Diffstat (limited to 'gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java')
-rw-r--r--gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java50
1 files changed, 38 insertions, 12 deletions
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java
index 9ad125090c..f27b9d388c 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/project/ReviewProjectAccess.java
@@ -14,6 +14,7 @@
package com.google.gerrit.httpd.rpc.project;
+import com.google.common.base.Throwables;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.TimeUtil;
import com.google.gerrit.common.data.AccessSection;
@@ -21,6 +22,7 @@ import com.google.gerrit.common.data.GlobalCapability;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.common.errors.PermissionDeniedException;
import com.google.gerrit.extensions.api.changes.AddReviewerInput;
+import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.reviewdb.client.Change;
@@ -37,11 +39,13 @@ import com.google.gerrit.server.change.PostReviewers;
import com.google.gerrit.server.config.AllProjectsName;
import com.google.gerrit.server.git.MetaDataUpdate;
import com.google.gerrit.server.git.ProjectConfig;
-import com.google.gerrit.server.git.validators.CommitValidators;
import com.google.gerrit.server.group.SystemGroupBackend;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.permissions.RefPermission;
+import com.google.gerrit.server.project.ContributorAgreementsChecker;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.project.ProjectControl;
-import com.google.gerrit.server.project.RefControl;
import com.google.gerrit.server.project.SetParent;
import com.google.gerrit.server.update.BatchUpdate;
import com.google.gerrit.server.update.UpdateException;
@@ -53,6 +57,7 @@ import java.io.IOException;
import java.util.List;
import org.eclipse.jgit.lib.ObjectId;
import org.eclipse.jgit.lib.ObjectInserter;
+import org.eclipse.jgit.lib.ObjectReader;
import org.eclipse.jgit.revwalk.RevCommit;
import org.eclipse.jgit.revwalk.RevWalk;
@@ -67,6 +72,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
}
private final ReviewDb db;
+ private final PermissionBackend permissionBackend;
private final Sequences seq;
private final Provider<PostReviewers> reviewersProvider;
private final ProjectCache projectCache;
@@ -77,6 +83,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
@Inject
ReviewProjectAccess(
final ProjectControl.Factory projectControlFactory,
+ PermissionBackend permissionBackend,
GroupBackend groupBackend,
MetaDataUpdate.User metaDataUpdateFactory,
ReviewDb db,
@@ -88,6 +95,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
BatchUpdate.Factory updateFactory,
Provider<SetParent> setParent,
Sequences seq,
+ ContributorAgreementsChecker contributorAgreements,
@Assisted("projectName") Project.NameKey projectName,
@Nullable @Assisted ObjectId base,
@Assisted List<AccessSection> sectionList,
@@ -104,8 +112,10 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
sectionList,
parentProjectName,
message,
+ contributorAgreements,
false);
this.db = db;
+ this.permissionBackend = permissionBackend;
this.seq = seq;
this.reviewersProvider = reviewersProvider;
this.projectCache = projectCache;
@@ -114,19 +124,32 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
this.updateFactory = updateFactory;
}
+ // TODO(dborowitz): Hack MetaDataUpdate so it can be created within a BatchUpdate and we can avoid
+ // calling setUpdateRef(false).
+ @SuppressWarnings("deprecation")
@Override
protected Change.Id updateProjectConfig(
ProjectControl projectControl,
ProjectConfig config,
MetaDataUpdate md,
boolean parentProjectUpdate)
- throws IOException, OrmException, PermissionDeniedException {
- RefControl refsMetaConfigControl = projectControl.controlForRef(RefNames.REFS_CONFIG);
- if (!refsMetaConfigControl.isVisible()) {
+ throws IOException, OrmException, PermissionDeniedException, PermissionBackendException {
+ PermissionBackend.ForRef metaRef =
+ permissionBackend
+ .user(projectControl.getUser())
+ .project(projectControl.getProject().getNameKey())
+ .ref(RefNames.REFS_CONFIG);
+ try {
+ metaRef.check(RefPermission.READ);
+ } catch (AuthException denied) {
throw new PermissionDeniedException(RefNames.REFS_CONFIG + " not visible");
}
- if (!projectControl.isOwner() && !refsMetaConfigControl.canUpload()) {
- throw new PermissionDeniedException("cannot upload to " + RefNames.REFS_CONFIG);
+ if (!projectControl.isOwner()) {
+ try {
+ metaRef.check(RefPermission.CREATE_CHANGE);
+ } catch (AuthException denied) {
+ throw new PermissionDeniedException("cannot create change for " + RefNames.REFS_CONFIG);
+ }
}
md.setInsertChangeId(true);
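Review bot: The `!projectControl.isOwner()` guard lets project owners skip the `CREATE_CHANGE` check with no comment saying so, and it is still answered by the legacy `ProjectControl` while the two ref checks go through `permissionBackend`. This method is the authorization gate for proposing changes to `refs/meta/config`, so I would add a comment above the guard, e.g. `// Owners may always propose config changes; other users need CREATE_CHANGE on refs/meta/config.` Both catch blocks also drop the caught `AuthException`; if `PermissionDeniedException` accepts a cause it is worth chaining it, otherwise a short comment that the detail is omitted on purpose would help. The body of `updateProjectConfig` continues past the end of this hunk.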
@@ -138,8 +161,9 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
return null;
}
- try (RevWalk rw = new RevWalk(md.getRepository());
- ObjectInserter objInserter = md.getRepository().newObjectInserter();
+ try (ObjectInserter objInserter = md.getRepository().newObjectInserter();
+ ObjectReader objReader = objInserter.newReader();
+ RevWalk rw = new RevWalk(objReader);
BatchUpdate bu =
updateFactory.create(
db, config.getProject().getNameKey(), projectControl.getUser(), TimeUtil.nowTs())) {
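Review bot: The new resource order (inserter, then a reader obtained from it, then the `RevWalk` on that reader) is significant but undocumented, so a later cleanup could easily revert it to `new RevWalk(md.getRepository())`. Presumably the walk needs to see objects written through `objInserter` before they are flushed; if that is the intent, say so above the try, e.g. `// Walk via the inserter's reader so objects not yet flushed are visible.` The try statement and its enclosing method extend beyond this hunk.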
@@ -147,7 +171,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
bu.insertChange(
changeInserterFactory
.create(changeId, commit, RefNames.REFS_CONFIG)
- .setValidatePolicy(CommitValidators.Policy.NONE)
+ .setValidate(false)
.setUpdateRef(false)); // Created by commitToNewRef.
bu.execute();
} catch (UpdateException | RestApiException e) {
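Review bot: `.setValidate(false)` carries no rationale, while the trailing comment on the next line explains only `setUpdateRef(false)`. What validation this switches off is not visible here, so a reader cannot tell whether the READ / CREATE_CHANGE checks at the top of `updateProjectConfig` are the only gate left for this change. I would add a comment on that line, something like `// Validation skipped: commit is built server-side by commitToNewRef; access is checked above.`, with the wording confirmed by the author. The enclosing try statement starts outside this hunk.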
@@ -173,9 +197,10 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
AddReviewerInput input = new AddReviewerInput();
input.reviewer = projectOwners;
reviewersProvider.get().apply(rsrc, input);
- } catch (IOException | OrmException | RestApiException | UpdateException e) {
+ } catch (Exception e) {
// one of the owner groups is not visible to the user and this it why it
// can't be added as reviewer
+ Throwables.throwIfUnchecked(e);
}
}
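Review bot: `catch (Exception e)` followed by `Throwables.throwIfUnchecked(e)` now discards every checked exception from `reviewersProvider.get().apply(rsrc, input)` without a trace, yet the comment in the block still attributes the failure to an owner group not being visible. A storage or permission-backend failure would be dropped the same way, so an access change could go to review with no owner reviewers and nothing in the log. I would either list the checked types explicitly again (adding whichever new one `apply` declares, presumably `PermissionBackendException`) or log `e` before continuing. The same applies to the `// ignore` catch in the following hunk; both enclosing methods start outside the hunks.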
@@ -192,8 +217,9 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
AddReviewerInput input = new AddReviewerInput();
input.reviewer = r.getGroup().getUUID().get();
reviewersProvider.get().apply(rsrc, input);
- } catch (IOException | OrmException | RestApiException | UpdateException e) {
+ } catch (Exception e) {
// ignore
+ Throwables.throwIfUnchecked(e);
}
}
}