From 17a4afe9818289e53969f9eec2cef2367a2d6104 Mon Sep 17 00:00:00 2001
From: Gervase Markham <gerv@gerv.net>
Date: Mon, 22 Dec 2014 09:53:22 +0000
Subject: Bug 836713 - Make group membership reports publicly-available.
 r=glob.

---
 extensions/BMO/lib/Reports/Groups.pm               | 45 +++++++++++++++++++---
 .../en/default/hook/reports/menu-end.html.tmpl     |  6 ++-
 .../en/default/pages/group_members.html.tmpl       | 33 ++++++++++++----
 .../en/default/pages/group_members.json.tmpl       |  8 +++-
 4 files changed, 75 insertions(+), 17 deletions(-)

diff --git a/extensions/BMO/lib/Reports/Groups.pm b/extensions/BMO/lib/Reports/Groups.pm
index ab0f1efa4..7fa86b243 100644
--- a/extensions/BMO/lib/Reports/Groups.pm
+++ b/extensions/BMO/lib/Reports/Groups.pm
@@ -20,11 +20,18 @@ sub admins_report {
     my $dbh = Bugzilla->dbh;
     my $user = Bugzilla->user;
 
-    ($user->in_group('editusers') || $user->in_group('infrasec'))
-        || ThrowUserError('auth_failure', { group  => 'editusers',
+    ($user->in_group('editbugs'))
+        || ThrowUserError('auth_failure', { group  => 'editbugs',
                                             action => 'run',
                                             object => 'group_admins' });
 
+    my @grouplist =
+                  ($user->in_group('editusers') || $user->in_group('infrasec'))
+                  ? map { lc($_->name) } Bugzilla::Group->get_all
+                  : _get_public_membership_groups();
+
+    my $groups = join(',', map { $dbh->quote($_) } @grouplist);
+
     my $query = "
         SELECT groups.name, " .
                $dbh->sql_group_concat('profiles.login_name', "','", 1) . "
@@ -36,6 +43,7 @@ sub admins_report {
                LEFT JOIN profiles
                     ON user_group_map.user_id = profiles.userid
          WHERE groups.isbuggroup = 1
+               AND groups.name IN ($groups)
       GROUP BY groups.name";
 
     my @groups;
@@ -160,11 +168,16 @@ sub members_report {
     my $user = Bugzilla->user;
     my $cgi = Bugzilla->cgi;
 
-    ($user->in_group('editusers') || $user->in_group('infrasec'))
-        || ThrowUserError('auth_failure', { group  => 'editusers',
+    ($user->in_group('editbugs'))
+        || ThrowUserError('auth_failure', { group  => 'editbugs',
                                             action => 'run',
                                             object => 'group_admins' });
 
+    my @grouplist =
+                  ($user->in_group('editusers') || $user->in_group('infrasec'))
+                  ? map { lc($_->name) } Bugzilla::Group->get_all
+                  : _get_public_membership_groups();
+
     my $include_disabled = $cgi->param('include_disabled') ? 1 : 0;
     $vars->{'include_disabled'} = $include_disabled;
 
@@ -172,8 +185,7 @@ sub members_report {
     my @group_names =
         sort
         grep { !/^(?:bz_.+|canconfirm|editbugs|editbugs-team|everyone)$/ }
-        map { lc($_->name) }
-        Bugzilla::Group->get_all;
+        @grouplist;
     unshift(@group_names, '');
     $vars->{'groups'} = \@group_names;
 
@@ -240,4 +252,25 @@ sub _filter_userlist {
     return [ sort { lc($a->identity) cmp lc($b->identity) } @$list ];
 }
 
