ForRef#check should permit internal users to read all refs

79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.

Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d)

2 files changed, 26 insertions, 0 deletions

diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
index 2ba5e0f6d2..1f40262ba3 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
@@ -589,6 +589,10 @@ public class RefControl {
     private boolean can(RefPermission perm) throws PermissionBackendException {
       switch (perm) {
         case READ:
+          /* Internal users such as plugin users should be able to read all refs. */
+          if (getUser().isInternalUser()) {
+            return true;
+          }
           if (refName.startsWith(Constants.R_TAGS)) {
             return isTagVisible();
           }
diff --git a/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java b/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java
index 364013fcba..8baf52e201 100644
--- a/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java
+++ b/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java
@@ -47,6 +47,7 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.rules.PrologEnvironment;
 import com.google.gerrit.rules.RulesCache;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.InternalUser;
 import com.google.gerrit.server.account.CapabilityCollection;
 import com.google.gerrit.server.account.GroupMembership;
 import com.google.gerrit.server.account.ListGroupMembership;
@@ -399,6 +400,11 @@ public class RefControlTest {
   }
 
   @Test
+  public void userRefIsVisibleForInternalUser() throws Exception {
+    internalUser(local).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
+  }
+
+  @Test
   public void branchDelegation1() {
     allow(local, OWNER, ADMIN, "refs/*");
     allow(local, OWNER, DEVS, "refs/heads/x/*");
@@ -917,6 +923,22 @@ public class RefControlTest {
     return repo;
   }
 
+  private ProjectControl internalUser(ProjectConfig local) throws Exception {
+    return new ProjectControl(
+        Collections.<AccountGroup.UUID>emptySet(),
+        Collections.<AccountGroup.UUID>emptySet(),
+        sectionSorter,
+        null, // commitsCollection
+        changeControlFactory,
+        permissionBackend,
+        refVisibilityControl,
+        gitRepositoryManager,
+        visibleRefFilterFactory,
+        allUsersName,
+        new InternalUser(),
+        newProjectState(local));
+  }
+
   private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) {
     return user(local, null, memberOf);
   }