author | Jacek Centkowski <geminica.programs@gmail.com> | 2022-03-04 11:07:15 +0100 |
---|---|---|
committer | Jacek Centkowski <geminica.programs@gmail.com> | 2022-03-17 16:55:58 +0100 |
commit | 34a2d6b3da5f2dc60e0c84541800bb8c1f7588c5 (patch) | |
tree | f0b65e0f2b8218a118d24415b5dc544239477802 | |
parent | bf22fef492414882172cd153b02e692b29f34c36 (diff) |
Ignore '--no-limit' query changes option for anonymous users
Adding 'no-limit' option to query changes REST API can result in
substantial resource usage. This change ensures that it cannot be used
(or abused) by anonymous users.
Notes:
* one can still configure them to request unlimited results by setting
'Query Limit' Global Capability to Integer.MAX_VALUE for 'Anonymous
Users' group
* 'no-limit' option is only a part of query changes API hence accounts,
groups and projects are not affected by this change
Release-Notes: Ignore '--no-limit' for anonymous users change queries
Change-Id: Ic789690ffd2f94f02989c2906fcd75e442df86f8
-rw-r--r-- | Documentation/rest-api-changes.txt | 4 | ||||
-rw-r--r-- | java/com/google/gerrit/server/restapi/change/QueryChanges.java | 7 | ||||
-rw-r--r-- | javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java | 22 |
3 files changed, 28 insertions, 5 deletions
diff --git a/Documentation/rest-api-changes.txt b/Documentation/rest-api-changes.txt
index 2bfb5d5b80..32bfc6b496 100644
--- a/Documentation/rest-api-changes.txt
+++ b/Documentation/rest-api-changes.txt
@@ -74,8 +74,8 @@ Queries changes visible to the caller. The link:user-search.html#_search_operators[query string] must be provided by the `q` parameter. The `n` parameter can be used to limit the returned results. The `no-limit` parameter can be used remove the default
-limit on queries and return all results. This might not be supported by
-all index backends.
+limit on queries and return all results (does not apply to anonymous requests).
+This might not be supported by all index backends.
 As result a list of link:#change-info[ChangeInfo] entries is returned.
 The change output is sorted by the last update time, most recently
diff --git a/java/com/google/gerrit/server/restapi/change/QueryChanges.java b/java/com/google/gerrit/server/restapi/change/QueryChanges.java
index 3c8157b51e..7df74f817f 100644
--- a/java/com/google/gerrit/server/restapi/change/QueryChanges.java
+++ b/java/com/google/gerrit/server/restapi/change/QueryChanges.java
@@ -27,6 +27,7 @@ import com.google.gerrit.extensions.restapi.TopLevelResource;
 import com.google.gerrit.index.query.QueryParseException;
 import com.google.gerrit.index.query.QueryRequiresAuthException;
 import com.google.gerrit.index.query.QueryResult;
+import com.google.gerrit.server.AnonymousUser;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.DynamicOptions;
 import com.google.gerrit.server.change.ChangeJson;
@@ -95,7 +96,9 @@ public class QueryChanges implements RestReadView<TopLevelResource>, DynamicOpti
 this.start = start;
 }

- @Option(name = "--no-limit", usage = "Return all results, overriding the default limit")
+ @Option(
+ name = "--no-limit",
+ usage = "Return all results, overriding the default limit. Ignored for anonymous users.")
 public void setNoLimit(boolean on) {
 this.noLimit = on;
 }
@@ -168,7 +171,7 @@ public class QueryChanges implements RestReadView<TopLevelResource>, DynamicOpti
 if (start != null) {
 queryProcessor.setStart(start);
 }
- if (noLimit != null) {
+ if (noLimit != null && !AnonymousUser.class.isAssignableFrom(userProvider.get().getClass())) {
 queryProcessor.setNoLimit(noLimit);
 }
 if (skipVisibility != null) {
diff --git a/javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java b/javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java
index 0c30ef5dce..7c504b8c25 100644
--- a/javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java
+++ b/javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java
@@ -2618,7 +2618,7 @@ public class ChangeIT extends AbstractDaemonTest {
 }

 @Test
- public void queryChangesNoLimit() throws Exception {
+ public void queryChangesNoLimitRegisteredUser() throws Exception {
 projectOperations
 .allProjectsForUpdate()
 .add(
@@ -2636,6 +2636,26 @@ public class ChangeIT extends AbstractDaemonTest {
 }

 @Test
+ public void queryChangesNoLimitIgnoredForAnonymousUser() throws Exception {
+ int limit = 2;
+ projectOperations
+ .allProjectsForUpdate()
+ .add(
+ allowCapability(GlobalCapability.QUERY_LIMIT)
+ .group(SystemGroupBackend.ANONYMOUS_USERS)
+ .range(0, limit))
+ .update();
+ for (int i = 0; i < 3; i++) {
+ createChange();
+ }
+ requestScopeOperations.setApiUserAnonymous();
+ List<ChangeInfo> resultsWithDefaultLimit = gApi.changes().query().get();
+ List<ChangeInfo> resultsWithNoLimit = gApi.changes().query().withNoLimit().get();
+ assertThat(resultsWithDefaultLimit).hasSize(limit);
+ assertThat(resultsWithNoLimit).hasSize(limit);
+ }
+
+ @Test
 public void queryChangesStart() throws Exception {
 PushOneCommit.Result r1 = createChange();
 createChange();
 |
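Review bot: The anonymous check on the changed `if` in the second QueryChanges hunk is spelled as `!AnonymousUser.class.isAssignableFrom(userProvider.get().getClass())`, which is the reflective form of a plain type test and reads as if something subtler were intended; `if (noLimit != null && !(userProvider.get() instanceof AnonymousUser)) {` is equivalent and clearer. Because an anonymous caller's `--no-limit` is now dropped silently rather than rejected, a why-comment above the condition would help the next maintainer, e.g. `// --no-limit is ignored for anonymous callers to bound resource use; their ceiling is the 'Query Limit' capability granted to Anonymous Users.` The enclosing method starts and ends outside the hunk, and `userProvider` is presumably a `Provider<CurrentUser>` field declared elsewhere in the class.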