabs-mode: nil -*-
    3. 

  3. #
    4. 

  4. # The contents of this file are subject to the Mozilla Public
    5. 

  5. # License Version 1.1 (the "License"); you may not use this file
    6. 

  6. # except in compliance with the License. You may obtain a copy of
    7. 

  7. # the License at http://www.mozilla.org/MPL/
    8. 

  8. #
    9. 

  9. # Software distributed under the License is distributed on an "AS
    10. 

  10. # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
    11. 

  11. # implied. See the License for the specific language governing
    12. 

  12. # rights and limitations under the License.
    13. 

  13. #
    14. 

  14. # The Original Code is the Bugzilla Bug Tracking System.
    15. 

  15. #
    16. 

  16. # Contributor(s): Marc Schumann <wurblzap@gmail.com>
    17. 

  17. #                 Lance Larsh <lance.larsh@oracle.com>
    18. 

  18. #                 Frédéric Buclin <LpSolit@gmail.com>
    19. 

  19. #                 David Lawrence <dkl@redhat.com>
    20. 

  20. #                 Vlad Dascalu <jocuri@softhome.net>
    21. 

  21. #                 Gavin Shelley  <bugzilla@chimpychompy.org>
    22. 

  22. 

  23. use strict;
    24. 

  24. use lib qw(. lib);
    25. 

  25. 

  26. use Bugzilla;
    27. 

  27. use Bugzilla::Constants;
    28. 

  28. use Bugzilla::Util;
    29. 

  29. use Bugzilla::Error;
    30. 

  30. use Bugzilla::User;
    31. 

  31. use Bugzilla::Bug;
    32. 

  32. use Bugzilla::BugMail;
    33. 

  33. use Bugzilla::Flag;
    34. 

  34. use Bugzilla::Field;
    35. 

  35. use Bugzilla::Group;
    36. 

  36. use Bugzilla::Token;
    37. 

  37. 

  38. my $user = Bugzilla->login(LOGIN_REQUIRED);
    39. 

  39. 

  40. my $cgi       = Bugzilla->cgi;
    41. 

  41. my $template  = Bugzilla->template;
    42. 

  42. my $dbh       = Bugzilla->dbh;
    43. 

  43. my $userid    = $user->id;
    44. 

  44. my $editusers = $user->in_group('editusers');
    45. 

  45. local our $vars     = {};
    46. 

  46. 

  47. # Reject access if there is no sense in continuing.
    48. 

  48. $editusers
    49. 

  49.     || $user->can_bless()
    50. 

  50.     || ThrowUserError("auth_failure", {group  => "editusers",
    51. 

  51.                                        reason => "cant_bless",
    52. 

  52.                                        action => "edit",
    53. 

  53.                                        object => "users"});
    54. 

  54. 

  55. print $cgi->header();
    56. 

  56. 

  57. # Common CGI params
    58. 

  58. my $action         = $cgi->param('action') || 'search';
    59. 

  59. my $otherUserID    = $cgi->param('userid');
    60. 

  60. my $otherUserLogin = $cgi->param('user');
    61. 

  61. my $token          = $cgi->param('token');
    62. 

  62. 

  63. # Prefill template vars with data used in all or nearly all templates
    64. 

  64. $vars->{'editusers'} = $editusers;
    65. 

  65. mirrorListSelectionValues();
    66. 

  66. 

  67. ###########################################################################
    68. 

  68. if ($action eq 'search') {
    69. 

  69.     # Allow to restrict the search to any group the user is allowed to bless.
    70. 

  70.     $vars->{'restrictablegroups'} = $user->bless_groups();
    71. 

  71.     $template->process('admin/users/search.html.tmpl', $vars)
    72. 

  72.        || ThrowTemplateError($template->error());
    73. 

  73. 

  74. ###########################################################################
    75. 

  75. } elsif ($action eq 'list') {
    76. 

  76.     my $matchvalue    = $cgi->param('matchvalue') || '';
    77. 

  77.     my $matchstr      = $cgi->param('matchstr');
    78. 

  78.     my $matchtype     = $cgi->param('matchtype');
    79. 

  79.     my $grouprestrict = $cgi->param('grouprestrict') || '0';
    80. 

  80.     my $query = 'SELECT DISTINCT userid, login_name, realname, disabledtext ' .
    81. 

  81.                 'FROM profiles';
    82. 

  82.     my @bindValues;
    83. 

  83.     my $nextCondition;
    84. 

  84.     my $visibleGroups;
    85. 

  85. 

  86.     # If a group ID is given, make sure it is a valid one.
    87. 

  87.     my $group;
    88. 

  88.     if ($grouprestrict) {
    89. 

  89.         $group = new Bugzilla::Group(scalar $cgi->param('groupid'));
    90. 

  90.         $group || ThrowUserError('invalid_group_ID');
    91. 

  91.     }
    92. 

  92. 

  93.     if (!$editusers && Bugzilla->params->{'usevisibilitygroups'}) {
    94. 

  94.         # Show only users in visible groups.
    95. 

  95.         $visibleGroups = $user->visible_groups_as_string();
    96. 

  96. 

  97.         if ($visibleGroups) {
    98. 

  98.             $query .= qq{, user_group_map AS ugm
    99. 

  99.                          WHERE ugm.user_id = profiles.userid
    100. 

  100.                            AND ugm.isbless = 0
    101. 

  101.                            AND ugm.group_id IN ($visibleGroups)
    102. 

  102.                         };
    103. 

  103.             $nextCondition = 'AND';
    104. 

  104.         }
    105. 

  105.     } else {
    106. 

  106.         $visibleGroups = 1;
    107. 

  107.         if ($grouprestrict eq '1') {
    108. 

  108.             $query .= qq{, user_group_map AS ugm
    109. 

  109.                          WHERE ugm.user_id = profiles.userid
    110. 

  110.                            AND ugm.isbless = 0
    111. 

  111.                         };
    112. 

