Bug 452525 - Allow the option of "OR" groups ("any of the groups" instead of "all of the groups")

r=gerv, a=sgreen

Bug 452525 - Allow the option of "OR" groups ("any of the groups" instead of "all of the groups")
9e7ad08c · Simon Green · 8465c056 · 9e7ad08c · 9e7ad08c · 9e7ad08c
Commit 9e7ad08c authored Dec 18, 2013 by Simon Green
9 changed files
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -196,6 +196,9 @@ sub update_params {

    $param->{'utf8'} = 1 if $new_install;

+    # Bug 452525: OR based groups are on by default for new installations
+    $param->{'or_groups'} = 1 if $new_install;
+
    # --- REMOVE OLD PARAMS ---

    my %oldparams;

--- a/Bugzilla/Config/GroupSecurity.pm
+++ b/Bugzilla/Config/GroupSecurity.pm
@@ -83,6 +83,12 @@ sub get_param_list {
   name => 'strict_isolation',
   type => 'b',
   default => 0
+  },
+
+  {
+   name => 'or_groups',
+   type => 'b',
+   default => 0
  } );
  return @param_list;
 }

--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1228,9 +1228,12 @@ sub _standard_joins {
    push(@joins, $security_join);

    if ($user->id) {
-        $security_join->{extra} =
-            ["NOT (" . $user->groups_in_sql('security_map.group_id') . ")"];
-            
+        # See also _standard_joins for the other half of the below statement
+        if (!Bugzilla->params->{'or_groups'}) {
+            $security_join->{extra} =
+                ["NOT (" . $user->groups_in_sql('security_map.group_id') . ")"];
+        }
+
        my $security_cc_join = {
            table => 'cc',
            as    => 'security_cc',
@@ -1304,10 +1307,17 @@ sub _standard_where {
    # until their group controls are set. So if a bug has a NULL creation_ts,
    # it shouldn't show up in searches at all.
    my @where = ('bugs.creation_ts IS NOT NULL');
-    
-    my $security_term = 'security_map.group_id IS NULL';

    my $user = $self->_user;
+    my $security_term = '';
+    # See also _standard_joins for the other half of the below statement
+    if (Bugzilla->params->{'or_groups'}) {
+        $security_term .= " (security_map.group_id IS NULL OR security_map.group_id IN (" . $user->groups_as_string . "))";
+    }
+    else {
+        $security_term = 'security_map.group_id IS NULL';
+    }
+
    if ($user->id) {
        my $userid = $user->id;
        # This indentation makes the resulting SQL more readable.

--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
--- a/request.cgi
+++ b/request.cgi
@@ -118,20 +118,27 @@ sub queue {
                  ON bugs.product_id = products.id
          INNER JOIN components
                  ON bugs.component_id = components.id
-           LEFT JOIN bug_group_map AS bgmap
-                  ON bgmap.bug_id = bugs.bug_id
-                 AND bgmap.group_id NOT IN (" .
-                     $user->groups_as_string . ")
           LEFT JOIN bug_group_map AS privs
                  ON privs.bug_id = bugs.bug_id
           LEFT JOIN cc AS ccmap
                  ON ccmap.who = $userid
                 AND ccmap.bug_id = bugs.bug_id
-    " .
+           LEFT JOIN bug_group_map AS bgmap
+                  ON bgmap.bug_id = bugs.bug_id
+    ";
+
+    if (Bugzilla->params->{or_groups}) {
+        $query .= " AND bgmap.group_id IN (" . $user->groups_as_string . ")";
+        $query .= " WHERE     (privs.group_id IS NULL OR bgmap.group_id IS NOT NULL OR";
+    }
+    else {
+        $query .= " AND bgmap.group_id NOT IN (" . $user->groups_as_string . ")";
+        $query .= " WHERE     (bgmap.group_id IS NULL OR";
+    }

    # Weed out bug the user does not have access to
-    " WHERE     ((bgmap.group_id IS NULL) OR
-                 (ccmap.who IS NOT NULL AND cclist_accessible = 1) OR
+    $query .=
+    "            (ccmap.who IS NOT NULL AND cclist_accessible = 1) OR
                 (bugs.reporter = $userid AND bugs.reporter_accessible = 1) OR
                 (bugs.assigned_to = $userid) " .
                 (Bugzilla->params->{'useqacontact'} ? "OR

--- a/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/template/en/default/admin/params/groupsecurity.html.tmpl
@@ -37,13 +37,20 @@

  usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
                         "specific groups?",
-  
+
  strict_isolation => "Don't allow users to be assigned to, " _
                      "be qa-contacts on, " _
                      "be added to CC list, " _
                      "or make or remove dependencies " _
                      "involving any bug that is in a product on which that " _
-                      "user is forbidden to edit.", 
-
+                      "user is forbidden to edit.",
+
+ or_groups => "Define the visibility of a $terms.bug which is in multiple " _
+              "groups. If this is on (recommended), a user only needs to " _
+              "be a member of one of the $terms.bug's groups in order to " _
+              "view it. If it is off, a user needs to be a member of all " _
+              "the $terms.bug's groups. Note that in either case, if the " _
+              "user has a role on the $terms.bug (e.g. reporter) that may " _
+              "also affect their permissions."
 }
 %]
--- a/template/en/default/admin/products/groupcontrol/edit.html.tmpl
+++ b/template/en/default/admin/products/groupcontrol/edit.html.tmpl
@@ -129,15 +129,17 @@ product.
 </p>
 <p>
 If any group has <b>Entry</b> selected, then this product will
-restrict [% terms.bug %] entry to only those users who are members of all the
-groups with entry selected.
+restrict [% terms.bug %] entry to only those users who are members of
+[%+ IF Param('or_groups') %]at least one of[% ELSE %]all[% END %] the groups
+with entry selected.
 </p>
 <p>
 If any group has <b>Canedit</b> selected, then this product
-will be read-only for any users who are not members of all of
-the groups with Canedit selected. ONLY users who are members of
-all the canedit groups will be able to edit. This is an additional
-restriction that further restricts what can be edited by a user.
+will be read-only for any users who are not members of
+[%+ IF Param('or_groups') %]one[% ELSE %]all[% END %] of the groups with
+Canedit selected. ONLY users who are members of
+[%+ IF Param('or_groups') %]at least one of[% ELSE %]all[% END %] the canedit groups
+will be able to edit. This is an additional restriction that further restricts what can be edited by a user.
 </p>
 <p>
 The following settings control let you choose privileges on a <b>per-product basis</b>.

--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -634,7 +634,7 @@ TUI_hide_default('attachment_text_field');
    <td colspan="3">
      <br>
        <strong>
-          Only users in all of the selected groups can view this 
+          Only users in [%+ IF Param('or_groups') %]at least one[% ELSE %]all[% END %] of the selected groups can view this 
          [%+ terms.bug %]:
        </strong>
      <br>

--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -651,8 +651,9 @@
      [% IF NOT emitted_description %]
        [% emitted_description = 1 %]
          <div id="bz_restrict_group_visibility_help">
-            <b>Only users in all of the selected groups can view this 
-              [%+ terms.bug %]:</b>
+            <b>Only users in
+              [%+ IF Param('or_groups') %]at least one[% ELSE %]all[% END %]
+              of the selected groups can view this [% terms.bug %]:</b>
             <p class="instructions">
               Unchecking all boxes makes this a more public [% terms.bug %].
             </p>