diff options
Diffstat (limited to 'gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java')
-rw-r--r-- | gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java | 50 |
1 files changed, 38 insertions, 12 deletions
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java index 9ad125090c..f27b9d388c 100644 --- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java +++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java @@ -14,6 +14,7 @@ package com.google.gerrit.httpd.rpc.project; +import com.google.common.base.Throwables; import com.google.gerrit.common.Nullable; import com.google.gerrit.common.TimeUtil; import com.google.gerrit.common.data.AccessSection; @@ -21,6 +22,7 @@ import com.google.gerrit.common.data.GlobalCapability; import com.google.gerrit.common.data.PermissionRule; import com.google.gerrit.common.errors.PermissionDeniedException; import com.google.gerrit.extensions.api.changes.AddReviewerInput; +import com.google.gerrit.extensions.restapi.AuthException; import com.google.gerrit.extensions.restapi.ResourceNotFoundException; import com.google.gerrit.extensions.restapi.RestApiException; import com.google.gerrit.reviewdb.client.Change; @@ -37,11 +39,13 @@ import com.google.gerrit.server.change.PostReviewers; import com.google.gerrit.server.config.AllProjectsName; import com.google.gerrit.server.git.MetaDataUpdate; import com.google.gerrit.server.git.ProjectConfig; -import com.google.gerrit.server.git.validators.CommitValidators; import com.google.gerrit.server.group.SystemGroupBackend; +import com.google.gerrit.server.permissions.PermissionBackend; +import com.google.gerrit.server.permissions.PermissionBackendException; +import com.google.gerrit.server.permissions.RefPermission; +import com.google.gerrit.server.project.ContributorAgreementsChecker; import com.google.gerrit.server.project.ProjectCache; import com.google.gerrit.server.project.ProjectControl; -import com.google.gerrit.server.project.RefControl; import com.google.gerrit.server.project.SetParent; import com.google.gerrit.server.update.BatchUpdate; import com.google.gerrit.server.update.UpdateException; @@ -53,6 +57,7 @@ import java.io.IOException; import java.util.List; import org.eclipse.jgit.lib.ObjectId; import org.eclipse.jgit.lib.ObjectInserter; +import org.eclipse.jgit.lib.ObjectReader; import org.eclipse.jgit.revwalk.RevCommit; import org.eclipse.jgit.revwalk.RevWalk; @@ -67,6 +72,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { } private final ReviewDb db; + private final PermissionBackend permissionBackend; private final Sequences seq; private final Provider<PostReviewers> reviewersProvider; private final ProjectCache projectCache; @@ -77,6 +83,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { @Inject ReviewProjectAccess( final ProjectControl.Factory projectControlFactory, + PermissionBackend permissionBackend, GroupBackend groupBackend, MetaDataUpdate.User metaDataUpdateFactory, ReviewDb db, @@ -88,6 +95,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { BatchUpdate.Factory updateFactory, Provider<SetParent> setParent, Sequences seq, + ContributorAgreementsChecker contributorAgreements, @Assisted("projectName") Project.NameKey projectName, @Nullable @Assisted ObjectId base, @Assisted List<AccessSection> sectionList, @@ -104,8 +112,10 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { sectionList, parentProjectName, message, + contributorAgreements, false); this.db = db; + this.permissionBackend = permissionBackend; this.seq = seq; this.reviewersProvider = reviewersProvider; this.projectCache = projectCache; @@ -114,19 +124,32 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { this.updateFactory = updateFactory; } + // TODO(dborowitz): Hack MetaDataUpdate so it can be created within a BatchUpdate and we can avoid + // calling setUpdateRef(false). + @SuppressWarnings("deprecation") @Override protected Change.Id updateProjectConfig( ProjectControl projectControl, ProjectConfig config, MetaDataUpdate md, boolean parentProjectUpdate) - throws IOException, OrmException, PermissionDeniedException { - RefControl refsMetaConfigControl = projectControl.controlForRef(RefNames.REFS_CONFIG); - if (!refsMetaConfigControl.isVisible()) { + throws IOException, OrmException, PermissionDeniedException, PermissionBackendException { + PermissionBackend.ForRef metaRef = + permissionBackend + .user(projectControl.getUser()) + .project(projectControl.getProject().getNameKey()) + .ref(RefNames.REFS_CONFIG); + try { + metaRef.check(RefPermission.READ); + } catch (AuthException denied) { throw new PermissionDeniedException(RefNames.REFS_CONFIG + " not visible"); } - if (!projectControl.isOwner() && !refsMetaConfigControl.canUpload()) { - throw new PermissionDeniedException("cannot upload to " + RefNames.REFS_CONFIG); + if (!projectControl.isOwner()) { + try { + metaRef.check(RefPermission.CREATE_CHANGE); + } catch (AuthException denied) { + throw new PermissionDeniedException("cannot create change for " + RefNames.REFS_CONFIG); + } } md.setInsertChangeId(true); @@ -138,8 +161,9 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { return null; } - try (RevWalk rw = new RevWalk(md.getRepository()); - ObjectInserter objInserter = md.getRepository().newObjectInserter(); + try (ObjectInserter objInserter = md.getRepository().newObjectInserter(); + ObjectReader objReader = objInserter.newReader(); + RevWalk rw = new RevWalk(objReader); BatchUpdate bu = updateFactory.create( db, config.getProject().getNameKey(), projectControl.getUser(), TimeUtil.nowTs())) { @@ -147,7 +171,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { bu.insertChange( changeInserterFactory .create(changeId, commit, RefNames.REFS_CONFIG) - .setValidatePolicy(CommitValidators.Policy.NONE) + .setValidate(false) .setUpdateRef(false)); // Created by commitToNewRef. bu.execute(); } catch (UpdateException | RestApiException e) { @@ -173,9 +197,10 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { AddReviewerInput input = new AddReviewerInput(); input.reviewer = projectOwners; reviewersProvider.get().apply(rsrc, input); - } catch (IOException | OrmException | RestApiException | UpdateException e) { + } catch (Exception e) { // one of the owner groups is not visible to the user and this it why it // can't be added as reviewer + Throwables.throwIfUnchecked(e); } } @@ -192,8 +217,9 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> { AddReviewerInput input = new AddReviewerInput(); input.reviewer = r.getGroup().getUUID().get(); reviewersProvider.get().apply(rsrc, input); - } catch (IOException | OrmException | RestApiException | UpdateException e) { + } catch (Exception e) { // ignore + Throwables.throwIfUnchecked(e); } } } |