Diffstat (limited to 'extensions/BMO/Extension.pm')
-rw-r--r-- | extensions/BMO/Extension.pm | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index 8d7301f8b..34af43892 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -2258,9 +2258,11 @@ sub forced_format {
 sub query_database {
 my ($vars) = @_;
+ my $cgi = Bugzilla->cgi;
+ my $user = Bugzilla->user;
+ my $template = Bugzilla->template;
 # validate group membership
- my $user = Bugzilla->user;
 $user->in_group('query_database') || ThrowUserError('auth_failure', { group => 'query_database', action => 'access',
@@ -2272,6 +2274,12 @@ sub query_database {
 $vars->{query} = $query;
 if ($query) {
+ # Only allow POST requests
+ if ($cgi->request_method ne 'POST') {
+ ThrowCodeError('illegal_request_method',
+ { method => $cgi->request_method, accepted => ['POST'] });
+ }
+
 check_hash_token($input->{token}, ['query_database']);
 trick_taint($query);
 $vars->{executed} = 1;
@@ -2308,6 +2316,14 @@ sub query_database {
 # return results
 $vars->{columns} = $columns;
 $vars->{rows} = $rows;
+
+ if ($input->{csv}) {
+ print $cgi->header(-type=> 'text/csv',
+ -content_disposition=> "attachment; filename=\"query_database.csv\"");
+ $template->process("pages/query_database.csv.tmpl", $vars)
+ || ThrowTemplateError($template->error());
+ exit;
+ }
 }
 }
|
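Review bot: The CSV branch in the third hunk hands raw query results to `pages/query_database.csv.tmpl`, and nothing in this diff shows that template neutralising cell values that start with `=`, `+`, `-` or `@`, which spreadsheet applications treat as formulas when the download is opened; unless the template already does so, each cell should be quoted and such leading characters escaped (for example prefixed with a single quote) before output, and since the template is outside this commit that needs confirming there. The POST-only guard in the second hunk would also read better with its rationale, e.g. `# Only allow POST requests: the query must not be runnable from a crafted GET link, even one carrying a valid token`. The enclosing sub query_database starts in the first hunk and its body between the hunks (where $input, $columns and $rows are set) is not shown, so whether the csv branch is reachable without a query cannot be confirmed from here.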