Merge "Add tests for notify_details"
diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/accounts/AccountIT.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/accounts/AccountIT.java
index 89585c3..d465334 100644
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/accounts/AccountIT.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/accounts/AccountIT.java
@@ -511,7 +511,7 @@
// user cannot delete email of admin
exception.expect(AuthException.class);
- exception.expectMessage("not allowed to delete email address");
+ exception.expectMessage("modify account not permitted");
gApi.accounts().id(admin.id.get()).deleteEmail(admin.email);
}
@@ -896,7 +896,7 @@
// user cannot reindex any account
exception.expect(AuthException.class);
- exception.expectMessage("not allowed to index account");
+ exception.expectMessage("modify account not permitted");
gApi.accounts().id(admin.username).index();
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
index f678379..791b2e2 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
@@ -87,26 +87,11 @@
return canEmailReviewers;
}
- /** @return true if the user can modify an account for another user. */
- public boolean canModifyAccount() {
- return canPerform(GlobalCapability.MODIFY_ACCOUNT) || canAdministrateServer();
- }
-
/** @return true if the user can view all accounts. */
public boolean canViewAllAccounts() {
return canPerform(GlobalCapability.VIEW_ALL_ACCOUNTS) || canAdministrateServer();
}
- /** @return true if the user can perform basic server maintenance. */
- public boolean canMaintainServer() {
- return canPerform(GlobalCapability.MAINTAIN_SERVER) || canAdministrateServer();
- }
-
- /** @return true if the user can view the entire queue. */
- public boolean canViewQueue() {
- return canPerform(GlobalCapability.VIEW_QUEUE) || canMaintainServer();
- }
-
/** @return true if the user can access the database (with gsql). */
public boolean canAccessDatabase() {
try {
@@ -238,24 +223,23 @@
return canAdministrateServer();
case EMAIL_REVIEWERS:
return canEmailReviewers();
- case MAINTAIN_SERVER:
- return canMaintainServer();
- case MODIFY_ACCOUNT:
- return canModifyAccount();
case VIEW_ALL_ACCOUNTS:
return canViewAllAccounts();
- case VIEW_QUEUE:
- return canViewQueue();
case FLUSH_CACHES:
case KILL_TASK:
case RUN_GC:
case VIEW_CACHES:
- return canPerform(perm.permissionName()) || canMaintainServer();
+ case VIEW_QUEUE:
+ return canPerform(perm.permissionName())
+ || canPerform(GlobalCapability.MAINTAIN_SERVER)
+ || canAdministrateServer();
case CREATE_ACCOUNT:
case CREATE_GROUP:
case CREATE_PROJECT:
+ case MAINTAIN_SERVER:
+ case MODIFY_ACCOUNT:
case STREAM_EVENTS:
case VIEW_CONNECTIONS:
case VIEW_PLUGINS:
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
index b1a5d3b..4af7162 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
@@ -32,6 +32,9 @@
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.mail.send.OutgoingEmailValidator;
import com.google.gerrit.server.mail.send.RegisterNewEmailSender;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -50,6 +53,7 @@
private final Provider<CurrentUser> self;
private final Realm realm;
+ private final PermissionBackend permissionBackend;
private final AccountManager accountManager;
private final RegisterNewEmailSender.Factory registerNewEmailFactory;
private final PutPreferred putPreferred;
@@ -60,6 +64,7 @@
CreateEmail(
Provider<CurrentUser> self,
Realm realm,
+ PermissionBackend permissionBackend,
AuthConfig authConfig,
AccountManager accountManager,
RegisterNewEmailSender.Factory registerNewEmailFactory,
@@ -67,6 +72,7 @@
@Assisted String email) {
this.self = self;
this.realm = realm;
+ this.permissionBackend = permissionBackend;
this.accountManager = accountManager;
this.registerNewEmailFactory = registerNewEmailFactory;
this.putPreferred = putPreferred;
@@ -78,9 +84,9 @@
public Response<EmailInfo> apply(AccountResource rsrc, EmailInput input)
throws AuthException, BadRequestException, ResourceConflictException,
ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
- IOException, ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to add email address");
+ IOException, ConfigInvalidException, PermissionBackendException {
+ if (self.get() != rsrc.getUser() || input.noConfirmation) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
if (input == null) {
@@ -91,10 +97,6 @@
throw new BadRequestException("invalid email address");
}
- if (input.noConfirmation && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to use no_confirmation");
- }
-
if (!realm.allowsEdit(AccountFieldName.REGISTER_NEW_EMAIL)) {
throw new MethodNotAllowedException("realm does not allow adding emails");
}
@@ -105,7 +107,7 @@
public Response<EmailInfo> apply(IdentifiedUser user, EmailInput input)
throws AuthException, BadRequestException, ResourceConflictException,
ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
- IOException, ConfigInvalidException {
+ IOException, ConfigInvalidException, PermissionBackendException {
if (input.email != null && !email.equals(input.email)) {
throw new BadRequestException("email address must match URL");
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
index bfdf06c..b4e2bdb 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
@@ -29,6 +29,9 @@
import com.google.gerrit.server.account.DeleteEmail.Input;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.account.externalids.ExternalIds;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -43,6 +46,7 @@
private final Provider<CurrentUser> self;
private final Realm realm;
+ private final PermissionBackend permissionBackend;
private final Provider<ReviewDb> dbProvider;
private final AccountManager accountManager;
private final ExternalIds externalIds;
@@ -51,11 +55,13 @@
DeleteEmail(
Provider<CurrentUser> self,
Realm realm,
+ PermissionBackend permissionBackend,
Provider<ReviewDb> dbProvider,
AccountManager accountManager,
ExternalIds externalIds) {
this.self = self;
this.realm = realm;
+ this.permissionBackend = permissionBackend;
this.dbProvider = dbProvider;
this.accountManager = accountManager;
this.externalIds = externalIds;
@@ -64,9 +70,10 @@
@Override
public Response<?> apply(AccountResource.Email rsrc, Input input)
throws AuthException, ResourceNotFoundException, ResourceConflictException,
- MethodNotAllowedException, OrmException, IOException, ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to delete email address");
+ MethodNotAllowedException, OrmException, IOException, ConfigInvalidException,
+ PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), rsrc.getEmail());
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
index e385020..bb207f0 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
@@ -24,6 +24,9 @@
import com.google.gerrit.server.config.AllUsersName;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.git.UserConfigSections;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -35,22 +38,27 @@
@Singleton
public class GetEditPreferences implements RestReadView<AccountResource> {
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