  112.             $nextCondition = 'AND';
    113. 

  113.         }
    114. 

  114.         else {
    115. 

  115.             $nextCondition = 'WHERE';
    116. 

  116.         }
    117. 

  117.     }
    118. 

  118. 

  119.     if (!$visibleGroups) {
    120. 

  120.         $vars->{'users'} = {};
    121. 

  121.     }
    122. 

  122.     else {
    123. 

  123.         # Handle selection by login name, real name, or userid.
    124. 

  124.         if (defined($matchtype)) {
    125. 

  125.             $query .= " $nextCondition ";
    126. 

  126.             my $expr = "";
    127. 

  127.             if ($matchvalue eq 'userid') {
    128. 

  128.                 if ($matchstr) {
    129. 

  129.                     my $stored_matchstr = $matchstr;
    130. 

  130.                     detaint_natural($matchstr) 
    131. 

  131.                         || ThrowUserError('illegal_user_id', {userid => $stored_matchstr});
    132. 

  132.                 }
    133. 

  133.                 $expr = "profiles.userid";
    134. 

  134.             } elsif ($matchvalue eq 'realname') {
    135. 

  135.                 $expr = "profiles.realname";
    136. 

  136.             } else {
    137. 

  137.                 $expr = "profiles.login_name";
    138. 

  138.             }
    139. 

  139.             if ($matchtype eq 'regexp') {
    140. 

  140.                 $query .= $dbh->sql_regexp($expr, '?');
    141. 

  141.                 $matchstr = '.' unless $matchstr;
    142. 

  142.             } elsif ($matchtype eq 'notregexp') {
    143. 

  143.                 $query .= $dbh->sql_not_regexp($expr, '?');
    144. 

  144.                 $matchstr = '.' unless $matchstr;
    145. 

  145.             } elsif ($matchtype eq 'exact') {
    146. 

  146.                 $query .= $expr . ' = ?';
    147. 

  147.                 $matchstr = '.' unless $matchstr;
    148. 

  148.             } else { # substr or unknown
    149. 

  149.                 $query .= $dbh->sql_istrcmp($expr, '?', 'LIKE');
    150. 

  150.                 $matchstr = "%$matchstr%";
    151. 

  151.             }
    152. 

  152.             $nextCondition = 'AND';
    153. 

  153.             # We can trick_taint because we use the value in a SELECT only,
    154. 

  154.             # using a placeholder.
    155. 

  155.             trick_taint($matchstr);
    156. 

  156.             push(@bindValues, $matchstr);
    157. 

  157.         }
    158. 

  158. 

  159.         # Handle selection by group.
    160. 

  160.         if ($grouprestrict eq '1') {
    161. 

  161.             my $grouplist = join(',',
    162. 

  162.                 @{Bugzilla::User->flatten_group_membership($group->id)});
    163. 

  163.             $query .= " $nextCondition ugm.group_id IN($grouplist) ";
    164. 

  164.         }
    165. 

  165.         $query .= ' ORDER BY profiles.login_name';
    166. 

  166. 

  167.         $vars->{'users'} = $dbh->selectall_arrayref($query,
    168. 

  168.                                                     {'Slice' => {}},
    169. 

  169.                                                     @bindValues);
    170. 

  170. 

  171.     }
    172. 

  172. 

  173.     if ($matchtype && $matchtype eq 'exact' && scalar(@{$vars->{'users'}}) == 1) {
    174. 

  174.         my $match_user_id = $vars->{'users'}[0]->{'userid'};
    175. 

  175.         my $match_user = check_user($match_user_id);
    176. 

  176.         edit_processing($match_user);
    177. 

  177.     } else {
    178. 

  178.         $template->process('admin/users/list.html.tmpl', $vars)
    179. 

  179.             || ThrowTemplateError($template->error());
    180. 

  180.     }
    181. 

  181. 

  182. ###########################################################################
    183. 

  183. } elsif ($action eq 'add') {
    184. 

  184.     $editusers || ThrowUserError("auth_failure", {group  => "editusers",
    185. 

  185.                                                   action => "add",
    186. 

  186.                                                   object => "users"});
    187. 

  187. 

  188.     $vars->{'token'} = issue_session_token('add_user');
    189. 

  189. 

  190.     $template->process('admin/users/create.html.tmpl', $vars)
    191. 

  191.        || ThrowTemplateError($template->error());
    192. 

  192. 

  193. ###########################################################################
    194. 

  194. } elsif ($action eq 'new') {
    195. 

  195.     $editusers || ThrowUserError("auth_failure", {group  => "editusers",
    196. 

  196.                                                   action => "add",
    197. 

  197.                                                   object => "users"});
    198. 

  198. 

  199.     check_token_data($token, 'add_user');
    200. 

  200. 

  201.     my $new_user = Bugzilla::User->create({
    202. 

  202.         login_name    => scalar $cgi->param('login'),
    203. 

  203.         cryptpassword => scalar $cgi->param('password'),
    204. 

  204.         realname      => scalar $cgi->param('name'),
    205. 

  205.         disabledtext  => scalar $cgi->param('disabledtext'),
    206. 

  206.         disable_mail  => scalar $cgi->param('disable_mail')});
    207. 

  207. 

  208.     userDataToVars($new_user->id);
    209. 

  209. 

  210.     delete_token($token);
    211. 

  211. 

  212.     # We already display the updated page. We have to recreate a token now.
    213. 

  213.     $vars->{'token'} = issue_session_token('edit_user');
    214. 

  214.     $vars->{'message'} = 'account_created';
    215. 

  215.     $template->process('admin/users/edit.html.tmpl', $vars)
    216. 

  216.        || ThrowTemplateError($template->error());
    217. 

  217. 

  218. ###########################################################################
    219. 

  219. } elsif ($action eq 'edit') {
    220. 

