Google Git
Sign in
gerrit / gerrit / 8b53adb4fb7402b7d75acce4c08b0b83c9215803
commit8b53adb4fb7402b7d75acce4c08b0b83c9215803[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Mon Apr 15 13:35:17 2024 +0000
committerEdwin Kempin <ekempin@google.com>Tue Apr 16 09:06:39 2024 +0000
treed68875bf14bef58bf23bfb39c5df94672e9ffb05
parent71aba5b8c18dd505b4d907f8018f5a04e65f9377 [diff]
"Get removable reviewers": Avoid unneccessary permission checks

The "Get removable reviewers" step that is executed when formatting a
change as JSON may do unnecessary permission checks.

"Get removable reviewers" does the following permission checks:

1. Check whether the current user has the "Remove Reviewer" permission
2. If not, for each approval on the change do:
2a. Check if the approval can be removed without permission
2b. If not check whether the current user is a project owner (can write
config) or whether the current user is an administrator.
2c. If not check again whether the current user has the "Remove Reviewer"
permission

The following permission checks are unnecessary:

* If the current user does not have the "Remove Reviewer" permission and
  an approval cannot be removed without permission, it is checked
  whether the current user is a project owner or an admin. Instead of
  checking this once per approval, checking it once per change should be
  sufficient.

* If the current user does not have the "Remove Reviewer" permission and
  is neither a project owner nor an administrator and an approval cannot
  be removed without permission, the "Remove Reviewer" permission is
  checked once again.

This change fixes this by doing all the permission checks (check whether
the current user has the "Remove Reviewer" permission and checking
whether they are project owner or administrator) before the loop that
iterates over the approvals and then do only the
canRemoveReviewerWithoutPermissionCheck inside of the loop.

Repeatedly checking the same permissions should be cheap since the
result is expected to be cached during the request, but it can't harm to
avoid unnecessary permission checks.

It also improves the code readabilty, especially since a comment claimed
that unnecessary permission checks are avoided, but then they were not.

Release-Notes: skip
Bug: Google b/335095952
Change-Id: I5db7a6a3d9e16a19010c7e03860c455b0c3cef60
Signed-off-by: Edwin Kempin <ekempin@google.com>
2 files changed
tree: d68875bf14bef58bf23bfb39c5df94672e9ffb05
  1. .settings/
  2. .ts-out/
  3. antlr3/
  4. contrib/
  5. Documentation/
  6. e2e-tests/
  7. java/
  8. javatests/
  9. lib/
  10. modules/
  11. plugins/
  12. polygerrit-ui/
  13. prolog/
  14. prologtests/
  15. proto/
  16. resources/
  17. tools/
  18. webapp/
  19. polymer-bridges
  20. .bazelignore
  21. .bazelproject
  22. .bazelrc
  23. .bazelversion
  24. .editorconfig
  25. .git-blame-ignore-revs
  26. .gitignore
  27. .gitmodules
  28. .gitreview
  29. .pydevproject
  30. .zuul.yaml
  31. BUILD
  32. COPYING
  33. INSTALL
  34. Jenkinsfile
  35. MODULE.bazel
  36. package.json
  37. README.md
  38. SUBMITTING_PATCHES
  39. version.bzl
  40. web-dev-server.config.mjs
  41. WORKSPACE
  42. yarn.lock
README.md

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.

Build Status Maven Central

Objective

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.

Documentation

For information about how to install and use Gerrit, refer to the documentation.

Source

Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.

Contribute

Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The Developer Mailing list is repo-discuss on Google Groups.

License

Gerrit is provided under the Apache License 2.0.

Build

Install Bazel and run the following:

    git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instruction how to configure GerritForge/BinTray repositories is here

On Debian/Ubuntu run:

    apt-get update && apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 8 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8

To run a Ubuntu 20.04 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20

NOTE: release is optional. Last released package of the version is installed if the release number is omitted.