Add 'View Plugins' global capability that allows to list plugins
At the moment only the Gerrit administrators can list the installed
plugins. However which plugins are installed may be also interesting
to project owners and users because they want to know which
functionality is available to them. Hiding the 'Plugins' > 'Installed'
menu is bad since this screen is the entry point to the documentation
of the installed plugins. This documentation may be relevant to normal
users.
Since being able to see the list of installed plugin may be considered
as security risk, by default still only administrators are able to
list them, but now the new capability allows to assign this permission
also to other users.
Change-Id: Ifed8ad76354b9a19e8c79edb0c965249b162fdfd
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt
index 8b2fd64..8ff2eb6 100644
--- a/Documentation/access-control.txt
+++ b/Documentation/access-control.txt
@@ -1311,6 +1311,12 @@
link:cmd-show-connections.html[look at Gerrit's current connections via ssh].
+[[capability_viewPlugins]]
+=== View Plugins
+
+Allow viewing the list of installed plugins.
+
+
[[capability_viewQueue]]
=== View Queue
diff --git a/Documentation/rest-api-accounts.txt b/Documentation/rest-api-accounts.txt
index ac5bd54..2801429 100644
--- a/Documentation/rest-api-accounts.txt
+++ b/Documentation/rest-api-accounts.txt
@@ -659,6 +659,7 @@
"viewCaches": true,
"flushCaches": true,
"viewConnections": true,
+ "viewPlugins": true,
"viewQueue": true,
"runGC": true
}
@@ -1145,6 +1146,8 @@
|`viewConnections` |not set if `false`|Whether the user has the
link:access-control.html#capability_viewConnections[View Connections]
capability.
+|`viewPlugins` |not set if `false`|Whether the user has the
+link:access-control.html#capability_viewPlugins[View Plugins] capability.
|`viewQueue` |not set if `false`|Whether the user has the
link:access-control.html#capability_viewQueue[View Queue] capability.
|=================================
diff --git a/Documentation/rest-api-config.txt b/Documentation/rest-api-config.txt
index 6c02bb6..6a3b34e 100644
--- a/Documentation/rest-api-config.txt
+++ b/Documentation/rest-api-config.txt
@@ -126,6 +126,11 @@
"id": "viewConnections",
"name": "View Connections"
},
+ "viewPlugins": {
+ "kind": "gerritcodereview#capability",
+ "id": "viewPlugins",
+ "name": "View Plugins"
+ },
"viewQueue": {
"kind": "gerritcodereview#capability",
"id": "viewQueue",
diff --git a/Documentation/rest-api-plugins.txt b/Documentation/rest-api-plugins.txt
index 89a22f0..0011213 100644
--- a/Documentation/rest-api-plugins.txt
+++ b/Documentation/rest-api-plugins.txt
@@ -23,6 +23,10 @@
Lists the plugins installed on the Gerrit server. Only the enabled
plugins are returned unless the `all` option is specified.
+To be allowed to see the installed plugins, a user must be a member of
+a group that is granted the 'View Plugins' capability or the
+'Administrate Server' capability.
+
As result a map is returned that maps the plugin IDs to
link:#plugin-info[PluginInfo] entries. The entries in the map are sorted
by plugin ID.
diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
index dbc1dd8..adbf10a 100644
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
@@ -32,6 +32,7 @@
public boolean viewAllAccounts;
public boolean viewCaches;
public boolean viewConnections;
+ public boolean viewPlugins;
public boolean viewQueue;
static class QueryLimit {
diff --git a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
index 80a04fa..d9ad274 100644
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
@@ -88,6 +88,9 @@
/** Can view open connections to the server's SSH port. */
public static final String VIEW_CONNECTIONS = "viewConnections";
+ /** Can view all installed plugins. */
+ public static final String VIEW_PLUGINS = "viewPlugins";
+
/** Can view all pending tasks in the queue (not just the filtered set). */
public static final String VIEW_QUEUE = "viewQueue";
@@ -112,6 +115,7 @@
NAMES_ALL.add(VIEW_ALL_ACCOUNTS);
NAMES_ALL.add(VIEW_CACHES);
NAMES_ALL.add(VIEW_CONNECTIONS);
+ NAMES_ALL.add(VIEW_PLUGINS);
NAMES_ALL.add(VIEW_QUEUE);
NAMES_LC = new ArrayList<>(NAMES_ALL.size());
diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
index 600c8d8..b7857e4 100644
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -14,9 +14,9 @@
package com.google.gerrit.client;
-import static com.google.gerrit.common.data.GlobalCapability.ADMINISTRATE_SERVER;
import static com.google.gerrit.common.data.GlobalCapability.CREATE_GROUP;
import static com.google.gerrit.common.data.GlobalCapability.CREATE_PROJECT;
+import static com.google.gerrit.common.data.GlobalCapability.VIEW_PLUGINS;
import com.google.gerrit.client.account.AccountCapabilities;
import com.google.gerrit.client.account.AccountInfo;
@@ -649,14 +649,14 @@
PageLinks.ADMIN_CREATE_GROUP,
peopleBar.getWidgetIndex(groupsListMenuItem) + 1);
}
- if (result.canPerform(ADMINISTRATE_SERVER)) {
+ if (result.canPerform(VIEW_PLUGINS)) {
insertLink(pluginsBar, C.menuPluginsInstalled(),
PageLinks.ADMIN_PLUGINS, 0);
menuLeft.insert(pluginsBar, C.menuPlugins(),
menuLeft.getWidgetIndex(peopleBar) + 1);
}
}
- }, CREATE_PROJECT, CREATE_GROUP, ADMINISTRATE_SERVER);
+ }, CREATE_PROJECT, CREATE_GROUP, VIEW_PLUGINS);
}
if (getConfig().isDocumentationAvailable()) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
index aad22eb..7556173 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
@@ -134,6 +134,12 @@
|| canAdministrateServer();
}
+ /** @return true if the user can view the installed plugins. */
+ public boolean canViewPlugins() {
+ return canPerform(GlobalCapability.VIEW_PLUGINS)
+ || canAdministrateServer();
+ }
+
/** @return true if the user can view the entire queue. */
public boolean canViewQueue() {
return canPerform(GlobalCapability.VIEW_QUEUE)
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
index e02f5a2..465ddab 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
@@ -27,6 +27,7 @@
import static com.google.gerrit.common.data.GlobalCapability.VIEW_ALL_ACCOUNTS;
import static com.google.gerrit.common.data.GlobalCapability.VIEW_CACHES;
import static com.google.gerrit.common.data.GlobalCapability.VIEW_CONNECTIONS;
+import static com.google.gerrit.common.data.GlobalCapability.VIEW_PLUGINS;
import static com.google.gerrit.common.data.GlobalCapability.VIEW_QUEUE;
import com.google.common.collect.Iterables;
@@ -117,6 +118,7 @@
have.put(VIEW_ALL_ACCOUNTS, cc.canViewAllAccounts());
have.put(VIEW_CACHES, cc.canViewCaches());
have.put(VIEW_CONNECTIONS, cc.canViewConnections());
+ have.put(VIEW_PLUGINS, cc.canViewPlugins());
have.put(VIEW_QUEUE, cc.canViewQueue());
QueueProvider.QueueType queue = cc.getQueueType();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
index 26081ca4..289173b 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
@@ -38,5 +38,6 @@
public String viewAllAccounts;
public String viewCaches;
public String viewConnections;
+ public String viewPlugins;
public String viewQueue;
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java b/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java
index a2348f3..c3f4338 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java
@@ -40,7 +40,7 @@
import java.util.Map;
/** List the installed plugins. */
-@RequiresCapability(GlobalCapability.ADMINISTRATE_SERVER)
+@RequiresCapability(GlobalCapability.VIEW_PLUGINS)
public class ListPlugins implements RestReadView<TopLevelResource> {
private final PluginLoader pluginLoader;
diff --git a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
index 8d1e983..9eb7d9b 100644
--- a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
+++ b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
@@ -14,4 +14,5 @@
viewAllAccounts = View All Accounts
viewCaches = View Caches
viewConnections = View Connections
+viewPlugins = View Plugins
viewQueue = View Queue