  220.     my $otherUser = check_user($otherUserID, $otherUserLogin);
    221. 

  221.     edit_processing($otherUser);
    222. 

  222. 

  223. ###########################################################################
    224. 

  224. } elsif ($action eq 'update') {
    225. 

  225.     check_token_data($token, 'edit_user');
    226. 

  226.     my $otherUser = check_user($otherUserID, $otherUserLogin);
    227. 

  227.     $otherUserID = $otherUser->id;
    228. 

  228. 

  229.     # Lock tables during the check+update session.
    230. 

  230.     $dbh->bz_start_transaction();
    231. 

  231.  
    232. 

  232.     $editusers || $user->can_see_user($otherUser)
    233. 

  233.         || ThrowUserError('auth_failure', {reason => "not_visible",
    234. 

  234.                                            action => "modify",
    235. 

  235.                                            object => "user"});
    236. 

  236. 

  237.     $vars->{'loginold'} = $otherUser->login;
    238. 

  238. 

  239.     # Update profiles table entry; silently skip doing this if the user
    240. 

  240.     # is not authorized.
    241. 

  241.     my %changes;
    242. 

  242.     if ($editusers) {
    243. 

  243.         $otherUser->set_login($cgi->param('login'));
    244. 

  244.         $otherUser->set_name($cgi->param('name'));
    245. 

  245.         $otherUser->set_password($cgi->param('password'))
    246. 

  246.             if $cgi->param('password');
    247. 

  247.         $otherUser->set_disabledtext($cgi->param('disabledtext'));
    248. 

  248.         $otherUser->set_disable_mail($cgi->param('disable_mail'));
    249. 

  249.         %changes = %{$otherUser->update()};
    250. 

  250.     }
    251. 

  251. 

  252.     # Update group settings.
    253. 

  253.     my $sth_add_mapping = $dbh->prepare(
    254. 

  254.         qq{INSERT INTO user_group_map (
    255. 

  255.                   user_id, group_id, isbless, grant_type
    256. 

  256.                  ) VALUES (
    257. 

  257.                   ?, ?, ?, ?
    258. 

  258.                  )
    259. 

  259.           });
    260. 

  260.     my $sth_remove_mapping = $dbh->prepare(
    261. 

  261.         qq{DELETE FROM user_group_map
    262. 

  262.             WHERE user_id = ?
    263. 

  263.               AND group_id = ?
    264. 

  264.               AND isbless = ?
    265. 

  265.               AND grant_type = ?
    266. 

  266.           });
    267. 

  267. 

  268.     my @groupsAddedTo;
    269. 

  269.     my @groupsRemovedFrom;
    270. 

  270.     my @groupsGrantedRightsToBless;
    271. 

  271.     my @groupsDeniedRightsToBless;
    272. 

  272. 

  273.     # Regard only groups the user is allowed to bless and skip all others
    274. 

  274.     # silently.
    275. 

  275.     # XXX: checking for existence of each user_group_map entry
    276. 

  276.     #      would allow to display a friendlier error message on page reloads.
    277. 

  277.     userDataToVars($otherUserID);
    278. 

  278.     my $permissions = $vars->{'permissions'};
    279. 

  279.     foreach (@{$user->bless_groups()}) {
    280. 

  280.         my $id = $$_{'id'};
    281. 

  281.         my $name = $$_{'name'};
    282. 

  282. 

  283.         # Change memberships.
    284. 

  284.         my $groupid = $cgi->param("group_$id") || 0;
    285. 

  285.         if ($groupid != $permissions->{$id}->{'directmember'}) {
    286. 

  286.             if (!$groupid) {
    287. 

  287.                 $sth_remove_mapping->execute(
    288. 

  288.                     $otherUserID, $id, 0, GRANT_DIRECT);
    289. 

  289.                 push(@groupsRemovedFrom, $name);
    290. 

  290.             } else {
    291. 

  291.                 $sth_add_mapping->execute(
    292. 

  292.                     $otherUserID, $id, 0, GRANT_DIRECT);
    293. 

  293.                 push(@groupsAddedTo, $name);
    294. 

  294.             }
    295. 

  295.         }
    296. 

  296. 

  297.         # Only members of the editusers group may change bless grants.
    298. 

  298.         # Skip silently if this is not the case.
    299. 

  299.         if ($editusers) {
    300. 

  300.             my $groupid = $cgi->param("bless_$id") || 0;
    301. 

  301.             if ($groupid != $permissions->{$id}->{'directbless'}) {
    302. 

  302.                 if (!$groupid) {
    303. 

  303.                     $sth_remove_mapping->execute(
    304. 

  304.                         $otherUserID, $id, 1, GRANT_DIRECT);
    305. 

  305.                     push(@groupsDeniedRightsToBless, $name);
    306. 

  306.                 } else {
    307. 

  307.                     $sth_add_mapping->execute(
    308. 

  308.                         $otherUserID, $id, 1, GRANT_DIRECT);
    309. 

  309.                     push(@groupsGrantedRightsToBless, $name);
    310. 

  310.                 }
    311. 

  311.             }
    312. 

  312.         }
    313. 

  313.     }
    314. 

  314.     if (@groupsAddedTo || @groupsRemovedFrom) {
    315. 

  315.         $dbh->do(qq{INSERT INTO profiles_activity (
    316. 

  316.                            userid, who,
    317. 

  317.                            profiles_when, fieldid,
    318. 

  318.                            oldvalue, newvalue
    319. 

  319.                           ) VALUES (
    320. 

  320.                            ?, ?, now(), ?, ?, ?
    321. 

  321.                           )
    322. 

  322.                    },
    323. 

  323.                  undef,
    324. 

  324.                  ($otherUserID, $userid,
    325. 

  325.                   get_field_id('bug_group'),
    326. 

  326.                   join(', ', @groupsRemovedFrom), join(', ', @groupsAddedTo)));
    327. 

