#!/usr/bin/perl -T
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

use 5.10.1;
use strict;
use warnings;

use lib qw(. lib local/lib/perl5);

use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Config qw(:admin);
use Bugzilla::Util;
use Bugzilla::Error;
use Bugzilla::Group;
use Bugzilla::Product;
use Bugzilla::User;
use Bugzilla::Token;

use constant SPECIAL_GROUPS => ('chartgroup', 'insidergroup',
                                'timetrackinggroup', 'querysharegroup');

my $cgi = Bugzilla->cgi;
my $dbh = Bugzilla->dbh;
my $template = Bugzilla->template;
my $vars = {};

my $user = Bugzilla->login(LOGIN_REQUIRED);

print $cgi->header();

$user->in_group('creategroups')
  || ThrowUserError("auth_failure", {group  => "creategroups",
                                     action => "edit",
                                     object => "groups"});

my $action = trim($cgi->param('action') || '');
my $token  = $cgi->param('token');

# CheckGroupID checks that a positive integer is given and is
# actually a valid group ID. If all tests are successful, the
# trimmed group ID is returned.

sub CheckGroupID {
    my ($group_id) = @_;
    $group_id = trim($group_id || 0);
    ThrowUserError("group_not_specified") unless $group_id;
    (detaint_natural($group_id)
      && Bugzilla->dbh->selectrow_array("SELECT id FROM groups WHERE id = ?",
                                        undef, $group_id))
      || ThrowUserError("invalid_group_ID");
    return $group_id;
}

# CheckGroupRegexp checks that the regular expression is valid
# (the regular expression being optional, the test is successful
# if none is given, as expected). The trimmed regular expression
# is returned.

sub CheckGroupRegexp {
    my ($regexp) = @_;
    $regexp = trim($regexp || '');
    trick_taint($regexp);
    ThrowUserError("invalid_regexp") unless (eval {qr/$regexp/});
    return $regexp;
}

# A helper for displaying the edit.html.tmpl template.
sub get_current_and_available {
    my ($group, $vars) = @_;

    my @all_groups         = Bugzilla::Group->get_all;
    my @members_current    = @{$group->grant_direct(GROUP_MEMBERSHIP)};
    my @member_of_current  = @{$group->granted_by_direct(GROUP_MEMBERSHIP)};
    my @bless_from_current = @{$group->grant_direct(GROUP_BLESS)};
    my @bless_to_current   = @{$group->granted_by_direct(GROUP_BLESS)};
    my (@visible_from_current, @visible_to_me_current);
    if (Bugzilla->params->{'usevisibilitygroups'}) {
        @visible_from_current  = @{$group->grant_direct(GROUP_VISIBLE)};
        @visible_to_me_current = @{$group->granted_by_direct(GROUP_VISIBLE)};
    }

    # Figure out what groups are not currently a member of this group,
    # and what groups this group is not currently a member of.
    my (@members_available, @member_of_available,
        @bless_from_available, @bless_to_available,
        @visible_from_available, @visible_to_me_available);
    foreach my $group_option (@all_groups) {
        if (Bugzilla->params->{'usevisibilitygroups'}) {
            push(@visible_from_available, $group_option)
                if !grep($_->id == $group_option->id, @visible_from_current);
            push(@visible_to_me_available, $group_option)
                if !grep($_->id == $group_option->id, @visible_to_me_current);
        }

        push(@bless_from_available, $group_option)
            if !grep($_->id == $group_option->id, @bless_from_current);

        # The group itself should never show up in the membership lists,
        # and should show up in only one of the bless lists (otherwise
        # you can try to allow it to bless itself twice, leading to a
        # database unique constraint error).
        next if $group_option->id == $group->id;

        push(@members_available, $group_option)
            if !grep($_->id == $group_option->id, @members_current);
        push(@member_of_available, $group_option)
            if !grep($_->id == $group_option->id, @member_of_current);
        push(@bless_to_available, $group_option)
           if !grep($_->id == $group_option->id, @bless_to_current);
    }

    $vars->{'members_current'}     = \@members_current;
    $vars->{'members_available'}   = \@members_available;
    $vars->{'member_of_current'}   = \@member_of_current;
    $vars->{'member_of_available'} = \@member_of_available;

