author | Shawn O. Pearce <sop@google.com> | 2010-11-08 17:07:26 -0800 |
---|---|---|
committer | Shawn O. Pearce <sop@google.com> | 2010-11-08 17:07:26 -0800 |
commit | ee5320abd7c58bc2c563dad4bb612e9a70d8a364 (patch) | |
tree | 59391c028f6b3db0465699fac76e5b97e0b966be | |
parent | 04bbac58b11fe5d50d6fff45ad90edc6ffbc5cec (diff) |
Hide access rights not visible to userv2.1.5.1
It may be an information leak to display to a user other branches
and the group those users have access to read. When displaying the
access rights of a project, filter the list of displayed RefRights
to only those RefRights that are owned by the user, or are visible
to them via READ +1 permission.
Change-Id: I70d04d494ec9cef81c2108ecb451a81ac0293615
Signed-off-by: Shawn O. Pearce <sop@google.com>
-rw-r--r-- | gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java
index 3ff3892f9a..ef632c44bd 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ProjectDetailFactory.java
@@ -26,6 +26,7 @@ import com.google.gerrit.server.account.GroupCache;
 import com.google.gerrit.server.project.NoSuchProjectException;
 import com.google.gerrit.server.project.ProjectControl;
 import com.google.gerrit.server.project.ProjectState;
+import com.google.gerrit.server.project.RefControl;
 import com.google.inject.Inject;
 import com.google.inject.assistedinject.Assisted;
@@ -75,8 +76,14 @@ class ProjectDetailFactory extends Handler<ProjectDetail> {
 final List<InheritedRefRight> refRights = new ArrayList<InheritedRefRight>();
 for (final RefRight r : projectState.getInheritedRights()) {
- InheritedRefRight refRight = new InheritedRefRight(
- r, true, pc.controlForRef(r.getRefPattern()).isOwner());
+ RefControl rc = pc.controlForRef(r.getRefPattern());
+ boolean isOwner = rc.isOwner();
+
+ if (!isOwner && !rc.isVisible()) {
+ continue;
+ }
+
+ InheritedRefRight refRight = new InheritedRefRight(r, true, isOwner);
 if (!refRights.contains(refRight)) {
 refRights.add(refRight);
 wantGroup(r.getAccountGroupId());
@@ -84,8 +91,14 @@ class ProjectDetailFactory extends Handler<ProjectDetail> {
 }
 for (final RefRight r : projectState.getLocalRights()) {
- refRights.add(new InheritedRefRight(
- r, false, pc.controlForRef(r.getRefPattern()).isOwner()));
+ RefControl rc = pc.controlForRef(r.getRefPattern());
+ boolean isOwner = rc.isOwner();
+
+ if (!isOwner && !rc.isVisible()) {
+ continue;
+ }
+
+ refRights.add(new InheritedRefRight(r, false, isOwner));
 wantGroup(r.getAccountGroupId());
 } |
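Review bot: In both loops (the getInheritedRights() loop in the -75,8 hunk and the getLocalRights() loop in the -84,8 hunk) the visibility decision comes from `pc.controlForRef(r.getRefPattern())`, so `rc.isVisible()` is evaluated against the right's pattern string rather than against a concrete ref name. RefControl is not shown on this page, so whether a wildcard or otherwise non-literal pattern yields the same answer as the refs it matches is an assumption to confirm; if the check is more permissive for patterns than for real refs, part of the disclosure described in the commit message would remain. The same five-line filter is duplicated in the two loops, so a small private helper such as `private static boolean canSee(RefControl rc) { return rc.isOwner() || rc.isVisible(); }` plus a comment like `// Skip rights the caller neither owns nor can read, so branch and group names are not disclosed.` would keep the two paths from drifting apart. The diffstat lists only this file, so a test asserting that a non-owner without READ receives neither the right nor its group would be worth adding; the enclosing method starts and ends outside the hunks.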