author | Francois Ferrand <thetypz@gmail.com> | 2020-01-28 17:02:26 +0100 |
---|---|---|
committer | Francois Ferrand <thetypz@gmail.com> | 2020-01-29 13:42:58 +0100 |
commit | a3db8e117d10a91920511d38779dc2c6e5d10fcf (patch) | |
tree | 6684c46d3aba14e6dfb8b704b777005b1f0291a7 | |
parent | 4f9264e5826d9067dafe59d6a4c2f3a45b740317 (diff) |
Fix editing name & email for service user
A service-user (either created by SSH command or through ServiceUser
plugin) is actually not bound to the realm : so it makes no sense to
check if the realm supports editing FULL_USERNAME or EMAIL.
To overcome this, we now check realm capabilities only for users that belong
to that realm.
Change-Id: Ic4e04936a5d2444bf6b4644a2f8a3838a2686256
3 files changed, 20 insertions, 8 deletions
diff --git a/java/com/google/gerrit/server/restapi/account/DeleteEmail.java b/java/com/google/gerrit/server/restapi/account/DeleteEmail.java index 6bacde2220..36788c754b 100644 --- a/java/com/google/gerrit/server/restapi/account/DeleteEmail.java +++ b/java/com/google/gerrit/server/restapi/account/DeleteEmail.java @@ -24,6 +24,7 @@ import com.google.gerrit.extensions.restapi.ResourceConflictException; import com.google.gerrit.extensions.restapi.ResourceNotFoundException; import com.google.gerrit.extensions.restapi.Response; import com.google.gerrit.extensions.restapi.RestModifyView; +import com.google.gerrit.reviewdb.client.Account; import com.google.gerrit.server.CurrentUser; import com.google.gerrit.server.IdentifiedUser; import com.google.gerrit.server.account.AccountException; @@ -80,12 +81,14 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input> public Response<?> apply(IdentifiedUser user, String email) throws ResourceNotFoundException, ResourceConflictException, MethodNotAllowedException, OrmException, IOException, ConfigInvalidException { - if (!realm.allowsEdit(AccountFieldName.REGISTER_NEW_EMAIL)) { + Account.Id accountId = user.getAccountId(); + if (realm.accountBelongsToRealm(externalIds.byAccount(accountId)) + && !realm.allowsEdit(AccountFieldName.REGISTER_NEW_EMAIL)) { throw new MethodNotAllowedException("realm does not allow deleting emails"); } Set<ExternalId> extIds = - externalIds.byAccount(user.getAccountId()).stream() + externalIds.byAccount(accountId).stream() .filter(e -> email.equals(e.email())) .collect(toSet()); if (extIds.isEmpty()) { diff --git a/java/com/google/gerrit/server/restapi/account/PutName.java b/java/com/google/gerrit/server/restapi/account/PutName.java index 1e00aaccaf..4918aa38dc 100644 --- a/java/com/google/gerrit/server/restapi/account/PutName.java +++ b/java/com/google/gerrit/server/restapi/account/PutName.java 
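Review bot: The realm's edit restriction in `DeleteEmail.apply` is now skipped for every account where `realm.accountBelongsToRealm(...)` returns false, so the check fails open on whatever that method decides, not only for service users. How it answers for an account with no external IDs, or with IDs from several schemes, is not visible here; it is worth confirming and covering with a test that a realm-bound account is still rejected. A comment above the condition would record the intent, for example `// Accounts not bound to the realm (e.g. service users) are exempt from realm edit restrictions.` The same condition is added in the `PutName.apply` hunk and the second `PutUsername` hunk; `apply` here continues past the end of the hunk. `externalIds.byAccount(accountId)` is also evaluated twice in this method, so the result could be held in one local and reused for the `filter` so that both decisions see the same set.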
@@ -22,6 +22,7 @@ import com.google.gerrit.extensions.restapi.MethodNotAllowedException; import com.google.gerrit.extensions.restapi.ResourceNotFoundException; import com.google.gerrit.extensions.restapi.Response; import com.google.gerrit.extensions.restapi.RestModifyView; +import com.google.gerrit.reviewdb.client.Account; import com.google.gerrit.server.CurrentUser; import com.google.gerrit.server.IdentifiedUser; import com.google.gerrit.server.ServerInitiated; @@ -29,6 +30,7 @@ import com.google.gerrit.server.account.AccountResource; import com.google.gerrit.server.account.AccountState; import com.google.gerrit.server.account.AccountsUpdate; import com.google.gerrit.server.account.Realm; +import com.google.gerrit.server.account.externalids.ExternalIds; import com.google.gerrit.server.permissions.GlobalPermission; import com.google.gerrit.server.permissions.PermissionBackend; import com.google.gerrit.server.permissions.PermissionBackendException; @@ -44,6 +46,7 @@ public class PutName implements RestModifyView<AccountResource, NameInput> { private final Provider<CurrentUser> self; private final Realm realm; private final PermissionBackend permissionBackend; + private final ExternalIds externalIds; private final Provider<AccountsUpdate> accountsUpdateProvider; @Inject @@ -51,10 +54,12 @@ public class PutName implements RestModifyView<AccountResource, NameInput> { Provider<CurrentUser> self, Realm realm, PermissionBackend permissionBackend, + ExternalIds externalIds, @ServerInitiated Provider<AccountsUpdate> accountsUpdateProvider) { this.self = self; this.realm = realm; this.permissionBackend = permissionBackend; + this.externalIds = externalIds; this.accountsUpdateProvider = accountsUpdateProvider; } 
@@ -71,11 +76,14 @@ public class PutName implements RestModifyView<AccountResource, NameInput> { public Response<String> apply(IdentifiedUser user, NameInput input) throws MethodNotAllowedException, ResourceNotFoundException, IOException, ConfigInvalidException, OrmException { + if (input == null) { input = new NameInput(); } - if (!realm.allowsEdit(AccountFieldName.FULL_NAME)) { + Account.Id accountId = user.getAccountId(); + if (realm.accountBelongsToRealm(externalIds.byAccount(accountId)) + && !realm.allowsEdit(AccountFieldName.FULL_NAME)) { throw new MethodNotAllowedException("realm does not allow editing name"); } @@ -83,7 +91,7 @@ public class PutName implements RestModifyView<AccountResource, NameInput> { AccountState accountState = accountsUpdateProvider .get() - .update("Set Full Name via API", user.getAccountId(), u -> u.setFullName(newName)) + .update("Set Full Name via API", accountId, u -> u.setFullName(newName)) .orElseThrow(() -> new ResourceNotFoundException("account not found")); return Strings.isNullOrEmpty(accountState.getAccount().getFullName()) ? Response.none() diff --git a/java/com/google/gerrit/server/restapi/account/PutUsername.java b/java/com/google/gerrit/server/restapi/account/PutUsername.java index 7fff626d16..bc95153cbe 100644 --- a/java/com/google/gerrit/server/restapi/account/PutUsername.java +++ b/java/com/google/gerrit/server/restapi/account/PutUsername.java @@ -79,10 +79,6 @@ public class PutUsername implements RestModifyView<AccountResource, UsernameInpu permissionBackend.currentUser().check(GlobalPermission.ADMINISTRATE_SERVER); } - if (!realm.allowsEdit(AccountFieldName.USER_NAME)) { - throw new MethodNotAllowedException("realm does not allow editing username"); - } - if (input == null) { input = new UsernameInput(); } 
@@ -92,6 +88,11 @@ public class PutUsername implements RestModifyView<AccountResource, UsernameInpu throw new MethodNotAllowedException("Username cannot be changed."); } + if (realm.accountBelongsToRealm(externalIds.byAccount(accountId)) + && !realm.allowsEdit(AccountFieldName.USER_NAME)) { + throw new MethodNotAllowedException("realm does not allow editing username"); + } + if (Strings.isNullOrEmpty(input.username)) { return input.username; } |
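Review bot: Moving the realm check below the `Username cannot be changed.` check changes error precedence: a request that the earlier check rejects now gets that message even on a realm that forbids username edits, and the realm policy decision runs only after the preceding lookup. If `accountId` can be declared before the `input == null` block, the condition could stay directly after the permission check, where the removed lines were. `accountId` and `externalIds` are not declared in any visible hunk of this file, so the new lines presumably rely on existing declarations. The method starts and ends outside the hunk.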