    $vars->{'bless_from_current'}   = \@bless_from_current;
    $vars->{'bless_from_available'} = \@bless_from_available;
    $vars->{'bless_to_current'}     = \@bless_to_current;
    $vars->{'bless_to_available'}   = \@bless_to_available;

    if (Bugzilla->params->{'usevisibilitygroups'}) {
        $vars->{'visible_from_current'}    = \@visible_from_current;
        $vars->{'visible_from_available'}  = \@visible_from_available;
        $vars->{'visible_to_me_current'}   = \@visible_to_me_current;
        $vars->{'visible_to_me_available'} = \@visible_to_me_available;
    }
}

# If no action is specified, get a list of all groups available.

unless ($action) {
    my @groups = Bugzilla::Group->get_all;
    $vars->{'groups'} = \@groups;

    print $cgi->header();
    $template->process("admin/groups/list.html.tmpl", $vars)
      || ThrowTemplateError($template->error());
    exit;
}

#
# action='changeform' -> present form for altering an existing group
#
# (next action will be 'postchanges')
#

if ($action eq 'changeform') {
    # Check that an existing group ID is given
    my $group_id = CheckGroupID($cgi->param('group'));
    my $group = new Bugzilla::Group($group_id);
    check_for_restricted_groups([ $group ]);

    get_current_and_available($group, $vars);
    $vars->{'group'} = $group;
    $vars->{'token'} = issue_session_token('edit_group');

    print $cgi->header();
    $template->process("admin/groups/edit.html.tmpl", $vars)
      || ThrowTemplateError($template->error());

    exit;
}

#
# action='add' -> present form for parameters for new group
#
# (next action will be 'new')
#

if ($action eq 'add') {
    $vars->{'token'} = issue_session_token('add_group');
    print $cgi->header();
    $template->process("admin/groups/create.html.tmpl", $vars)
      || ThrowTemplateError($template->error());

    exit;
}



#
# action='new' -> add group entered in the 'action=add' screen
#

if ($action eq 'new') {
    check_token_data($token, 'add_group');
    my $group = Bugzilla::Group->create({
        name        => scalar $cgi->param('name'),
        description => scalar $cgi->param('desc'),
        userregexp  => scalar $cgi->param('regexp'),
        isactive    => scalar $cgi->param('isactive'),
        icon_url    => scalar $cgi->param('icon_url'),
        idle_member_removal => scalar $cgi->param('idle_member_removal'),
        isbuggroup  => 1,
        owner_user_id => scalar $cgi->param('owner'),
    });

    # Permit all existing products to use the new group if makeproductgroups.
    if ($cgi->param('insertnew')) {
        $dbh->do('INSERT INTO group_control_map
                  (group_id, product_id, membercontrol, othercontrol)
                  SELECT ?, products.id, ?, ? FROM products',
                  undef, ($group->id, CONTROLMAPSHOWN, CONTROLMAPNA));
    }
    delete_token($token);

    $vars->{'message'} = 'group_created';
    $vars->{'group'} = $group;
    get_current_and_available($group, $vars);
    $vars->{'token'} = issue_session_token('edit_group');

    print $cgi->header();
    $template->process("admin/groups/edit.html.tmpl", $vars)
      || ThrowTemplateError($template->error());
    exit;
}

#
# action='del' -> ask if user really wants to delete
#
# (next action would be 'delete')
#

if ($action eq 'del') {
    # Check that an existing group ID is given
    my $group = Bugzilla::Group->check({ id => scalar $cgi->param('group') });
    check_for_restricted_groups([ $group ]);
    $group->check_remove({ test_only => 1 });
    $vars->{'shared_queries'} =
        $dbh->selectrow_array('SELECT COUNT(*)
                                 FROM namedquery_group_map
                                WHERE group_id = ?', undef, $group->id);

