Merge branch 'stable-2.14' into stable-2.15

* stable-2.14:
  Upgrade bazlets to latest stable-2.14

Change-Id: I294243886315404a58a36ebc03dd1fe332c031a0
diff --git a/WORKSPACE b/WORKSPACE
index 7e74f36..47aef91 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -3,7 +3,7 @@
 load("//:bazlets.bzl", "load_bazlets")
 
 load_bazlets(
-    commit = "e65c0e748c263b8e8c752612730285658a344ec2",
+    commit = "4b3ce19d8d18d9f7df56a06532723b91ea6949d0",
     #local_path = "/home/<user>/projects/bazlets",
 )
 
diff --git a/external_plugin_deps.bzl b/external_plugin_deps.bzl
index fca9fbb..3457c2f 100644
--- a/external_plugin_deps.bzl
+++ b/external_plugin_deps.bzl
@@ -1,13 +1,13 @@
 load("//tools/bzl:maven_jar.bzl", "GERRIT", "MAVEN_CENTRAL", "MAVEN_LOCAL", "maven_jar")
 
-JGIT_VERSION = "4.7.9.201904161809-r"
+JGIT_VERSION = "4.11.9.201909030838-r"
 REPO = MAVEN_CENTRAL
 
 def external_plugin_deps():
     maven_jar(
         name = "jgit-http-apache",
         artifact = "org.eclipse.jgit:org.eclipse.jgit.http.apache:" + JGIT_VERSION,
-        sha1 = "d6f23663efeb2bfab032c75915765e086a26d494",
+        sha1 = "f28a659ca83e2aa644f4ba81d28312d291d385ad",
         repository = REPO,
         unsign = True,
         exclude = [
@@ -19,7 +19,7 @@
     maven_jar(
         name = "jgit-lfs",
         artifact = "org.eclipse.jgit:org.eclipse.jgit.lfs:" + JGIT_VERSION,
-        sha1 = "6e8485a140b2f58195f3ed48ecb0dd7acf46410f",
+        sha1 = "88234aa639497cf725f2a32e47dbd7433975da67",
         repository = REPO,
         unsign = True,
         exclude = [
@@ -31,7 +31,7 @@
     maven_jar(
         name = "jgit-lfs-server",
         artifact = "org.eclipse.jgit:org.eclipse.jgit.lfs.server:" + JGIT_VERSION,
-        sha1 = "8dc0cf32615b15d327c70574022964b34f101226",
+        sha1 = "a1cd4548172c62a24cec195399e2dba877f44d32",
         repository = REPO,
         unsign = True,
         exclude = [
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java
index dcdcbac..40e00b0 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/GetLfsGlobalConfig.java
@@ -14,6 +14,8 @@
 
 package com.googlesource.gerrit.plugins.lfs;
 
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
+
 import com.google.common.collect.Maps;
 import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
 import com.google.gerrit.extensions.restapi.RestApiException;
@@ -21,6 +23,7 @@
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.config.AllProjectsName;
+import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.project.ProjectResource;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -33,22 +36,25 @@
   private final LfsConfigurationFactory lfsConfigFactory;
   private final AllProjectsName allProjectsName;
   private final Provider<CurrentUser> self;
+  private final PermissionBackend permissionBackend;
 
   @Inject
   GetLfsGlobalConfig(
       LfsConfigurationFactory lfsConfigFactory,
       AllProjectsName allProjectsName,
-      Provider<CurrentUser> self) {
+      Provider<CurrentUser> self,
+      PermissionBackend permissionBackend) {
     this.lfsConfigFactory = lfsConfigFactory;
     this.allProjectsName = allProjectsName;
     this.self = self;
+    this.permissionBackend = permissionBackend;
   }
 
