Google Git
Sign in
gerrit / gerrit / 8367b862f36529a487f12f9c0b45e94e38d0a9b8
commit8367b862f36529a487f12f9c0b45e94e38d0a9b8[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Wed Feb 01 15:05:35 2023 +0100
committerEdwin Kempin <ekempin@google.com>Thu Feb 02 12:21:52 2023 +0100
treebd0cdf864cc1c91ab8fc2d926ddf3a9debdcd9c0
parent7110c26ed1387fbe1ec1aee608811ecb34fc2355 [diff]
AccountResolver: Fix account visibility checking

The ByFullName and ByDefaultSearch searchers have an
allowSkippingVisibilityCheck option that controls whether the visibility
check for the returned results can be skipped. This option has been
added in change I5dd345826 based on a misunderstanding of why these
searchers hard-coded true as the return value for the
callerMayAssumeCandidatesAreVisible() method. When adding the
allowSkippingVisibilityCheck option it was assumed that these searchers
skip the visibility check because they return true from the
callerMayAssumeCandidatesAreVisible() and hence to enforce a visibility
check we would need a new option to make this method return false.

In fact both searches already did an account visibility check and now
account visibility is checked twice if allowSkippingVisibilityCheck is
false:

1. Once the account visibility is checked when executing the account
   query in the tryParse/search method by using enforceVisibility(true)
   on InternalAccountQuery that is used to do the account query.

2. Once the account visibility is checked in the searchImpl method when
   searcher.callerMayAssumeCandidatesAreVisible() returns false.

The account visibility check at 1. is done for the current user while
the account visibility check at 2. is done for the user on whom's behalf
the accounts should be resolved (this is either the current user if the
resolve method is used, or the provided user if the resolveAsUser method
is used).

This means the check done at 1. is wrong when the resolveAsUser method
is used to resolve accounts on behalf of a user that is not the current
user.

To fix this we remove the usage of enforceVisibility(true) which always
checks the visibility for the current user and instead we always perform
the visibility check through 2. For this we remove the overrides of the
callerMayAssumeCandidatesAreVisible() for these searches so that the
default implementation of this method is used that always return false.

Doing this requires converting the ByFullName searcher into a
StringSearcher:

* old behaviour:
  tryParse was querying visible accounts by fullname and disregarded the
  result if there was not exactly one match. When searching, the search
  method simply returned that one match without any further check.

* new behaviour:
  When searching, the account index is queried by fullname without
  checking visibility and all results are returned. The visibility check
  is performed afterwards in searchImpl due to
  callerMayAssumeCandidatesAreVisible returning false now. In contrast
  to the old behaviour it may happen now that we find multiple visible
  accounts with the same full name. This is OK, since callers decide
  after retrieving the result if they require a unique match (see
  AccountResolver.Result#asUnique()) or if they are fine with multiple
  matches (see AccountResolver.Result#asList()). It might have actually
  been a bug with the old behaviour that finding mutliple accounts with
  the same full name did not work even when the caller was fine with
  getting mutltiple results.

Since the allowSkippingVisibilityCheck option is removed and
callerMayAssumeCandidatesAreVisible() always returns false for these
searchers now, we can remove the forcedVisibilitySearchers list of
searchers and the forceVisibilityCheck flag from the resolveAsUser
method, which simplifies AccountResolver.

Alternatively we considered dropping the visibility check at 2. (always
return true from callerMayAssumeCandidatesAreVisible()) and fix the
visibility checks at 1. to take the user on whom's behalf accounts are
resolved into account (e.g. replace the enforceVisibility(true) call
with an enforceVisibilityFor(user) call) but doing this turned out to be
quite tricky (e.g. QueryProcessor to which the call is delegated cannot
depend on CurrentUser without introducing a cyclic dependency in Guice
and fixing this would require us to rethink about how our build modules
should be structured). Hence we didn't take this alternative.

Release-Notes: skip
Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: I90c2cd6245929eb98687bb4e70e803b88d467f22
4 files changed
tree: bd0cdf864cc1c91ab8fc2d926ddf3a9debdcd9c0
  1. .settings/
  2. .ts-out/
  3. antlr3/
  4. contrib/
  5. Documentation/
  6. e2e-tests/
  7. java/
  8. javatests/
  9. lib/
  10. modules/
  11. plugins/
  12. polygerrit-ui/
  13. prolog/
  14. prologtests/
  15. proto/
  16. resources/
  17. tools/
  18. webapp/
  19. polymer-bridges
  20. .bazelignore
  21. .bazelproject
  22. .bazelrc
  23. .bazelversion
  24. .editorconfig
  25. .git-blame-ignore-revs
  26. .gitignore
  27. .gitmodules
  28. .gitreview
  29. .mailmap
  30. .pydevproject
  31. .zuul.yaml
  32. BUILD
  33. COPYING
  34. INSTALL
  35. Jenkinsfile
  36. package.json
  37. README.md
  38. SUBMITTING_PATCHES
  39. version.bzl
  40. web-dev-server.config.mjs
  41. WORKSPACE
  42. yarn.lock
README.md

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.

Build Status Maven Central

Objective

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.

Documentation

For information about how to install and use Gerrit, refer to the documentation.

Source

Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.

Contribute

Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The Developer Mailing list is repo-discuss on Google Groups.

License

Gerrit is provided under the Apache License 2.0.

Build

Install Bazel and run the following:

    git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instruction how to configure GerritForge/BinTray repositories is here

On Debian/Ubuntu run:

    apt-get update && apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 8 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8

To run a Ubuntu 20.04 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20

NOTE: release is optional. Last released package of the version is installed if the release number is omitted.