Make project state check in READ explicit

The majority of code in {Project,Ref,Change}Control is now about permissions, but not all. Exceptions include checks for a project's state. This is confusing, because users are presented with an exception telling them that they lack some kind of permission while the real reason for the failed operation is that the project's current state doesn't permit the operation. This is part of a series of commits to remove all project state checks from *Control classes and make explicit checks instead. Calls from resources in restapi/change/* need no explicit check if the project state permits reads as this is checked in ChangesCollection. Change-Id: Ifde8885cf48d7a63af52fe5ce3347f880f131d48
2018-01-15 17:58:15 +01:00
parent a9a057e1db
commit 0431dc2cae
20 changed files with 171 additions and 70 deletions
--- a/java/com/google/gerrit/httpd/raw/CatServlet.java
+++ b/java/com/google/gerrit/httpd/raw/CatServlet.java
@@ -15,6 +15,7 @@
 package com.google.gerrit.httpd.raw;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.ResourceConflictException;
 import com.google.gerrit.extensions.restapi.Url;
 import com.google.gerrit.reviewdb.client.Change;
 import com.google.gerrit.reviewdb.client.Patch;
@@ -29,6 +30,7 @@ import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.NoSuchChangeException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -57,6 +59,7 @@ public class CatServlet extends HttpServlet {
  private final PatchSetUtil psUtil;
  private final ChangeNotes.Factory changeNotesFactory;
  private final PermissionBackend permissionBackend;
  private final ProjectCache projectCache;
  @Inject
  CatServlet(
@@ -65,13 +68,15 @@ public class CatServlet extends HttpServlet {
      ChangeEditUtil ceu,
      PatchSetUtil psu,
      ChangeNotes.Factory cnf,
-      PermissionBackend pb) {
+      PermissionBackend pb,
      ProjectCache pc) {
    requestDb = sf;
    userProvider = usrprv;
    changeEditUtil = ceu;
    psUtil = psu;
    changeNotesFactory = cnf;
    permissionBackend = pb;
    projectCache = pc;
  }
  @Override
@@ -131,6 +136,7 @@ public class CatServlet extends HttpServlet {
          .change(notes)
          .database(requestDb)
          .check(ChangePermission.READ);
      projectCache.checkedGet(notes.getProjectName()).checkStatePermitsRead();
      if (patchKey.getParentKey().get() == 0) {
        // change edit
        Optional<ChangeEdit> edit = changeEditUtil.byChange(notes);
@@ -148,10 +154,10 @@ public class CatServlet extends HttpServlet {
        }
        revision = patchSet.getRevision().get();
      }
-    } catch (NoSuchChangeException | AuthException e) {
+    } catch (ResourceConflictException | NoSuchChangeException | AuthException e) {
      rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
      return;
-    } catch (OrmException | PermissionBackendException e) {
+    } catch (OrmException | PermissionBackendException | IOException e) {
      getServletContext().log("Cannot query database", e);
      rsp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
      return;
--- a/java/com/google/gerrit/server/ApprovalsUtil.java
+++ b/java/com/google/gerrit/server/ApprovalsUtil.java
@@ -49,10 +49,12 @@ import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.LabelPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.util.LabelVote;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -109,6 +111,7 @@ public class ApprovalsUtil {
  private final IdentifiedUser.GenericFactory userFactory;
  private final ApprovalCopier copier;
  private final PermissionBackend permissionBackend;
  private final ProjectCache projectCache;
  @VisibleForTesting
  @Inject
@@ -116,11 +119,13 @@ public class ApprovalsUtil {
      NotesMigration migration,
      IdentifiedUser.GenericFactory userFactory,
      ApprovalCopier copier,
-      PermissionBackend permissionBackend) {
+      PermissionBackend permissionBackend,
      ProjectCache projectCache) {
    this.migration = migration;
    this.userFactory = userFactory;
    this.copier = copier;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
  }
  /**
@@ -263,8 +268,9 @@ public class ApprovalsUtil {
  private boolean canSee(ReviewDb db, ChangeNotes notes, Account.Id accountId) {
    try {
      IdentifiedUser user = userFactory.create(accountId);
-      return permissionBackend.user(user).change(notes).database(db).test(ChangePermission.READ);
+      return projectCache.checkedGet(notes.getProjectName()).statePermitsRead()
-    } catch (PermissionBackendException e) {