private final AllUsersName allUsersName;
private final GitRepositoryManager gitMgr;
@Inject
GetEditPreferences(
- Provider<CurrentUser> self, AllUsersName allUsersName, GitRepositoryManager gitMgr) {
+ Provider<CurrentUser> self,
+ PermissionBackend permissionBackend,
+ AllUsersName allUsersName,
+ GitRepositoryManager gitMgr) {
this.self = self;
+ this.permissionBackend = permissionBackend;
this.allUsersName = allUsersName;
this.gitMgr = gitMgr;
}
@Override
public EditPreferencesInfo apply(AccountResource rsrc)
- throws AuthException, IOException, ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("requires Modify Account capability");
+ throws AuthException, IOException, ConfigInvalidException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return readFromGit(rsrc.getUser().getAccountId(), gitMgr, allUsersName, null);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
index 77cdbd4..3ebf864 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
@@ -19,6 +19,9 @@
import com.google.gerrit.extensions.restapi.RestReadView;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -26,18 +29,22 @@
@Singleton
public class GetPreferences implements RestReadView<AccountResource> {
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
private final AccountCache accountCache;
@Inject
- GetPreferences(Provider<CurrentUser> self, AccountCache accountCache) {
+ GetPreferences(
+ Provider<CurrentUser> self, PermissionBackend permissionBackend, AccountCache accountCache) {
this.self = self;
+ this.permissionBackend = permissionBackend;
this.accountCache = accountCache;
}
@Override
- public GeneralPreferencesInfo apply(AccountResource rsrc) throws AuthException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("requires Modify Account capability");
+ public GeneralPreferencesInfo apply(AccountResource rsrc)
+ throws AuthException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
Account.Id id = rsrc.getUser().getAccountId();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
index 980d880..9f5b9d5 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
@@ -22,6 +22,9 @@
import com.google.gerrit.reviewdb.client.AccountSshKey;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -35,20 +38,25 @@
public class GetSshKeys implements RestReadView<AccountResource> {
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
private final VersionedAuthorizedKeys.Accessor authorizedKeys;
@Inject
- GetSshKeys(Provider<CurrentUser> self, VersionedAuthorizedKeys.Accessor authorizedKeys) {
+ GetSshKeys(
+ Provider<CurrentUser> self,
+ PermissionBackend permissionBackend,
+ VersionedAuthorizedKeys.Accessor authorizedKeys) {
this.self = self;
+ this.permissionBackend = permissionBackend;
this.authorizedKeys = authorizedKeys;
}
@Override
public List<SshKeyInfo> apply(AccountResource rsrc)
throws AuthException, OrmException, RepositoryNotFoundException, IOException,
- ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to get SSH keys");
+ ConfigInvalidException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser());
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
index 6943dca..ecc6b8c 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
@@ -19,6 +19,9 @@
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.account.Index.Input;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -29,18 +32,22 @@
public static class Input {}
private final AccountCache accountCache;
+ private final PermissionBackend permissionBackend;
private final Provider<CurrentUser> self;
@Inject
- Index(AccountCache accountCache, Provider<CurrentUser> self) {
+ Index(
+ AccountCache accountCache, PermissionBackend permissionBackend, Provider<CurrentUser> self) {
this.accountCache = accountCache;
+ this.permissionBackend = permissionBackend;
this.self = self;
}
@Override
- public Response<?> apply(AccountResource rsrc, Input input) throws IOException, AuthException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to index account");
+ public Response<?> apply(AccountResource rsrc, Input input)
+ throws IOException, AuthException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
// evicting the account from the cache, reindexes the account
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
index 443a549..7a2868e 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
@@ -27,6 +27,9 @@
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.PutName.Input;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.AtomicUpdate;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -42,6 +45,7 @@
private final Provider<CurrentUser> self;
private final Realm realm;
+ private final PermissionBackend permissionBackend;
private final Provider<ReviewDb> dbProvider;
private final AccountCache byIdCache;
@@ -49,10 +53,12 @@
PutName(
Provider<CurrentUser> self,
Realm realm,
+ PermissionBackend permissionBackend,
Provider<ReviewDb> dbProvider,
AccountCache byIdCache) {
this.self = self;
this.realm = realm;
+ this.permissionBackend = permissionBackend;
this.dbProvider = dbProvider;
this.byIdCache = byIdCache;
}
@@ -60,9 +66,9 @@
@Override
public Response<String> apply(AccountResource rsrc, Input input)
throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
- IOException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to change name");
+ IOException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), input);
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
index fb87e1e..4941cc8 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
@@ -23,6 +23,9 @@
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.PutPreferred.Input;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.AtomicUpdate;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -37,20 +40,27 @@
private final Provider<CurrentUser> self;
private final Provider<ReviewDb> dbProvider;
+ private final PermissionBackend permissionBackend;
private final AccountCache byIdCache;
@Inject
- PutPreferred(Provider<CurrentUser> self, Provider<ReviewDb> dbProvider, AccountCache byIdCache) {
+ PutPreferred(
+ Provider<CurrentUser> self,
+ Provider<ReviewDb> dbProvider,
+ PermissionBackend permissionBackend,
+ AccountCache byIdCache) {
this.self = self;
this.dbProvider = dbProvider;
+ this.permissionBackend = permissionBackend;
this.byIdCache = byIdCache;
}
@Override
public Response<String> apply(AccountResource.Email rsrc, Input input)
- throws AuthException, ResourceNotFoundException, OrmException, IOException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to set preferred email address");
+ throws AuthException, ResourceNotFoundException, OrmException, IOException,
+ PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), rsrc.getEmail());
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
index ff541fd..73a720b 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
@@ -25,6 +25,9 @@
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.PutStatus.Input;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.AtomicUpdate;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -46,20 +49,27 @@