   @Override
   public LfsGlobalConfigInfo apply(ProjectResource resource) throws RestApiException {
     IdentifiedUser user = self.get().asIdentifiedUser();
     if (!(resource.getNameKey().equals(allProjectsName)
-        && user.getCapabilities().canAdministrateServer())) {
+        && permissionBackend.user(user).testOrFalse(ADMINISTRATE_SERVER))) {
       throw new ResourceNotFoundException();
     }
 
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
index 3c9b4cc..d5eeddc 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
@@ -18,12 +18,14 @@
 import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_REGEX_TEMPLATE;
 import static com.google.gerrit.extensions.client.ProjectState.HIDDEN;
 import static com.google.gerrit.extensions.client.ProjectState.READ_ONLY;
+import static com.google.gerrit.server.permissions.ProjectPermission.ACCESS;
 
 import com.google.common.base.Strings;
 import com.google.gerrit.common.ProjectUtil;
 import com.google.gerrit.common.data.Capable;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectControl;
 import com.google.gerrit.server.project.ProjectState;
@@ -51,10 +53,9 @@
   private static final Logger log = LoggerFactory.getLogger(LfsApiServlet.class);
   private static final long serialVersionUID = 1L;
   private static final Pattern URL_PATTERN = Pattern.compile(LFS_OBJECTS_REGEX_REST);
-  private static final String DOWNLOAD = "download";
-  private static final String UPLOAD = "upload";
 
   private final ProjectCache projectCache;
+  private final PermissionBackend permissionBackend;
   private final LfsConfigurationFactory lfsConfigFactory;
   private final LfsRepositoryResolver repoResolver;
   private final LfsAuthUserProvider userProvider;
@@ -62,10 +63,12 @@
   @Inject
   LfsApiServlet(
       ProjectCache projectCache,
+      PermissionBackend permissionBackend,
       LfsConfigurationFactory lfsConfigFactory,
       LfsRepositoryResolver repoResolver,
       LfsAuthUserProvider userProvider) {
     this.projectCache = projectCache;
+    this.permissionBackend = permissionBackend;
     this.lfsConfigFactory = lfsConfigFactory;
     this.repoResolver = repoResolver;
     this.userProvider = userProvider;
@@ -85,12 +88,9 @@
     if (state == null || state.getProject().getState() == HIDDEN) {
       throw new LfsRepositoryNotFound(project.get());
     }
-    authorizeUser(
-        userProvider.getUser(auth, projName, request.getOperation()),
-        state,
-        request.getOperation());
+    authorizeUser(userProvider.getUser(auth, projName, request.getOperation()), state, request);
 
-    if (request.getOperation().equals(UPLOAD) && state.getProject().getState() == READ_ONLY) {
+    if (request.isUpload() && state.getProject().getState() == READ_ONLY) {
       throw new LfsRepositoryReadOnly(project.get());
     }
 
@@ -99,7 +99,7 @@
     // No config means we default to "not enabled".
     if (config != null && config.isEnabled()) {
       // For uploads, check object sizes against limit if configured
-      if (request.getOperation().equals(UPLOAD)) {
+      if (request.isUpload()) {
         if (config.isReadOnly()) {
           throw new LfsRepositoryReadOnly(project.get());
         }
@@ -123,12 +123,16 @@
     throw new LfsUnavailable(project.get());
   }
 
-  private void authorizeUser(CurrentUser user, ProjectState state, String operation)
+  private void authorizeUser(CurrentUser user, ProjectState state, LfsRequest request)
       throws LfsUnauthorized {
     ProjectControl control = state.controlFor(user);
-    if ((operation.equals(DOWNLOAD) && !control.isReadable())
-        || (operation.equals(UPLOAD) && Capable.OK != control.canPushToAtLeastOneRef())) {
-      String op = operation.toLowerCase();
+    if ((request.isDownload()
+            && !permissionBackend
+                .user(user)
+                .project(state.getProject().getNameKey())
+                .testOrFalse(ACCESS))
+        || (request.isUpload() && Capable.OK != control.canPushToAtLeastOneRef())) {
+      String op = request.getOperation().toLowerCase();
       String project = state.getProject().getName();
       String userName =
           Strings.isNullOrEmpty(user.getUserName()) ? "anonymous" : user.getUserName();
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java
index 5e81e73..b747925 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/PutLfsGlobalConfig.java
@@ -14,6 +14,7 @@
 
 package com.googlesource.gerrit.plugins.lfs;
 