  327.     }
    328. 

  328.     # XXX: should create profiles_activity entries for blesser changes.
    329. 

  329. 

  330.     $dbh->bz_commit_transaction();
    331. 

  331. 

  332.     # XXX: userDataToVars may be off when editing ourselves.
    333. 

  333.     userDataToVars($otherUserID);
    334. 

  334.     delete_token($token);
    335. 

  335. 

  336.     $vars->{'message'} = 'account_updated';
    337. 

  337.     $vars->{'changed_fields'} = [keys %changes];
    338. 

  338.     $vars->{'groups_added_to'} = \@groupsAddedTo;
    339. 

  339.     $vars->{'groups_removed_from'} = \@groupsRemovedFrom;
    340. 

  340.     $vars->{'groups_granted_rights_to_bless'} = \@groupsGrantedRightsToBless;
    341. 

  341.     $vars->{'groups_denied_rights_to_bless'} = \@groupsDeniedRightsToBless;
    342. 

  342.     # We already display the updated page. We have to recreate a token now.
    343. 

  343.     $vars->{'token'} = issue_session_token('edit_user');
    344. 

  344. 

  345.     $template->process('admin/users/edit.html.tmpl', $vars)
    346. 

  346.        || ThrowTemplateError($template->error());
    347. 

  347. 

  348. ###########################################################################
    349. 

  349. } elsif ($action eq 'del') {
    350. 

  350.     my $otherUser = check_user($otherUserID, $otherUserLogin);
    351. 

  351.     $otherUserID = $otherUser->id;
    352. 

  352. 

  353.     Bugzilla->params->{'allowuserdeletion'} 
    354. 

  354.         || ThrowUserError('users_deletion_disabled');
    355. 

  355.     $editusers || ThrowUserError('auth_failure', {group  => "editusers",
    356. 

  356.                                                   action => "delete",
    357. 

  357.                                                   object => "users"});
    358. 

  358.     $vars->{'otheruser'}      = $otherUser;
    359. 

  359. 

  360.     # Find other cross references.
    361. 

  361.     $vars->{'attachments'} = $dbh->selectrow_array(
    362. 

  362.         'SELECT COUNT(*) FROM attachments WHERE submitter_id = ?',
    363. 

  363.         undef, $otherUserID);
    364. 

  364.     $vars->{'assignee_or_qa'} = $dbh->selectrow_array(
    365. 

  365.         qq{SELECT COUNT(*)
    366. 

  366.            FROM bugs
    367. 

  367.            WHERE assigned_to = ? OR qa_contact = ?},
    368. 

  368.         undef, ($otherUserID, $otherUserID));
    369. 

  369.     $vars->{'reporter'} = $dbh->selectrow_array(
    370. 

  370.         'SELECT COUNT(*) FROM bugs WHERE reporter = ?',
    371. 

  371.         undef, $otherUserID);
    372. 

  372.     $vars->{'cc'} = $dbh->selectrow_array(
    373. 

  373.         'SELECT COUNT(*) FROM cc WHERE who = ?',
    374. 

  374.         undef, $otherUserID);
    375. 

  375.     $vars->{'bugs_activity'} = $dbh->selectrow_array(
    376. 

  376.         'SELECT COUNT(*) FROM bugs_activity WHERE who = ?',
    377. 

  377.         undef, $otherUserID);
    378. 

  378.     $vars->{'component_cc'} = $dbh->selectrow_array(
    379. 

  379.         'SELECT COUNT(*) FROM component_cc WHERE user_id = ?',
    380. 

  380.         undef, $otherUserID);
    381. 

  381.     $vars->{'email_setting'} = $dbh->selectrow_array(
    382. 

  382.         'SELECT COUNT(*) FROM email_setting WHERE user_id = ?',
    383. 

  383.         undef, $otherUserID);
    384. 

  384.     $vars->{'flags'}{'requestee'} = $dbh->selectrow_array(
    385. 

  385.         'SELECT COUNT(*) FROM flags WHERE requestee_id = ?',
    386. 

  386.         undef, $otherUserID);
    387. 

  387.     $vars->{'flags'}{'setter'} = $dbh->selectrow_array(
    388. 

  388.         'SELECT COUNT(*) FROM flags WHERE setter_id = ?',
    389. 

  389.         undef, $otherUserID);
    390. 

  390.     $vars->{'longdescs'} = $dbh->selectrow_array(
    391. 

  391.         'SELECT COUNT(*) FROM longdescs WHERE who = ?',
    392. 

  392.         undef, $otherUserID);
    393. 

  393.     my $namedquery_ids = $dbh->selectcol_arrayref(
    394. 

  394.         'SELECT id FROM namedqueries WHERE userid = ?',
    395. 

  395.         undef, $otherUserID);
    396. 

  396.     $vars->{'namedqueries'} = scalar(@$namedquery_ids);
    397. 

  397.     if (scalar(@$namedquery_ids)) {
    398. 

  398.         $vars->{'namedquery_group_map'} = $dbh->selectrow_array(
    399. 

  399.             'SELECT COUNT(*) FROM namedquery_group_map WHERE namedquery_id IN' .
    400. 

  400.             ' (' . join(', ', @$namedquery_ids) . ')');
    401. 

  401.     }
    402. 

  402.     else {
    403. 

  403.         $vars->{'namedquery_group_map'} = 0;
    404. 

  404.     }
    405. 

  405.     $vars->{'profile_setting'} = $dbh->selectrow_array(
    406. 

  406.         'SELECT COUNT(*) FROM profile_setting WHERE user_id = ?',
    407. 

  407.         undef, $otherUserID);
    408. 

  408.     $vars->{'profiles_activity'} = $dbh->selectrow_array(
    409. 

  409.         'SELECT COUNT(*) FROM profiles_activity WHERE who = ? AND userid != ?',
    410. 

