From 23ff2cfc8ffc00ad3d6e2c752d63394957c8720d Mon Sep 17 00:00:00 2001
From: Sven Selberg
Date: Thu, 17 Dec 2020 09:43:18 +0100
Subject: ForRef#check should permit internal users to read all refs
79d24d4 Make PermissionBackend#ForRef authoritative Introduced a regression where InternalUsers where not taken into consideration when checking READ permission.
Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
---
 java/com/google/gerrit/server/permissions/RefControl.java | 4 ++++
 .../com/google/gerrit/server/permissions/RefControlTest.java | 10 ++++++++++
 2 files changed, 14 insertions(+)
diff --git a/java/com/google/gerrit/server/permissions/RefControl.java b/java/com/google/gerrit/server/permissions/RefControl.java
index b2dc41c892..945ae06c9d 100644
--- a/java/com/google/gerrit/server/permissions/RefControl.java
+++ b/java/com/google/gerrit/server/permissions/RefControl.java
@@ -603,6 +603,10 @@ class RefControl {
 private boolean can(RefPermission perm) throws PermissionBackendException {
 switch (perm) {
 case READ:
+ /* Internal users such as plugin users should be able to read all refs. */
+ if (getUser().isInternalUser()) {
+ return true;
+ }
 if (refName.startsWith(Constants.R_TAGS)) {
 return isTagVisible();
 }
diff --git a/javatests/com/google/gerrit/server/permissions/RefControlTest.java b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
index 6a1c037acf..7f2f5a432a 100644
--- a/javatests/com/google/gerrit/server/permissions/RefControlTest.java
+++ b/javatests/com/google/gerrit/server/permissions/RefControlTest.java
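Review bot: The new `isInternalUser()` short-circuit in the `READ` case of `can()` returns true ahead of the `Constants.R_TAGS` branch and every other visibility check, so the read decision for such callers rests entirely on which `CurrentUser` implementations report themselves as internal; the comment states the intent but not that trust assumption. A wording such as `// Internal users are server-constructed identities, never derived from a request, so READ is granted on every ref without consulting access rules.` would tell a later reader why skipping the ACL evaluation is acceptable, presuming that is the invariant, which the hunk does not show. A `//` line comment would also read more naturally than the `/* … */` form inside a method body. The rest of `can()` lies outside the hunk, so whether the other `RefPermission` cases need the same treatment cannot be judged from here.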
@@ -44,6 +44,7 @@ import com.google.gerrit.entities.AccountGroup;
 import com.google.gerrit.entities.Project;
 import com.google.gerrit.exceptions.InvalidNameException;
 import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.InternalUser;
 import com.google.gerrit.server.account.GroupMembership;
 import com.google.gerrit.server.account.ListGroupMembership;
 import com.google.gerrit.server.config.AllProjectsName;
@@ -311,6 +312,11 @@ public class RefControlTest {
 assertAllRefsAreNotVisible(user(allUsersName, DEVS));
 }
+ @Test
+ public void userRefIsVisibleForInternalUser() throws Exception {
+ internalUser(localKey).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
+ }
+
 @Test
 public void branchDelegation1() throws Exception {
 projectOperations
@@ -1219,6 +1225,10 @@ public class RefControlTest {
 return projectCache.checkedGet(nameKey, true);
 }
+ private ProjectControl internalUser(Project.NameKey localKey) throws Exception {
+ return projectControlFactory.create(new InternalUser(), getProjectState(localKey));
+ }
+
 private ProjectControl user(Project.NameKey localKey, AccountGroup.UUID... memberOf) throws Exception {
 return user(localKey, null, memberOf);
-- cgit v1.2.3
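Review bot: `userRefIsVisibleForInternalUser` passes whenever `check(RefPermission.READ)` does not throw, and nothing in the test shows that an ordinary user is refused on `refs/users/default` in the same project, so it may keep passing if the internal-user branch is later removed. Pairing it with a denial assertion for a regular user on the same ref, for example `assertThrows(AuthException.class, () -> user(localKey, DEVS).controlForRef("refs/users/default").asForRef().check(RefPermission.READ));`, would pin the bypass as the reason the check succeeds; this presumes `check` signals denial with `AuthException` and that `assertThrows` is available to the test class, neither of which is visible in the hunk. Because the new branch in `RefControl` sits ahead of the tag-visibility path, a second case on a `refs/tags/` ref would cover that ordering as well.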