From c0fc50d35b1e3320b28b281c16489f78babc5abb Mon Sep 17 00:00:00 2001
From: "jocuri%softhome.net" <>
Date: Sat, 27 Mar 2004 05:00:11 +0000
Subject: Patch for bug 237369: implement relatively simple changes from %FORM
 to $cgi->param variable; patch by Teemu Mannermaa <wicked@etlicon.fi>;
 r=kiko, justdave; a=justdave.

---
 reports.cgi | 44 ++++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

(limited to 'reports.cgi')

diff --git a/reports.cgi b/reports.cgi
index 67274a6d5..b863249d6 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -40,7 +40,6 @@ use lib qw(.);
 use Bugzilla::Config qw(:DEFAULT $datadir);
 
 require "CGI.pl";
-use vars qw(%FORM); # globals from CGI.pl
 
 require "globals.pl";
 use vars qw(@legal_product); # globals from er, globals.pl
@@ -71,7 +70,7 @@ my @myproducts;
 push( @myproducts, "-All-");
 push( @myproducts, GetSelectableProducts());
 
-if (! defined $FORM{'product'}) {
+if (! defined $cgi->param('product')) {
 
     print $cgi->header();
     PutHeader("Bug Charts");
@@ -79,29 +78,29 @@ if (! defined $FORM{'product'}) {
     PutFooter();
 
 } else {
+    my $product = $cgi->param('product');
 
     # For security and correctness, validate the value of the "product" form variable.
     # Valid values are those products for which the user has permissions which appear
     # in the "product" drop-down menu on the report generation form.
-    grep($_ eq $FORM{'product'}, @myproducts)
-      || ThrowUserError("invalid_product_name", {product => $FORM{'product'}});
+    grep($_ eq $product, @myproducts)
+      || ThrowUserError("invalid_product_name", {product => $product});
 
     # We don't want people to be able to view
     # reports for products they don't have permissions for...
-    if (($FORM{'product'} ne '-All-')
-      && (!CanEnterProduct($FORM{'product'}))) {
+    if (($product ne '-All-') && (!CanEnterProduct($product))) {
         ThrowUserError("report_access_denied");
     }
           
     # We've checked that the product exists, and that the user can see it
     # This means that is OK to detaint
-    trick_taint($FORM{'product'});
+    trick_taint($product);
 
     print $cgi->header(-Content_Disposition=>'inline; filename=bugzilla_report.html');
 
     PutHeader("Bug Charts");
 
-    show_chart();
+    show_chart($product);
 
     PutFooter();
 }
@@ -189,21 +188,25 @@ sub daily_stats_filename {
 }
 
 sub show_chart {
-    if (! $FORM{datasets}) {
+    my ($product) = @_;
+
+    if (! defined $cgi->param('datasets')) {
         ThrowUserError("missing_datasets");
     }
+    my $datasets = join('', $cgi->param('datasets'));
 
   print <<FIN;
 <center>
 FIN
 
     my $type = chart_image_type();
-    my $data_file = daily_stats_filename($FORM{product});
-    my $image_file = chart_image_name($data_file, $type);
+    my $data_file = daily_stats_filename($product);
+    my $image_file = chart_image_name($data_file, $type, $datasets);
     my $url_image = "$graph_dir/" . url_quote($image_file);
 
     if (! -e "$graph_dir/$image_file") {
-        generate_chart("$dir/$data_file", "$graph_dir/$image_file", $type);
+        generate_chart("$dir/$data_file", "$graph_dir/$image_file", $type,
+                       $product, $datasets);
     }
     
     print <<FIN;
@@ -223,7 +226,7 @@ sub chart_image_type {
 }
 
 sub chart_image_name {
-    my ($data_file, $type) = @_;
+    my ($data_file, $type, $datasets) = @_;
 
     # This routine generates a filename from the requested fields. The problem
     # is that we have to check the safety of doing this. We can't just require
@@ -232,15 +235,16 @@ sub chart_image_name {
     # Instead, just require that each field name consists only of letters
     # and number
 
-    if ($FORM{'datasets'} !~ m/[A-Za-z0-9:]/) {
-        die "Invalid datasets $FORM{'datasets'}";
+    if ($datasets !~ m/[A-Za-z0-9:]/) {
+        die "Invalid datasets $datasets";
     }
+
     # Since we pass the tests, consider it OK
-    trick_taint($FORM{'datasets'});
+    trick_taint($datasets);
 
     # Cache charts by generating a unique filename based on what they
     # show. Charts should be deleted by collectstats.pl nightly.
-    my $id = join ("_", split (":", $FORM{datasets}));
+    my $id = join ("_", split (":", $datasets));
 
     return "${data_file}_${id}.$type";
 }
@@ -253,7 +257,7 @@ sub day_of_year {
 }
 
 sub generate_chart {
-    my ($data_file, $image_file, $type) = @_;
+    my ($data_file, $image_file, $type, $product, $datasets) = @_;
     
     if (! open FILE, $data_file) {
         ThrowCodeError("chart_data_not_generated");
@@ -261,7 +265,7 @@ sub generate_chart {
 
     my @fields;
     my @labels = qw(DATE);
-    my %datasets = map { $_ => 1 } split /:/, $FORM{datasets};
+    my %datasets = map { $_ => 1 } split /:/, $datasets;
 
     my %data = ();
     while (<FILE>) {
@@ -318,7 +322,7 @@ sub generate_chart {
 
     my %settings =
         (
-         "title" => "Status Counts for $FORM{'product'}",
+         "title" => "Status Counts for $product",
          "x_label" => "Dates",
          "y_label" => "Bug Counts",
          "legend_labels" => \@labels,
-- 
cgit v1.2.3-24-g4f1b