+          && permissionBackend.user(user).change(notes).database(db).test(ChangePermission.READ);
    } catch (IOException | PermissionBackendException e) {
      log.warn(
          String.format(
              "Failed to check if account %d can see change %d",
--- a/java/com/google/gerrit/server/change/ChangeInserter.java
+++ b/java/com/google/gerrit/server/change/ChangeInserter.java
@@ -467,10 +467,11 @@ public class ChangeInserter implements InsertChangeOp {
              try {
                IdentifiedUser user = userFactory.create(accountId);
                return permissionBackend
-                    .user(user)
+                        .user(user)
-                    .change(notes)
+                        .change(notes)
-                    .database(db)
+                        .database(db)
-                    .test(ChangePermission.READ);
+                        .test(ChangePermission.READ)
                    && projectState.statePermitsRead();
              } catch (PermissionBackendException e) {
                log.warn(
                    String.format(
--- a/java/com/google/gerrit/server/change/ChangeJson.java
+++ b/java/com/google/gerrit/server/change/ChangeJson.java
@@ -124,6 +124,7 @@ import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.NoSuchChangeException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.project.RemoveReviewerControl;
 import com.google.gerrit.server.project.SubmitRuleOptions;
 import com.google.gerrit.server.query.change.ChangeData;
@@ -1469,13 +1470,19 @@ public class ChangeJson {
        : withUser.indexedChange(cd, notesFactory.createFromIndexedChange(cd.change()));
  }
-  private boolean isWorldReadable(ChangeData cd) throws OrmException, PermissionBackendException {
+  private boolean isWorldReadable(ChangeData cd)
      throws OrmException, PermissionBackendException, IOException {
    try {
      permissionBackendForChange(anonymous, cd).check(ChangePermission.READ);
      return true;
    } catch (AuthException ae) {
      return false;
    }
    ProjectState projectState = projectCache.checkedGet(cd.project());
    if (projectState == null) {
      log.error("project state for project " + cd.project() + " is null");
      return false;
    }
    return projectState.statePermitsRead();
  }
  @AutoValue
--- a/java/com/google/gerrit/server/events/EventBroker.java
+++ b/java/com/google/gerrit/server/events/EventBroker.java
@@ -163,7 +163,7 @@ public class EventBroker implements EventDispatcher {
      return false;
    }
    ProjectState pe = projectCache.get(change.getProject());
-    if (pe == null) {
+    if (pe == null || !pe.statePermitsRead()) {
      return false;
    }
    ReviewDb db = dbProvider.get();
--- a/java/com/google/gerrit/server/git/LocalMergeSuperSetComputation.java
+++ b/java/com/google/gerrit/server/git/LocalMergeSuperSetComputation.java
@@ -33,6 +33,8 @@ import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.NoSuchProjectException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gerrit.server.query.change.InternalChangeQuery;
 import com.google.gwtorm.server.OrmException;
@@ -87,10 +89,14 @@ public class LocalMergeSuperSetComputation implements MergeSuperSetComputation {
  private final Provider<InternalChangeQuery> queryProvider;
  private final Map<QueryKey, List<ChangeData>> queryCache;
  private final Map<Branch.NameKey, Optional<RevCommit>> heads;
  private final ProjectCache projectCache;
  @Inject
  LocalMergeSuperSetComputation(
-      PermissionBackend permissionBackend, Provider<InternalChangeQuery> queryProvider) {
+      PermissionBackend permissionBackend,
      Provider<InternalChangeQuery> queryProvider,
      ProjectCache projectCache) {
    this.projectCache = projectCache;
    this.permissionBackend = permissionBackend;
    this.queryProvider = queryProvider;
    this.queryCache = new HashMap<>();
@@ -171,8 +177,12 @@ public class LocalMergeSuperSetComputation implements MergeSuperSetComputation {
  }
  private boolean isVisible(ReviewDb db, ChangeSet changeSet, ChangeData cd, CurrentUser user)
-      throws PermissionBackendException {
+      throws PermissionBackendException, IOException {
-    boolean visible = changeSet.ids().contains(cd.getId());
+    ProjectState projectState = projectCache.checkedGet(cd.project());
    boolean visible =
        changeSet.ids().contains(cd.getId())
            && (projectState != null)
            && projectState.statePermitsRead();
    if (visible
        && !permissionBackend.user(user).change(cd).database(db).test(ChangePermission.READ)) {
      // We thought the change was visible, but it isn't.