  410.         undef, ($otherUserID, $otherUserID));
    411. 

  411.     $vars->{'quips'} = $dbh->selectrow_array(
    412. 

  412.         'SELECT COUNT(*) FROM quips WHERE userid = ?',
    413. 

  413.         undef, $otherUserID);
    414. 

  414.     $vars->{'series'} = $dbh->selectrow_array(
    415. 

  415.         'SELECT COUNT(*) FROM series WHERE creator = ?',
    416. 

  416.         undef, $otherUserID);
    417. 

  417.     $vars->{'votes'} = $dbh->selectrow_array(
    418. 

  418.         'SELECT COUNT(*) FROM votes WHERE who = ?',
    419. 

  419.         undef, $otherUserID);
    420. 

  420.     $vars->{'watch'}{'watched'} = $dbh->selectrow_array(
    421. 

  421.         'SELECT COUNT(*) FROM watch WHERE watched = ?',
    422. 

  422.         undef, $otherUserID);
    423. 

  423.     $vars->{'watch'}{'watcher'} = $dbh->selectrow_array(
    424. 

  424.         'SELECT COUNT(*) FROM watch WHERE watcher = ?',
    425. 

  425.         undef, $otherUserID);
    426. 

  426.     $vars->{'whine_events'} = $dbh->selectrow_array(
    427. 

  427.         'SELECT COUNT(*) FROM whine_events WHERE owner_userid = ?',
    428. 

  428.         undef, $otherUserID);
    429. 

  429.     $vars->{'whine_schedules'} = $dbh->selectrow_array(
    430. 

  430.         qq{SELECT COUNT(distinct eventid)
    431. 

  431.            FROM whine_schedules
    432. 

  432.            WHERE mailto = ?
    433. 

  433.            AND mailto_type = ?
    434. 

  434.           },
    435. 

  435.         undef, ($otherUserID, MAILTO_USER));
    436. 

  436.     $vars->{'token'} = issue_session_token('delete_user');
    437. 

  437. 

  438.     $template->process('admin/users/confirm-delete.html.tmpl', $vars)
    439. 

  439.        || ThrowTemplateError($template->error());
    440. 

  440. 

  441. ###########################################################################
    442. 

  442. } elsif ($action eq 'delete') {
    443. 

  443.     check_token_data($token, 'delete_user');
    444. 

  444.     my $otherUser = check_user($otherUserID, $otherUserLogin);
    445. 

  445.     $otherUserID = $otherUser->id;
    446. 

  446. 

  447.     # Cache for user accounts.
    448. 

  448.     my %usercache = (0 => new Bugzilla::User());
    449. 

  449.     my %updatedbugs;
    450. 

  450. 

  451.     # Lock tables during the check+removal session.
    452. 

  452.     # XXX: if there was some change on these tables after the deletion
    453. 

  453.     #      confirmation checks, we may do something here we haven't warned
    454. 

  454.     #      about.
    455. 

  455.     $dbh->bz_start_transaction();
    456. 

  456. 

  457.     Bugzilla->params->{'allowuserdeletion'}
    458. 

  458.         || ThrowUserError('users_deletion_disabled');
    459. 

  459.     $editusers || ThrowUserError('auth_failure',
    460. 

  460.                                  {group  => "editusers",
    461. 

  461.                                   action => "delete",
    462. 

  462.                                   object => "users"});
    463. 

  463.     @{$otherUser->product_responsibilities()}
    464. 

  464.         && ThrowUserError('user_has_responsibility');
    465. 

  465. 

  466.     Bugzilla->logout_user($otherUser);
    467. 

  467. 

  468.     # Get the named query list so we can delete namedquery_group_map entries.
    469. 

  469.     my $namedqueries_as_string = join(', ', @{$dbh->selectcol_arrayref(
    470. 

  470.         'SELECT id FROM namedqueries WHERE userid = ?', undef, $otherUserID)});
    471. 

  471. 

  472.     # Get the timestamp for LogActivityEntry.
    473. 

  473.     my $timestamp = $dbh->selectrow_array('SELECT NOW()');
    474. 

  474. 

  475.     # When we update a bug_activity entry, we update the bug timestamp, too.
    476. 

  476.     my $sth_set_bug_timestamp =
    477. 

  477.         $dbh->prepare('UPDATE bugs SET delta_ts = ? WHERE bug_id = ?');
    478. 

  478. 

  479.     # Reference removals which need LogActivityEntry.
    480. 

  480.     my $statement_flagupdate = 'UPDATE flags set requestee_id = NULL
    481. 

  481.                                  WHERE bug_id = ?
    482. 

  482.                                    AND attach_id %s
    483. 

  483.                                    AND requestee_id = ?';
    484. 

  484.     my $sth_flagupdate_attachment =
    485. 

  485.         $dbh->prepare(sprintf($statement_flagupdate, '= ?'));
    486. 

  486.     my $sth_flagupdate_bug =
    487. 

  487.         $dbh->prepare(sprintf($statement_flagupdate, 'IS NULL'));
    488. 

  488. 

  489.     my $buglist = $dbh->selectall_arrayref('SELECT DISTINCT bug_id, attach_id
    490. 

  490.                                               FROM flags
    491. 

  491.                                              WHERE requestee_id = ?',
    492. 

  492.                                            undef, $otherUserID);
    493. 

  493. 

  494.     foreach (@$buglist) {
    495. 

  495.         my ($bug_id, $attach_id) = @$_;
    496. 

  496.         my @old_summaries = Bugzilla::Flag->snapshot($bug_id, $attach_id);
    497. 

  497.         if ($attach_id) {
    498. 

  498.             $sth_flagupdate_attachment->execute($bug_id, $attach_id, $otherUserID);
    499. 

  499.         }
    500. 

  500.         else {
    501. 

  501.             $sth_flagupdate_bug->execute($bug_id, $otherUserID);
    502. 