+# Groups that any user with editbugs can see the membership or admin lists for.
+# Transparency FTW.
+sub _get_public_membership_groups {
+    my @all_groups = map { lc($_->name) } Bugzilla::Group->get_all;
+
+    my %hardcoded_groups = map { $_ => 1 } qw(
+        bugzilla-approvers
+        bugzilla-reviewers
+        can_restrict_comments
+        community-it-team
+        mozilla-employee-confidential
+        mozilla-foundation-confidential
+        mozilla-reps
+        qa-approvers
+    );
+
+    # We also automatically include all drivers groups - this gives us a little
+    # future-proofing
+    return grep { /-drivers$/ || exists $hardcoded_groups{$_} } @all_groups;
+}
+
 1;
diff --git a/extensions/BMO/template/en/default/hook/reports/menu-end.html.tmpl b/extensions/BMO/template/en/default/hook/reports/menu-end.html.tmpl
index fd48130eb..34c51db81 100644
--- a/extensions/BMO/template/en/default/hook/reports/menu-end.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/reports/menu-end.html.tmpl
@@ -24,17 +24,21 @@
       <a href="[% urlbase FILTER none %]page.cgi?id=release_tracking_report.html">Release Tracking Report</a>
     </strong> - For triaging release-train flag information.
   </li>
-  [% IF user.in_group('editusers') || user.in_group('infrasec') %]
+  [% IF user.in_group('editbugs') %]
     <li>
       <strong>
         <a href="[% urlbase FILTER none %]page.cgi?id=group_admins.html">Group Admins</a>
       </strong> - Lists the administrators of each group.
     </li>
+  [% END %]
+  [% IF user.in_group('editusers') || user.in_group('infrasec') %]
     <li>
       <strong>
         <a href="[% urlbase FILTER none %]page.cgi?id=group_membership.html">Group Membership Report</a>
       </strong> - Lists the groups a user is a member of.
     </li>
+  [% END %]
+  [% IF user.in_group('editbugs') %]
     <li>
       <strong>
         <a href="[% urlbase FILTER none %]page.cgi?id=group_members.html">Group Members Report</a>
diff --git a/extensions/BMO/template/en/default/pages/group_members.html.tmpl b/extensions/BMO/template/en/default/pages/group_members.html.tmpl
index daf4d5b0d..67db8ea2e 100644
--- a/extensions/BMO/template/en/default/pages/group_members.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/group_members.html.tmpl
@@ -11,6 +11,8 @@
   style_urls = [ "extensions/BMO/web/styles/reports.css" ]
 %]
 
+[% SET privileged = (user.in_group('editusers') || user.in_group('infrasec')) %]
+
 <form method="GET" action="page.cgi">
   <input type="hidden" name="id" value="group_members.html">
 
@@ -48,15 +50,23 @@
         <th>Type</th>
         <th>Count</th>
         <th>Members</th>
-        <th class="right">Last Seen (days ago)</th>
+        [% IF privileged %]
+          <th class="right">Last Seen (days ago)</th>
+        [% END %]
       </tr>
 
       [% FOREACH type = types %]
         [% count = loop.count() %]
         <tr class="report_item [% count % 2 == 1 ? "report_row_odd" : "report_row_even" %]">
           <td valign="top">
-            [% "via&nbsp;" UNLESS type.name == 'direct' %]
-            [% type.name FILTER html %]
+            [% IF type.name == 'direct' %]
+              direct
+            [% ELSE %]
+              via&nbsp;
+              [% IF privileged %]
+                [% type.name FILTER html %]
+              [% ELSE %]another&nbsp;group[% END %]
+            [% END %]
           </td>
           <td valign="top" align="right">
             [% type.members.size FILTER html %]
@@ -66,16 +76,23 @@
               [% FOREACH member = type.members %]
                 <tr>
                   <td width="100%">
-                    <a href="editusers.cgi?action=edit&amp;userid=[% member.id FILTER none %]"
-                      target="_blank">
+                    [% IF privileged %]
+                      <a href="editusers.cgi?action=edit&amp;userid=[% member.id FILTER none %]"
+                        target="_blank">
+                    [% ELSE %]
+                      <a href="user_profile?login=[% member.login FILTER uri %]"
+                        target="_blank">
+                    [% END %]
                       <span [% 'class="bz_inactive"' UNLESS member.is_enabled %]>
                         [% member.name FILTER html %] &lt;[% member.email FILTER email FILTER html %]&gt;
                       </span>
                     </a>
                   </td>
-                  <td align="right" nowrap>
-                    [% member.lastseen FILTER html %]
-                  </td>
+                  [% IF privileged %]
+                    <td align="right" nowrap>
+                      [% member.lastseen FILTER html %]
+                    </td>
+                  [% END %]
                 </tr>
               [% END %]
             </table>
diff --git a/extensions/BMO/template/en/default/pages/group_members.json.tmpl b/extensions/BMO/template/en/default/pages/group_members.json.tmpl
index 8cbb2a23a..e982731f7 100644
--- a/extensions/BMO/template/en/default/pages/group_members.json.tmpl
+++ b/extensions/BMO/template/en/default/pages/group_members.json.tmpl
@@ -20,12 +20,16 @@
           "membership": "direct",
         [% ELSE %]
           "membership": "indirect",
-          "group": "[% type.name FILTER js %]",
+          [% IF user.in_group('editusers') || user.in_group('infrasec') %]
+            "group": "[% type.name FILTER js %]",
+          [% END %]
         [% END %]
         [% IF include_disabled %]
           "disabled": "[% member.is_enabled ? "false" : "true" %]",
         [% END %]
-        "lastseen": "[% member.lastseen FILTER js %]"
+        [% IF user.in_group('editusers') || user.in_group('infrasec') %]
+          "lastseen": "[% member.lastseen FILTER js %]"
+        [% END %]
       }[% "," UNLESS i == count %]
     [% END %]
   [% END %]
-- 
cgit v1.2.3-24-g4f1b