Merge change Ie16b8ca2

* changes:
  Check if the user has permission to upload changes

5 files changed, 45 insertions, 2 deletions

diff --git a/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java b/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java
index e8fd2f375c..d06e3a85bf 100644
--- a/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java
+++ b/src/main/java/com/google/gerrit/client/reviewdb/ReviewDb.java
@@ -31,7 +31,7 @@ import com.google.gwtorm.client.Sequence;
  * </ul>
  */
 public interface ReviewDb extends Schema {
-  public static final int VERSION = 18;
+  public static final int VERSION = 19;
 
   @Relation
   SchemaVersionAccess schemaVersion();
diff --git a/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java b/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java
index aabc23d47a..7f438fe4ec 100644
--- a/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java
+++ b/src/main/java/com/google/gerrit/server/config/SystemConfigProvider.java
@@ -245,6 +245,7 @@ class SystemConfigProvider implements Provider<SystemConfig> {
     cat.setPosition((short) -1);
     cat.setFunctionName(NoOpFunction.NAME);
     vals = new ArrayList<ApprovalCategoryValue>();
+    vals.add(value(cat, 2, "Upload permission"));
     vals.add(value(cat, 1, "Read access"));
     vals.add(value(cat, -1, "No access"));
     c.approvalCategories().insert(Collections.singleton(cat), txn);
@@ -254,7 +255,7 @@ class SystemConfigProvider implements Provider<SystemConfig> {
       final ProjectRight read =
           new ProjectRight(new ProjectRight.Key(DEFAULT_WILD_NAME, cat.getId(),
               sConfig.anonymousGroupId));
-      read.setMaxValue((short) 1);
+      read.setMaxValue((short) 2);
       read.setMinValue((short) 1);
       c.projectRights().insert(Collections.singleton(read));
     }
diff --git a/src/main/java/com/google/gerrit/server/ssh/commands/Receive.java b/src/main/java/com/google/gerrit/server/ssh/commands/Receive.java
index 196e3636ea..db6b74157f 100644
--- a/src/main/java/com/google/gerrit/server/ssh/commands/Receive.java
+++ b/src/main/java/com/google/gerrit/server/ssh/commands/Receive.java
@@ -178,8 +178,18 @@ final class Receive extends AbstractGitCommand {
 
   private Map<ObjectId, Ref> refsById;
 
+  protected boolean canUpload() {
+    return canPerform(ApprovalCategory.READ, (short) 2);
+  }
+
   @Override
   protected void runImpl() throws IOException, Failure {
+    if (!canUpload()) {
+      final String reqName = project.getName();
+      throw new Failure(1, "fatal: Upload denied for project '" + reqName + "'",
+          new SecurityException("Account lacks Upload permission"));
+    }
+
     if (project.isUseContributorAgreements()) {
       verifyActiveContributorAgreement();
     }
diff --git a/src/main/webapp/WEB-INF/sql/upgrade018_019_mysql.sql b/src/main/webapp/WEB-INF/sql/upgrade018_019_mysql.sql
new file mode 100644
index 0000000000..63e4fe305c
--- /dev/null
+++ b/src/main/webapp/WEB-INF/sql/upgrade018_019_mysql.sql
@@ -0,0 +1,13 @@
+-- Upgrade: schema_version 18 to 19 (MySQL)
+--
+
+-- Per-project upload permission
+INSERT INTO approval_category_values
+(name, category_id, value)
+VALUES
+('Upload permission', 'READ', 2);
+
+UPDATE project_rights SET max_value = 2
+WHERE category_id = 'READ' AND max_value = 1;
+
+UPDATE schema_version SET version_nbr = 19;
diff --git a/src/main/webapp/WEB-INF/sql/upgrade018_019_postgres.sql b/src/main/webapp/WEB-INF/sql/upgrade018_019_postgres.sql
new file mode 100644
index 0000000000..e436b1eab4
--- /dev/null
+++ b/src/main/webapp/WEB-INF/sql/upgrade018_019_postgres.sql
@@ -0,0 +1,19 @@
+-- Upgrade: schema_version 18 to 19 (PostgreSQL)
+--
+
+BEGIN;
+
+SELECT check_schema_version(18);
+
+-- Per-project upload permission
+INSERT INTO approval_category_values
+(name, category_id, value)
+VALUES
+('Upload permission', 'READ', 2);
+
+UPDATE project_rights SET max_value = 2
+WHERE category_id = 'READ' AND max_value = 1;
+
+UPDATE schema_version SET version_nbr = 19;
+
+COMMIT;