From 73fd49ff3bbff6244802ba548bb22c2be39014e1 Mon Sep 17 00:00:00 2001 From: "bugreport%peshkin.net" <> Date: Tue, 6 Jul 2004 08:12:29 +0000 Subject: Bug 243463 Use a param to protect new charts from leaking information r=justdave a=justdave --- chart.cgi | 4 ++ defparams.pl | 11 ++++++ editproducts.cgi | 59 ++++++++++++++++-------------- template/en/default/reports/menu.html.tmpl | 10 +++-- 4 files changed, 53 insertions(+), 31 deletions(-) diff --git a/chart.cgi b/chart.cgi index 229e9bbf7..b6f7f746b 100755 --- a/chart.cgi +++ b/chart.cgi @@ -84,6 +84,10 @@ if ($action eq "search") { Bugzilla->login(LOGIN_REQUIRED); +UserInGroup(Param("chartgroup")) + || ThrowUserError("authorization_failure", + {action => "use this feature"}); + # Only admins may create public queries UserInGroup('admin') || $cgi->delete('public'); diff --git a/defparams.pl b/defparams.pl index 849c033ea..6861d0447 100644 --- a/defparams.pl +++ b/defparams.pl @@ -1034,6 +1034,17 @@ Reason: %reason% checker => \&check_numeric }, + { + name => 'chartgroup', + desc => 'The name of the group of users who can use the "New Charts" ' . + 'feature. Administrators should ensure that the public categories ' . + 'and series definitions do not divulge unwanted information ' . + 'before enabling this for an untrusted population. If left blank, ' . + 'no users will be able to use New Charts.', + type => 't', + default => '' + }, + { name => 'insidergroup', desc => 'The name of the group of users who can see/change private ' . diff --git a/editproducts.cgi b/editproducts.cgi index 8cf9a309d..6d33c8080 100755 --- a/editproducts.cgi +++ b/editproducts.cgi @@ -271,6 +271,10 @@ if ($action eq 'add') { print "\n"; print " Version:\n"; print " \n"; + print "\n"; + print " Create chart datasets for this product:\n"; + print " "; + print "\n"; print "\n
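Review bot: The new gate in chart.cgi relies on `UserInGroup` rejecting an empty group name to get the documented "blank means nobody" behaviour of the `chartgroup` param, instead of stating that rule itself. Making it explicit keeps the deny decision in chart.cgi and independent of how the group lookup treats a missing name: `my $chartgroup = Param("chartgroup");` / `($chartgroup && UserInGroup($chartgroup))` / `|| ThrowUserError("authorization_failure", {action => "use this feature"});`. The check correctly sits after `Bugzilla->login(LOGIN_REQUIRED)`, so anonymous users are sent to log in before the authorization failure is raised. The `search` branch named in the hunk header appears to run before this line; if it exits early it bypasses the new gate, which is worth confirming is intended.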
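Review bot: The `chartgroup` entry in defparams.pl has no `checker`, unlike the numeric param directly above it, so a mistyped group name is accepted silently; the effect is that nobody can use New Charts, which fails closed but is hard to diagnose from the admin side. If the file already has a validator for group-name params, attach it here; otherwise a small `checker` that accepts a blank value or the name of an existing group would surface the typo at edit time rather than as a puzzling authorization failure.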
\n"; print "\n"; 
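Review bot: The new checkbox row is emitted with `print "  ";` for the input cell while every neighbouring line, including the Version row it copies, ends its string with `\n`; the generated markup runs two cells onto one line. Append `\n` to that print so the output stays consistent with the rest of the form. The input's attributes are not visible in this rendering, so whether the box defaults to unchecked (meaning admins on installations that rely on charting must remember to tick it) cannot be confirmed here.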
@@ -389,36 +393,37 @@ if ($action eq 'new') { CONTROLMAPNA . ", 0)"); } - # Insert default charting queries for this product. - # If they aren't using charting, this won't do any harm. - GetVersionTable(); - - my @series; - - # We do every status, every resolution, and an "opened" one as well. - foreach my $bug_status (@::legal_bug_status) { - push(@series, [$bug_status, "bug_status=$bug_status"]); - } + if ($::FORM{createseries}) { + # Insert default charting queries for this product. + # If they aren't using charting, this won't do any harm. + GetVersionTable(); + + my @series; + + # We do every status, every resolution, and an "opened" one as well. + foreach my $bug_status (@::legal_bug_status) { + push(@series, [$bug_status, "bug_status=$bug_status"]); + } - foreach my $resolution (@::legal_resolution) { - next if !$resolution; - push(@series, [$resolution, "resolution=$resolution"]); - } + foreach my $resolution (@::legal_resolution) { + next if !$resolution; + push(@series, [$resolution, "resolution=$resolution"]); + } - # For localisation reasons, we get the name of the "global" subcategory - # and the title of the "open" query from the submitted form. - my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"); - my $query = join("&", map { "bug_status=$_" } @openedstatuses); - push(@series, [$::FORM{'open_name'}, $query]); - - foreach my $sdata (@series) { - my $series = new Bugzilla::Series(undef, $product, - $::FORM{'subcategory'}, - $sdata->[0], $::userid, 1, - $sdata->[1] . "&product=$product", 1); - $series->writeToDatabase(); + # For localisation reasons, we get the name of the "global" subcategory + # and the title of the "open" query from the submitted form. 
+ my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"); + my $query = join("&", map { "bug_status=$_" } @openedstatuses); + push(@series, [$::FORM{'open_name'}, $query]); + + foreach my $sdata (@series) { + my $series = new Bugzilla::Series(undef, $product, + $::FORM{'subcategory'}, + $sdata->[0], $::userid, 1, + $sdata->[1] . "&product=$product", 1); + $series->writeToDatabase(); + } } - # Make versioncache flush unlink "$datadir/versioncache"; diff --git a/template/en/default/reports/menu.html.tmpl b/template/en/default/reports/menu.html.tmpl index 7481790fd..5ac1516d5 100644 --- a/template/en/default/reports/menu.html.tmpl +++ b/template/en/default/reports/menu.html.tmpl @@ -64,10 +64,12 @@ plot the status and/or resolution of [% terms.bugs %] against time, for each product in your database. -
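Review bot: The comment carried into the new `if ($::FORM{createseries})` block, `# If they aren't using charting, this won't do any harm.`, described the old unconditional insert and no longer matches the code, which now creates the series only when the box on the add form was ticked; replace it with `# Only when the "Create chart datasets" box was ticked on the add form.`. On the same new side `new Bugzilla::Series(...)` is indirect-object syntax, and since these lines are being re-indented anyway `Bugzilla::Series->new(...)` is the form to use. The enclosing `if ($action eq 'new')` block starts before this hunk and continues after it; the `unlink` of versioncache is its last visible line.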
  • - New Charts - - plot any arbitrary search against time. Far more powerful. -
  • + [% IF UserInGroup(Param("chartgroup")) %] +
  • + New Charts - + plot any arbitrary search against time. Far more powerful. +
  • + [% END %] [% PROCESS global/footer.html.tmpl %] -- cgit v1.2.3-24-g4f1b
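Review bot: The menu test `UserInGroup(Param("chartgroup"))` duplicates the gate added to chart.cgi, including its dependence on how an empty group name is treated; if chart.cgi later spells out the "blank disables the feature" rule by testing the param before calling UserInGroup, this template has to change in step, or the link will be shown to users chart.cgi then rejects. Hiding the entry is cosmetic in any case, since chart.cgi is where access is enforced. A template comment beside the IF, `[%# Must match the chartgroup check in chart.cgi %]`, would tie the two places together for the next maintainer.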