ProjectControl: Use VisibleRefFilter for commit visibility
Even if all refs are visible, we still need to do the normal
reachability check in case commits have been rolled back out of one of
the visible branches. This fixes a potential security flaw that would
have allowed users to read commits that administrators had
intentionally obliterated.
We cannot simply remove the check for READ on refs/* because the
reachability check previously in canReadCommit was insufficient. In
particular, it only checked whether a commit was reachable from a
branch or tag. We already have sophisticated logic for determining the
set of visible commits: VisibleRefFilter.
Unfortunately this introduces some ugliness, as we have to pass in
ReviewDbs at various call sites, and set up more in-memory state for
the tests.
Change-Id: Idd2867fe5abfeed0e431e2b2c16acb1d4bff40b9
10 files changed
