Hide access rights not visible to user
It may be an information leak to display to a user other branches
and the group those users have access to read. When displaying the
access rights of a project, filter the list of displayed RefRights
to only those RefRights that are owned by the user, or are visible
to them via READ +1 permission.
Change-Id: I70d04d494ec9cef81c2108ecb451a81ac0293615
Signed-off-by: Shawn O. Pearce <sop@google.com>
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java
index 3ff3892f..ef632c4 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java
@@ -26,6 +26,7 @@
import com.google.gerrit.server.project.NoSuchProjectException;
import com.google.gerrit.server.project.ProjectControl;
import com.google.gerrit.server.project.ProjectState;
+import com.google.gerrit.server.project.RefControl;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
@@ -75,8 +76,14 @@
final List<InheritedRefRight> refRights = new ArrayList<InheritedRefRight>();
for (final RefRight r : projectState.getInheritedRights()) {
- InheritedRefRight refRight = new InheritedRefRight(
- r, true, pc.controlForRef(r.getRefPattern()).isOwner());
+ RefControl rc = pc.controlForRef(r.getRefPattern());
+ boolean isOwner = rc.isOwner();
+
+ if (!isOwner && !rc.isVisible()) {
+ continue;
+ }
+
+ InheritedRefRight refRight = new InheritedRefRight(r, true, isOwner);
if (!refRights.contains(refRight)) {
refRights.add(refRight);
wantGroup(r.getAccountGroupId());
@@ -84,8 +91,14 @@
}
for (final RefRight r : projectState.getLocalRights()) {
- refRights.add(new InheritedRefRight(
- r, false, pc.controlForRef(r.getRefPattern()).isOwner()));
+ RefControl rc = pc.controlForRef(r.getRefPattern());
+ boolean isOwner = rc.isOwner();
+
+ if (!isOwner && !rc.isVisible()) {
+ continue;
+ }
+
+ refRights.add(new InheritedRefRight(r, false, isOwner));
wantGroup(r.getAccountGroupId());
}