diff options
| author | Sven Selberg <svense@axis.com> | 2020-12-17 09:43:18 +0100 |
|---|---|---|
| committer | Luca Milanesio <luca.milanesio@gmail.com> | 2021-02-12 15:32:58 +0000 |
| commit | 68b3492fcbd98bbbc4f48d24a4c194e50767481a (patch) | |
| tree | 72e6b5497506e969a516e2cc07c3048b94d43281 | |
| parent | fc651f4a0dfb1250c46dc901df4bdfaf595702cf (diff) | |
ForRef#check should permit internal users to read all refs
79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.
Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d)
| -rw-r--r-- | java/com/google/gerrit/server/permissions/RefControl.java | 4 | ||||
| -rw-r--r-- | javatests/com/google/gerrit/server/permissions/RefControlTest.java | 21 |
2 files changed, 25 insertions, 0 deletions
diff --git a/java/com/google/gerrit/server/permissions/RefControl.java b/java/com/google/gerrit/server/permissions/RefControl.java index 5d6910a68d..411a52a73c 100644 --- a/java/com/google/gerrit/server/permissions/RefControl.java +++ b/java/com/google/gerrit/server/permissions/RefControl.java @@ -608,6 +608,10 @@ class RefControl { private boolean can(RefPermission perm) throws PermissionBackendException { switch (perm) { case READ: + /* Internal users such as plugin users should be able to read all refs. */ + if (getUser().isInternalUser()) { + return true; + } if (refName.startsWith(Constants.R_TAGS)) { return isTagVisible(); } diff --git a/javatests/com/google/gerrit/server/permissions/RefControlTest.java b/javatests/com/google/gerrit/server/permissions/RefControlTest.java index 0f0f1c3ec1..429621a69a 100644 --- a/javatests/com/google/gerrit/server/permissions/RefControlTest.java +++ b/javatests/com/google/gerrit/server/permissions/RefControlTest.java @@ -48,6 +48,7 @@ import com.google.gerrit.reviewdb.client.AccountGroup; import com.google.gerrit.reviewdb.client.Project; import com.google.gerrit.reviewdb.server.ReviewDb; import com.google.gerrit.server.CurrentUser; +import com.google.gerrit.server.InternalUser; import com.google.gerrit.server.account.CapabilityCollection; import com.google.gerrit.server.account.GroupMembership; import com.google.gerrit.server.account.ListGroupMembership; @@ -392,6 +393,11 @@ public class RefControlTest { } @Test + public void userRefIsVisibleForInternalUser() throws Exception { + internalUser(local).controlForRef("refs/users/default").asForRef().check(RefPermission.READ); + } + + @Test public void branchDelegation1() throws Exception { allow(local, OWNER, ADMIN, "refs/*"); allow(local, OWNER, DEVS, "refs/heads/x/*"); @@ -1039,6 +1045,21 @@ public class RefControlTest { return repo; } + private ProjectControl internalUser(ProjectConfig local) throws Exception { + return new ProjectControl( + Collections.emptySet(), + Collections.emptySet(), + sectionSorter, + changeControlFactory, + permissionBackend, + refVisibilityControl, + repoManager, + refFilterFactory, + allUsersName, + new InternalUser(), + newProjectState(local)); + } + private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) { return user(local, null, memberOf); } |