Bug 352593: Move group creation from checksetup.pl to Bugzilla::Install

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> (module owner) a=myk

2 files changed, 121 insertions, 0 deletions

diff --git a/Bugzilla/Install.pm b/Bugzilla/Install.pm
index 9c2349199..1a910f8e0 100644
--- a/Bugzilla/Install.pm
+++ b/Bugzilla/Install.pm
@@ -58,6 +58,55 @@ use constant SETTINGS => {
 
 };
 
+use constant SYSTEM_GROUPS => (
+    {
+        name        => 'admin',
+        description => 'Administrators'
+    },
+    {
+        name        => 'tweakparams',
+        description => 'Can change Parameters'
+    },
+    {
+        name        => 'editusers',
+        description => 'Can edit or disable users'
+    },
+    {
+        name        => 'creategroups',
+        description => 'Can create and destroy groups'
+    },
+    {
+        name        => 'editclassifications',
+        description => 'Can create, destroy, and edit classifications'
+    },
+    {
+        name        => 'editcomponents',
+        description => 'Can create, destroy, and edit components'
+    },
+    {
+        name        => 'editkeywords',
+        description => 'Can create, destroy, and edit keywords'
+    },
+    {
+        name        => 'editbugs',
+        description => 'Can edit all bug fields',
+        userregexp  => '.*'
+    },
+    {
+        name        => 'canconfirm',
+        description => 'Can confirm a bug or mark it a duplicate'
+    },
+    {
+        name        => 'bz_canusewhines',
+        description => 'User can configure whine reports for self'
+    },
+    {
+        name        => 'bz_sudoers',
+        description => 'Can perform actions as other users'
+    },
+    # There are also other groups created in update_system_groups.
+);
+
 use constant DEFAULT_CLASSIFICATION => {
     name        => 'Unclassified',
     description => 'Unassigned to any classification'
@@ -87,6 +136,73 @@ sub update_settings {
     }
 }
 
+sub update_system_groups {
+    my $dbh = Bugzilla->dbh;
+
+    # Create most of the system groups
+    foreach my $definition (SYSTEM_GROUPS) {
+        my $exists = new Bugzilla::Group({ name => $definition->{name} });
+        $definition->{isbuggroup} = 0;
+        Bugzilla::Group->create($definition) unless $exists;
+    }
+
+    # Certain groups need something done after they are created. We do
+    # that here.
+
+    # Make sure people who can whine at others can also whine.
+    if (!new Bugzilla::Group({name => 'bz_canusewhineatothers'})) {
+        my $whineatothers = Bugzilla::Group->create({
+            name        => 'bz_canusewhineatothers',
+            description => 'Can configure whine reports for other users',
+            isbuggroup  => 0 });
+        my $whine = new Bugzilla::Group({ name => 'bz_canusewhines' });
+
+        $dbh->do('INSERT INTO group_group_map (grantor_id, member_id) 
+                       VALUES (?,?)', undef, $whine->id, $whineatothers->id);
+    }
+
+    # Make sure sudoers are automatically protected from being sudoed.
+    if (!new Bugzilla::Group({name => 'bz_sudo_protect'})) {
+        my $sudo_protect = Bugzilla::Group->create({
+            name        => 'bz_sudo_protect',
+            description => 'Can not be impersonated by other users',
+            isbuggroup  => 0 });
+        my $sudo = new Bugzilla::Group({ name => 'bz_sudoers' });
+        $dbh->do('INSERT INTO group_group_map (grantor_id, member_id) 
+                       VALUES (?,?)', undef, $sudo_protect->id, $sudo->id);
+    }
+
+    # Re-evaluate all regexps, to keep them up-to-date.
+    my $sth = $dbh->prepare(
+        "SELECT profiles.userid, profiles.login_name, groups.id, 
+                groups.userregexp, user_group_map.group_id
+           FROM (profiles CROSS JOIN groups)
+                LEFT JOIN user_group_map
+                ON user_group_map.user_id = profiles.userid
+                   AND user_group_map.group_id = groups.id
+                   AND user_group_map.grant_type = ?
+          WHERE userregexp != '' OR user_group_map.group_id IS NOT NULL");
+
+    my $sth_add = $dbh->prepare(
+        "INSERT INTO user_group_map (user_id, group_id, isbless, grant_type)
+              VALUES (?, ?, 0, " . GRANT_REGEXP . ")");
+
+    my $sth_del = $dbh->prepare(
+        "DELETE FROM user_group_map
+          WHERE user_id  = ? AND group_id = ? AND isbless = 0 
+                AND grant_type = " . GRANT_REGEXP);
+
+    $sth->execute(GRANT_REGEXP);
+    while (my ($uid, $login, $gid, $rexp, $present) = $sth->fetchrow_array()) {
+        if ($login =~ m/$rexp/i) {
+            $sth_add->execute($uid, $gid) unless $present;
+        } else {
+            $sth_del->execute($uid, $gid) if $present;
+        }
+    }
+
+}
+
 # This function should be called only after creating the admin user.
 sub create_default_product {
     my $dbh = Bugzilla->dbh;
diff --git a/Bugzilla/Install/DB.pm b/Bugzilla/Install/DB.pm
index e4e4e97fe..2e364c540 100644
--- a/Bugzilla/Install/DB.pm
+++ b/Bugzilla/Install/DB.pm
@@ -416,6 +416,11 @@ sub update_table_definitions {
     _copy_attachments_thedata_to_attach_data();
     _fix_broken_all_closed_series();
 
+    # 2005-08-14 bugreport@peshkin.net -- Bug 304583
+    # Get rid of leftover DERIVED group permissions
+    use constant GRANT_DERIVED => 1;
+    $dbh->do("DELETE FROM user_group_map WHERE grant_type = " . GRANT_DERIVED);
+
     # PUBLIC is a reserved word in Oracle.
     $dbh->bz_rename_column('series', 'public', 'is_public');