summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Lawrence <dkl@mozilla.com>2015-08-07 20:26:17 +0200
committerDavid Lawrence <dkl@mozilla.com>2015-08-07 20:26:17 +0200
commitc87a709ed067ddd8bc4d70ba82cc7eaeccfcc5ed (patch)
treea2406f27b936fbce4a2c0a91f0bc263155f1e72d
parent86a7f0140f898cd77e5d3a2dcfd52722d2f65089 (diff)
downloadbugzilla-c87a709ed067ddd8bc4d70ba82cc7eaeccfcc5ed.tar.gz
bugzilla-c87a709ed067ddd8bc4d70ba82cc7eaeccfcc5ed.tar.xz
Bug 1191888: Create security_remove.pl script to remove user from all visibility roles in secure bugs
-rwxr-xr-xscripts/security_remove.pl189
1 files changed, 189 insertions, 0 deletions
diff --git a/scripts/security_remove.pl b/scripts/security_remove.pl
new file mode 100755
index 000000000..90099e387
--- /dev/null
+++ b/scripts/security_remove.pl
@@ -0,0 +1,189 @@
+#!/usr/bin/perl
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+use 5.10.1;
+use strict;
+use warnings;
+
+use FindBin '$RealBin';
+use lib "$RealBin/../..", "$RealBin/../../lib";
+
+use Bugzilla;
+use Bugzilla::Constants;
+use Bugzilla::Field;
+use Bugzilla::User;
+
+use Pod::Usage;
+
+# Load extensions for monkeypatched $user->clear_last_statistics_ts()
+BEGIN { Bugzilla->extensions(); }
+
+Bugzilla->usage_mode(USAGE_MODE_CMDLINE);
+
+if (scalar @ARGV < 1) {
+ die <<USAGE;
+Usage: security_remove.pl <user>
+
+E.g.: security_remove.pl foo\@bar.com
+
+will remove the specified user from the following roles on private only bugs:
+
+- Set reporter_accessible to false if user is the reporter
+- Remove from the cc list
+- Clear qa_contact if the user is qa_contact
+- Re-assign to nobody\@mozilla.org if user is the assignee
+
+This script should not touch user's membership or default assignee, qa contact,
+or cc settings for components.
+
+Script should not send any email about the changes.
+USAGE
+}
+
+my ($login_name) = @ARGV;
+
+# Load nobody user and set as current
+my $auto_user = Bugzilla::User->check({ name => 'automation@bmo.tld' });
+Bugzilla->set_user($auto_user);
+
+# Check target user
+my $target_user = Bugzilla::User->check({ name => $login_name });
+
+my $dbh = Bugzilla->dbh;
+my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)');
+
+# Gather bug ids
+my $reporter_bugs = $dbh->selectcol_arrayref(
+ q{SELECT bugs.bug_id
+ FROM bugs, bug_group_map
+ WHERE bugs.bug_id = bug_group_map.bug_id
+ AND bugs.reporter_accessible = 1
+ AND bugs.reporter = ?},
+ undef, $target_user->id) || [];
+
+my $assignee_bugs = $dbh->selectcol_arrayref(
+ q{SELECT bugs.bug_id
+ FROM bugs, bug_group_map
+ WHERE bugs.bug_id = bug_group_map.bug_id
+ AND bugs.assigned_to = ?},
+ undef, $target_user->id) || [];
+
+my $qa_bugs = $dbh->selectcol_arrayref(
+ q{SELECT bugs.bug_id
+ FROM bugs, bug_group_map
+ WHERE bugs.bug_id = bug_group_map.bug_id
+ AND bugs.qa_contact = ?},
+ undef, $target_user->id) || [];
+
+my $cc_bugs = $dbh->selectcol_arrayref(
+ q{SELECT cc.bug_id
+ FROM cc, bug_group_map
+ WHERE cc.bug_id = bug_group_map.bug_id
+ AND cc.who = ?},
+ undef, $target_user->id) || [];
+
+my $reporter_count = scalar @$reporter_bugs;
+my $assignee_count = scalar @$assignee_bugs;
+my $qa_count = scalar @$qa_bugs;
+my $cc_count = scalar @$cc_bugs;
+
+if (!$reporter_count
+ && !$assignee_count
+ && !$qa_count
+ && !$cc_count)
+{
+ warn "There are no bugs to update.\n";
+ exit 1;
+}
+
+warn <<EOF;
+About to remove user from the following number of bugs:
+
+Reporter: $reporter_count
+Assignee: $assignee_count
+QA Contact: $qa_count
+CC: $cc_count
+
+Press <Ctrl-C> to stop or <Enter> to continue...
+EOF
+getc();
+
+$dbh->bz_start_transaction;
+
+# Reporter - set reporter_accessible to false
+my $field_id = get_field_id('reporter_accessible');
+foreach my $bug_id (@$reporter_bugs) {
+ warn "Updating bug $bug_id\n";
+ $dbh->do(
+ q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added)
+ VALUES (?, ?, ?, ?, ?, ?)},
+ undef, $bug_id, $auto_user->id, $timestamp, $field_id, 1, 0);
+ $dbh->do(
+ q{UPDATE bugs SET reporter_accessible = 0, delta_ts = ?, lastdiffed = ?
+ WHERE bug_id = ?},
+ undef, $timestamp, $timestamp, $bug_id);
+}
+
+# Assignee
+$field_id = get_field_id('assigned_to');
+foreach my $bug_id (@$assignee_bugs) {
+ warn "Updating bug $bug_id\n";
+ $dbh->do(
+ q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added)
+ VALUES (?, ?, ?, ?, ?, ?)},
+ undef, $bug_id, $auto_user->id, $timestamp, $field_id,
+ $target_user->login, $auto_user->login);
+ $dbh->do(
+ q{UPDATE bugs SET assigned_to = ?, delta_ts = ?, lastdiffed = ?
+ WHERE bug_id = ?},
+ undef, $auto_user->id, $timestamp, $timestamp, $bug_id);
+}
+
+# QA Contact
+$field_id = get_field_id('qa_contact');
+foreach my $bug_id (@$qa_bugs) {
+ warn "Updating bug $bug_id\n";
+ $dbh->do(
+ q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added)
+ VALUES (?, ?, ?, ?, ?, '')},
+ undef, $bug_id, $auto_user->id, $timestamp, $field_id, $target_user->login);
+ $dbh->do(
+ q{UPDATE bugs SET qa_contact = NULL, delta_ts = ?, lastdiffed = ?
+ WHERE bug_id = ?},
+ undef, $timestamp, $timestamp, $bug_id);
+}
+
+# CC list
+$field_id = get_field_id('cc');
+foreach my $bug_id (@$cc_bugs) {
+ warn "Updating bug $bug_id\n";
+ $dbh->do(
+ q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added)
+ VALUES (?, ?, ?, ?, ?, '')},
+ undef, $bug_id, $auto_user->id, $timestamp, $field_id, $target_user->login);
+ $dbh->do(q{DELETE FROM cc WHERE bug_id = ? AND who = ?},
+ undef, $bug_id, $target_user->id);
+}
+
+$target_user->clear_last_statistics_ts();
+
+$dbh->bz_commit_transaction;
+
+# It's complex to determine which items now need to be flushed from memcached.
+# As this is expected to be a rare event, we just flush the entire cache.
+Bugzilla->memcached->clear_all();
+
+__END__
+
+=head1 NAME
+
+security_remove.pl - Remove user from any role associated with private bugs.
+
+=head1 SYNOPSIS
+
+ security_remove.pl foo@bar.com