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
 import static com.googlesource.gerrit.plugins.lfs.LfsProjectConfigSection.KEY_BACKEND;
 import static com.googlesource.gerrit.plugins.lfs.LfsProjectConfigSection.KEY_ENABLED;
 import static com.googlesource.gerrit.plugins.lfs.LfsProjectConfigSection.KEY_MAX_OBJECT_SIZE;
@@ -30,6 +31,7 @@
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.config.AllProjectsName;
 import com.google.gerrit.server.git.MetaDataUpdate;
+import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.project.ProjectResource;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -47,6 +49,7 @@
 
   private final String pluginName;
   private final AllProjectsName allProjectsName;
+  private final PermissionBackend permissionBackend;
   private final Provider<CurrentUser> self;
   private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
   private final LfsConfigurationFactory lfsConfigFactory;
@@ -56,12 +59,14 @@
   PutLfsGlobalConfig(
       @PluginName String pluginName,
       AllProjectsName allProjectsName,
+      PermissionBackend permissionBackend,
       Provider<CurrentUser> self,
       Provider<MetaDataUpdate.User> metaDataUpdateFactory,
       LfsConfigurationFactory lfsConfigFactory,
       GetLfsGlobalConfig get) {
     this.pluginName = pluginName;
     this.allProjectsName = allProjectsName;
+    this.permissionBackend = permissionBackend;
     this.self = self;
     this.metaDataUpdateFactory = metaDataUpdateFactory;
     this.lfsConfigFactory = lfsConfigFactory;
@@ -74,7 +79,8 @@
     IdentifiedUser user = self.get().asIdentifiedUser();
     Project.NameKey projectName = resource.getNameKey();
 
-    if (!(projectName.equals(allProjectsName) && user.getCapabilities().canAdministrateServer())) {
+    if (!(projectName.equals(allProjectsName)
+        && permissionBackend.user(user).testOrFalse(ADMINISTRATE_SERVER))) {
       throw new ResourceNotFoundException();
     }
 
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
index e30703e..32616f6 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
@@ -16,10 +16,14 @@
 
 import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_LOCKS_PATH_REGEX;
 import static com.google.gerrit.extensions.api.lfs.LfsDefinitions.LFS_URL_REGEX_TEMPLATE;
+import static com.google.gerrit.server.permissions.ProjectPermission.ACCESS;
 
 import com.google.common.base.Strings;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectControl;
 import com.google.gerrit.server.project.ProjectState;
@@ -38,13 +42,17 @@
   static final Pattern LFS_LOCKS_URL_PATTERN =
       Pattern.compile(String.format(LFS_URL_REGEX_TEMPLATE, LFS_LOCKS_PATH_REGEX));
 
+  private final PermissionBackend permissionBackend;
+
   @Inject
   LfsGetLocksAction(
+      PermissionBackend permissionBackend,
       ProjectCache projectCache,
       LfsAuthUserProvider userProvider,
       LfsLocksHandler handler,
       @Assisted LfsLocksContext context) {
     super(projectCache, userProvider, handler, context);
+    this.permissionBackend = permissionBackend;
   }
 
   @Override
@@ -59,7 +67,12 @@
 
   @Override
   protected void authorizeUser(ProjectControl control) throws LfsUnauthorized {
-    if (!control.isReadable()) {
+    try {
+      permissionBackend
+          .user(control.getUser())
+          .project(control.getProject().getNameKey())
+          .check(ACCESS);
+    } catch (AuthException | PermissionBackendException e) {
       throwUnauthorizedOp("list locks", control);
     }
   }