Allow users with Modify Account to get other users' preferences
Change the required capability permission to get another
user's preferences from 'Administrator' to 'Modify Account'.
Bug: Issue 3766
Change-Id: I61738a48020bd82bfed950b91ba1e4ff43d10647
diff --git a/Documentation/rest-api-accounts.txt b/Documentation/rest-api-accounts.txt
index db3218e..ac4d9a0 100644
--- a/Documentation/rest-api-accounts.txt
+++ b/Documentation/rest-api-accounts.txt
@@ -1083,6 +1083,14 @@
As result the account preferences of the user are returned as a
link:#preferences-info[PreferencesInfo] entity.
+Users may only retrieve the preferences for their own account,
+unless they are an
+link:access-control.html#administrators[Administrator] or a member
+of a group that is granted the
+link:access-control.html#capability_modifyAccount[ModifyAccount]
+capability, in which case they can retrieve the preferences for
+any account.
+
.Response
----
HTTP/1.1 200 OK
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
index de67c09..facc2ec 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
@@ -89,8 +89,8 @@
throws AuthException, ResourceNotFoundException, OrmException,
IOException, ConfigInvalidException {
if (self.get() != rsrc.getUser()
- && !self.get().getCapabilities().canAdministrateServer()) {
- throw new AuthException("restricted to administrator");
+ && !self.get().getCapabilities().canModifyAccount()) {
+ throw new AuthException("requires Modify Account capability");
}
Account.Id accountId = rsrc.getUser().getAccountId();