private final Provider<CurrentUser> self;
private final Provider<ReviewDb> dbProvider;
+ private final PermissionBackend permissionBackend;
private final AccountCache byIdCache;
@Inject
- PutStatus(Provider<CurrentUser> self, Provider<ReviewDb> dbProvider, AccountCache byIdCache) {
+ PutStatus(
+ Provider<CurrentUser> self,
+ Provider<ReviewDb> dbProvider,
+ PermissionBackend permissionBackend,
+ AccountCache byIdCache) {
this.self = self;
this.dbProvider = dbProvider;
+ this.permissionBackend = permissionBackend;
this.byIdCache = byIdCache;
}
@Override
public Response<String> apply(AccountResource rsrc, Input input)
- throws AuthException, ResourceNotFoundException, OrmException, IOException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to set status");
+ throws AuthException, ResourceNotFoundException, OrmException, IOException,
+ PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), input);
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
index ac0cc96..88e9e20 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
@@ -29,6 +29,9 @@
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.git.MetaDataUpdate;
import com.google.gerrit.server.git.UserConfigSections;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -41,6 +44,7 @@
private final Provider<CurrentUser> self;
private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
private final AllUsersName allUsersName;
+ private final PermissionBackend permissionBackend;
private final GitRepositoryManager gitMgr;
@Inject
@@ -48,19 +52,21 @@
Provider<CurrentUser> self,
Provider<MetaDataUpdate.User> metaDataUpdateFactory,
AllUsersName allUsersName,
+ PermissionBackend permissionBackend,
GitRepositoryManager gitMgr) {
this.self = self;
this.metaDataUpdateFactory = metaDataUpdateFactory;
this.allUsersName = allUsersName;
+ this.permissionBackend = permissionBackend;
this.gitMgr = gitMgr;
}
@Override
public DiffPreferencesInfo apply(AccountResource rsrc, DiffPreferencesInfo in)
throws AuthException, BadRequestException, ConfigInvalidException,
- RepositoryNotFoundException, IOException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("requires Modify Account capability");
+ RepositoryNotFoundException, IOException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
if (in == null) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
index ca981b8..53285db 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
@@ -28,6 +28,9 @@
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.git.MetaDataUpdate;
import com.google.gerrit.server.git.UserConfigSections;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -40,6 +43,7 @@
private final Provider<CurrentUser> self;
private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
+ private final PermissionBackend permissionBackend;
private final GitRepositoryManager gitMgr;
private final AllUsersName allUsersName;
@@ -47,10 +51,12 @@
SetEditPreferences(
Provider<CurrentUser> self,
Provider<MetaDataUpdate.User> metaDataUpdateFactory,
+ PermissionBackend permissionBackend,
GitRepositoryManager gitMgr,
AllUsersName allUsersName) {
this.self = self;
this.metaDataUpdateFactory = metaDataUpdateFactory;
+ this.permissionBackend = permissionBackend;
this.gitMgr = gitMgr;
this.allUsersName = allUsersName;
}
@@ -58,9 +64,9 @@
@Override
public EditPreferencesInfo apply(AccountResource rsrc, EditPreferencesInfo in)
throws AuthException, BadRequestException, RepositoryNotFoundException, IOException,
- ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("requires Modify Account capability");
+ ConfigInvalidException, PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
if (in == null) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
index 91672f7..c033d9d 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
@@ -36,6 +36,9 @@
import com.google.gerrit.server.config.AllUsersName;
import com.google.gerrit.server.git.MetaDataUpdate;
import com.google.gerrit.server.git.UserConfigSections;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -51,6 +54,7 @@
public class SetPreferences implements RestModifyView<AccountResource, GeneralPreferencesInfo> {
private final Provider<CurrentUser> self;
private final AccountCache cache;
+ private final PermissionBackend permissionBackend;
private final GeneralPreferencesLoader loader;
private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
private final AllUsersName allUsersName;
@@ -60,6 +64,7 @@
SetPreferences(
Provider<CurrentUser> self,
AccountCache cache,
+ PermissionBackend permissionBackend,
GeneralPreferencesLoader loader,
Provider<MetaDataUpdate.User> metaDataUpdateFactory,
AllUsersName allUsersName,
@@ -67,6 +72,7 @@
this.self = self;
this.loader = loader;
this.cache = cache;
+ this.permissionBackend = permissionBackend;
this.metaDataUpdateFactory = metaDataUpdateFactory;
this.allUsersName = allUsersName;
this.downloadSchemes = downloadSchemes;
@@ -74,9 +80,10 @@
@Override
public GeneralPreferencesInfo apply(AccountResource rsrc, GeneralPreferencesInfo i)
- throws AuthException, BadRequestException, IOException, ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("requires Modify Account capability");
+ throws AuthException, BadRequestException, IOException, ConfigInvalidException,
+ PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
checkDownloadScheme(i.downloadScheme);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
index 6336e08..70c02a1 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
@@ -15,6 +15,7 @@
package com.google.gerrit.server.account;
import com.google.gerrit.extensions.registration.DynamicMap;
+import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.ChildCollection;
import com.google.gerrit.extensions.restapi.IdString;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
@@ -22,6 +23,9 @@
import com.google.gerrit.reviewdb.client.AccountSshKey;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -34,6 +38,7 @@
private final DynamicMap<RestView<AccountResource.SshKey>> views;
private final GetSshKeys list;
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
private final VersionedAuthorizedKeys.Accessor authorizedKeys;
@Inject
@@ -41,10 +46,12 @@
DynamicMap<RestView<AccountResource.SshKey>> views,
GetSshKeys list,
Provider<CurrentUser> self,
+ PermissionBackend permissionBackend,
VersionedAuthorizedKeys.Accessor authorizedKeys) {
this.views = views;
this.list = list;
this.self = self;
+ this.permissionBackend = permissionBackend;
this.authorizedKeys = authorizedKeys;
}
@@ -55,9 +62,15 @@
@Override
public AccountResource.SshKey parse(AccountResource rsrc, IdString id)
- throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException {
- if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
- throw new ResourceNotFoundException();
+ throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException,
+ PermissionBackendException {
+ if (self.get() != rsrc.getUser()) {
+ try {
+ permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
+ } catch (AuthException e) {
+ // If lacking MODIFY_ACCOUNT claim the resource does not exist.
