commit b0b35d8d62d4cadc98cc8e19d9011861258684ad
author David Ostrovsky <david.ostrovsky@gmail.com> Sat Feb 13 07:43:20 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Sat Feb 13 07:43:20 2021 +0000
tree 69524a305643bb2489a384e3e72ba6cce253609f
parent 086b2604214166b4c70ac67e657020aa83aa575c
parent 5526b9376965ea490604409526f989eae873bca3

Merge "ForRef#check should permit internal users to read all refs" into stable-3.0

java/com/google/gerrit/server/permissions/RefControl.java

diff --git a/java/com/google/gerrit/server/permissions/RefControl.java b/java/com/google/gerrit/server/permissions/RefControl.java
index 650c8ba..10ded3c 100644
--- a/java/com/google/gerrit/server/permissions/RefControl.java
+++ b/java/com/google/gerrit/server/permissions/RefControl.java
@@ -603,6 +603,10 @@
     private boolean can(RefPermission perm) throws PermissionBackendException {
       switch (perm) {
         case READ:
+          /* Internal users such as plugin users should be able to read all refs. */
+          if (getUser().isInternalUser()) {
+            return true;
+          }
           if (refName.startsWith(Constants.R_TAGS)) {
             return isTagVisible();
           }

javatests/com/google/gerrit/server/permissions/RefControlTest.java

diff --git a/javatests/com/google/gerrit/server/permissions/RefControlTest.java b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
index 04b84b6..14fa01c 100644
--- a/javatests/com/google/gerrit/server/permissions/RefControlTest.java
+++ b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
@@ -47,6 +47,7 @@
 import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.InternalUser;
 import com.google.gerrit.server.account.CapabilityCollection;
 import com.google.gerrit.server.account.GroupMembership;
 import com.google.gerrit.server.account.ListGroupMembership;
@@ -368,6 +369,11 @@
   }
 
   @Test
+  public void userRefIsVisibleForInternalUser() throws Exception {
+    internalUser(local).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
+  }
+
+  @Test
   public void branchDelegation1() throws Exception {
     allow(local, OWNER, ADMIN, "refs/*");
     allow(local, OWNER, DEVS, "refs/heads/x/*");
@@ -1013,6 +1019,21 @@
     return repo;
   }
 
+  private ProjectControl internalUser(ProjectConfig local) throws Exception {
+    return new ProjectControl(
+        Collections.emptySet(),
+        Collections.emptySet(),
+        sectionSorter,
+        changeControlFactory,
+        permissionBackend,
+        refVisibilityControl,
+        repoManager,
+        refFilterFactory,
+        allUsersName,
+        new InternalUser(),
+        newProjectState(local));
+  }
+
   private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) {
     return user(local, null, memberOf);
   }