Restrict visibility to arbitrary user dashboards

Administrators have some expectation when using the suggest.accounts
visibility restriction feature that users cannot get the names or
email addresses for arbitrary accounts. In fact, because account IDs
are sequential, it would be easy for an adversary to get personal
information of all users on the server by requesting every user's
dashboard.

This change reuses the visibility restrictions established for the
suggestion service, moving the logic to a common AccountControl class.

This includes changing the meaning of the suggest.accounts config
option to be a boolean indicating whether account suggestion should
happen at all, which is now orthogonal to the account visibility
restriction policy. We still recognize the old values for
suggest.accounts, with the slight behavior change that
suggest.accounts=OFF now means that users cannot access the dashboards
of any other users. Administrators who do not want this behavior can
update their configuration.

Change-Id: I7c59aaf4a6196f294848c061f55bd8dd308d939d
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index ebe71b2..964defd 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -24,6 +24,27 @@
   diskbuffer = 10 m
 ----
 
+[[accounts]]Section accounts
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[[accounts.visibility]]::
++
+Controls visibility of other users' dashboard pages and
+completion suggestions to web users.
++
+If `ALL`, all users are visible to all other users, even
+anonymous users.
++
+If `SAME_GROUP`, only users who are also members of a group the
+current user is a member of are visible.
++
+If `VISIBLE_GROUP`, only users who are members of at least one group
+that is visible to the current user are visible.
++
+If `NONE`, no users other than the current user are visible.
++
+Default is `ALL`.
+
 [[addreviewer]]Section addreviewer
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
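Review bot: the closing "Default is `ALL`." in the new `accounts.visibility` entry is incomplete, because the `suggest.accounts` entry later in this file says a legacy `suggest.accounts` value applies to `accounts.visibility` when the latter is unset. An administrator reading only this section would conclude the effective policy is `ALL` when it may in fact be `SAME_GROUP`, `VISIBLE_GROUP` or `NONE`. Suggest wording along the lines of "Default is `ALL`, unless `suggest.accounts` is set to one of the legacy visibility values" with a link to that entry. Since `ALL` is documented as exposing users "even [to] anonymous users", and the commit message gives sequential account IDs as the reason for this change, it would also help to say here that the default leaves every user's dashboard reachable, so administrators who want the restriction know they must set this option.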
@@ -2012,19 +2033,20 @@
 
 [[suggest.accounts]]::
 +
-If `ALL`, all matching user accounts will be offered as
-completion suggestions when adding a reviewer to a change,
-or a user to a group.
+If `true`, visible user accounts (according to the value of
+`accounts.visibility`) will be offered as completion suggestions
+when adding a reviewer to a change, or a user to a group.
 +
-If `SAME_GROUP`, only users who are also members of a group the
-current user is a member of will be offered.
+If `false`, account suggestion is disabled.
 +
-If `VISIBLE_GROUP`, only users who are members of at least one group
-that is visible to the current user will be offered.
+Older configurations may also have one of the `accounts.visibility`
+values for this field, including `OFF` as a synonym for `NONE`. If
+`accounts.visibility` is also set, that value overrides this one;
+otherwise, this value applies to both `suggest.accounts` and
+`accounts.visibility`.
 +
-If `OFF`, no account suggestions are given.
-+
-Default is `ALL`.
+New configurations should prefer the boolean value for this field
+and an enum value for `accounts.visibility`.
 
 [[theme]] Section theme
 ~~~~~~~~~~~~~~~~~~~~~~~
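Review bot: the removed "Default is `ALL`." line at the end of the `suggest.accounts` entry has no replacement, so the new boolean form has no documented default. Please state whether suggestion is `true` or `false` when the option is unset. The legacy-value paragraph should also spell out the upgrade effect that the commit message describes: an existing `suggest.accounts = OFF` now also prevents users from accessing other users' dashboards unless `accounts.visibility` is set explicitly. "This value applies to both" implies it, but an administrator scanning for behavior changes can easily miss that. It would also be worth stating whether a legacy enum value other than `OFF` (for example `SAME_GROUP`) leaves suggestion enabled, since the text only defines the `true` and `false` cases.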