+ throw new ResourceNotFoundException();
+ }
}
return parse(rsrc.getUser(), id);
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java b/gerrit-server/src/main/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
index 23c6537..dc5ea4c 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
@@ -71,6 +71,7 @@
import com.google.gerrit.server.account.Stars;
import com.google.gerrit.server.change.ChangeResource;
import com.google.gerrit.server.change.ChangesCollection;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
@@ -234,14 +235,18 @@
@Override
public GeneralPreferencesInfo getPreferences() throws RestApiException {
- return getPreferences.apply(account);
+ try {
+ return getPreferences.apply(account);
+ } catch (PermissionBackendException e) {
+ throw new RestApiException("Cannot get preferences", e);
+ }
}
@Override
public GeneralPreferencesInfo setPreferences(GeneralPreferencesInfo in) throws RestApiException {
try {
return setPreferences.apply(account, in);
- } catch (IOException | ConfigInvalidException e) {
+ } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot set preferences", e);
}
}
@@ -259,7 +264,7 @@
public DiffPreferencesInfo setDiffPreferences(DiffPreferencesInfo in) throws RestApiException {
try {
return setDiffPreferences.apply(account, in);
- } catch (IOException | ConfigInvalidException e) {
+ } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot set diff preferences", e);
}
}
@@ -268,7 +273,7 @@
public EditPreferencesInfo getEditPreferences() throws RestApiException {
try {
return getEditPreferences.apply(account);
- } catch (IOException | ConfigInvalidException e) {
+ } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot query edit preferences", e);
}
}
@@ -277,7 +282,7 @@
public EditPreferencesInfo setEditPreferences(EditPreferencesInfo in) throws RestApiException {
try {
return setEditPreferences.apply(account, in);
- } catch (IOException | ConfigInvalidException e) {
+ } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot set edit preferences", e);
}
}
@@ -372,7 +377,11 @@
AccountResource.Email rsrc = new AccountResource.Email(account.getUser(), input.email);
try {
createEmailFactory.create(input.email).apply(rsrc, input);
- } catch (EmailException | OrmException | IOException | ConfigInvalidException e) {
+ } catch (EmailException
+ | OrmException
+ | IOException
+ | ConfigInvalidException
+ | PermissionBackendException e) {
throw new RestApiException("Cannot add email", e);
}
}
@@ -382,7 +391,7 @@
AccountResource.Email rsrc = new AccountResource.Email(account.getUser(), email);
try {
deleteEmail.apply(rsrc, null);
- } catch (OrmException | IOException | ConfigInvalidException e) {
+ } catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot delete email", e);
}
}
@@ -392,7 +401,7 @@
PutStatus.Input in = new PutStatus.Input(status);
try {
putStatus.apply(account, in);
- } catch (OrmException | IOException e) {
+ } catch (OrmException | IOException | PermissionBackendException e) {
throw new RestApiException("Cannot set status", e);
}
}
@@ -401,7 +410,7 @@
public List<SshKeyInfo> listSshKeys() throws RestApiException {
try {
return getSshKeys.apply(account);
- } catch (OrmException | IOException | ConfigInvalidException e) {
+ } catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot list SSH keys", e);
}
}
@@ -423,7 +432,7 @@
AccountResource.SshKey sshKeyRes =
sshKeys.parse(account, IdString.fromDecoded(Integer.toString(seq)));
deleteSshKey.apply(sshKeyRes, null);
- } catch (OrmException | IOException | ConfigInvalidException e) {
+ } catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
throw new RestApiException("Cannot delete SSH key", e);
}
}
@@ -476,7 +485,7 @@
public void index() throws RestApiException {
try {
index.apply(account, new Index.Input());
- } catch (IOException e) {
+ } catch (IOException | PermissionBackendException e) {
throw new RestApiException("Cannot index account", e);
}
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/api/changes/ChangeApiImpl.java b/gerrit-server/src/main/java/com/google/gerrit/server/api/changes/ChangeApiImpl.java
index d534c5a..cee2403 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/api/changes/ChangeApiImpl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/api/changes/ChangeApiImpl.java
@@ -572,7 +572,7 @@
public ChangeInfo check(FixInput fix) throws RestApiException {
try {
return check.apply(change, fix).value();
- } catch (OrmException e) {
+ } catch (OrmException | PermissionBackendException e) {
throw new RestApiException("Cannot check change", e);
}
}
@@ -581,7 +581,7 @@
public void index() throws RestApiException {
try {
index.apply(change, new Index.Input());
- } catch (IOException | OrmException e) {
+ } catch (IOException | OrmException | PermissionBackendException e) {
throw new RestApiException("Cannot index change", e);
}
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/change/Check.java b/gerrit-server/src/main/java/com/google/gerrit/server/change/Check.java
index 3b67930..5f6923e 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/change/Check.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/change/Check.java
@@ -17,21 +17,29 @@
import com.google.gerrit.extensions.api.changes.FixInput;
import com.google.gerrit.extensions.client.ListChangesOption;
import com.google.gerrit.extensions.common.ChangeInfo;
-import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.RestReadView;
+import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ChangeControl;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
+import com.google.inject.Provider;
public class Check
implements RestReadView<ChangeResource>, RestModifyView<ChangeResource, FixInput> {
+ private final PermissionBackend permissionBackend;
+ private final Provider<CurrentUser> user;
private final ChangeJson.Factory jsonFactory;
@Inject
- Check(ChangeJson.Factory json) {
+ Check(PermissionBackend permissionBackend, Provider<CurrentUser> user, ChangeJson.Factory json) {
