Convert project permission check to PermissionBackend
Change-Id: I4846da921ba7d58783f8aab63dadcdc168966301
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/DeleteSshKey.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/DeleteSshKey.java
index d3685cc..24c05e8 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/DeleteSshKey.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/DeleteSshKey.java
@@ -19,6 +19,7 @@
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.server.account.AccountResource;
import com.google.gerrit.server.account.DeleteSshKey.Input;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -43,7 +44,8 @@
@Override
public Response<?> apply(ServiceUserResource.SshKey rsrc, Input input)
throws OrmException, AuthException, RepositoryNotFoundException,
- IOException, ConfigInvalidException {
+ IOException, ConfigInvalidException,
+ PermissionBackendException {
return deleteSshKey.get().apply(
new AccountResource.SshKey(rsrc.getUser(), rsrc.getSshKey()), input);
}
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ListServiceUsers.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ListServiceUsers.java
index e6e4e06..d48be6e 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ListServiceUsers.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ListServiceUsers.java
@@ -27,6 +27,7 @@
import com.google.gerrit.server.account.AccountState;
import com.google.gerrit.server.config.ConfigResource;
import com.google.gerrit.server.git.ProjectLevelConfig;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -63,7 +64,7 @@
@Override
public Map<String, ServiceUserInfo> apply(ConfigResource rscr)
- throws OrmException, AuthException {
+ throws OrmException, AuthException, PermissionBackendException {
ProjectLevelConfig storage = projectCache.getAllProjects().getConfig(pluginName + ".db");
CurrentUser user = userProvider.get();
if (user == null || !user.isIdentifiedUser()) {
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutEmail.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutEmail.java
index 8a9389e..941d337 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutEmail.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutEmail.java
@@ -14,6 +14,8 @@
package com.googlesource.gerrit.plugins.serviceuser;
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
+
import com.google.common.base.Strings;
import com.google.gerrit.common.errors.EmailException;
import com.google.gerrit.extensions.restapi.AuthException;
@@ -30,6 +32,8 @@
import com.google.gerrit.server.account.DeleteEmail;
import com.google.gerrit.server.account.PutPreferred;
import com.google.gerrit.server.config.ConfigResource;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -54,6 +58,7 @@
private final Provider<DeleteEmail> deleteEmail;
private final Provider<PutPreferred> putPreferred;
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
@Inject
PutEmail(Provider<GetConfig> getConfig,
@@ -61,24 +66,26 @@
Provider<CreateEmail.Factory> createEmailFactory,
Provider<DeleteEmail> deleteEmail,
Provider<PutPreferred> putPreferred,
- Provider<CurrentUser> self) {
+ Provider<CurrentUser> self,
+ PermissionBackend permissionBackend) {
this.getConfig = getConfig;
this.getEmail = getEmail;
this.createEmailFactory = createEmailFactory;
this.deleteEmail = deleteEmail;
this.putPreferred = putPreferred;
this.self = self;
+ this.permissionBackend = permissionBackend;
}
@Override
public Response<?> apply(ServiceUserResource rsrc, Input input)
throws AuthException, ResourceNotFoundException,
ResourceConflictException, MethodNotAllowedException, OrmException,
- BadRequestException, ConfigInvalidException, EmailException, IOException {
+ BadRequestException, ConfigInvalidException, EmailException, IOException,
+ PermissionBackendException {
Boolean emailAllowed = getConfig.get().apply(new ConfigResource()).allowEmail;
- if ((emailAllowed == null || !emailAllowed)
- && !self.get().getCapabilities().canAdministrateServer()) {
- throw new ResourceConflictException("setting email not allowed");
+ if ((emailAllowed == null || !emailAllowed)) {
+ permissionBackend.user(self).check(ADMINISTRATE_SERVER);
}
String email = getEmail.get().apply(rsrc);
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
index d5f2883..358ac13 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutHttpPassword.java
@@ -13,6 +13,8 @@
// limitations under the License.
