Fix onBehalfOf behaviour of Submit

When submitting changes using onBehalfOf only permission of the user
triggering the Submit need to be considered. With an Ic6dbda6de that
logic got broken, it was no longer possible to submit changes on behalf
of another user, if that user didn't have the SUBMIT permission
themselves.

This change fixes this issue by using IdentifiedUser.getRealUser() in
MergeOp where appropriate based on the situation.

Additionally as part of this change we address the pre-existing issue,
where the SUBMIT_AS permission for active user and READ permission for
on-behalf-of user would only be checked for the triggering change and
not for all changes in the Submission. This lead to potential cases of
submitting changes as part of the topic that they would otherwise lack
permissions to submit. The extra checks for the "current change" in
Submit.java are kept, to allow the possibility of an early exit, as
construction of the full Set of changes to be submitted together is an
expensive task.

By using real user and on-behalf-of user in MergeOp we are able to
address another issue, where only READ permission of the on-behalf-of
user were considered when constructing Merge Set. With this change we
use real user's permission for constructing the Merge Set, but also
validate on-behalf-of READ permissions as well once it's constructed.

We also fix the permission check in ProjectConfigValidator, where
on-behalf-of user would be previously checked instead of the real user
performing the Submit.

Also added some class docstrings for some of the classes, that I ran
across during investigation.

Release-Notes: skip
Google-Bug-Id: b/351138952
Change-Id: Ib126d5fb75ab46620e302d35aa4a75699739732c
9 files changed
tree: 734b54a9ee374c41e2dd706a736ac34d768917c8
  1. .github/
  2. .settings/
  3. .ts-out/
  4. antlr3/
  5. contrib/
  6. Documentation/
  7. e2e-tests/
  8. java/
  9. javatests/
  10. lib/
  11. modules/
  12. plugins/
  13. polygerrit-ui/
  14. prolog/
  15. prologtests/
  16. proto/
  17. resources/
  18. tools/
  19. webapp/
  20. .bazelignore
  21. .bazelproject
  22. .bazelrc
  23. .bazelversion
  24. .editorconfig
  25. .git-blame-ignore-revs
  26. .gitignore
  27. .gitmodules
  28. .gitreview
  29. .mailmap
  30. .pydevproject
  31. .zuul.yaml
  32. BUILD
  33. COPYING
  34. INSTALL
  35. Jenkinsfile
  36. MODULE.bazel
  37. package.json
  38. README.md
  39. SUBMITTING_PATCHES
  40. version.bzl
  41. web-dev-server.config.mjs
  42. WORKSPACE
  43. yarn.lock
README.md

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.

Build Status Maven Central

Objective

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.

Documentation

For information about how to install and use Gerrit, refer to the documentation.

Source

Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.

Contribute

Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The Developer Mailing list is repo-discuss on Google Groups.

License

Gerrit is provided under the Apache License 2.0.

Build

Install Bazel and run the following:

    git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instruction how to configure GerritForge/BinTray repositories is here

On Debian/Ubuntu run:

    apt-get update && apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 8 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8

To run a Ubuntu 20.04 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20

NOTE: release is optional. Last released package of the version is installed if the release number is omitted.