+ this.permissionBackend = permissionBackend;
+ this.user = user;
this.jsonFactory = json;
}
@@ -42,12 +50,10 @@
@Override
public Response<ChangeInfo> apply(ChangeResource rsrc, FixInput input)
- throws RestApiException, OrmException {
+ throws RestApiException, OrmException, PermissionBackendException {
ChangeControl ctl = rsrc.getControl();
- if (!ctl.isOwner()
- && !ctl.getProjectControl().isOwner()
- && !ctl.getUser().getCapabilities().canMaintainServer()) {
- throw new AuthException("Cannot fix change");
+ if (!ctl.isOwner() && !ctl.getProjectControl().isOwner()) {
+ permissionBackend.user(user).check(GlobalPermission.MAINTAIN_SERVER);
}
return Response.withMustRevalidate(newChangeJson().fix(input).format(rsrc));
}
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/change/Index.java b/gerrit-server/src/main/java/com/google/gerrit/server/change/Index.java
index 9257445..ab92281 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/change/Index.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/change/Index.java
@@ -18,8 +18,12 @@
import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.reviewdb.server.ReviewDb;
+import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.change.Index.Input;
import com.google.gerrit.server.index.change.ChangeIndexer;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ChangeControl;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -32,20 +36,28 @@
public static class Input {}
private final Provider<ReviewDb> db;
+ private final PermissionBackend permissionBackend;
+ private final Provider<CurrentUser> user;
private final ChangeIndexer indexer;
@Inject
- Index(Provider<ReviewDb> db, ChangeIndexer indexer) {
+ Index(
+ Provider<ReviewDb> db,
+ PermissionBackend permissionBackend,
+ Provider<CurrentUser> user,
+ ChangeIndexer indexer) {
this.db = db;
+ this.permissionBackend = permissionBackend;
+ this.user = user;
this.indexer = indexer;
}
@Override
public Response<?> apply(ChangeResource rsrc, Input input)
- throws IOException, AuthException, OrmException {
+ throws IOException, AuthException, OrmException, PermissionBackendException {
ChangeControl ctl = rsrc.getControl();
- if (!ctl.isOwner() && !ctl.getUser().getCapabilities().canMaintainServer()) {
- throw new AuthException("Only change owner or server maintainer can reindex");
+ if (!ctl.isOwner()) {
+ permissionBackend.user(user).check(GlobalPermission.MAINTAIN_SERVER);
}
indexer.index(db.get(), rsrc.getChange());
return Response.none();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/FlushCache.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/FlushCache.java
index 5e19091..366dae1 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/FlushCache.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/FlushCache.java
@@ -23,6 +23,9 @@
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.FlushCache.Input;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -34,17 +37,20 @@
public static final String WEB_SESSIONS = "web_sessions";
+ private final PermissionBackend permissionBackend;
private final Provider<CurrentUser> self;
@Inject
- public FlushCache(Provider<CurrentUser> self) {
+ public FlushCache(PermissionBackend permissionBackend, Provider<CurrentUser> self) {
+ this.permissionBackend = permissionBackend;
this.self = self;
}
@Override
- public Response<String> apply(CacheResource rsrc, Input input) throws AuthException {
- if (WEB_SESSIONS.equals(rsrc.getName()) && !self.get().getCapabilities().canMaintainServer()) {
- throw new AuthException(String.format("only site maintainers can flush %s", WEB_SESSIONS));
+ public Response<String> apply(CacheResource rsrc, Input input)
+ throws AuthException, PermissionBackendException {
+ if (WEB_SESSIONS.equals(rsrc.getName())) {
+ permissionBackend.user(self).check(GlobalPermission.MAINTAIN_SERVER);
}
rsrc.getCache().invalidateAll();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/ListTasks.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/ListTasks.java
index 7e9bd71..be2edfd 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/ListTasks.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/ListTasks.java
@@ -19,11 +19,13 @@
import com.google.gerrit.extensions.restapi.RestReadView;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.CurrentUser;
-import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.git.TaskInfoFactory;
import com.google.gerrit.server.git.WorkQueue;
import com.google.gerrit.server.git.WorkQueue.ProjectTask;
import com.google.gerrit.server.git.WorkQueue.Task;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.project.ProjectState;
import com.google.gerrit.server.util.IdGenerator;
@@ -41,30 +43,40 @@
@Singleton
public class ListTasks implements RestReadView<ConfigResource> {
+ private final PermissionBackend permissionBackend;
private final WorkQueue workQueue;
private final ProjectCache projectCache;
- private final Provider<IdentifiedUser> self;
+ private final Provider<CurrentUser> self;
@Inject
- public ListTasks(WorkQueue workQueue, ProjectCache projectCache, Provider<IdentifiedUser> self) {
+ public ListTasks(
+ PermissionBackend permissionBackend,
+ WorkQueue workQueue,
+ ProjectCache projectCache,
+ Provider<CurrentUser> self) {
+ this.permissionBackend = permissionBackend;
this.workQueue = workQueue;
this.projectCache = projectCache;
this.self = self;
}
@Override
- public List<TaskInfo> apply(ConfigResource resource) throws AuthException {
+ public List<TaskInfo> apply(ConfigResource resource)
+ throws AuthException, PermissionBackendException {
CurrentUser user = self.get();
if (!user.isIdentifiedUser()) {
throw new AuthException("Authentication required");
}
List<TaskInfo> allTasks = getTasks();
- if (user.getCapabilities().canViewQueue()) {
+ try {
+ permissionBackend.user(user).check(GlobalPermission.VIEW_QUEUE);
return allTasks;
+ } catch (AuthException e) {
+ // Fall through to filter tasks.
