commit 68b3492fcbd98bbbc4f48d24a4c194e50767481a
author Sven Selberg <svense@axis.com> Thu Dec 17 09:43:18 2020 +0100
committer Luca Milanesio <luca.milanesio@gmail.com> Fri Feb 12 15:32:58 2021 +0000
tree 72e6b5497506e969a516e2cc07c3048b94d43281
parent fc651f4a0dfb1250c46dc901df4bdfaf595702cf

ForRef#check should permit internal users to read all refs

79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.

Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d)

java/com/google/gerrit/server/permissions/RefControl.java

diff --git a/java/com/google/gerrit/server/permissions/RefControl.java b/java/com/google/gerrit/server/permissions/RefControl.java
index 5d6910a..411a52a 100644
--- a/java/com/google/gerrit/server/permissions/RefControl.java
+++ b/java/com/google/gerrit/server/permissions/RefControl.java
@@ -608,6 +608,10 @@
     private boolean can(RefPermission perm) throws PermissionBackendException {
       switch (perm) {
         case READ:
+          /* Internal users such as plugin users should be able to read all refs. */
+          if (getUser().isInternalUser()) {
+            return true;
+          }
           if (refName.startsWith(Constants.R_TAGS)) {
             return isTagVisible();
           }

javatests/com/google/gerrit/server/permissions/RefControlTest.java

diff --git a/javatests/com/google/gerrit/server/permissions/RefControlTest.java b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
index 0f0f1c3..429621a 100644
--- a/javatests/com/google/gerrit/server/permissions/RefControlTest.java
+++ b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
@@ -48,6 +48,7 @@
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.InternalUser;
 import com.google.gerrit.server.account.CapabilityCollection;
 import com.google.gerrit.server.account.GroupMembership;
 import com.google.gerrit.server.account.ListGroupMembership;
@@ -392,6 +393,11 @@
   }
 
   @Test
+  public void userRefIsVisibleForInternalUser() throws Exception {
+    internalUser(local).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
+  }
+
+  @Test
   public void branchDelegation1() throws Exception {
     allow(local, OWNER, ADMIN, "refs/*");
     allow(local, OWNER, DEVS, "refs/heads/x/*");
@@ -1039,6 +1045,21 @@
     return repo;
   }
 
+  private ProjectControl internalUser(ProjectConfig local) throws Exception {
+    return new ProjectControl(
+        Collections.emptySet(),
+        Collections.emptySet(),
+        sectionSorter,
+        changeControlFactory,
+        permissionBackend,
+        refVisibilityControl,
+        repoManager,
+        refFilterFactory,
+        allUsersName,
+        new InternalUser(),
+        newProjectState(local));
+  }
+
   private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) {
     return user(local, null, memberOf);
   }