Google Git
Sign in
gerrit / gerrit.git / c46d2c9310e4606582f65efa4492dc14e0e36f73^! / .
commitc46d2c9310e4606582f65efa4492dc14e0e36f73[log] [tgz]
authorLuca Milanesio <luca.milanesio@gmail.com>Thu Jun 13 14:39:16 2024 +0100
committerLuca Milanesio <luca.milanesio@gmail.com>Thu Jun 13 15:15:05 2024 +0000
tree18bc236714badc6fd8c2d298882c23c2c7921279
parentba868a93d4e9685e0b93025a0a6e342a0f132d74 [diff]
Fix permission backend extra query with parens

During the review the If144832047b4 the way the extra
query added by the permission backend was overlooked and,
in conjunction of a an empty query in the integration test
allowed the following ambiguity:

Query without permissions backend limitations
- author:self OR status:open => returns all open changes
  or authored by the current user

Query with a permissions backend hiding a testHiddenProject
- author:self OR status:open -project:testHiddenProject

The above query is not doing what the permission backend
would expect, because is evaluated as follows:
- author:self OR (status:open AND -project:testHiddenProject)

The above query would return all changes authored by the
current user, including the ones of testHiddenProject.

Release-Notes: Fix evaluation of extra query provided by a permission backend
Change-Id: I94dea44d5c5f00a9a90c29136cf265d4759b2165

diff --git a/java/com/google/gerrit/server/restapi/change/QueryChanges.java b/java/com/google/gerrit/server/restapi/change/QueryChanges.java
index d05cbf6..2878fe2 100644
--- a/java/com/google/gerrit/server/restapi/change/QueryChanges.java
+++ b/java/com/google/gerrit/server/restapi/change/QueryChanges.java

@@ -179,7 +179,7 @@
     }
 
     for (int i = 0; i < queries.size(); i++) {
-      queries.set(i, queries.get(i) + " " + queryFilter);
+      queries.set(i, "(" + queries.get(i) + ") AND (" + queryFilter + ")");
     }
   }
 

diff --git a/javatests/com/google/gerrit/acceptance/api/change/QueryChangesFilterPermissionBackendIT.java b/javatests/com/google/gerrit/acceptance/api/change/QueryChangesFilterPermissionBackendIT.java
index 07d32fe..a6c3c27 100644
--- a/javatests/com/google/gerrit/acceptance/api/change/QueryChangesFilterPermissionBackendIT.java
+++ b/javatests/com/google/gerrit/acceptance/api/change/QueryChangesFilterPermissionBackendIT.java

@@ -135,13 +135,14 @@
     TestRepository<InMemoryRepository> hiddenRepo = cloneProject(hiddenProject, admin);
     createChange(hiddenRepo);
 
-    assertThat(gApi.changes().query().get()).hasSize(2);
+    String changeQuery = "author:self OR status:open";
+    assertThat(gApi.changes().query(changeQuery).get()).hasSize(2);
 
     server
         .getTestInjector()
         .getInstance(TestPermissionBackend.class)
         .setExtraQueryFilter("-project:" + hiddenProject);
-    List<ChangeInfo> projectChanges = gApi.changes().query().get();
+    List<ChangeInfo> projectChanges = gApi.changes().query(changeQuery).get();
     assertThat(projectChanges.stream().map(c -> c.changeId)).containsExactly(projectChangeId);
   }
 }