}
- Map<String, Boolean> visibilityCache = new HashMap<>();
+ Map<String, Boolean> visibilityCache = new HashMap<>();
List<TaskInfo> visibleTasks = new ArrayList<>();
for (TaskInfo task : allTasks) {
if (task.projectName != null) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/PostCaches.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/PostCaches.java
index 3cfa2b9..d08f0a9 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/PostCaches.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/PostCaches.java
@@ -26,6 +26,7 @@
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
import com.google.gerrit.server.config.PostCaches.Input;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.ArrayList;
@@ -66,7 +67,8 @@
@Override
public Response<String> apply(ConfigResource rsrc, Input input)
- throws AuthException, BadRequestException, UnprocessableEntityException {
+ throws AuthException, BadRequestException, UnprocessableEntityException,
+ PermissionBackendException {
if (input == null || input.operation == null) {
throw new BadRequestException("operation must be specified");
}
@@ -90,7 +92,7 @@
}
}
- private void flushAll() throws AuthException {
+ private void flushAll() throws AuthException, PermissionBackendException {
for (DynamicMap.Entry<Cache<?, ?>> e : cacheMap) {
CacheResource cacheResource =
new CacheResource(e.getPluginName(), e.getExportName(), e.getProvider());
@@ -101,7 +103,8 @@
}
}
- private void flush(List<String> cacheNames) throws UnprocessableEntityException, AuthException {
+ private void flush(List<String> cacheNames)
+ throws UnprocessableEntityException, AuthException, PermissionBackendException {
List<CacheResource> cacheResources = new ArrayList<>(cacheNames.size());
for (String n : cacheNames) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/TasksCollection.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/TasksCollection.java
index b239856..b33b1c5 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/TasksCollection.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/TasksCollection.java
@@ -21,10 +21,12 @@
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestView;
import com.google.gerrit.server.CurrentUser;
-import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.git.WorkQueue;
import com.google.gerrit.server.git.WorkQueue.ProjectTask;
import com.google.gerrit.server.git.WorkQueue.Task;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.project.ProjectState;
import com.google.inject.Inject;
@@ -36,7 +38,8 @@
private final DynamicMap<RestView<TaskResource>> views;
private final ListTasks list;
private final WorkQueue workQueue;
- private final Provider<IdentifiedUser> self;
+ private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
private final ProjectCache projectCache;
@Inject
@@ -44,12 +47,14 @@
DynamicMap<RestView<TaskResource>> views,
ListTasks list,
WorkQueue workQueue,
- Provider<IdentifiedUser> self,
+ Provider<CurrentUser> self,
+ PermissionBackend permissionBackend,
ProjectCache projectCache) {
this.views = views;
this.list = list;
this.workQueue = workQueue;
this.self = self;
+ this.permissionBackend = permissionBackend;
this.projectCache = projectCache;
}
@@ -60,30 +65,37 @@
@Override
public TaskResource parse(ConfigResource parent, IdString id)
- throws ResourceNotFoundException, AuthException {
+ throws ResourceNotFoundException, AuthException, PermissionBackendException {
CurrentUser user = self.get();
if (!user.isIdentifiedUser()) {
throw new AuthException("Authentication required");
}
+ int taskId;
try {
- int taskId = (int) Long.parseLong(id.get(), 16);
- Task<?> task = workQueue.getTask(taskId);
- if (task != null) {
- if (self.get().getCapabilities().canViewQueue()) {
- return new TaskResource(task);
- } else if (task instanceof ProjectTask) {
- ProjectTask<?> projectTask = ((ProjectTask<?>) task);
- ProjectState e = projectCache.get(projectTask.getProjectNameKey());
- if (e != null && e.controlFor(user).isVisible()) {
- return new TaskResource(task);
- }
- }
- }
- throw new ResourceNotFoundException(id);
+ taskId = (int) Long.parseLong(id.get(), 16);
} catch (NumberFormatException e) {
throw new ResourceNotFoundException(id);
}
+
+ Task<?> task = workQueue.getTask(taskId);
+ if (task != null) {
+ try {
+ permissionBackend.user(user).check(GlobalPermission.VIEW_QUEUE);
+ return new TaskResource(task);
+ } catch (AuthException e) {
+ // Fall through and try filtering.
+ }
+
+ if (task instanceof ProjectTask) {
+ ProjectTask<?> projectTask = ((ProjectTask<?>) task);
+ ProjectState e = projectCache.get(projectTask.getProjectNameKey());
+ if (e != null && e.controlFor(user).isVisible()) {
+ return new TaskResource(task);
+ }
+ }
+ }
+ throw new ResourceNotFoundException(id);
}
@Override
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/update/RepoContext.java b/gerrit-server/src/main/java/com/google/gerrit/server/update/RepoContext.java
index e635da9..9faf628 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/update/RepoContext.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/update/RepoContext.java
@@ -14,12 +14,11 @@
package com.google.gerrit.server.update;
+import java.io.IOException;
import org.eclipse.jgit.lib.ObjectId;
import org.eclipse.jgit.lib.ObjectInserter;
import org.eclipse.jgit.transport.ReceiveCommand;
-import java.io.IOException;
-
/** Context for performing the {@link BatchUpdateOp#updateRepo} phase. */
public interface RepoContext extends Context {
/**
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/ChangeArgumentParser.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/ChangeArgumentParser.java
index 4488c71..e64ab0e 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/ChangeArgumentParser.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/ChangeArgumentParser.java
@@ -16,6 +16,7 @@
import static java.util.stream.Collectors.toList;
+import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.reviewdb.client.Change;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.reviewdb.server.ReviewDb;
@@ -24,6 +25,9 @@
import com.google.gerrit.server.change.ChangeResource;
import com.google.gerrit.server.change.ChangesCollection;
import com.google.gerrit.server.notedb.ChangeNotes;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ChangeControl;
import com.google.gerrit.server.project.NoSuchChangeException;
import com.google.gerrit.server.project.ProjectControl;
@@ -43,6 +47,7 @@
private final ReviewDb db;
private final ChangeNotes.Factory changeNotesFactory;
private final ChangeControl.GenericFactory changeControlFactory;
+ private final PermissionBackend permissionBackend;
@Inject
ChangeArgumentParser(
@@ -51,13 +56,15 @@
ChangeFinder changeFinder,
ReviewDb db,
ChangeNotes.Factory changeNotesFactory,
- ChangeControl.GenericFactory changeControlFactory) {
+ ChangeControl.GenericFactory changeControlFactory,
+ PermissionBackend permissionBackend) {
this.currentUser = currentUser;
this.changesCollection = changesCollection;
this.changeFinder = changeFinder;
this.db = db;
this.changeNotesFactory = changeNotesFactory;
this.changeControlFactory = changeControlFactory;
+ this.permissionBackend = permissionBackend;
}
public void addChange(String id, Map<Change.Id, ChangeResource> changes)
@@ -80,9 +87,13 @@