  502.         }
    503. 

  503.         my @new_summaries = Bugzilla::Flag->snapshot($bug_id, $attach_id);
    504. 

  504.         # Let update_activity do all the dirty work, including setting
    505. 

  505.         # the bug timestamp.
    506. 

  506.         Bugzilla::Flag::update_activity($bug_id, $attach_id, $timestamp,
    507. 

  507.                                         \@old_summaries, \@new_summaries);
    508. 

  508.         $updatedbugs{$bug_id} = 1;
    509. 

  509.     }
    510. 

  510. 

  511.     # Simple deletions in referred tables.
    512. 

  512.     $dbh->do('DELETE FROM email_setting WHERE user_id = ?', undef,
    513. 

  513.              $otherUserID);
    514. 

  514.     $dbh->do('DELETE FROM logincookies WHERE userid = ?', undef, $otherUserID);
    515. 

  515.     $dbh->do('DELETE FROM namedqueries WHERE userid = ?', undef, $otherUserID);
    516. 

  516.     $dbh->do('DELETE FROM namedqueries_link_in_footer WHERE user_id = ?', undef,
    517. 

  517.              $otherUserID);
    518. 

  518.     if ($namedqueries_as_string) {
    519. 

  519.         $dbh->do('DELETE FROM namedquery_group_map WHERE namedquery_id IN ' .
    520. 

  520.                  "($namedqueries_as_string)");
    521. 

  521.     }
    522. 

  522.     $dbh->do('DELETE FROM profile_setting WHERE user_id = ?', undef,
    523. 

  523.              $otherUserID);
    524. 

  524.     $dbh->do('DELETE FROM profiles_activity WHERE userid = ? OR who = ?', undef,
    525. 

  525.              ($otherUserID, $otherUserID));
    526. 

  526.     $dbh->do('UPDATE quips SET userid = NULL where userid = ?', undef, $otherUserID);
    527. 

  527.     $dbh->do('DELETE FROM tokens WHERE userid = ?', undef, $otherUserID);
    528. 

  528.     $dbh->do('DELETE FROM user_group_map WHERE user_id = ?', undef,
    529. 

  529.              $otherUserID);
    530. 

  530.     $dbh->do('DELETE FROM votes WHERE who = ?', undef, $otherUserID);
    531. 

  531.     $dbh->do('DELETE FROM watch WHERE watcher = ? OR watched = ?', undef,
    532. 

  532.              ($otherUserID, $otherUserID));
    533. 

  533. 

  534.     # Deletions in referred tables which need LogActivityEntry.
    535. 

  535.     $buglist = $dbh->selectcol_arrayref('SELECT bug_id FROM cc
    536. 

  536.                                           WHERE who = ?',
    537. 

  537.                                         undef, $otherUserID);
    538. 

  538.     $dbh->do('DELETE FROM cc WHERE who = ?', undef, $otherUserID);
    539. 

  539.     foreach my $bug_id (@$buglist) {
    540. 

  540.         LogActivityEntry($bug_id, 'cc', $otherUser->login, '', $userid,
    541. 

  541.                          $timestamp);
    542. 

  542.         $sth_set_bug_timestamp->execute($timestamp, $bug_id);
    543. 

  543.         $updatedbugs{$bug_id} = 1;
    544. 

  544.     }
    545. 

  545. 

  546.     # Even more complex deletions in referred tables.
    547. 

  547.     my $id;
    548. 

  548. 

  549.     # 1) Series
    550. 

  550.     my $sth_seriesid = $dbh->prepare(
    551. 

  551.            'SELECT series_id FROM series WHERE creator = ?');
    552. 

  552.     my $sth_deleteSeries = $dbh->prepare(
    553. 

  553.            'DELETE FROM series WHERE series_id = ?');
    554. 

  554.     my $sth_deleteSeriesData = $dbh->prepare(
    555. 

  555.            'DELETE FROM series_data WHERE series_id = ?');
    556. 

  556. 

  557.     $sth_seriesid->execute($otherUserID);
    558. 

  558.     while ($id = $sth_seriesid->fetchrow_array()) {
    559. 

  559.         $sth_deleteSeriesData->execute($id);
    560. 

  560.         $sth_deleteSeries->execute($id);
    561. 

  561.     }
    562. 

  562. 

  563.     # 2) Whines
    564. 

  564.     my $sth_whineidFromEvents = $dbh->prepare(
    565. 

  565.            'SELECT id FROM whine_events WHERE owner_userid = ?');
    566. 

  566.     my $sth_deleteWhineEvent = $dbh->prepare(
    567. 

  567.            'DELETE FROM whine_events WHERE id = ?');
    568. 

  568.     my $sth_deleteWhineQuery = $dbh->prepare(
    569. 

  569.            'DELETE FROM whine_queries WHERE eventid = ?');
    570. 

  570.     my $sth_deleteWhineSchedule = $dbh->prepare(
    571. 

  571.            'DELETE FROM whine_schedules WHERE eventid = ?');
    572. 

  572. 

  573.     $dbh->do('DELETE FROM whine_schedules WHERE mailto = ? AND mailto_type = ?',
    574. 

  574.              undef, ($otherUserID, MAILTO_USER));
    575. 

  575. 

  576.     $sth_whineidFromEvents->execute($otherUserID);
    577. 

  577.     while ($id = $sth_whineidFromEvents->fetchrow_array()) {
    578. 

  578.         $sth_deleteWhineQuery->execute($id);
    579. 

  579.         $sth_deleteWhineSchedule->execute($id);
    580. 

  580.         $sth_deleteWhineEvent->execute($id);
    581. 

  581.     }
    582. 

  582. 

  583.     # 3) Bugs
    584. 

  584.     # 3.1) fall back to the default assignee
    585. 

  585.     $buglist = $dbh->selectall_arrayref(
    586. 

