|author||Luca Milanesio <email@example.com>||Thu Sep 16 00:09:15 2021 +0100|
|committer||Luca Milanesio <firstname.lastname@example.org>||Thu Sep 23 00:35:08 2021 +0100|
Filter out edit refs User's private edits are not part of an open change and should not be served or advertised. The refs could be in theory made invisible by playing with the ACLs. However, having a complex ACL would have a detrimental impact on the overall performance of the security evaluation. It does not make sense to expose the user's private edits and they would risk to make a clone failing with a wants-not-valid error. Change-Id: Idbae7ed339515daa44df3f0093a51f6343b4e8d5
Gerrit lib module to allow filtering out refs in the Git advertizing protocol phase.
Build this module as it was a Gerrit plugin:
git-refs-filterdirectory to Gerrit
bazel build plugins/git-refs-filter
bazel test plugins/git-refs-filter:git_refs_filter_tests
git-refs-filter.jarmodule is generated under
git-refs-filter.jar library to Gerrit
/lib and add the following one extra settings to
[gerrit] installModule = com.googlesource.gerrit.modules.gitrefsfilter.RefsFilterModule
The refsfilter module defines a new global capability called “Filter out closed changes refs”. By default the capability isn't assigned to any user or group, thus the module installation has no side effects.
Filtering a closed change refs has the following meaning:
To enable a group of users of getting a “filtered list” of refs (e.g. CI jobs):
NOTE Gerrit makes a super-simplified ACL evaluation if all the projects are globally readable (e.g. project has a READ rule to refs/*). To enable the closed changes filtering you need to disable any global read rule for the group that needs refs filtering.