List<ChangeControl> matched =
useIndex ? changeFinder.find(id, currentUser) : changeFromNotesFactory(id, currentUser);
List<ChangeControl> toAdd = new ArrayList<>(changes.size());
- boolean canMaintainServer =
- currentUser.isIdentifiedUser()
- && currentUser.asIdentifiedUser().getCapabilities().canMaintainServer();
+ boolean canMaintainServer;
+ try {
+ permissionBackend.user(currentUser).check(GlobalPermission.MAINTAIN_SERVER);
+ canMaintainServer = true;
+ } catch (AuthException | PermissionBackendException e) {
+ canMaintainServer = false;
+ }
for (ChangeControl ctl : matched) {
if (!changes.containsKey(ctl.getId())
&& inProject(projectControl, ctl.getProject())
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/FlushCaches.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/FlushCaches.java
index 21bfe9b..392fd29 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/FlushCaches.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/FlushCaches.java
@@ -26,6 +26,7 @@
import com.google.gerrit.server.config.ListCaches;
import com.google.gerrit.server.config.ListCaches.OutputFormat;
import com.google.gerrit.server.config.PostCaches;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.CommandMetaData;
import com.google.gerrit.sshd.SshCommand;
import com.google.inject.Inject;
@@ -81,6 +82,8 @@
}
} catch (RestApiException e) {
throw die(e.getMessage());
+ } catch (PermissionBackendException e) {
+ throw new Failure(1, "unavailable", e);
}
}
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/IndexChangesCommand.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/IndexChangesCommand.java
index fc65cf3..0ee1c28 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/IndexChangesCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/IndexChangesCommand.java
@@ -18,6 +18,7 @@
import com.google.gerrit.reviewdb.client.Change;
import com.google.gerrit.server.change.ChangeResource;
import com.google.gerrit.server.change.Index;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.ChangeArgumentParser;
import com.google.gerrit.sshd.CommandMetaData;
import com.google.gerrit.sshd.SshCommand;
@@ -57,7 +58,7 @@
for (ChangeResource rsrc : changes.values()) {
try {
index.apply(rsrc, new Index.Input());
- } catch (IOException | RestApiException | OrmException e) {
+ } catch (IOException | RestApiException | OrmException | PermissionBackendException e) {
ok = false;
writeError(
"error", String.format("failed to index change %s: %s", rsrc.getId(), e.getMessage()));
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/KillCommand.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/KillCommand.java
index 4ebc568..3465a9c 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/KillCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/KillCommand.java
@@ -25,6 +25,7 @@
import com.google.gerrit.server.config.DeleteTask;
import com.google.gerrit.server.config.TaskResource;
import com.google.gerrit.server.config.TasksCollection;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.AdminHighPriorityCommand;
import com.google.gerrit.sshd.SshCommand;
import com.google.inject.Inject;
@@ -50,7 +51,7 @@
try {
TaskResource taskRsrc = tasksCollection.parse(cfgRsrc, IdString.fromDecoded(id));
deleteTask.apply(taskRsrc, null);
- } catch (AuthException | ResourceNotFoundException e) {
+ } catch (AuthException | ResourceNotFoundException | PermissionBackendException e) {
stderr.print("kill: " + id + ": No such task\n");
}
}
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
index 21591dd..bfa1a81 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
@@ -42,6 +42,7 @@
import com.google.gerrit.server.account.PutHttpPassword;
import com.google.gerrit.server.account.PutName;
import com.google.gerrit.server.account.PutPreferred;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.CommandMetaData;
import com.google.gerrit.sshd.SshCommand;
import com.google.gwtorm.server.OrmException;
@@ -174,7 +175,8 @@
}
private void setAccount()
- throws OrmException, IOException, UnloggedFailure, ConfigInvalidException {
+ throws OrmException, IOException, UnloggedFailure, ConfigInvalidException,
+ PermissionBackendException {
user = genericUserFactory.create(id);
rsrc = new AccountResource(user);
try {
@@ -237,7 +239,7 @@
private void deleteSshKeys(List<String> sshKeys)
throws RestApiException, OrmException, RepositoryNotFoundException, IOException,
- ConfigInvalidException {
+ ConfigInvalidException, PermissionBackendException {
List<SshKeyInfo> infos = getSshKeys.apply(rsrc);
if (sshKeys.contains("ALL")) {
for (SshKeyInfo i : infos) {
@@ -263,7 +265,8 @@
}
private void addEmail(String email)
- throws UnloggedFailure, RestApiException, OrmException, IOException, ConfigInvalidException {
+ throws UnloggedFailure, RestApiException, OrmException, IOException, ConfigInvalidException,
+ PermissionBackendException {
EmailInput in = new EmailInput();
in.email = email;
in.noConfirmation = true;
@@ -275,7 +278,8 @@
}
private void deleteEmail(String email)
- throws RestApiException, OrmException, IOException, ConfigInvalidException {
+ throws RestApiException, OrmException, IOException, ConfigInvalidException,
+ PermissionBackendException {
if (email.equals("ALL")) {
List<EmailInfo> emails = getEmails.apply(rsrc);
for (EmailInfo e : emails) {
@@ -286,7 +290,8 @@
}
}
- private void putPreferred(String email) throws RestApiException, OrmException, IOException {
+ private void putPreferred(String email)
+ throws RestApiException, OrmException, IOException, PermissionBackendException {
for (EmailInfo e : getEmails.apply(rsrc)) {
if (e.email.equals(email)) {
putPreferred.apply(new AccountResource.Email(user, email), null);
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowCaches.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowCaches.java
index e16f270..1ed7db3 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowCaches.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowCaches.java
@@ -23,6 +23,7 @@
import com.google.gerrit.common.Version;
import com.google.gerrit.extensions.annotations.RequiresAnyCapability;
import com.google.gerrit.extensions.events.LifecycleListener;
+import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.ConfigResource;
import com.google.gerrit.server.config.GetSummary;
@@ -34,6 +35,9 @@
import com.google.gerrit.server.config.ListCaches;
import com.google.gerrit.server.config.ListCaches.CacheInfo;
import com.google.gerrit.server.config.ListCaches.CacheType;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.CommandMetaData;
import com.google.gerrit.sshd.SshCommand;
import com.google.gerrit.sshd.SshDaemon;
@@ -80,12 +84,10 @@
private boolean showThreads;
@Inject private SshDaemon daemon;
-
@Inject private ListCaches listCaches;
-
@Inject private GetSummary getSummary;
-
@Inject private CurrentUser self;
+ @Inject private PermissionBackend permissionBackend;
@Option(
name = "--width",
@@ -168,7 +170,15 @@
printDiskCaches(caches);
stdout.print('\n');
- if (self.getCapabilities().canMaintainServer()) {
+ boolean showJvm;
+ try {
+ permissionBackend.user(self).check(GlobalPermission.MAINTAIN_SERVER);
+ showJvm = true;
+ } catch (AuthException | PermissionBackendException e) {
+ // Silently ignore and do not display detailed JVM information.
