commit | ed7771623b061703c60b1a4526910ce8d666f7d4 | [log] [tgz] |
---|---|---|
author | Edwin Kempin <ekempin@google.com> | Wed Nov 15 08:23:40 2017 -0800 |
committer | Edwin Kempin <ekempin@google.com> | Wed Jan 10 13:41:34 2018 +0100 |
tree | 7752cef9dc2c28e9e7f2e3abf5314b36dc072ef0 | |
parent | 140e71f91652eab0fc743ad2ee1e792e9011e9dd [diff] |
Require 'Modify Account' to access another user's secondary emails

Only the preferred email should be readily available to other users. Secondary emails should only be accessible to the user that owns the account or to users that have the 'Modify Account' capability.

We choose to check on the 'Modify Account' capability because the intention of this change is to hide secondary emails from normal users and 'Modify Account' is a capability that is almost certainly only assigned to administrator users (as opposed to e.g. the 'View All Accounts' capability which may also be granted to normal users to see all accounts but not all account data). Also when you edit an account you must be able to see its full data. Admittedly the 'Modify Account' capability is not a perfect match for this and it would be nicer to have a new 'View Secondary Emails' capability for this. For now we refrain from adding yet another capability while we have no specific use case for it but follow-up changes can add it if needed.

So far secondary emails of other users could be accessed in various ways:

* GetEmails REST endpoint
* QueryAccounts REST endpoint with the ALL_EMAILS options
* QueryAccounts REST endpoint with the suggest option

The GetEmails REST endpoint is now only supported if the calling user owns the account or if the calling user has the 'Modify Account' capability.

Using the ALL_EMAILS option on the QueryAccounts REST endpoint also requires the 'Modify Account' capability now.

The QueryAccounts REST endpoint with the suggest option is changed to only include secondary emails if the calling user has the 'Modify Account' capability.

Also the GetExternalIds REST endpoint includes secondary emails in its response. However this REST endpoint already requires that the calling user owns the account or has the 'Access Database' capability. Hence already now normal users can't use this REST endpoint to get access to the secondary emails of other accounts.

To hide secondary emails we must also disable querying accounts by secondary email. Otherwise one could search with 'email:foo.com' to find all accounts that have a '*@foo.com' email address.

The following index fields contain the secondary emails (or parts of them):

* EMAIL
* NAME_PART
* EXTERNAL_ID

The EMAIL field is used for queries with the 'email' operator. With this change the EMAIL field is now only used if the calling user has the 'Modify Account' capability. If the calling user doesn't have this capability we now use the PREFERRED_EMAIL field instead.

The NAME_PART field is used for default queries and queries with the 'name' operator. With this change the NAME_PART field is now only used if the calling user has the 'Modify Account' capability. For users that don't have this capability a new NAME_PART_NO_SECONDARY_EMAIL field was added that does not contain name parts of secondary emails and that then can be used instead of the NAME_PART field (see predecessor change). However this means that prefix searches by name parts are not working while a search index version is used that doesn't include the new NAME_PART_NO_SECONDARY_EMAIL field yet (e.g. while online reindexing hasn't finished yet). This does affect reviewer suggestion, but shouldn't be a big issue since online reindexing for accounts is expected to be fast.

The EXTERNAL_ID field is only used internally and there is no query operator that maps to it.

Disabling querying by secondary email for users without the 'Modify Account' capability means that these users can't get reviewers suggested by secondary email anymore.

Change-Id: Icf3108d45fb1a7c5f6965c28c4ddc2bfbfedb38a
Signed-off-by: Edwin Kempin <ekempin@google.com>
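The field selection described in the commit message above, as an added example that is not part of the commit or of Gerrit's code base: a small in-memory model showing which index field each operator reads depending on the caller's 'Modify Account' capability, including the case of an index version that lacks NAME_PART_NO_SECONDARY_EMAIL. The names `Account`, `build_index`, `query` and `FIELDS`, the sample accounts, and the substring/prefix matching rules are assumptions made for illustration.

```python
# Added illustration, not Gerrit code: Account, build_index and query are hypothetical.
import re
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: int
    full_name: str
    preferred_email: str
    secondary_emails: list = field(default_factory=list)

# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account(1, "Jane Roe", "jane@example.org", ["jroe@foo.com"]),
    Account(2, "John Doe", "john@foo.com"),
]

def name_parts(*values):
    """Lower-cased alphanumeric tokens: 'jroe@foo.com' -> {'jroe', 'foo', 'com'}."""
    return {p for v in values for p in re.split(r"[^a-z0-9]+", v.lower()) if p}

def build_index(accounts, with_new_field=True):
    """Build one document per account; with_new_field=False models an index
    version that predates NAME_PART_NO_SECONDARY_EMAIL."""
    index = {}
    for a in accounts:
        emails = [a.preferred_email, *a.secondary_emails]
        doc = {
            "EMAIL": {e.lower() for e in emails},
            "PREFERRED_EMAIL": {a.preferred_email.lower()},
            "NAME_PART": name_parts(a.full_name, *emails),
        }
        if with_new_field:
            doc["NAME_PART_NO_SECONDARY_EMAIL"] = name_parts(a.full_name, a.preferred_email)
        index[a.account_id] = doc
    return index

# operator -> (field for 'Modify Account' holders, field for everyone else)
FIELDS = {
    "email": ("EMAIL", "PREFERRED_EMAIL"),
    "name": ("NAME_PART", "NAME_PART_NO_SECONDARY_EMAIL"),
}

def query(index, operator, value, can_modify_account):
    """Return sorted ids of accounts matching operator:value for this caller."""
    privileged, restricted = FIELDS[operator]
    fld = privileged if can_modify_account else restricted
    # Assumption: substring match for email, prefix match for name parts.
    matches = str.__contains__ if operator == "email" else str.startswith
    value = value.lower()
    return sorted(i for i, doc in index.items()
                  if any(matches(term, value) for term in doc.get(fld, ())))
```

A regression test for this kind of change should query as both a privileged and an unprivileged caller and assert that the unprivileged result never depends on a secondary email.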
Gerrit is a code review and project management tool for Git based projects.
Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.
Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.
For information about how to install and use Gerrit, refer to the documentation.
Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on GitHub.
Please report bugs on the issue tracker.
Gerrit is the work of hundreds of contributors. We appreciate your help!
Please read the contribution guidelines.
Note that we do not accept Pull Requests via the GitHub mirror.
The IRC channel on freenode is #gerrit. An archive is available at: echelog.com.
The Developer Mailing list is repo-discuss on Google Groups.
Gerrit is provided under the Apache License 2.0.
Install Bazel and run the following:
git clone --recursive https://gerrit.googlesource.com/gerrit
cd gerrit && bazel build release
The instructions on how to configure GerritForge/BinTray repositories are here
On Debian/Ubuntu run:
apt-get update && apt-get install gerrit=<version>-<release>
NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.
On CentOS/RedHat run:
yum clean all && yum install gerrit-<version>[-<release>]
On Fedora run:
dnf clean all && dnf install gerrit-<version>[-<release>]
Docker images of Gerrit are available on DockerHub
To run a CentOS 7 based Gerrit image:
docker run -p 8080:8080 gerritforge/gerrit-centos7[:version]
To run an Ubuntu 15.04 based Gerrit image:
docker run -p 8080:8080 gerritforge/gerrit-ubuntu15.04[:version]
NOTE: release is optional. Last released package of the version is installed if the release number is omitted.