diff options
author | Sven Selberg <svense@axis.com> | 2020-12-17 09:43:18 +0100 |
---|---|---|
committer | Sven Selberg <svense@axis.com> | 2020-12-21 14:37:02 +0100 |
commit | 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d (patch) | |
tree | fca7e3b57084a1f4a562d27960f26a450825b395 | |
parent | 36d4fbe4ae7dd9b4c6076afe9dbb16905900bcd0 (diff) |
ForRef#check should permit internal users to read all refs
79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.
Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
-rw-r--r-- | java/com/google/gerrit/server/permissions/RefControl.java | 4 | ||||
-rw-r--r-- | javatests/com/google/gerrit/server/permissions/RefControlTest.java | 10 |
2 files changed, 14 insertions, 0 deletions
diff --git a/java/com/google/gerrit/server/permissions/RefControl.java b/java/com/google/gerrit/server/permissions/RefControl.java index b2dc41c892..945ae06c9d 100644 --- a/java/com/google/gerrit/server/permissions/RefControl.java +++ b/java/com/google/gerrit/server/permissions/RefControl.java @@ -603,6 +603,10 @@ class RefControl { private boolean can(RefPermission perm) throws PermissionBackendException { switch (perm) { case READ: + /* Internal users such as plugin users should be able to read all refs. */ + if (getUser().isInternalUser()) { + return true; + } if (refName.startsWith(Constants.R_TAGS)) { return isTagVisible(); } diff --git a/javatests/com/google/gerrit/server/permissions/RefControlTest.java b/javatests/com/google/gerrit/server/permissions/RefControlTest.java index 6a1c037acf..7f2f5a432a 100644 --- a/javatests/com/google/gerrit/server/permissions/RefControlTest.java +++ b/javatests/com/google/gerrit/server/permissions/RefControlTest.java @@ -44,6 +44,7 @@ import com.google.gerrit.entities.AccountGroup; import com.google.gerrit.entities.Project; import com.google.gerrit.exceptions.InvalidNameException; import com.google.gerrit.server.CurrentUser; +import com.google.gerrit.server.InternalUser; import com.google.gerrit.server.account.GroupMembership; import com.google.gerrit.server.account.ListGroupMembership; import com.google.gerrit.server.config.AllProjectsName; @@ -312,6 +313,11 @@ public class RefControlTest { } @Test + public void userRefIsVisibleForInternalUser() throws Exception { + internalUser(localKey).controlForRef("refs/users/default").asForRef().check(RefPermission.READ); + } + + @Test public void branchDelegation1() throws Exception { projectOperations .project(localKey) @@ -1219,6 +1225,10 @@ public class RefControlTest { return projectCache.checkedGet(nameKey, true); } + private ProjectControl internalUser(Project.NameKey localKey) throws Exception { + return projectControlFactory.create(new InternalUser(), getProjectState(localKey)); + } + private ProjectControl user(Project.NameKey localKey, AccountGroup.UUID... memberOf) throws Exception { return user(localKey, null, memberOf); |