Don't return single change ref if skipMetadata is set
skipMetadata indicates that all meta refs should be omitted. This is
more of a performance option than a security option, but for the sake of
completeness, this commit also omits single change ref evaluation in
case the option is provided.
Change-Id: I8bfb80fc727b8abf928d1c6ac1fd715149bfbe3a
diff --git a/java/com/google/gerrit/server/permissions/DefaultRefFilter.java b/java/com/google/gerrit/server/permissions/DefaultRefFilter.java
index c588bdf..c189f33 100644
--- a/java/com/google/gerrit/server/permissions/DefaultRefFilter.java
+++ b/java/com/google/gerrit/server/permissions/DefaultRefFilter.java
@@ -133,6 +133,9 @@
// See if we can get away with a single, cheap ref evaluation.
if (refs.size() == 1) {
String refName = Iterables.getOnlyElement(refs.values()).getName();
+ if (opts.filterMeta() && isMetadata(refName)) {
+ return ImmutableMap.of();
+ }
if (RefNames.isRefsChanges(refName)) {
return canSeeSingleChangeRef(refName) ? refs : ImmutableMap.of();
}