  586.         'SELECT bug_id, initialowner
    587. 

  587.          FROM bugs
    588. 

  588.          INNER JOIN components ON components.id = bugs.component_id
    589. 

  589.          WHERE assigned_to = ?', undef, $otherUserID);
    590. 

  590. 

  591.     my $sth_updateAssignee = $dbh->prepare(
    592. 

  592.         'UPDATE bugs SET assigned_to = ?, delta_ts = ? WHERE bug_id = ?');
    593. 

  593. 

  594.     foreach my $bug (@$buglist) {
    595. 

  595.         my ($bug_id, $default_assignee_id) = @$bug;
    596. 

  596.         $sth_updateAssignee->execute($default_assignee_id,
    597. 

  597.                                      $timestamp, $bug_id);
    598. 

  598.         $updatedbugs{$bug_id} = 1;
    599. 

  599.         $default_assignee_id ||= 0;
    600. 

  600.         $usercache{$default_assignee_id} ||=
    601. 

  601.             new Bugzilla::User($default_assignee_id);
    602. 

  602.         LogActivityEntry($bug_id, 'assigned_to', $otherUser->login,
    603. 

  603.                          $usercache{$default_assignee_id}->login,
    604. 

  604.                          $userid, $timestamp);
    605. 

  605.     }
    606. 

  606. 

  607.     # 3.2) fall back to the default QA contact
    608. 

  608.     $buglist = $dbh->selectall_arrayref(
    609. 

  609.         'SELECT bug_id, initialqacontact
    610. 

  610.          FROM bugs
    611. 

  611.          INNER JOIN components ON components.id = bugs.component_id
    612. 

  612.          WHERE qa_contact = ?', undef, $otherUserID);
    613. 

  613. 

  614.     my $sth_updateQAcontact = $dbh->prepare(
    615. 

  615.         'UPDATE bugs SET qa_contact = ?, delta_ts = ? WHERE bug_id = ?');
    616. 

  616. 

  617.     foreach my $bug (@$buglist) {
    618. 

  618.         my ($bug_id, $default_qa_contact_id) = @$bug;
    619. 

  619.         $sth_updateQAcontact->execute($default_qa_contact_id,
    620. 

  620.                                       $timestamp, $bug_id);
    621. 

  621.         $updatedbugs{$bug_id} = 1;
    622. 

  622.         $default_qa_contact_id ||= 0;
    623. 

  623.         $usercache{$default_qa_contact_id} ||=
    624. 

  624.             new Bugzilla::User($default_qa_contact_id);
    625. 

  625.         LogActivityEntry($bug_id, 'qa_contact', $otherUser->login,
    626. 

  626.                          $usercache{$default_qa_contact_id}->login,
    627. 

  627.                          $userid, $timestamp);
    628. 

  628.     }
    629. 

  629. 

  630.     # Finally, remove the user account itself.
    631. 

  631.     $dbh->do('DELETE FROM profiles WHERE userid = ?', undef, $otherUserID);
    632. 

  632. 

  633.     $dbh->bz_commit_transaction();
    634. 

  634.     delete_token($token);
    635. 

  635. 

  636.     $vars->{'message'} = 'account_deleted';
    637. 

  637.     $vars->{'otheruser'}{'login'} = $otherUser->login;
    638. 

  638.     $vars->{'restrictablegroups'} = $user->bless_groups();
    639. 

  639.     $template->process('admin/users/search.html.tmpl', $vars)
    640. 

  640.        || ThrowTemplateError($template->error());
    641. 

  641. 

  642.     # Send mail about what we've done to bugs.
    643. 

  643.     # The deleted user is not notified of the changes.
    644. 

  644.     foreach (keys(%updatedbugs)) {
    645. 

  645.         Bugzilla::BugMail::Send($_, {'changer' => $user->login} );
    646. 

  646.     }
    647. 

  647. 

  648. ###########################################################################
    649. 

  649. } elsif ($action eq 'activity') {
    650. 

  650.     my $otherUser = check_user($otherUserID, $otherUserLogin);
    651. 

  651. 

  652.     $vars->{'profile_changes'} = $dbh->selectall_arrayref(
    653. 

  653.         "SELECT profiles.login_name AS who, " .
    654. 

  654.                 $dbh->sql_date_format('profiles_activity.profiles_when') . " AS activity_when,
    655. 

  655.                 fielddefs.description AS what,
    656. 

  656.                 profiles_activity.oldvalue AS removed,
    657. 

  657.                 profiles_activity.newvalue AS added
    658. 

  658.          FROM profiles_activity
    659. 

  659.          INNER JOIN profiles ON profiles_activity.who = profiles.userid
    660. 

  660.          INNER JOIN fielddefs ON fielddefs.id = profiles_activity.fieldid
    661. 

  661.          WHERE profiles_activity.userid = ?
    662. 

  662.          ORDER BY profiles_activity.profiles_when",
    663. 

  663.         {'Slice' => {}},
    664. 

  664.         $otherUser->id);
    665. 

  665. 

  666.     $vars->{'otheruser'} = $otherUser;
    667. 

  667. 

  668.     $template->process("account/profile-activity.html.tmpl", $vars)
    669. 

  669.         || ThrowTemplateError($template->error());
    670. 

  670. 

  671. ###########################################################################
    672. 

  672. } else {
    673. 

  673.     $vars->{'action'} = $action;
    674. 

  674.     ThrowCodeError('action_unrecognized', $vars);
    675. 

  675. }
    676. 

  676. 

  677. exit;
    678. 

  678. 

  679. ###########################################################################
    680. 

  680. # Helpers
    681. 

  681. ###########################################################################
    682. 

  682. 

  683. # Try to build a user object using its ID, else its login name, and throw
    684. 

  684. # an error if the user does not exist.
    685. 

  685. sub check_user {
    686. 

  686.     my ($otherUserID, $otherUserLogin) = @_;
    687. 

