Fix permissions checks on Gerrit API on current user

When the current user is using GerritApi, a new user object
with the same user-id of CurrentUser gets created on-the-fly.

Even though the user accountId is the same, the user instances
are different and will fail all the REST API permissions checks.

Replace instance checks with accountId checks to allow users to
execute GerritApi on themselves without the requirement of being
Gerrit administrators.

NOTE: GerritApi are mostly used in plugins, so this change allows
other plugins to function properly.

Change-Id: Iaeb204dda3791eb2757d89fe6bce6994c6305e04
diff --git a/gerrit-gpg/src/main/java/com/google/gerrit/gpg/server/GpgKeys.java b/gerrit-gpg/src/main/java/com/google/gerrit/gpg/server/GpgKeys.java
index 819ad96..9f2acd2 100644
--- a/gerrit-gpg/src/main/java/com/google/gerrit/gpg/server/GpgKeys.java
+++ b/gerrit-gpg/src/main/java/com/google/gerrit/gpg/server/GpgKeys.java
@@ -219,7 +219,7 @@
     if (!BouncyCastleUtil.havePGP()) {
       throw new ResourceNotFoundException("GPG not enabled");
     }
-    if (self.get() != rsrc.getUser()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())) {
       throw new ResourceNotFoundException();
     }
   }
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/CurrentUser.java b/gerrit-server/src/main/java/com/google/gerrit/server/CurrentUser.java
index 029b54d..c6f10d2 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/CurrentUser.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/CurrentUser.java
@@ -158,4 +158,17 @@
   public ExternalId.Key getLastLoginExternalIdKey() {
     return get(lastLoginExternalIdPropertyKey);
   }
+
+  /**
+   * Checks if the current user has the same account id of another.
+   *
+   * <p>Provide a generic interface for allowing subclasses to define whether two accounts represent
+   * the same account id.
+   *
+   * @param other user to compare
+   * @return true if the two users have the same account id
+   */
+  public boolean hasSameAccountId(CurrentUser other) {
+    return false;
+  }
 }
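Review bot: The Javadoc on the new `hasSameAccountId` never says that this base implementation always answers false, which is the fail-closed default every rewritten permission check in this commit relies on when the caller has no account. Without that sentence a reader may take the base method for a stub rather than a deliberate denial. I would add to the Javadoc: `<p>This base implementation always returns false, so a user without an account never matches; subclasses that carry an account id override it.` The first sentence would also read better as `Checks if the current user has the same account id as another.`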
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/IdentifiedUser.java b/gerrit-server/src/main/java/com/google/gerrit/server/IdentifiedUser.java
index 2c4c61c..41b7c67 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/IdentifiedUser.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/IdentifiedUser.java
@@ -498,6 +498,11 @@
         realUser);
   }
 
+  @Override
+  public boolean hasSameAccountId(CurrentUser other) {
+    return getAccountId().get() == other.getAccountId().get();
+  }
+
   private String guessHost() {
     String host = null;
     SocketAddress remotePeer = null;
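Review bot: `other.getAccountId()` in the added override is called on an arbitrary `CurrentUser` with no check that `other` is non-null or carries an account, whereas the base-class default fails closed by returning false. What `CurrentUser.getAccountId()` does for a non-identified user is not visible in this diff, so the override may throw instead of answering false. The call sites in this commit pass `rsrc.getUser()`, which appears always to be an identified user, but the method is public and plugins may call it with anything. A guard keeps both directions consistent: `return other != null && other.isIdentifiedUser() && getAccountId().get() == other.getAccountId().get();`. The trailing context lines belong to guessHost(), whose body continues outside the hunk.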
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/AddSshKey.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/AddSshKey.java
index 8c10c73..44b632a 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AddSshKey.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AddSshKey.java
@@ -69,7 +69,8 @@
   @Override
   public Response<SshKeyInfo> apply(AccountResource rsrc, Input input)
       throws AuthException, BadRequestException, OrmException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("not allowed to add SSH keys");
     }
     return apply(rsrc.getUser(), input);
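Review bot: The rewritten condition calls `self.get()` twice, and the same two-clause predicate is now written out by hand in about two dozen endpoints in this commit (twice inside PutHttpPassword), so any later change to the identity rule must be repeated everywhere. Reading the provider once shortens each check and makes it explicit that both clauses judge the same user object: `CurrentUser caller = self.get();` followed by `if (!caller.hasSameAccountId(rsrc.getUser()) && !caller.getCapabilities().canAdministrateServer()) {`. The declaration of `self` is outside the hunk, so the local's type is assumed; apply()'s closing brace is also outside the hunk.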
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/Capabilities.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/Capabilities.java
index d35656c..e53b7d0 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/Capabilities.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/Capabilities.java
@@ -51,7 +51,8 @@
   @Override
   public Capability parse(AccountResource parent, IdString id)
       throws ResourceNotFoundException, AuthException {
-    if (self.get() != parent.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(parent.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("restricted to administrator");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
index 15dedf1..00cf4e3 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
@@ -79,7 +79,8 @@
       throws AuthException, BadRequestException, ResourceConflictException,
           ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
           IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to add email address");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
index bcbf794..79edaa7 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
@@ -60,7 +60,8 @@
   public Response<?> apply(AccountResource.Email rsrc, Input input)
       throws AuthException, ResourceNotFoundException, ResourceConflictException,
           MethodNotAllowedException, OrmException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to delete email address");
     }
     return apply(rsrc.getUser(), rsrc.getEmail());
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteExternalIds.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteExternalIds.java
index 42726dc..7ab8aaf 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteExternalIds.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteExternalIds.java
@@ -60,7 +60,7 @@
   @Override
   public Response<?> apply(AccountResource resource, List<String> externalIds)
       throws RestApiException, IOException, OrmException, ConfigInvalidException {
-    if (self.get() != resource.getUser()) {
+    if (!self.get().hasSameAccountId(resource.getUser())) {
       throw new AuthException("not allowed to delete external IDs");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteSshKey.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteSshKey.java
index 3d5d38e..abb0118 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteSshKey.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteSshKey.java
@@ -50,7 +50,8 @@
   public Response<?> apply(AccountResource.SshKey rsrc, Input input)
       throws AuthException, OrmException, RepositoryNotFoundException, IOException,
           ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("not allowed to delete SSH keys");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteWatchedProjects.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteWatchedProjects.java
index 97102a2..8cd979f 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteWatchedProjects.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteWatchedProjects.java
@@ -52,7 +52,8 @@
   public Response<?> apply(AccountResource rsrc, List<ProjectWatchInfo> input)
       throws AuthException, UnprocessableEntityException, OrmException, IOException,
           ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("It is not allowed to edit project watches of other users");
     }
     if (input == null) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
index cd3c0c8..fa36d1d 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
@@ -78,7 +78,8 @@
 
   @Override
   public Object apply(AccountResource resource) throws AuthException {
-    if (self.get() != resource.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(resource.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("restricted to administrator");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetDiffPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetDiffPreferences.java
index 0edff4f..c2f7b8f 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetDiffPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetDiffPreferences.java
@@ -57,7 +57,8 @@
   @Override
   public DiffPreferencesInfo apply(AccountResource rsrc)
       throws AuthException, ConfigInvalidException, IOException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("restricted to administrator");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
index e385020..e795f83 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
@@ -49,7 +49,8 @@
   @Override
   public EditPreferencesInfo apply(AccountResource rsrc)
       throws AuthException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("requires Modify Account capability");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
index 6ea911f..c926cff 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
@@ -49,7 +49,7 @@
   @Override
   public List<AccountExternalIdInfo> apply(AccountResource resource)
       throws RestApiException, OrmException {
-    if (self.get() != resource.getUser()) {
+    if (!self.get().hasSameAccountId(resource.getUser())) {
       throw new AuthException("not allowed to get external IDs");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetOAuthToken.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetOAuthToken.java
index 4bbb5d4..61f5b84 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetOAuthToken.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetOAuthToken.java
@@ -50,7 +50,7 @@
   @Override
   public OAuthTokenInfo apply(AccountResource rsrc)
       throws AuthException, ResourceNotFoundException {
-    if (self.get() != rsrc.getUser()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())) {
       throw new AuthException("not allowed to get access token");
     }
     Account a = rsrc.getUser().getAccount();
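Review bot: Nothing in the visible part of this commit tests the new identity rule, and this endpoint hands out an access token on the strength of that rule alone, with no capability fallback. A regression test should show that a second user object with the caller's account id is accepted and that a different account id is still refused with AuthException. The same applies to the other self-only checks in GpgKeys, DeleteExternalIds, GetExternalIds, PutAgreement, StarredChanges and Stars. A short comment above the check would also record why identity is no longer compared by reference: `// Compare by account id: GerritApi creates a new user object for the caller on the fly.` apply() continues outside the hunk.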
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
index 77cdbd4..95b115f 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
@@ -36,7 +36,8 @@
 
   @Override
   public GeneralPreferencesInfo apply(AccountResource rsrc) throws AuthException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("requires Modify Account capability");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
index 980d880..a169f6f 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
@@ -47,7 +47,8 @@
   public List<SshKeyInfo> apply(AccountResource rsrc)
       throws AuthException, OrmException, RepositoryNotFoundException, IOException,
           ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to get SSH keys");
     }
     return apply(rsrc.getUser());
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetWatchedProjects.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetWatchedProjects.java
index e0aeee0..d8580eb 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetWatchedProjects.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetWatchedProjects.java
@@ -51,7 +51,8 @@
   @Override
   public List<ProjectWatchInfo> apply(AccountResource rsrc)
       throws OrmException, AuthException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("It is not allowed to list project watches of other users");
     }
     Account.Id accountId = rsrc.getUser().getAccountId();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
index 1666c70..238241c 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
@@ -39,7 +39,8 @@
 
   @Override
   public Response<?> apply(AccountResource rsrc, Input input) throws IOException, AuthException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to index account");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PostWatchedProjects.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PostWatchedProjects.java
index 55ba912..7a4e0ec 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PostWatchedProjects.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PostWatchedProjects.java
@@ -63,7 +63,8 @@
   @Override
   public List<ProjectWatchInfo> apply(AccountResource rsrc, List<ProjectWatchInfo> input)
       throws OrmException, RestApiException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("not allowed to edit project watches");
     }
     Account.Id accountId = rsrc.getUser().getAccountId();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutAgreement.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutAgreement.java
index 423d5a1..e622575 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutAgreement.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutAgreement.java
@@ -72,7 +72,7 @@
       throw new MethodNotAllowedException("contributor agreements disabled");
     }
 
-    if (self.get() != resource.getUser()) {
+    if (!self.get().hasSameAccountId(resource.getUser())) {
       throw new AuthException("not allowed to enter contributor agreement");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
index c87779e..0174ff1 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutHttpPassword.java
@@ -77,13 +77,15 @@
 
     String newPassword;
     if (input.generate) {
-      if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())
+          && !self.get().getCapabilities().canAdministrateServer()) {
         throw new AuthException("not allowed to generate HTTP password");
       }
       newPassword = generate();
 
     } else if (input.httpPassword == null) {
-      if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())
+          && !self.get().getCapabilities().canAdministrateServer()) {
         throw new AuthException("not allowed to clear HTTP password");
       }
       newPassword = null;
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
index 443a549..a00e2ad 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
@@ -61,7 +61,8 @@
   public Response<String> apply(AccountResource rsrc, Input input)
       throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
           IOException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to change name");
     }
     return apply(rsrc.getUser(), input);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
index ec60fb3..d86a312 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
@@ -50,7 +50,8 @@
   @Override
   public Response<String> apply(AccountResource.Email rsrc, Input input)
       throws AuthException, ResourceNotFoundException, OrmException, IOException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to set preferred email address");
     }
     return apply(rsrc.getUser(), rsrc.getEmail());
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
index ff541fd..c16d8da 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
@@ -58,7 +58,8 @@
   @Override
   public Response<String> apply(AccountResource rsrc, Input input)
       throws AuthException, ResourceNotFoundException, OrmException, IOException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("not allowed to set status");
     }
     return apply(rsrc.getUser(), input);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutUsername.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutUsername.java
index e3a3c12..21b1720 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutUsername.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutUsername.java
@@ -59,7 +59,8 @@
   public String apply(AccountResource rsrc, Input input)
       throws AuthException, MethodNotAllowedException, UnprocessableEntityException,
           ResourceConflictException, OrmException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canAdministrateServer()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canAdministrateServer()) {
       throw new AuthException("not allowed to set username");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
index ac0cc96..c72ff02 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
@@ -59,7 +59,8 @@
   public DiffPreferencesInfo apply(AccountResource rsrc, DiffPreferencesInfo in)
       throws AuthException, BadRequestException, ConfigInvalidException,
           RepositoryNotFoundException, IOException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("requires Modify Account capability");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
index ca981b8..e2a2912 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
@@ -59,7 +59,8 @@
   public EditPreferencesInfo apply(AccountResource rsrc, EditPreferencesInfo in)
       throws AuthException, BadRequestException, RepositoryNotFoundException, IOException,
           ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("requires Modify Account capability");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
index 91672f7..d2164f6 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
@@ -75,7 +75,8 @@
   @Override
   public GeneralPreferencesInfo apply(AccountResource rsrc, GeneralPreferencesInfo i)
       throws AuthException, BadRequestException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new AuthException("requires Modify Account capability");
     }
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
index 6336e08..4f00e1a 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
@@ -56,7 +56,8 @@
   @Override
   public AccountResource.SshKey parse(AccountResource rsrc, IdString id)
       throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (!self.get().hasSameAccountId(rsrc.getUser())
+        && !self.get().getCapabilities().canModifyAccount()) {
       throw new ResourceNotFoundException();
     }
     return parse(rsrc.getUser(), id);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/StarredChanges.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/StarredChanges.java
index 995aaa5..868d378 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/StarredChanges.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/StarredChanges.java
@@ -130,7 +130,7 @@
     @Override
     public Response<?> apply(AccountResource rsrc, EmptyInput in)
         throws AuthException, OrmException, IOException {
-      if (self.get() != rsrc.getUser()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())) {
         throw new AuthException("not allowed to add starred change");
       }
       try {
@@ -159,7 +159,7 @@
     @Override
     public Response<?> apply(AccountResource.StarredChange rsrc, EmptyInput in)
         throws AuthException {
-      if (self.get() != rsrc.getUser()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())) {
         throw new AuthException("not allowed update starred changes");
       }
       return Response.none();
@@ -180,7 +180,7 @@
     @Override
     public Response<?> apply(AccountResource.StarredChange rsrc, EmptyInput in)
         throws AuthException, OrmException, IOException {
-      if (self.get() != rsrc.getUser()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())) {
         throw new AuthException("not allowed remove starred change");
       }
       starredChangesUtil.star(
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/Stars.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/Stars.java
index 52c6cdf..cf43a21 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/Stars.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/Stars.java
@@ -97,7 +97,7 @@
     @SuppressWarnings("unchecked")
     public List<ChangeInfo> apply(AccountResource rsrc)
         throws BadRequestException, AuthException, OrmException {
-      if (self.get() != rsrc.getUser()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())) {
         throw new AuthException("not allowed to list stars of another account");
       }
       QueryChanges query = changes.list();
@@ -119,7 +119,7 @@
 
     @Override
     public SortedSet<String> apply(AccountResource.Star rsrc) throws AuthException, OrmException {
-      if (self.get() != rsrc.getUser()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())) {
         throw new AuthException("not allowed to get stars of another account");
       }
       return starredChangesUtil.getLabels(self.get().getAccountId(), rsrc.getChange().getId());
@@ -140,7 +140,7 @@
     @Override
     public Collection<String> apply(AccountResource.Star rsrc, StarsInput in)
         throws AuthException, BadRequestException, OrmException {
-      if (self.get() != rsrc.getUser()) {
+      if (!self.get().hasSameAccountId(rsrc.getUser())) {
         throw new AuthException("not allowed to update stars of another account");
       }
       try {