diff options
author | David Pursehouse <david.pursehouse@sonymobile.com> | 2013-10-02 16:10:35 +0900 |
---|---|---|
committer | David Pursehouse <david.pursehouse@sonymobile.com> | 2013-10-02 16:10:35 +0900 |
commit | d292e7b5562ffb84a4e6e03c9bb2d9e48cc2a576 (patch) | |
tree | a6f06c52a97b23a81a8a02a9530c9f6079b9ef15 | |
parent | b4497fd7ce5f90b3accc09dcf4bfc631d12034a0 (diff) | |
parent | 1a8ce59b6a95f17176477d453c74d19666392308 (diff) |
Merge branch 'stable-2.6' into stable-2.7
* stable-2.6:
Fix compilation failure in RefControlTest
Verify access to source ref during add branch operation
Change-Id: I4a6c61e924baa44142ed0ade771a08bd20d09f79
3 files changed, 45 insertions, 3 deletions
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java index 56d4be3b7d..937f84362c 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java @@ -28,16 +28,26 @@ import com.google.gerrit.reviewdb.client.AccountGroup; import com.google.gerrit.reviewdb.client.Branch; import com.google.gerrit.reviewdb.client.Change; import com.google.gerrit.reviewdb.client.Project; +import com.google.gerrit.reviewdb.client.Project.NameKey; import com.google.gerrit.server.CurrentUser; import com.google.gerrit.server.IdentifiedUser; import com.google.gerrit.server.InternalUser; import com.google.gerrit.server.config.CanonicalWebUrl; import com.google.gerrit.server.config.GitReceivePackGroups; import com.google.gerrit.server.config.GitUploadPackGroups; +import com.google.gerrit.server.git.GitRepositoryManager; import com.google.inject.Inject; import com.google.inject.Provider; import com.google.inject.assistedinject.Assisted; +import org.eclipse.jgit.lib.Ref; +import org.eclipse.jgit.lib.Repository; +import org.eclipse.jgit.revwalk.RevCommit; +import org.eclipse.jgit.revwalk.RevWalk; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; import java.util.Collection; import java.util.Collections; import java.util.HashMap; @@ -45,6 +55,7 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import java.util.Map.Entry; import javax.annotation.Nullable; @@ -53,6 +64,8 @@ public class ProjectControl { public static final int VISIBLE = 1 << 0; public static final int OWNER = 1 << 1; + private static final Logger log = LoggerFactory.getLogger(ProjectControl.class); + public static class GenericFactory { private final ProjectCache projectCache; @@ -117,6 +130,7 @@ public class ProjectControl { private final String canonicalWebUrl; private final CurrentUser user; private final ProjectState state; + private final GitRepositoryManager repoManager; private final PermissionCollection.Factory permissionFilter; private final Collection<ContributorAgreement> contributorAgreements; @@ -130,8 +144,10 @@ public class ProjectControl { ProjectControl(@GitUploadPackGroups Set<AccountGroup.UUID> uploadGroups, @GitReceivePackGroups Set<AccountGroup.UUID> receiveGroups, final ProjectCache pc, final PermissionCollection.Factory permissionFilter, + final GitRepositoryManager repoManager, @CanonicalWebUrl @Nullable final String canonicalWebUrl, @Assisted CurrentUser who, @Assisted ProjectState ps) { + this.repoManager = repoManager; this.uploadGroups = uploadGroups; this.receiveGroups = receiveGroups; this.permissionFilter = permissionFilter; @@ -445,4 +461,29 @@ public class ProjectControl { } return false; } + + public boolean canReadCommit(RevWalk rw, RevCommit commit) { + NameKey projName = state.getProject().getNameKey(); + try { + Repository repo = repoManager.openRepository(projName); + try { + for (Entry<String, Ref> entry : repo.getAllRefs().entrySet()) { + RevCommit tip = rw.parseCommit(entry.getValue().getObjectId()); + if (rw.isMergedInto(commit, tip) + && controlForRef(entry.getKey()).canPerform(Permission.READ)) { + return true; + } + } + } finally { + repo.close(); + } + } catch (IOException e) { + String msg = + String.format( + "Cannot verify permissions to commit object %s in repository %s", + commit.name(), projName.get()); + log.error(msg, e); + } + return controlForRef("refs/*").canPerform(Permission.READ); + } } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java index 59b7670f65..7c465cd6a8 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java @@ -247,8 +247,9 @@ public class RefControl { } if (object instanceof RevCommit) { - return owner || canPerform(Permission.CREATE); - + return owner + || (canPerform(Permission.CREATE) && projectControl.canReadCommit(rw, + (RevCommit) object)); } else if (object instanceof RevTag) { final RevTag tag = (RevTag) object; try { diff --git a/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java b/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java index f1bb7de558..a64039cf74 100644 --- a/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java +++ b/gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java @@ -529,7 +529,7 @@ public class RefControlTest extends TestCase { return new ProjectControl(Collections.<AccountGroup.UUID> emptySet(), Collections.<AccountGroup.UUID> emptySet(), projectCache, - sectionSorter, + sectionSorter, null, canonicalWebUrl, new MockUser(name, memberOf), newProjectState()); } |