  687. 

  688.     my $otherUser;
    689. 

  689.     my $vars = {};
    690. 

  690. 

  691.     if ($otherUserID) {
    692. 

  692.         $otherUser = Bugzilla::User->new($otherUserID);
    693. 

  693.         $vars->{'user_id'} = $otherUserID;
    694. 

  694.     }
    695. 

  695.     elsif ($otherUserLogin) {
    696. 

  696.         $otherUser = new Bugzilla::User({ name => $otherUserLogin });
    697. 

  697.         $vars->{'user_login'} = $otherUserLogin;
    698. 

  698.     }
    699. 

  699.     ($otherUser && $otherUser->id) || ThrowCodeError('invalid_user', $vars);
    700. 

  700. 

  701.     return $otherUser;
    702. 

  702. }
    703. 

  703. 

  704. # Copy incoming list selection values from CGI params to template variables.
    705. 

  705. sub mirrorListSelectionValues {
    706. 

  706.     my $cgi = Bugzilla->cgi;
    707. 

  707.     if (defined($cgi->param('matchtype'))) {
    708. 

  708.         foreach ('matchvalue', 'matchstr', 'matchtype', 'grouprestrict', 'groupid') {
    709. 

  709.             $vars->{'listselectionvalues'}{$_} = $cgi->param($_);
    710. 

  710.         }
    711. 

  711.     }
    712. 

  712. }
    713. 

  713. 

  714. # Retrieve user data for the user editing form. User creation and user
    715. 

  715. # editing code rely on this to call derive_groups().
    716. 

  716. sub userDataToVars {
    717. 

  717.     my $otheruserid = shift;
    718. 

  718.     my $otheruser = new Bugzilla::User($otheruserid);
    719. 

  719.     my $query;
    720. 

  720.     my $user = Bugzilla->user;
    721. 

  721.     my $dbh = Bugzilla->dbh;
    722. 

  722. 

  723.     my $grouplist = $otheruser->groups_as_string;
    724. 

  724. 

  725.     $vars->{'otheruser'} = $otheruser;
    726. 

  726.     $vars->{'groups'} = $user->bless_groups();
    727. 

  727. 

  728.     $vars->{'permissions'} = $dbh->selectall_hashref(
    729. 

  729.         qq{SELECT id,
    730. 

  730.                   COUNT(directmember.group_id) AS directmember,
    731. 

  731.                   COUNT(regexpmember.group_id) AS regexpmember,
    732. 

  732.                   (CASE WHEN (groups.id IN ($grouplist)
    733. 

  733.                               AND COUNT(directmember.group_id) = 0
    734. 

  734.                               AND COUNT(regexpmember.group_id) = 0
    735. 

  735.                              ) THEN 1 ELSE 0 END) 
    736. 

  736.                       AS derivedmember,
    737. 

  737.                   COUNT(directbless.group_id) AS directbless
    738. 

  738.            FROM groups
    739. 

  739.            LEFT JOIN user_group_map AS directmember
    740. 

  740.                   ON directmember.group_id = id
    741. 

  741.                  AND directmember.user_id = ?
    742. 

  742.                  AND directmember.isbless = 0
    743. 

  743.                  AND directmember.grant_type = ?
    744. 

  744.            LEFT JOIN user_group_map AS regexpmember
    745. 

  745.                   ON regexpmember.group_id = id
    746. 

  746.                  AND regexpmember.user_id = ?
    747. 

  747.                  AND regexpmember.isbless = 0
    748. 

  748.                  AND regexpmember.grant_type = ?
    749. 

  749.            LEFT JOIN user_group_map AS directbless
    750. 

  750.                   ON directbless.group_id = id
    751. 

  751.                  AND directbless.user_id = ?
    752. 

  752.                  AND directbless.isbless = 1
    753. 

  753.                  AND directbless.grant_type = ?
    754. 

  754.           } . $dbh->sql_group_by('id'),
    755. 

  755.         'id', undef,
    756. 

  756.         ($otheruserid, GRANT_DIRECT,
    757. 

  757.          $otheruserid, GRANT_REGEXP,
    758. 

  758.          $otheruserid, GRANT_DIRECT));
    759. 

  759. 

  760.     # Find indirect bless permission.
    761. 

  761.     $query = qq{SELECT groups.id
    762. 

  762.                 FROM groups, group_group_map AS ggm
    763. 

  763.                 WHERE groups.id = ggm.grantor_id
    764. 

  764.                   AND ggm.member_id IN ($grouplist)
    765. 

  765.                   AND ggm.grant_type = ?
    766. 

  766.                } . $dbh->sql_group_by('id');
    767. 

  767.     foreach (@{$dbh->selectall_arrayref($query, undef,
    768. 

  768.                                         (GROUP_BLESS))}) {
    769. 

  769.         # Merge indirect bless permissions into permission variable.
    770. 

  770.         $vars->{'permissions'}{${$_}[0]}{'indirectbless'} = 1;
    771. 

  771.     }
    772. 

  772. }
    773. 

  773. 

  774. sub edit_processing {
    775. 

  775.     my $otherUser = shift;
    776. 

  776.     my $user = Bugzilla->user;
    777. 

  777.     my $template = Bugzilla->template;
    778. 

  778. 

  779.     $user->in_group('editusers') || $user->can_see_user($otherUser)
    780. 

  780.         || ThrowUserError('auth_failure', {reason => "not_visible",
    781. 

  781.                                            action => "modify",
    782. 

  782.                                            object => "user"});
    783. 

  783. 

  784.     userDataToVars($otherUser->id);
    785. 

  785.     $vars->{'token'} = issue_session_token('edit_user');
    786. 

  786. 

  787.     $template->process('admin/users/edit.html.tmpl', $vars)
    788. 

  788.        || ThrowTemplateError($template->error());
    789. 

  789. }
    790. 

  790.