| commit | 7e4b43c9c66e162587dfaaf714fb3753f0b38cd1 | [log] [tgz] |
|---|---|---|
| author | Edwin Kempin <ekempin@google.com> | Wed Feb 15 17:19:45 2023 +0100 |
| committer | Edwin Kempin <ekempin@google.com> | Mon Feb 20 12:36:47 2023 +0100 |
| tree | 5af3d56758211aed7e4eeb249226b918ad0ce194 | |
| parent | 7e5c52a588e9106e00c422c3f6d995a265fbb3c9 [diff] |
Skip account visibility checks when querying changes
On the change screen users can see who participates in the change (the
change owner, reviewers, CCs etc.). The names of the participating users
are linkified and clicking on them leads to a dashboard with all changes
that are owned by this user. Due to Gerrit's account visibility setting
it can happen that the accounts of some of these users are not visible.
In this case clicking on the user link results in an error that is
unintelligible and confuses users (the error message is: "An error
occurred Error 400: Account [REDACTED_EMAIL_ADDRESS]' not found").
To solve this problem we skip the account visibility check when querying
changes (except if the user is referenced by a secondary email, see
reasoning below). This way clicking on a participating user on the
change screen will work even if their account is not visible.
Skipping the account visibility check when querying changes of
participating users is okay because:
* It doesn't reveal the existence of any account:
The calling user already knows that this account exists since they can
see it as a participating user on the change.
* The change query only returns changes that are visible to the calling
user: The calling user could have found the same changes by other
means (e.g. iterate over all changes that are visible to them and then
check which of these changes have the participating user as the change
owner).
Skipping the account visibility check for change queries in general is
okay because:
* Users can confirm the existence of non-visible accounts that
participated on any visible change by other means: The calling user
can iterate over all changes that are visible to them and collect all
users that participate in them.
To avoid that users can probe whether an account exists, we will no
longer return an error if an account doesn't exist, but instead we
return an empty query result. Otherwise users could deduce from the
response whether an arbitrary account exists (error -> account doesn't
exist, empty result -> account exists but didn't take part in any
visible changes).
Secondary emails are usually not visible to other users (e.g. to avoid
exposing dead names) and can only be seen by the user themselves, admin
users and special privileged users that have the Modify Account
capability assigned to them.
Secondary emails of participating users are not visible on the change
screen. In other words if a non-visible account takes part in a change,
all their account properties are visible to the users that can see the
change, except their secondary emails.
To avoid that users can probe for secondary emails by doing a change
query (e.g. by doing a 'owner:<secondary-email>' query) we still check
whether the calling user has permission to see secondary emails when the
given user identifier is resolved to a secondary email and return an
empty result if not (we can't return an error as this would reveal to
the calling user that this email exists).
Skipping the account visibility check for change queries affects several
search predicates:
* owner / uploader / label + user / reviewer / attention / commentby:
- Account visibility is not checked and matching changes are returned
if they are visible.
- For non-visible accounts that didn't participate in visible changes
and non-existing accounts an empty result is returned. Note that
the reviewer predicate already returned an empty result in this case
(if the specified account doesn't exist or is not visible the
reviewer predicate falls back to searching with the
reviewerByEmailPredicate which is for matching reviewers by email
that have no account). This means with this change we are making the
behaviour of these predicates consistent again.
The following predicates which are also based on users still check
account visibility:
* visibleto:
Account visibility is still checked. Whether a change is visible to an
account cannot be seen on the change. This means users that can see
the change, don't know about other accounts that can see the change.
Skipping the account visibility check for this predicate could reveal
the existence of non-visible accounts even if they didn't participate
in any visible changes (if the query returns results users can deduce
that the account exists).
* destination / query:
Account visibility is still checked. These predicates read a resource
of the account (a destination/query) that determines which changes
should be matched. Accessing this resource should only be allowed if
the account is visible, even if the account participated in any
visible changes as these resources are not exposed via the visible
changes.
Release-Notes: Account visibility is no longer checked when querying changes
Signed-off-by: Edwin Kempin <ekempin@google.com>
Bug: Google b/254824035
Change-Id: I022c6a13cd8df9284f526c9262a417cc757578dc
Signed-off-by: Edwin Kempin <ekempin@google.com>
Gerrit is a code review and project management tool for Git based projects.
Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.
Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.
For information about how to install and use Gerrit, refer to the documentation.
Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.
Please report bugs on the issue tracker.
Gerrit is the work of hundreds of contributors. We appreciate your help!
Please read the contribution guidelines.
Note that we do not accept Pull Requests via the Github mirror.
The Developer Mailing list is repo-discuss on Google Groups.
Gerrit is provided under the Apache License 2.0.
Install Bazel and run the following:
git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
cd gerrit && bazel build release
The instruction how to configure GerritForge/BinTray repositories is here
On Debian/Ubuntu run:
apt-get update && apt-get install gerrit=<version>-<release>
NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.
On CentOS/RedHat run:
yum clean all && yum install gerrit-<version>[-<release>]
On Fedora run:
dnf clean all && dnf install gerrit-<version>[-<release>]
Docker images of Gerrit are available on DockerHub
To run a CentOS 8 based Gerrit image:
docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8
To run a Ubuntu 20.04 based Gerrit image:
docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20
NOTE: release is optional. Last released package of the version is installed if the release number is omitted.