ForRef#check should permit internal users to read all refs

79d24d4 Make PermissionBackend#ForRef authoritative Introduced a regression where InternalUsers where not taken into consideration when checking READ permission. Bug: Issue 13786 Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
author: Sven Selberg <svense@axis.com> 2020-12-17 09:43:18 +0100
committer: Sven Selberg <svense@axis.com> 2020-12-21 14:37:02 +0100
commit: 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d (patch)
tree: fca7e3b57084a1f4a562d27960f26a450825b395
parent: 36d4fbe4ae7dd9b4c6076afe9dbb16905900bcd0 (diff)
2 files changed, 14 insertions, 0 deletions
diff --git a/java/com/google/gerrit/server/permissions/RefControl.java b/java/com/google/gerrit/server/permissions/RefControl.java
index b2dc41c892..945ae06c9d 100644
--- a/java/com/google/gerrit/server/permissions/RefControl.java
+++ b/java/com/google/gerrit/server/permissions/RefControl.java
@@ -603,6 +603,10 @@ class RefControl {
     private boolean can(RefPermission perm) throws PermissionBackendException {
       switch (perm) {
         case READ:
+          /* Internal users such as plugin users should be able to read all refs. */
+          if (getUser().isInternalUser()) {
+            return true;
+          }
           if (refName.startsWith(Constants.R_TAGS)) {
             return isTagVisible();
           }
diff --git a/javatests/com/google/gerrit/server/permissions/RefControlTest.java b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
index 6a1c037acf..7f2f5a432a 100644
--- a/javatests/com/google/gerrit/server/permissions/RefControlTest.java
+++ b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
@@ -44,6 +44,7 @@ import com.google.gerrit.entities.AccountGroup;
 import com.google.gerrit.entities.Project;
 import com.google.gerrit.exceptions.InvalidNameException;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.InternalUser;
 import com.google.gerrit.server.account.GroupMembership;
 import com.google.gerrit.server.account.ListGroupMembership;
 import com.google.gerrit.server.config.AllProjectsName;
@@ -312,6 +313,11 @@ public class RefControlTest {
   }
 
   @Test
+  public void userRefIsVisibleForInternalUser() throws Exception {
+    internalUser(localKey).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
+  }
+
+  @Test
   public void branchDelegation1() throws Exception {
     projectOperations
         .project(localKey)
@@ -1219,6 +1225,10 @@ public class RefControlTest {
     return projectCache.checkedGet(nameKey, true);
   }
 
+  private ProjectControl internalUser(Project.NameKey localKey) throws Exception {
+    return projectControlFactory.create(new InternalUser(), getProjectState(localKey));
+  }
+
   private ProjectControl user(Project.NameKey localKey, AccountGroup.UUID... memberOf)
       throws Exception {
     return user(localKey, null, memberOf);
author	Sven Selberg <svense@axis.com>	2020-12-17 09:43:18 +0100
committer	Sven Selberg <svense@axis.com>	2020-12-21 14:37:02 +0100
commit	23ff2cfc8ffc00ad3d6e2c752d63394957c8720d (patch)
tree	fca7e3b57084a1f4a562d27960f26a450825b395
parent	36d4fbe4ae7dd9b4c6076afe9dbb16905900bcd0 (diff)