    $vars->{'group'} = $group;
    $vars->{'token'} = issue_session_token('delete_group');

    print $cgi->header();
    $template->process("admin/groups/delete.html.tmpl", $vars)
      || ThrowTemplateError($template->error());

    exit;
}

#
# action='delete' -> really delete the group
#

if ($action eq 'delete') {
    check_token_data($token, 'delete_group');
    # Check that an existing group ID is given
    my $group = Bugzilla::Group->check({ id => scalar $cgi->param('group') });
    check_for_restricted_groups([ $group ]);
    $vars->{'name'} = $group->name;
    $group->remove_from_db({
        remove_from_users => scalar $cgi->param('removeusers'),
        remove_from_bugs  => scalar $cgi->param('removebugs'),
        remove_from_flags => scalar $cgi->param('removeflags'),
        remove_from_products => scalar $cgi->param('unbind'),
    });
    delete_token($token);

    $vars->{'message'} = 'group_deleted';
    $vars->{'groups'} = [Bugzilla::Group->get_all];

    print $cgi->header();
    $template->process("admin/groups/list.html.tmpl", $vars)
      || ThrowTemplateError($template->error());
    exit;
}

#
# action='postchanges' -> update the groups
#

if ($action eq 'postchanges') {
    check_token_data($token, 'edit_group');
    my $changes = doGroupChanges();
    delete_token($token);

    my $group = new Bugzilla::Group($cgi->param('group_id'));
    get_current_and_available($group, $vars);
    $vars->{'message'} = 'group_updated';
    $vars->{'group'}   = $group;
    $vars->{'changes'} = $changes;
    $vars->{'token'} = issue_session_token('edit_group');

    print $cgi->header();
    $template->process("admin/groups/edit.html.tmpl", $vars)
      || ThrowTemplateError($template->error());
    exit;
}

if ($action eq 'confirm_remove') {
    my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id')));
    check_for_restricted_groups([ $group ]);
    $vars->{'group'} = $group;
    $vars->{'regexp'} = CheckGroupRegexp($cgi->param('regexp'));
    $vars->{'token'} = issue_session_token('remove_group_members');
    $template->process('admin/groups/confirm-remove.html.tmpl', $vars)
        || ThrowTemplateError($template->error());
    exit;
}

if ($action eq 'remove_regexp') {
    check_token_data($token, 'remove_group_members');
    # remove all explicit users from the group with
    # gid = $cgi->param('group') that match the regular expression
    # stored in the DB for that group or all of them period

    my $group  = new Bugzilla::Group(CheckGroupID($cgi->param('group_id')));
    check_for_restricted_groups([ $group ]);
    my $regexp = CheckGroupRegexp($cgi->param('regexp'));

    $dbh->bz_start_transaction();

    my $users = $group->members_direct();
    my $sth_delete = $dbh->prepare(
        "DELETE FROM user_group_map
           WHERE user_id = ? AND isbless = 0 AND group_id = ?");

    my @deleted;
    foreach my $member (@$users) {
        if ($regexp eq '' || $member->login =~ m/$regexp/i) {
            $sth_delete->execute($member->id, $group->id);
            push(@deleted, $member);
        }
    }
    $dbh->bz_commit_transaction();

    $vars->{'users'}  = \@deleted;
    $vars->{'regexp'} = $regexp;
    delete_token($token);

    $vars->{'message'} = 'group_membership_removed';
    $vars->{'group'} = $group->name;
    $vars->{'groups'} = [Bugzilla::Group->get_all];

    print $cgi->header();
    $template->process("admin/groups/list.html.tmpl", $vars)
      || ThrowTemplateError($template->error());

    exit;
}

# No valid action found
ThrowUserError('unknown_action', {action => $action});

# Helper sub to handle the making of changes to a group
sub doGroupChanges {
    my $cgi = Bugzilla->cgi;
    my $dbh = Bugzilla->dbh;

    $dbh->bz_start_transaction();

