Apply implicit approvals only when change owner == last patch set uploader

So far implicit approvals are applied on all patch sets that are
uploaded by a code owner. This has some implications that are unexpected
to users. E.g. if a non-code-owner uploads a change and a code owner
edits its commit message, the change gets implicitly code owner approved
(because editing the commit message creates a new patch set that is
uploaded by the code owner, and hence is implicitly code owner

Applying implicit approvals only based on the change owner (all patch
sets of changes that are owned by a code owner are automatically
approved) is even worse, as a non-code-owner could upload a new patch
set to a change that is owned by a code owner and then get their patch
set implicitly approved by the change owner. This would allow
non-code-onwers to get arbitrary code implicitly code owner approved.

To avoid both issues we now apply implicit code owner approvals only if
a change is owned by a code owner and if the last patch set was uploaded
by the change owner (change owner == last patch set uploader).

This doesn't resolve all security concerns about enabling implicit code
owner approvals, but is much safer than what we have now. It remains an
issue that code owners must be aware of their implicit code owner
approval when creating changes. E.g. if a code owner helps a contributor
to rebase a patch to another branch, they implicitly approve the change
on the other branch (since the code owner is the change owner).

Signed-off-by: Edwin Kempin <>
Change-Id: I33d5e7433172847d6ee419a7a17740353cd34a99
10 files changed
tree: aa86f3611f6b008231290225d0eb211dbaeb9ff2
  1. java/
  2. javatests/
  3. proto/
  4. resources/
  5. test/
  6. ui/
  7. .eslintrc.json
  8. .gitignore
  9. .gitreview
  10. bower.json
  11. BUILD
  13. package-lock.json
  14. package.json

Gerrit Code Review code-owners plugin

This plugin provides support for defining code owners for files in a repository.

If the code-owners plugin is enabled, changes can only be submitted if all touched files are covered by approvals from code owners.

Also see resources/Documentation/

IMPORTANT: Before installing/enabling the plugin follow the instructions from the setup guide, see resources/Documentation/