From d31c2301593cecbb58b1ad3cbbbb065f05ca5fe7 Mon Sep 17 00:00:00 2001
From: Vitaliy Filippov
Date: Fri, 21 Dec 2018 18:12:41 +0300
Subject: [PATCH] Add "forbid_open_products" setting
---
 Bugzilla/Config/GroupSecurity.pm | 6 +++
 Bugzilla/Product.pm | 33 +++++++++++++++-
 editproducts.cgi | 5 ++-
 .../admin/params/groupsecurity.html.tmpl | 39 +++++++++++--------
 .../en/default/global/user-error.html.tmpl | 13 +++++++
 5 files changed, 75 insertions(+), 21 deletions(-)
diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm
index cf5263de1..3a669eeab 100644
--- a/Bugzilla/Config/GroupSecurity.pm
+++ b/Bugzilla/Config/GroupSecurity.pm
@@ -109,6 +109,12 @@ sub get_param_list
 type => 'b', default => 0 },
+
+ {
+ name => 'forbid_open_products',
+ type => 'b',
+ default => 0
+ },
 ); return @param_list; }
diff --git a/Bugzilla/Product.pm b/Bugzilla/Product.pm
index abf60c0f0..8303c8773 100644
--- a/Bugzilla/Product.pm
+++ b/Bugzilla/Product.pm
@@ -168,8 +168,11 @@ sub update
 my $self = shift; my $dbh = Bugzilla->dbh;
+ my $is_new = !$self->id;
+
 # Don't update the DB if something goes wrong below -> transaction. $dbh->bz_start_transaction();
+
 # Bugzilla::Field::Choice is not a threat as we don't have 'value' field # Yet do not call its update() for the future my ($changes, $old_self) = Bugzilla::Object::update($self, @_);
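Review bot: `my $is_new = !$self->id;` deserves a comment, because Bugzilla::Object::update() is normally reached only for rows that already exist and a reader will not expect an id-less object here; something like `# In this fork a brand-new product is also saved through update(); remember that so the group-control policy check below is enforced on creation too.` Whether `$self->id` is reliably false before the first save is not visible in this hunk, so confirm that before relying on the flag. update() continues outside the hunk.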
@@ -266,14 +269,40 @@ sub update
 } # Also update group settings.
- if ($self->{check_group_controls})
+ if ($is_new || $self->{check_group_controls})
 { require Bugzilla::Bug;
- my $old_settings = $old_self->group_controls;
+ my $old_settings = !$is_new ? $old_self->group_controls : {};
 my $new_settings = $self->group_controls; my $timestamp = $dbh->selectrow_array('SELECT NOW()');
+ if (Bugzilla->config->{forbid_open_products})
+ {
+ my $has_mandatory = 0;
+ my $has_entry = 0;
+ foreach my $gid (keys %$new_settings)
+ {
+ if ($new_settings->{$gid}->{entry})
+ {
+ $has_entry = 1;
+ }
+ if ($new_settings->{$gid}->{membercontrol} == CONTROLMAPMANDATORY &&
+ $new_settings->{$gid}->{othercontrol} == CONTROLMAPMANDATORY)
+ {
+ $has_mandatory = 1;
+ }
+ }
+ if (!$has_mandatory)
+ {
+ ThrowUserError('product_mandatory_group_required');
+ }
+ if (!$has_entry)
+ {
+ ThrowUserError('product_entry_group_required');
+ }
+ }
+
 foreach my $gid (keys %$new_settings) { my $old_setting = $old_settings->{$gid} || {};
diff --git a/editproducts.cgi b/editproducts.cgi
index 269a33a44..6b69efff5 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -374,8 +374,9 @@ if ($action eq 'updategroupcontrols')
 my $product = $user->check_can_admin_product($product_name); check_token_data($token, 'edit_group_controls');
- my @now_na = ();
- my @now_mandatory = ();
+ my @now_na;
+ my @now_mandatory;
+ my @now_entry;
 my %membercontrol_g; my %othercontrol_g; foreach my $f (keys %$ARGS)
diff --git a/template/en/default/admin/params/groupsecurity.html.tmpl b/template/en/default/admin/params/groupsecurity.html.tmpl
index b09f4c991..604df478b 100644
--- a/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/template/en/default/admin/params/groupsecurity.html.tmpl
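Review bot: The policy check under `if (Bugzilla->config->{forbid_open_products})` lives only inside Product::update(), so the "no open products" invariant is enforced only on the two paths that reach it (`$is_new` or `check_group_controls`); any other code that rewrites a product's group controls — for example removing or deactivating the single MANDATORY/MANDATORY group from the group-administration side, if this tree has such a path — can leave a product open without ever hitting this branch. `$new_settings->{$gid}->{membercontrol} == CONTROLMAPMANDATORY` also emits an uninitialized-value warning when a control is undef, which looks possible for a group that only has `entry` set. Moving the loop into a private method that takes the settings hash lets the same policy be applied from a group-deletion path later and makes the two error conditions testable on their own; the call site stays where it is. update() begins and ends outside the hunk.
```perl
        if (Bugzilla->config->{forbid_open_products})
        {
            $self->_check_forbid_open_products($new_settings);
        }
        # … unchanged: per-group comparison loop …

# … unchanged: rest of update() …

# Enforce the forbid_open_products policy on a group_controls hash:
# at least one MANDATORY/MANDATORY group and at least one ENTRY group.
# Throws the same user errors as the inline version; returns nothing.
sub _check_forbid_open_products
{
    my ($self, $settings) = @_;
    my ($has_mandatory, $has_entry) = (0, 0);
    foreach my $gid (keys %$settings)
    {
        my $gc = $settings->{$gid};
        $has_entry = 1 if $gc->{entry};
        # "|| 0" keeps a missing control from warning; it compares unequal either way.
        if (($gc->{membercontrol} || 0) == CONTROLMAPMANDATORY &&
            ($gc->{othercontrol} || 0) == CONTROLMAPMANDATORY)
        {
            $has_mandatory = 1;
        }
    }
    ThrowUserError('product_mandatory_group_required') if !$has_mandatory;
    ThrowUserError('product_entry_group_required') if !$has_entry;
    return;
}
```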
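Review bot: `my @now_entry;` is declared but never populated or read in this commit — the diffstat lists editproducts.cgi at 3 insertions and 2 deletions, all in this hunk — so it is dead code until a later change uses it; either drop the line or add the code that fills it alongside `@now_na` and `@now_mandatory`. The `= ()` removals on the two lines above are harmless, since `my @x;` already yields an empty array. The enclosing `if ($action eq 'updategroupcontrols')` block continues outside the hunk.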
@@ -31,32 +31,37 @@
 "If this is on, $terms.Bugzilla will by default associate newly created groups" _ " with each product in the database. Generally only useful for small databases.",
- chartgroup => "The name of the group of users who can use the 'New Charts' " _
- "feature. Administrators should ensure that the public categories " _
- "and series definitions do not divulge confidential information " _
- "before enabling this for an untrusted population. If left blank, " _
- "no users will be able to use New Charts.",
+ chartgroup =>
+ "The name of the group of users who can use the 'New Charts' "
+ _ "feature. Administrators should ensure that the public categories "
+ _ "and series definitions do not divulge confidential information "
+ _ "before enabling this for an untrusted population. If left blank, "
+ _ "no users will be able to use New Charts.",
- insidergroup => "The name of the group of users who can see/change private " _
- "comments and attachments.",
+ insidergroup =>
+ "The name of the group of users who can see/change private "
+ _ "comments and attachments.",
- timetrackinggroup => "The name of the group of users who can see/change time tracking " _
- "information.",
+ timetrackinggroup =>
+ "The name of the group of users who can see/change time tracking information.",
- querysharegroup => "The name of the group of users who can share their " _
- "saved searches with others.",
+ querysharegroup =>
+ "The name of the group of users who can share their saved searches with others.",
 usevisibilitygroups => "

Do you wish to restrict visibility of users to members of specific groups," _ " based on the configuration specified in group settings?

" _ "

If yes, each group can be allowed to see members of selected other groups.

", - strict_isolation => "Don't allow users to be assigned to, " _ - "be qa-contacts on, " _ - "be added to CC list, " _ - "or make or remove dependencies " _ - "involving any bug that is in a product on which that " _ - "user is forbidden to edit.", + strict_isolation => + "Don't allow users to be assigned to, be qa-contacts on, " + _ "be added to CC list, or make or remove dependencies " + _ "involving any bug that is in a product on which that " + _ "user is forbidden to edit.", + forbid_open_products => + "Don't allow 'open' products, i.e. force everyone to set at least" + _ " one MANDATORY/MANDATORY and one ENTRY group for each product." + _ " This is checked for new products and for products whose group controls are being modified.", } %] diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index dc7ca3ebe..76718d425 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1602,6 +1602,19 @@ "[% suggested | html %]"? [% END %] +[% BLOCK error_product_mandatory_group_required %] + Bugzilla group security policy requires that all products have at least + one group which is set as MANDATORY/MANDATORY, which means that only users of + this group or users explicitly added as CC/Assignee/QA may access bugs in + the corresponding product. +[% END %] + +[% BLOCK error_product_entry_group_required %] + [% terms.Bugzilla %] group security policy requires that all products have at least + one group which is set as ENTRY, which means that only users of + this group may file new bugs in the corresponding product. +[% END %] + [% BLOCK error_product_name_already_in_use %] [% title = "Product name already exists" %] [% admindocslinks = {'products.html' => 'Administering products'} %]