Implement visibility using permission backend
Use the permission backend implemented in Gerrit v2.15
to verify that only the owners with read access to the change
are actually added as reviewers.
Bug: Issue 12118
Change-Id: I7924e1df1824b9994f0ce7bd69efd7472853113d
diff --git a/owners-autoassign/src/main/java/com/vmware/gerrit/owners/common/ReviewerManager.java b/owners-autoassign/src/main/java/com/vmware/gerrit/owners/common/ReviewerManager.java
index c30fca9..8e5b167 100644
--- a/owners-autoassign/src/main/java/com/vmware/gerrit/owners/common/ReviewerManager.java
+++ b/owners-autoassign/src/main/java/com/vmware/gerrit/owners/common/ReviewerManager.java
@@ -24,9 +24,13 @@
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.Account.Id;
+import com.google.gerrit.reviewdb.client.Change;
+import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.IdentifiedUser;
-import com.google.gerrit.server.change.ChangesCollection;
-import com.google.gerrit.server.project.ChangeControl;
+import com.google.gerrit.server.permissions.ChangePermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.query.change.ChangeData;
import com.google.gerrit.server.util.ManualRequestContext;
import com.google.gerrit.server.util.OneOffRequestContext;
import com.google.gwtorm.server.OrmException;
@@ -44,18 +48,21 @@
private final OneOffRequestContext requestContext;
private final GerritApi gApi;
private final IdentifiedUser.GenericFactory userFactory;
- private final ChangesCollection changes;
+ private final ChangeData.Factory changeDataFactory;
+ private final PermissionBackend permissionBackend;
@Inject
public ReviewerManager(
OneOffRequestContext requestContext,
GerritApi gApi,
IdentifiedUser.GenericFactory userFactory,
- ChangesCollection changes) {
+ ChangeData.Factory changeDataFactory,
+ PermissionBackend permissionBackend) {
this.requestContext = requestContext;
this.gApi = gApi;
this.userFactory = userFactory;
- this.changes = changes;
+ this.changeDataFactory = changeDataFactory;
+ this.permissionBackend = permissionBackend;
}
public void addReviewers(ChangeApi cApi, Collection<Account.Id> reviewers)
@@ -64,13 +71,12 @@
ChangeInfo changeInfo = cApi.get();
try (ManualRequestContext ctx =
requestContext.openAs(new Account.Id(changeInfo.owner._accountId))) {
- ChangeControl changeControl = changes.parse(change.getId()).getControl();
// TODO(davido): Switch back to using changes API again,
// when it supports batch mode for adding reviewers
ReviewInput in = new ReviewInput();
in.reviewers = new ArrayList<>(reviewers.size());
for (Account.Id account : reviewers) {
- if (isVisibleTo(changeControl, account)) {
+ if (isVisibleTo(ctx.getReviewDbProvider().get(), changeInfo, account)) {
AddReviewerInput addReviewerInput = new AddReviewerInput();
addReviewerInput.reviewer = account.toString();
in.reviewers.add(addReviewerInput);
@@ -78,7 +84,7 @@
log.warn(
"Not adding account {} as reviewer to change {} because the associated ref is not visible",
account,
- change.getId());
+ changeInfo._number);
}
gApi.changes().id(changeInfo.id).current().review(in);
}
@@ -89,7 +95,13 @@
}
}
- private boolean isVisibleTo(ChangeControl changeControl, Id account) {
- return changeControl.forUser(userFactory.create(account)).isRefVisible();
+ private boolean isVisibleTo(ReviewDb reviewDb, ChangeInfo changeInfo, Id account) {
+ ChangeData changeData =
+ changeDataFactory.create(
+ reviewDb, new Project.NameKey(changeInfo.project), new Change.Id(changeInfo._number));
+ return permissionBackend
+ .user(userFactory.create(account))
+ .change(changeData)
+ .testOrFalse(ChangePermission.READ);
}
}
