Google Git
Sign in
gerrit / gerrit / f1598c54311460db7632d06cc855b8a18bbcf494
commitf1598c54311460db7632d06cc855b8a18bbcf494[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Mon Apr 15 10:12:56 2024 +0000
committerEdwin Kempin <ekempin@google.com>Tue Apr 16 09:06:31 2024 +0000
treeebf9fbbd7256a0e329f39bd867d090a0ce69a227
parenta356b05807119733e392e94b29fe1304d15895e9 [diff]
Disallow removing votes from merged changes by removing reviewers

Once a change has been merged it should be no longer possible to
remove/reduce approvals of the change as this could remove approvals
that were necessary for the submission and it's confusing to see a
merged change which doesn't have the necessary approvals to fulfill the
submit requirements. E.g. this is why PostReview doesn't allow to
remove/reduce votes (see PostReviewOp#validatePostSubmitLabels).

Hence it's a bug that having the 'Remove Reviewer' permission allows
users to remove approvals from merged changes.

If approvals are removed from a change after it has been merged we can
have the following inconsistencies:
* the change is shown as merged with fulfilled submit requirements but
  without any votes which is confusing to users, note that the submit
  requirements are still shown as fulfilled because the submit
  requirement results are persisted in NoteDb when the change is
  submitted
* tools that analyse merged changes may get confused if there are merged
  changes without approvals
* the submitter is recorded by an approval on the magic SUBM label which
  can be lost when the submitter is removed from the reviewers of the
  change

RemoveReviewerControl intended to prevent removing reviewers that have
non-zero votes on merged changes (see check in
canRemoveReviewerWithoutPermissionCheck) but failed to do so because
having the "Remove Reviewer" permission bypassed this in
testRemoveReview/checkRemoveReviewer).

In addition ChangeJson wrongly assumed that having the "Remove Reviewer"
permission is sufficient to remove any vote, even on merged changes and
it also doesn't take the magic SUBM approval into account
(removableReviewers only iterated over the labels that are returned to
the caller where the SUBM approval had been filtered out, although the
presence of the SUBM approval still makes the submitter a reviewer).

Not needing to check whether approvals with non-zero votes can be
removed for merged changes can also improve the latency for change
queries that return merged changes, since the "Get removable reviewers"
is not as a reason for change quries to be slow.

Release-Notes: Disallowed removing votes from merged changes by removing reviewers
Bug: Google b/334796368
Bug: Google b/335095952
Change-Id: Ia8edde3652c93251902cdafa8aba3f57b8e0915b
Signed-off-by: Edwin Kempin <ekempin@google.com>
6 files changed
tree: ebf9fbbd7256a0e329f39bd867d090a0ce69a227
  1. .settings/
  2. .ts-out/
  3. antlr3/
  4. contrib/
  5. Documentation/
  6. e2e-tests/
  7. java/
  8. javatests/
  9. lib/
  10. modules/
  11. plugins/
  12. polygerrit-ui/
  13. prolog/
  14. prologtests/
  15. proto/
  16. resources/
  17. tools/
  18. webapp/
  19. polymer-bridges
  20. .bazelignore
  21. .bazelproject
  22. .bazelrc
  23. .bazelversion
  24. .editorconfig
  25. .git-blame-ignore-revs
  26. .gitignore
  27. .gitmodules
  28. .gitreview
  29. .pydevproject
  30. .zuul.yaml
  31. BUILD
  32. COPYING
  33. INSTALL
  34. Jenkinsfile
  35. MODULE.bazel
  36. package.json
  37. README.md
  38. SUBMITTING_PATCHES
  39. version.bzl
  40. web-dev-server.config.mjs
  41. WORKSPACE
  42. yarn.lock
README.md

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.

Build Status Maven Central

Objective

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.

Documentation

For information about how to install and use Gerrit, refer to the documentation.

Source

Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.

Contribute

Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The Developer Mailing list is repo-discuss on Google Groups.

License

Gerrit is provided under the Apache License 2.0.

Build

Install Bazel and run the following:

    git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instruction how to configure GerritForge/BinTray repositories is here

On Debian/Ubuntu run:

    apt-get update && apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 8 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8

To run a Ubuntu 20.04 based Gerrit image:

    docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20

NOTE: release is optional. Last released package of the version is installed if the release number is omitted.