author | Saša Živkov <zivkov@gmail.com> | 2013-10-01 12:02:30 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2013-10-01 12:02:31 +0000 |
commit | 0a07a9a670cb9c5c1108347acf97def8af70dafd (patch) | |
tree | 340f038498116899123997b9f7069204ec81f917 | |
parent | 1d0673b5f4e46fa147941a4d5b6845a8e08ae8c5 (diff) | |
parent | 3488eece9f1a197aedfe41d0b3275065c4981c82 (diff) |
Merge "Verify access to source ref during add branch operation" into stable-2.6
-rw-r--r-- | gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java | 41 | ||||
-rw-r--r-- | gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java | 5 |
2 files changed, 44 insertions, 2 deletions
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java
index 56d4be3b7d..937f84362c 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java
@@ -28,16 +28,26 @@ import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.reviewdb.client.Branch;
 import com.google.gerrit.reviewdb.client.Change;
 import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.reviewdb.client.Project.NameKey;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.InternalUser;
 import com.google.gerrit.server.config.CanonicalWebUrl;
 import com.google.gerrit.server.config.GitReceivePackGroups;
 import com.google.gerrit.server.config.GitUploadPackGroups;
+import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.assistedinject.Assisted;
+import org.eclipse.jgit.lib.Ref;
+import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.revwalk.RevCommit;
+import org.eclipse.jgit.revwalk.RevWalk;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -45,6 +55,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.Map.Entry;
 import javax.annotation.Nullable;
@@ -53,6 +64,8 @@ public class ProjectControl {
 public static final int VISIBLE = 1 << 0;
 public static final int OWNER = 1 << 1;
+ private static final Logger log = LoggerFactory.getLogger(ProjectControl.class);
+
 public static class GenericFactory {
 private final ProjectCache projectCache;
@@ -117,6 +130,7 @@ public class ProjectControl {
 private final String canonicalWebUrl;
 private final CurrentUser user;
 private final ProjectState state;
+ private final GitRepositoryManager repoManager;
 private final PermissionCollection.Factory permissionFilter;
 private final Collection<ContributorAgreement> contributorAgreements;
@@ -130,8 +144,10 @@ public class ProjectControl {
 ProjectControl(@GitUploadPackGroups Set<AccountGroup.UUID> uploadGroups, @GitReceivePackGroups Set<AccountGroup.UUID> receiveGroups, final ProjectCache pc, final PermissionCollection.Factory permissionFilter,
+ final GitRepositoryManager repoManager,
 @CanonicalWebUrl @Nullable final String canonicalWebUrl, @Assisted CurrentUser who, @Assisted ProjectState ps) {
+ this.repoManager = repoManager;
 this.uploadGroups = uploadGroups;
 this.receiveGroups = receiveGroups;
 this.permissionFilter = permissionFilter;
@@ -445,4 +461,29 @@ public class ProjectControl {
 }
 return false;
 }
+
+ public boolean canReadCommit(RevWalk rw, RevCommit commit) {
+ NameKey projName = state.getProject().getNameKey();
+ try {
+ Repository repo = repoManager.openRepository(projName);
+ try {
+ for (Entry<String, Ref> entry : repo.getAllRefs().entrySet()) {
+ RevCommit tip = rw.parseCommit(entry.getValue().getObjectId());
+ if (rw.isMergedInto(commit, tip)
+ && controlForRef(entry.getKey()).canPerform(Permission.READ)) {
+ return true;
+ }
+ }
+ } finally {
+ repo.close();
+ }
+ } catch (IOException e) {
+ String msg =
+ String.format(
+ "Cannot verify permissions to commit object %s in repository %s",
+ commit.name(), projName.get());
+ log.error(msg, e);
+ }
+ return controlForRef("refs/*").canPerform(Permission.READ);
+ }
 }
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
index 59b7670f65..7c465cd6a8 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
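Review bot: In `canReadCommit`, a single ref whose target is not a commit (a tree or blob, for instance) ends the scan for every remaining ref, because `rw.parseCommit` reports it with an `IOException` subclass and the only `catch` sits outside the loop. The caller is then left with just the `refs/*` fallback and an error log entry on each request, so a user who can read a branch containing the commit may be refused; whether that fallback honours narrower blocks on individual refs depends on `controlForRef`, which is outside the hunk and worth confirming. Testing `canPerform(Permission.READ)` before the walk would also avoid running `isMergedInto` from refs the user cannot read, which matters on repositories with many refs. The sketch below keeps the outer `try`/`finally` as it is and needs `org.eclipse.jgit.errors.IncorrectObjectTypeException` imported.

```java
// … unchanged: projName lookup, openRepository, outer try …
for (Entry<String, Ref> entry : repo.getAllRefs().entrySet()) {
  if (!controlForRef(entry.getKey()).canPerform(Permission.READ)) {
    continue;
  }
  RevCommit tip;
  try {
    tip = rw.parseCommit(entry.getValue().getObjectId());
  } catch (IncorrectObjectTypeException e) {
    continue; // ref does not resolve to a commit; keep scanning
  }
  if (rw.isMergedInto(commit, tip)) {
    return true;
  }
}
// … unchanged: finally/close, IOException logging, refs/* fallback …
```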
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
@@ -247,8 +247,9 @@ public class RefControl {
 }
 if (object instanceof RevCommit) {
- return owner || canPerform(Permission.CREATE);
-
+ return owner
+ || (canPerform(Permission.CREATE) && projectControl.canReadCommit(rw,
+ (RevCommit) object));
 } else if (object instanceof RevTag) {
 final RevTag tag = (RevTag) object;
 try { |
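Review bot: The source-visibility check lands only on the `RevCommit` branch, while the `RevTag` branch directly below is untouched by this commit and its body continues outside the hunk. If that branch does not already verify read access to the commit the tag points at, a ref created from an annotated tag would not be covered by the new check, so it is worth confirming or adding the same `projectControl.canReadCommit(rw, ...)` call on the peeled target there. The `owner ||` short-circuit also skips the read check for project owners; a comment such as `// owners may create from any commit, READ is not checked` would make clear that this is deliberate.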