)]}'
{
  "commit": "e5f0ef3d2a0511600d247787b664d839db3db7f2",
  "tree": "7757abf824797b5da852cd9873532ea163f62d06",
  "parents": [
    "b6955d1057fd9ae0fe5e2c8f1c97455651641404"
  ],
  "author": {
    "name": "Edwin Kempin",
    "email": "ekempin@google.com",
    "time": "Wed Aug 14 08:41:05 2024 +0000"
  },
  "committer": {
    "name": "Edwin Kempin",
    "email": "ekempin@google.com",
    "time": "Mon Aug 19 08:25:26 2024 +0000"
  },
  "message": "Allow all users to call the Check Code Owner REST endpoint\n\nSo far calling the Check Code Owner REST endpoint required the caller to\nbe an admin (have the \u0027Administrate Server\u0027 capability or the \u0027Check\nCode Owner Capability\u0027). Due to this normal users couldn\u0027t debug issues\nwith OWNERS files on their own, but had to file tickets to find someone\nthat calls the REST endpoint and explains them the result. To reduce the\nticket load we are offering the Check Code Owner REST endpoint as a\nself-service now so that every user can invoke it.\n\nMost of the information that is provided by the REST endpoint is not\nsensitive and can be shown to normal users as they already have access\nto this information via other REST endpoints (via the code owner\nsuggestion they can find out if a user is a code owner, the inspected\ncode owner config files are already returned via the code owner\nsuggestion REST endpoint, whether an email is resolvable can be checked\nvia the account API, whether a user can see a change can be checked by\ntrying to add the user as a reviewer to the change, whether a user can\nvote on a change is contained in ChangeInfo when the user is a\nreviewer).\n\nThe returned debug logs however may contain information which should\nonly be shown to admins (e.g. messages that explain why a code owner\nemail is not resolvable reveal information about whether an email\nexists). This is why with change Ib28802d38 we distinguish between\nmessages that can be shown to all users vs. admins only. Now we are\nmaking use of this and return user messages for normal users and admin\nmessages for admins.\n\nThe \u0027user\u0027 option of the Check Code Owner REST endpoint checks the code\nownership of a user on behal of another user. This is something that\nonly admins should be able to do, hence we keep this disabled for normal\nusers (e.g. normal users should not be able to check code ownership on\nbehalf of an admin user as this would reveal accounts that the admin\nuser can see, but which are not visible to the calling user).\n\nSo far the Check Code Owner REST endpoint only checked the visibility of\ncode owners when a user was specified to check whether that user can see\nthe code owners (the \u0027user\u0027 option). If a user was not specified the\ncode owner visibility was not checked, since the REST endpoint could\nonly be invoked by admins this was not necessary and it was intended\nthat they could see all accounts. Now that also normal users can call\nthe REST endpoint we do check the code owner visibility when the calling\nuser is not an admin.\n\nBug: Google b/345161989\nChange-Id: I3a2d5d9cc6fde0bb1b4dd690008111ce7c311cf5\nSigned-off-by: Edwin Kempin \u003cekempin@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "303f9066f281fe3e45bd80bbbfef871e7eb53337",
      "old_mode": 33188,
      "old_path": "java/com/google/gerrit/plugins/codeowners/restapi/CheckCodeOwner.java",
      "new_id": "2eb6f92cc13c8809ed0b1f34c066df3c764f888d",
      "new_mode": 33188,
      "new_path": "java/com/google/gerrit/plugins/codeowners/restapi/CheckCodeOwner.java"
    },
    {
      "type": "modify",
      "old_id": "05a29bfd41da9e9c43547834d6dcca9a946e8fe3",
      "old_mode": 33188,
      "old_path": "javatests/com/google/gerrit/plugins/codeowners/acceptance/api/CheckCodeOwnerIT.java",
      "new_id": "0208bc9f50571d123418d2c033895fa1652663a3",
      "new_mode": 33188,
      "new_path": "javatests/com/google/gerrit/plugins/codeowners/acceptance/api/CheckCodeOwnerIT.java"
    },
    {
      "type": "modify",
      "old_id": "015cb9e1ccc8dd241abd6b6ce3c25476a160fb6e",
      "old_mode": 33188,
      "old_path": "resources/Documentation/rest-api.md",
      "new_id": "d1e559f3bb65eb9dd8533bd8260517dfa13eb5f1",
      "new_mode": 33188,
      "new_path": "resources/Documentation/rest-api.md"
    }
  ]
}