ForRef#check should permit internal users to read all refs
79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.
Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d)
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
index 2ba5e0f..1f40262 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
@@ -589,6 +589,10 @@
private boolean can(RefPermission perm) throws PermissionBackendException {
switch (perm) {
case READ:
+ /* Internal users such as plugin users should be able to read all refs. */
+ if (getUser().isInternalUser()) {
+ return true;
+ }
if (refName.startsWith(Constants.R_TAGS)) {
return isTagVisible();
}
diff --git a/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java b/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java
index 364013f..8baf52e 100644
--- a/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java
+++ b/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java
@@ -47,6 +47,7 @@
import com.google.gerrit.rules.PrologEnvironment;
import com.google.gerrit.rules.RulesCache;
import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.InternalUser;
import com.google.gerrit.server.account.CapabilityCollection;
import com.google.gerrit.server.account.GroupMembership;
import com.google.gerrit.server.account.ListGroupMembership;
@@ -399,6 +400,11 @@
}
@Test
+ public void userRefIsVisibleForInternalUser() throws Exception {
+ internalUser(local).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
+ }
+
+ @Test
public void branchDelegation1() {
allow(local, OWNER, ADMIN, "refs/*");
allow(local, OWNER, DEVS, "refs/heads/x/*");
@@ -917,6 +923,22 @@
return repo;
}
+ private ProjectControl internalUser(ProjectConfig local) throws Exception {
+ return new ProjectControl(
+ Collections.<AccountGroup.UUID>emptySet(),
+ Collections.<AccountGroup.UUID>emptySet(),
+ sectionSorter,
+ null, // commitsCollection
+ changeControlFactory,
+ permissionBackend,
+ refVisibilityControl,
+ gitRepositoryManager,
+ visibleRefFilterFactory,
+ allUsersName,
+ new InternalUser(),
+ newProjectState(local));
+ }
+
private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) {
return user(local, null, memberOf);
}