package com.googlesource.gerrit.plugins.serviceuser;
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
+
import com.google.common.base.Strings;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
@@ -21,6 +23,8 @@
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.ConfigResource;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -58,20 +62,22 @@
private final Provider<GetConfig> getConfig;
private final com.google.gerrit.server.account.PutHttpPassword putHttpPassword;
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
@Inject
PutHttpPassword(Provider<GetConfig> getConfig,
com.google.gerrit.server.account.PutHttpPassword putHttpPassword,
- Provider<CurrentUser> self) {
+ Provider<CurrentUser> self, PermissionBackend permissionBackend) {
this.getConfig = getConfig;
this.putHttpPassword = putHttpPassword;
this.self = self;
+ this.permissionBackend = permissionBackend;
}
@Override
public Response<String> apply(ServiceUserResource rsrc, Input input)
throws AuthException, ResourceConflictException, ConfigInvalidException,
- ResourceNotFoundException, OrmException, IOException {
+ ResourceNotFoundException, OrmException, IOException, PermissionBackendException {
if (input == null) {
input = new Input();
}
@@ -79,15 +85,11 @@
Boolean httpPasswordAllowed = getConfig.get().apply(new ConfigResource()).allowHttpPassword;
if (input.generate || input.httpPassword == null) {
- if ((httpPasswordAllowed == null || !httpPasswordAllowed)
- && !self.get().getCapabilities().canAdministrateServer()) {
- throw new ResourceConflictException("not allowed to generate HTTP password");
+ if ((httpPasswordAllowed == null || !httpPasswordAllowed)) {
+ permissionBackend.user(self).check(ADMINISTRATE_SERVER);
}
} else {
- if (!self.get().getCapabilities().canAdministrateServer()) {
- throw new AuthException("not allowed to set HTTP password directly, "
- + "requires the Administrate Server permission");
- }
+ permissionBackend.user(self).check(ADMINISTRATE_SERVER);
}
String newPassword = input.generate ? generate() : input.httpPassword;
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutOwner.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutOwner.java
index 726a4f5..c379487 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutOwner.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/PutOwner.java
@@ -14,6 +14,7 @@
package com.googlesource.gerrit.plugins.serviceuser;
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.KEY_OWNER;
import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.USER;
@@ -22,6 +23,7 @@
import com.google.gerrit.common.data.GroupDescriptions;
import com.google.gerrit.extensions.annotations.PluginName;
import com.google.gerrit.extensions.common.GroupInfo;
+import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.DefaultInput;
import com.google.gerrit.extensions.restapi.MethodNotAllowedException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
@@ -35,6 +37,8 @@
import com.google.gerrit.server.git.ProjectLevelConfig;
import com.google.gerrit.server.group.GroupJson;
import com.google.gerrit.server.group.GroupsCollection;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -63,12 +67,13 @@
private final MetaDataUpdate.User metaDataUpdateFactory;
private final GroupJson json;
private final Provider<CurrentUser> self;
+ private final PermissionBackend permissionBackend;
@Inject
PutOwner(Provider<GetConfig> getConfig, GroupsCollection groups,
@PluginName String pluginName, ProjectCache projectCache,
MetaDataUpdate.User metaDataUpdateFactory, GroupJson json,
- Provider<CurrentUser> self) {
+ Provider<CurrentUser> self, PermissionBackend permissionBackend) {
this.getConfig = getConfig;
this.groups = groups;
this.pluginName = pluginName;
@@ -77,17 +82,18 @@
this.metaDataUpdateFactory = metaDataUpdateFactory;
this.json = json;
this.self = self;
+ this.permissionBackend = permissionBackend;
}
@Override
public Response<GroupInfo> apply(ServiceUserResource rsrc, Input input)
throws UnprocessableEntityException, RepositoryNotFoundException,
- MethodNotAllowedException, IOException, OrmException, ResourceConflictException {
+ MethodNotAllowedException, IOException, OrmException, ResourceConflictException,
+ AuthException, PermissionBackendException {
ProjectLevelConfig storage = projectCache.getAllProjects().getConfig(pluginName + ".db");
Boolean ownerAllowed = getConfig.get().apply(new ConfigResource()).allowOwner;
- if ((ownerAllowed == null || !ownerAllowed)
- && !self.get().getCapabilities().canAdministrateServer()) {
- throw new ResourceConflictException("setting owner not allowed");
+ if ((ownerAllowed == null || !ownerAllowed)) {
+ permissionBackend.user(self).check(ADMINISTRATE_SERVER);
}
if (input == null) {
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserCollection.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserCollection.java
