1 files changed, 44 insertions, 25 deletions

diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/ApprovalsUtil.java b/gerrit-server/src/main/java/com/google/gerrit/server/ApprovalsUtil.java
index 57615c4511..82fa3f6673 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/ApprovalsUtil.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/ApprovalsUtil.java
@@ -28,10 +28,9 @@ import com.google.common.collect.Lists;
 import com.google.common.collect.Ordering;
 import com.google.common.collect.Sets;
 import com.google.common.primitives.Shorts;
+import com.google.gerrit.common.Nullable;
 import com.google.gerrit.common.data.LabelType;
 import com.google.gerrit.common.data.LabelTypes;
-import com.google.gerrit.common.data.Permission;
-import com.google.gerrit.common.data.PermissionRange;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.BadRequestException;
 import com.google.gerrit.extensions.restapi.RestApiException;
@@ -46,7 +45,10 @@ import com.google.gerrit.server.notedb.ChangeNotes;
 import com.google.gerrit.server.notedb.ChangeUpdate;
 import com.google.gerrit.server.notedb.NotesMigration;
 import com.google.gerrit.server.notedb.ReviewerStateInternal;
-import com.google.gerrit.server.project.ChangeControl;
+import com.google.gerrit.server.permissions.ChangePermission;
+import com.google.gerrit.server.permissions.LabelPermission;
+import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.util.LabelVote;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -60,6 +62,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import org.eclipse.jgit.lib.Config;
+import org.eclipse.jgit.revwalk.RevWalk;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -97,26 +101,26 @@ public class ApprovalsUtil {
   }
 
   private static Iterable<PatchSetApproval> filterApprovals(
-      Iterable<PatchSetApproval> psas, final Account.Id accountId) {
+      Iterable<PatchSetApproval> psas, Account.Id accountId) {
     return Iterables.filter(psas, a -> Objects.equals(a.getAccountId(), accountId));
   }
 
   private final NotesMigration migration;
   private final IdentifiedUser.GenericFactory userFactory;
-  private final ChangeControl.GenericFactory changeControlFactory;
   private final ApprovalCopier copier;
+  private final PermissionBackend permissionBackend;
 
   @VisibleForTesting
   @Inject
   public ApprovalsUtil(
       NotesMigration migration,
       IdentifiedUser.GenericFactory userFactory,
-      ChangeControl.GenericFactory changeControlFactory,
-      ApprovalCopier copier) {
+      ApprovalCopier copier,
+      PermissionBackend permissionBackend) {
     this.migration = migration;
     this.userFactory = userFactory;
-    this.changeControlFactory = changeControlFactory;
     this.copier = copier;
+    this.permissionBackend = permissionBackend;
   }
 
   /**
@@ -259,8 +263,8 @@ public class ApprovalsUtil {
   private boolean canSee(ReviewDb db, ChangeNotes notes, Account.Id accountId) {
     try {
       IdentifiedUser user = userFactory.create(accountId);
-      return changeControlFactory.controlFor(notes, user).isVisible(db);
-    } catch (OrmException e) {
+      return permissionBackend.user(user).change(notes).database(db).test(ChangePermission.READ);
+    } catch (PermissionBackendException e) {
       log.warn(
           "Failed to check if account {} can see change {}",
           accountId.get(),
@@ -302,7 +306,7 @@ public class ApprovalsUtil {
    * @param update change update.
    * @param labelTypes label types for the containing project.
    * @param ps patch set being approved.
-   * @param changeCtl change control for user adding approvals.
+   * @param user user adding approvals.
    * @param approvals approvals to add.
    * @throws RestApiException
    * @throws OrmException
@@ -312,24 +316,24 @@ public class ApprovalsUtil {
       ChangeUpdate update,
       LabelTypes labelTypes,
       PatchSet ps,
-      ChangeControl changeCtl,
+      CurrentUser user,
       Map<String, Short> approvals)
-      throws RestApiException, OrmException {
-    Account.Id accountId = changeCtl.getUser().getAccountId();
+      throws RestApiException, OrmException, PermissionBackendException {
+    Account.Id accountId = user.getAccountId();
     checkArgument(
         accountId.equals(ps.getUploader()),
         "expected user %s to match patch set uploader %s",
         accountId,
         ps.getUploader());
     if (approvals.isEmpty()) {
-      return Collections.emptyList();
+      return ImmutableList.of();
     }
-    checkApprovals(approvals, changeCtl);
+    checkApprovals(approvals, permissionBackend.user(user).database(db).change(update.getNotes()));
     List<PatchSetApproval> cells = new ArrayList<>(approvals.size());
     Date ts = update.getWhen();
     for (Map.Entry<String, Short> vote : approvals.entrySet()) {
       LabelType lt = labelTypes.byLabel(vote.getKey());
-      cells.add(newApproval(ps.getId(), changeCtl.getUser(), lt.getLabelId(), vote.getValue(), ts));
+      cells.add(newApproval(ps.getId(), user, lt.getLabelId(), vote.getValue(), ts));
     }
     for (PatchSetApproval psa : cells) {
       update.putApproval(psa.getLabel(), psa.getValue());
@@ -350,13 +354,15 @@ public class ApprovalsUtil {
     }
   }
 
-  private static void checkApprovals(Map<String, Short> approvals, ChangeControl changeCtl)
-      throws AuthException {
+  private static void checkApprovals(
+      Map<String, Short> approvals, PermissionBackend.ForChange forChange)
+      throws AuthException, PermissionBackendException {
     for (Map.Entry<String, Short> vote : approvals.entrySet()) {
       String name = vote.getKey();
       Short value = vote.getValue();
-      PermissionRange range = changeCtl.getRange(Permission.forLabel(name));
-      if (range == null || !range.contains(value)) {
+      try {
+        forChange.check(new LabelPermission.WithValue(name, value));
+      } catch (AuthException e) {
         throw new AuthException(
             String.format("applying label \"%s\": %d is restricted", name, value));
       }
@@ -376,20 +382,33 @@ public class ApprovalsUtil {
     return notes.load().getApprovals();
   }
 
-  public Iterable<PatchSetApproval> byPatchSet(ReviewDb db, ChangeControl ctl, PatchSet.Id psId)
+  public Iterable<PatchSetApproval> byPatchSet(
+      ReviewDb db,
+      ChangeNotes notes,
+      CurrentUser user,
+      PatchSet.Id psId,
+      @Nullable RevWalk rw,
+      @Nullable Config repoConfig)
       throws OrmException {
     if (!migration.readChanges()) {
       return sortApprovals(db.patchSetApprovals().byPatchSet(psId));
     }
-    return copier.getForPatchSet(db, ctl, psId);
+    return copier.getForPatchSet(db, notes, user, psId, rw, repoConfig);
   }
 
   public Iterable<PatchSetApproval> byPatchSetUser(
-      ReviewDb db, ChangeControl ctl, PatchSet.Id psId, Account.Id accountId) throws OrmException {
+      ReviewDb db,
+      ChangeNotes notes,
+      CurrentUser user,
+      PatchSet.Id psId,
+      Account.Id accountId,
+      @Nullable RevWalk rw,
+      @Nullable Config repoConfig)
+      throws OrmException {
     if (!migration.readChanges()) {
       return sortApprovals(db.patchSetApprovals().byPatchSetUser(psId, accountId));
     }
-    return filterApprovals(byPatchSet(db, ctl, psId), accountId);
+    return filterApprovals(byPatchSet(db, notes, user, psId, rw, repoConfig), accountId);
   }
 
   public PatchSetApproval getSubmitter(ReviewDb db, ChangeNotes notes, PatchSet.Id c) {