+ showJvm = false;
+ }
+ if (showJvm) {
sshSummary();
SummaryInfo summary = getSummary.setGc(gc).setJvm(showJVM).apply(new ConfigResource());
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowQueue.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowQueue.java
index 13db697..dfb9c9c 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowQueue.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowQueue.java
@@ -27,6 +27,9 @@
import com.google.gerrit.server.config.ListTasks.TaskInfo;
import com.google.gerrit.server.git.WorkQueue;
import com.google.gerrit.server.git.WorkQueue.Task;
+import com.google.gerrit.server.permissions.GlobalPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.sshd.AdminHighPriorityCommand;
import com.google.gerrit.sshd.CommandMetaData;
import com.google.gerrit.sshd.SshCommand;
@@ -60,10 +63,9 @@
)
private boolean groupByQueue;
+ @Inject private PermissionBackend permissionBackend;
@Inject private ListTasks listTasks;
-
@Inject private IdentifiedUser currentUser;
-
@Inject private WorkQueue workQueue;
private int columns = 80;
@@ -83,7 +85,7 @@
}
@Override
- protected void run() throws UnloggedFailure {
+ protected void run() throws Failure {
maxCommandWidth = wide ? Integer.MAX_VALUE : columns - 8 - 12 - 12 - 4 - 4;
stdout.print(
String.format(
@@ -97,10 +99,12 @@
tasks = listTasks.apply(new ConfigResource());
} catch (AuthException e) {
throw die(e);
+ } catch (PermissionBackendException e) {
+ throw new Failure(1, "permission backend unavailable", e);
}
- boolean viewAll = currentUser.getCapabilities().canViewQueue();
- long now = TimeUtil.nowMs();
+ boolean viewAll = permissionBackend.user(currentUser).testOrFalse(GlobalPermission.VIEW_QUEUE);
+ long now = TimeUtil.nowMs();
if (groupByQueue) {
ListMultimap<String, TaskInfo> byQueue = byQueue(tasks);
for (String queueName : byQueue.keySet()) {
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js
index e2f63c6..95fa2a7 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface.js
@@ -666,6 +666,58 @@
return this.send('POST', url, review, opt_errFn, opt_ctx);
},
+ getFileInChangeEdit: function(changeNum, path) {
+ return this.send('GET',
+ this.getChangeActionURL(changeNum, null,
+ '/edit/' + encodeURIComponent(path)
+ ));
+ },
+
+ rebaseChangeEdit: function(changeNum) {
+ return this.send('POST',
+ this.getChangeActionURL(changeNum, null,
+ '/edit:rebase'
+ ));
+ },
+
+ deleteChangeEdit: function(changeNum) {
+ return this.send('DELETE',
+ this.getChangeActionURL(changeNum, null,
+ '/edit'
+ ));
+ },
+
+ restoreFileInChangeEdit: function(changeNum, restore_path) {
+ return this.send('POST',
+ this.getChangeActionURL(changeNum, null, '/edit'),
+ {restore_path: restore_path}
+ );
+ },
+
+ renameFileInChangeEdit: function(changeNum, old_path, new_path) {
+ return this.send('POST',
+ this.getChangeActionURL(changeNum, null, '/edit'),
+ {old_path: old_path},
+ {new_path: new_path}
+ );
+ },
+
+ deleteFileInChangeEdit: function(changeNum, path) {
+ return this.send('DELETE',
+ this.getChangeActionURL(changeNum, null,
+ '/edit/' + encodeURIComponent(path)
+ ));
+ },
+
+ saveChangeEdit: function(changeNum, path, contents) {
+ return this.send('PUT',
+ this.getChangeActionURL(changeNum, null,
+ '/edit/' + encodeURIComponent(path)
+ ),
+ contents
+ );
+ },
+
saveChangeCommitMessageEdit: function(changeNum, message) {
var url = this.getChangeActionURL(changeNum, null, '/edit:message');
return this.send('PUT', url, {message: message});
diff --git a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html
index 31a98d9..0ff162d 100644
--- a/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html
+++ b/polygerrit-ui/app/elements/shared/gr-rest-api-interface/gr-rest-api-interface_test.html
@@ -595,5 +595,25 @@
});
});
});
+
+ test('saveChangeEdit', function(done) {
+ var change_num = '1';
+ var file_name = 'index.php';
+ var file_contents = '<?php';
+ sandbox.stub(element, 'send').returns(
+ Promise.resolve([change_num, file_name, file_contents])
+ );
+ sandbox.stub(element, 'getResponseObject')
+ .returns(Promise.resolve([change_num, file_name, file_contents]));
+ element._cache['/changes/' + change_num + '/edit/' + file_name] = {};
+ element.saveChangeEdit(change_num, file_name, file_contents).then(
+ function() {
+ assert.isTrue(element.send.calledWith('PUT',
+ '/changes/' + change_num + '/edit/' + file_name,
+ file_contents));
+ done();
+ }
+ );
+ });
});
</script>