    # Check that the given group ID is valid and make a Group.
    my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id')));
    check_for_restricted_groups([ $group ]);

    if (defined $cgi->param('regexp')) {
        $group->set_user_regexp($cgi->param('regexp'));
    }

    if ($group->is_bug_group) {
        if (defined $cgi->param('name')) {
            $group->set_name($cgi->param('name'));
        }
        if (defined $cgi->param('desc')) {
            $group->set_description($cgi->param('desc'));
        }
        # Only set isactive if we came from the right form.
        if (defined $cgi->param('regexp')) {
            $group->set_is_active($cgi->param('isactive'));
        }
    }

    if (defined $cgi->param('icon_url')) {
        $group->set_icon_url($cgi->param('icon_url'));
    }

    if (defined $cgi->param('owner')) {
        $group->set_owner($cgi->param('owner'));
    }

    if (defined $cgi->param('idle_member_removal')) {
        $group->set_idle_member_removal($cgi->param('idle_member_removal'));
    }

    my $changes = $group->update();

    my $sth_insert = $dbh->prepare('INSERT INTO group_group_map
                                    (member_id, grantor_id, grant_type)
                                    VALUES (?, ?, ?)');

    my $sth_delete = $dbh->prepare('DELETE FROM group_group_map
                                     WHERE member_id = ?
                                           AND grantor_id = ?
                                           AND grant_type = ?');

    # First item is the type, second is whether or not it's "reverse"
    # (granted_by) (see _do_add for more explanation).
    my %fields = (
        members       => [GROUP_MEMBERSHIP, 0],
        bless_from    => [GROUP_BLESS, 0],
        visible_from  => [GROUP_VISIBLE, 0],
        member_of     => [GROUP_MEMBERSHIP, 1],
        bless_to      => [GROUP_BLESS, 1],
        visible_to_me => [GROUP_VISIBLE, 1]
    );
    while (my ($field, $data) = each %fields) {
        _do_add($group, $changes, $sth_insert, "${field}_add",
                $data->[0], $data->[1]);
        _do_remove($group, $changes, $sth_delete, "${field}_remove",
                   $data->[0], $data->[1]);
    }

    $dbh->bz_commit_transaction();
    return $changes;
}

sub _do_add {
    my ($group, $changes, $sth_insert, $field, $type, $reverse) = @_;
    my $cgi = Bugzilla->cgi;

    my $current;
    # $reverse means we're doing a granted_by--that is, somebody else
    # is granting us something.
    if ($reverse) {
        $current = $group->granted_by_direct($type);
    }
    else {
        $current = $group->grant_direct($type);
    }

    my $add_items = Bugzilla::Group->new_from_list([$cgi->param($field)]);
    check_for_restricted_groups($add_items);

    foreach my $add (@$add_items) {
        next if grep($_->id == $add->id, @$current);

        $changes->{$field} ||= [];
        push(@{$changes->{$field}}, $add->name);
        # They go this direction for a normal "This group is granting
        # $add something."
        my @ids = ($add->id, $group->id);
        # But they get reversed for "This group is being granted something
        # by $add."
        @ids = reverse @ids if $reverse;
        $sth_insert->execute(@ids, $type);
    }
}

sub _do_remove {
    my ($group, $changes, $sth_delete, $field, $type, $reverse) = @_;
    my $cgi = Bugzilla->cgi;
    my $remove_items = Bugzilla::Group->new_from_list([$cgi->param($field)]);
    check_for_restricted_groups($remove_items);

    foreach my $remove (@$remove_items) {
        my @ids = ($remove->id, $group->id);
        # See _do_add for an explanation of $reverse
        @ids = reverse @ids if $reverse;
        # Deletions always succeed and are harmless if they fail, so we
        # don't need to do any checks.
        $sth_delete->execute(@ids, $type);
        $changes->{$field} ||= [];
        push(@{$changes->{$field}}, $remove->name);
    }
}

# ensure non-admins cannot edit the admin group
# likewise you must be a member of the insider group in order to update it
sub check_for_restricted_groups {
    my ($groups) = @_;

    my $user = Bugzilla->user;
    return if $user->in_group('admin');

    # check for admin changes
    foreach my $group (@$groups) {
        if ($group->name eq 'admin') {
            ThrowUserError('auth_failure', {
                action => 'edit',
                object => 'admin_group',
            });
        }
    }

    # check for insider group changes
    my $insider_group = Bugzilla->params->{insidergroup};
    return if $user->in_group($insider_group);
    foreach my $group (@$groups) {
        if ($group->name eq $insider_group) {
            ThrowUserError('auth_failure', {
                action => 'edit',
                object => 'insider_group',
            });
        }
    }
}