index 12d8d1c..666577b 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserCollection.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserCollection.java
@@ -14,6 +14,7 @@
package com.googlesource.gerrit.plugins.serviceuser;
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.KEY_CREATOR_ID;
import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.KEY_OWNER;
import static com.googlesource.gerrit.plugins.serviceuser.CreateServiceUser.USER;
@@ -35,6 +36,8 @@
import com.google.gerrit.server.config.ConfigResource;
import com.google.gerrit.server.git.ProjectLevelConfig;
import com.google.gerrit.server.group.GroupsCollection;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
@@ -54,13 +57,15 @@
private final ProjectCache projectCache;
private final Provider<CurrentUser> userProvider;
private final GroupsCollection groups;
+ private final PermissionBackend permissionBackend;
@Inject
ServiceUserCollection(DynamicMap<RestView<ServiceUserResource>> views,
CreateServiceUser.Factory createServiceUserFactory,
Provider<ListServiceUsers> list, Provider<AccountsCollection> accounts,
@PluginName String pluginName, ProjectCache projectCache,
- Provider<CurrentUser> userProvider, GroupsCollection groups) {
+ Provider<CurrentUser> userProvider, GroupsCollection groups,
+ PermissionBackend permissionBackend) {
this.views = views;
this.createServiceUserFactory = createServiceUserFactory;
this.list = list;
@@ -69,11 +74,12 @@
this.projectCache = projectCache;
this.userProvider = userProvider;
this.groups = groups;
+ this.permissionBackend = permissionBackend;
}
@Override
public ServiceUserResource parse(ConfigResource parent, IdString id)
- throws ResourceNotFoundException, AuthException, OrmException {
+ throws ResourceNotFoundException, AuthException, OrmException, PermissionBackendException {
ProjectLevelConfig storage = projectCache.getAllProjects().getConfig(pluginName + ".db");
IdentifiedUser serviceUser = accounts.get().parseId(id.get());
if (serviceUser == null
@@ -85,7 +91,7 @@
if (user == null || !user.isIdentifiedUser()) {
throw new AuthException("Authentication required");
}
- if (!user.getCapabilities().canAdministrateServer()) {
+ if (!permissionBackend.user(userProvider).testOrFalse(ADMINISTRATE_SERVER)) {
String owner = storage.get().getString(USER, id.get(), KEY_OWNER);
if (owner != null) {
try {
diff --git a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserMenu.java b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserMenu.java
index 859a773..6d5f5f1 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserMenu.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/ServiceUserMenu.java
@@ -14,14 +14,18 @@
package com.googlesource.gerrit.plugins.serviceuser;
+import static com.google.gerrit.server.permissions.GlobalPermission.ADMINISTRATE_SERVER;
+
import com.google.common.collect.Lists;
import com.google.gerrit.extensions.annotations.PluginName;
+import com.google.gerrit.extensions.api.access.PluginPermission;
import com.google.gerrit.extensions.client.MenuItem;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.webui.TopMenu;
import com.google.gerrit.server.CurrentUser;
-import com.google.gerrit.server.account.CapabilityControl;
import com.google.gerrit.server.config.ConfigResource;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
@@ -33,15 +37,18 @@
private final Provider<CurrentUser> userProvider;
private final List<MenuEntry> menuEntries;
private final Provider<ListServiceUsers> listServiceUsers;
+ private final PermissionBackend permissionBackend;
@Inject
ServiceUserMenu(@PluginName String pluginName,
Provider<CurrentUser> userProvider,
- Provider<ListServiceUsers> listServiceUsers) {
+ Provider<ListServiceUsers> listServiceUsers,
+ PermissionBackend permissionBackend) throws PermissionBackendException {
this.pluginName = pluginName;
this.userProvider = userProvider;
this.listServiceUsers = listServiceUsers;
menuEntries = Lists.newArrayList();
+ this.permissionBackend = permissionBackend;
List<MenuItem> peopleItems = Lists.newArrayListWithExpectedSize(2);
if (canCreateServiceUser()) {
@@ -57,15 +64,15 @@
private boolean canCreateServiceUser() {
if (userProvider.get().isIdentifiedUser()) {
- CapabilityControl ctl = userProvider.get().getCapabilities();
- return ctl.canPerform(pluginName + "-" + CreateServiceUserCapability.ID)
- || ctl.canAdministrateServer();
+ return permissionBackend.user(userProvider).testOrFalse(
+ new PluginPermission(pluginName, CreateServiceUserCapability.ID)) ||
+ permissionBackend.user(userProvider).testOrFalse(ADMINISTRATE_SERVER);
} else {
return false;
}
}
- private boolean hasServiceUser() {
+ private boolean hasServiceUser() throws PermissionBackendException {
try {
return !listServiceUsers.get().apply(new ConfigResource()).isEmpty();
} catch (AuthException | OrmException e) {