Bug 1012508 - Add a admin_menu hook to change who has access to admin.cgi

Bugzilla/User.pm

@@ -1446,6 +1446,30 @@ sub get_accessible_products {
     return [ sort { $a->name cmp $b->name } values %products ];
 }
 
+sub can_administer {
+    my $self = shift;
+
+    if (not defined $self->{can_administer}) {
+        my $can_administer = 0;
+
+        $can_administer = 1 if $self->in_group('admin')
+            || $self->in_group('tweakparams')
+            || $self->in_group('editusers')
+            || $self->can_bless
+            || (Bugzilla->params->{'useclassification'} && $self->in_group('editclassifications'))
+            || $self->in_group('editcomponents')
+            || scalar(@{$self->get_products_by_permission('editcomponents')})
+            || $self->in_group('creategroups')
+            || $self->in_group('editkeywords')
+            || $self->in_group('bz_canusewhines');
+
+        Bugzilla::Hook::process('user_can_administer', { can_administer => \$can_administer });
+        $self->{can_administer} = $can_administer;
+    }
+
+    return $self->{can_administer};
+}
+
 sub check_can_admin_product {
     my ($self, $product_name) = @_;
 
@@ -2876,6 +2900,10 @@ not be aware of the existence of the product.
 
  Returns:     an array of product objects.
 
+=item C<can_administer>
+
+Returns 1 if the user can see the admin menu. Otherwise, returns 0
+
 =item C<check_can_admin_product($product_name)>
 
  Description: Checks whether the user is allowed to administrate the product.

admin.cgi

@@ -20,16 +20,7 @@ my $user = Bugzilla->login(LOGIN_REQUIRED);
 
 print $cgi->header();
 
-$user->in_group('admin')
-  || $user->in_group('tweakparams')
-  || $user->in_group('editusers')
-  || $user->can_bless
-  || (Bugzilla->params->{'useclassification'} && $user->in_group('editclassifications'))
-  || $user->in_group('editcomponents')
-  || scalar(@{$user->get_products_by_permission('editcomponents')})
-  || $user->in_group('creategroups')
-  || $user->in_group('editkeywords')
-  || $user->in_group('bz_canusewhines')
+$user->can_administer
   || ThrowUserError('auth_failure', {action => 'access', object => 'administrative_pages'});
 
 $template->process('admin/admin.html.tmpl')

extensions/Example/Extension.pm

@@ -31,6 +31,18 @@ use constant REL_EXAMPLE => -127;
 
 our $VERSION = '1.0';
 
+sub user_can_administer {
+    my ($self, $args) = @_;
+    my $can_administer = $args->{can_administer};
+
+    # If you add an option to the admin pages (e.g. by using the Hooks in
+    # template/en/default/admin/admin.html.tmpl), you may want to allow
+    # users in another group view admin.cgi
+    #if (Bugzilla->user->in_group('other_group')) {
+    #    $$can_administer = 1;
+    #}
+}
+
 sub admin_editusers_action {
     my ($self, $args) = @_;
     my ($vars, $action, $user) = @$args{qw(vars action user)};

template/en/default/global/common-links.html.tmpl

@@ -53,11 +53,7 @@
 
   [% IF user.login %]
     <li><span class="separator">| </span><a href="userprefs.cgi">Preferences</a></li>
-    [% IF user.in_group('tweakparams') || user.in_group('editusers') || user.can_bless
-          || (Param('useclassification') && user.in_group('editclassifications'))
-          || user.in_group('editcomponents') || user.in_group('admin') || user.in_group('creategroups')
-          || user.in_group('editkeywords') || user.in_group('bz_canusewhines')
-          || user.get_products_by_permission("editcomponents").size %]
+    [% IF user.can_administer %]
       <li><span class="separator">| </span><a href="admin.cgi">Administration</a></li>
     [% END %]