commit | 8b53adb4fb7402b7d75acce4c08b0b83c9215803 | [log] [tgz] |
---|---|---|
author | Edwin Kempin <ekempin@google.com> | Mon Apr 15 13:35:17 2024 +0000 |
committer | Edwin Kempin <ekempin@google.com> | Tue Apr 16 09:06:39 2024 +0000 |
tree | d68875bf14bef58bf23bfb39c5df94672e9ffb05 | |
parent | 71aba5b8c18dd505b4d907f8018f5a04e65f9377 [diff] |
"Get removable reviewers": Avoid unneccessary permission checks The "Get removable reviewers" step that is executed when formatting a change as JSON may do unnecessary permission checks. "Get removable reviewers" does the following permission checks: 1. Check whether the current user has the "Remove Reviewer" permission 2. If not, for each approval on the change do: 2a. Check if the approval can be removed without permission 2b. If not check whether the current user is a project owner (can write config) or whether the current user is an administrator. 2c. If not check again whether the current user has the "Remove Reviewer" permission The following permission checks are unnecessary: * If the current user does not have the "Remove Reviewer" permission and an approval cannot be removed without permission, it is checked whether the current user is a project owner or an admin. Instead of checking this once per approval, checking it once per change should be sufficient. * If the current user does not have the "Remove Reviewer" permission and is neither a project owner nor an administrator and an approval cannot be removed without permission, the "Remove Reviewer" permission is checked once again. This change fixes this by doing all the permission checks (check whether the current user has the "Remove Reviewer" permission and checking whether they are project owner or administrator) before the loop that iterates over the approvals and then do only the canRemoveReviewerWithoutPermissionCheck inside of the loop. Repeatedly checking the same permissions should be cheap since the result is expected to be cached during the request, but it can't harm to avoid unnecessary permission checks. It also improves the code readabilty, especially since a comment claimed that unnecessary permission checks are avoided, but then they were not. Release-Notes: skip Bug: Google b/335095952 Change-Id: I5db7a6a3d9e16a19010c7e03860c455b0c3cef60 Signed-off-by: Edwin Kempin <ekempin@google.com>
Gerrit is a code review and project management tool for Git based projects.
Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.
Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.
For information about how to install and use Gerrit, refer to the documentation.
Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.
Please report bugs on the issue tracker.
Gerrit is the work of hundreds of contributors. We appreciate your help!
Please read the contribution guidelines.
Note that we do not accept Pull Requests via the Github mirror.
The Developer Mailing list is repo-discuss on Google Groups.
Gerrit is provided under the Apache License 2.0.
Install Bazel and run the following:
git clone --recurse-submodules https://gerrit.googlesource.com/gerrit cd gerrit && bazel build release
The instruction how to configure GerritForge/BinTray repositories is here
On Debian/Ubuntu run:
apt-get update && apt-get install gerrit=<version>-<release>
NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.
On CentOS/RedHat run:
yum clean all && yum install gerrit-<version>[-<release>]
On Fedora run:
dnf clean all && dnf install gerrit-<version>[-<release>]
Docker images of Gerrit are available on DockerHub
To run a CentOS 8 based Gerrit image:
docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8
To run a Ubuntu 20.04 based Gerrit image:
docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20
NOTE: release is optional. Last released package of the version is installed if the release number is omitted.