--- a/java/com/google/gerrit/server/git/MergeSuperSet.java
+++ b/java/com/google/gerrit/server/git/MergeSuperSet.java
@@ -27,6 +27,8 @@ import com.google.gerrit.server.index.change.ChangeField;
 import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gerrit.server.query.change.InternalChangeQuery;
 import com.google.gwtorm.server.OrmException;
@@ -75,6 +77,7 @@ public class MergeSuperSet {
  private final DynamicItem<MergeSuperSetComputation> mergeSuperSetComputation;
  private final PermissionBackend permissionBackend;
  private final Config cfg;
  private final ProjectCache projectCache;
  private MergeOpRepoManager orm;
  private boolean closeOrm;
@@ -86,13 +89,15 @@ public class MergeSuperSet {
      Provider<InternalChangeQuery> queryProvider,
      Provider<MergeOpRepoManager> repoManagerProvider,
      DynamicItem<MergeSuperSetComputation> mergeSuperSetComputation,
-      PermissionBackend permissionBackend) {
+      PermissionBackend permissionBackend,
      ProjectCache projectCache) {
    this.cfg = cfg;
    this.changeDataFactory = changeDataFactory;
    this.queryProvider = queryProvider;
    this.repoManagerProvider = repoManagerProvider;
    this.mergeSuperSetComputation = mergeSuperSetComputation;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
  }
  public static boolean wholeTopicEnabled(Config config) {
@@ -115,9 +120,17 @@ public class MergeSuperSet {
      }
      ChangeData cd = changeDataFactory.create(db, change.getProject(), change.getId());
      ProjectState projectState = projectCache.checkedGet(cd.project());
      ChangeSet changeSet =
          new ChangeSet(
-              cd, permissionBackend.user(user).change(cd).database(db).test(ChangePermission.READ));
+              cd,
              projectState != null
                  && projectState.statePermitsRead()
                  && permissionBackend
                      .user(user)
                      .change(cd)
                      .database(db)
                      .test(ChangePermission.READ));
      if (wholeTopicEnabled(cfg)) {
        return completeChangeSetIncludingTopics(db, changeSet, user);
      }
@@ -149,7 +162,7 @@ public class MergeSuperSet {
      CurrentUser user,
      Set<String> topicsSeen,
      Set<String> visibleTopicsSeen)
-      throws OrmException, PermissionBackendException {
+      throws OrmException, PermissionBackendException, IOException {
    List<ChangeData> visibleChanges = new ArrayList<>();
    List<ChangeData> nonVisibleChanges = new ArrayList<>();
@@ -208,7 +221,10 @@ public class MergeSuperSet {
  }
  private boolean canRead(ReviewDb db, CurrentUser user, ChangeData cd)
-      throws PermissionBackendException {
+      throws PermissionBackendException, IOException {
-    return permissionBackend.user(user).change(cd).database(db).test(ChangePermission.READ);
+    ProjectState projectState = projectCache.checkedGet(cd.project());
    return projectState != null
        && projectState.statePermitsRead()
        && permissionBackend.user(user).change(cd).database(db).test(ChangePermission.READ);
  }
 }
--- a/java/com/google/gerrit/server/git/VisibleRefFilter.java
+++ b/java/com/google/gerrit/server/git/VisibleRefFilter.java
@@ -316,7 +316,8 @@ public class VisibleRefFilter extends AbstractAdvertiseRefsHook {
      Map<Change.Id, Branch.NameKey> visibleChanges = new HashMap<>();
      for (ChangeData cd : changeCache.getChangeData(db.get(), project)) {
        ChangeNotes notes = changeNotesFactory.createFromIndexedChange(cd.change());
-        if (perm.indexedChange(cd, notes).test(ChangePermission.READ)) {
+        if (projectState.statePermitsRead()
            && perm.indexedChange(cd, notes).test(ChangePermission.READ)) {
          visibleChanges.put(cd.getId(), cd.change().getDest());
        }
      }
@@ -349,7 +350,7 @@ public class VisibleRefFilter extends AbstractAdvertiseRefsHook {
      return null;
    }
    try {
-      if (perm.change(r.notes()).test(ChangePermission.READ)) {
+      if (projectState.statePermitsRead() && perm.change(r.notes()).test(ChangePermission.READ)) {
        return r.notes();
      }
    } catch (PermissionBackendException e) {
--- a/java/com/google/gerrit/server/mail/send/ChangeEmail.java
+++ b/java/com/google/gerrit/server/mail/send/ChangeEmail.java
@@ -408,11 +408,12 @@ public abstract class ChangeEmail extends NotificationEmail {
  @Override
  protected boolean isVisibleTo(Account.Id to) throws OrmException, PermissionBackendException {
-    return args.permissionBackend
+    return projectState.statePermitsRead()
-        .user(args.identifiedUserFactory.create(to))
+        && args.permissionBackend
-        .change(changeData)
+            .user(args.identifiedUserFactory.create(to))
-        .database(args.db.get())
+            .change(changeData)
-        .test(ChangePermission.READ);
+            .database(args.db.get())
            .test(ChangePermission.READ);
  }
  /** Find all users who are authors of any part of this change. */
--- a/java/com/google/gerrit/server/patch/PatchScriptFactory.java
+++ b/java/com/google/gerrit/server/patch/PatchScriptFactory.java
@@ -42,6 +42,7 @@ import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.InvalidChangeOperationException;
 import com.google.gerrit.server.project.NoSuchChangeException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Provider;
 import com.google.inject.assistedinject.Assisted;
@@ -93,6 +94,7 @@ public class PatchScriptFactory implements Callable<PatchScript> {
  private final ChangeEditUtil editReader;
  private final Provider<CurrentUser> userProvider;
  private final PermissionBackend permissionBackend;
  private final ProjectCache projectCache;
  private Optional<ChangeEdit> edit;
  private final Change.Id changeId;
@@ -116,6 +118,7 @@ public class PatchScriptFactory implements Callable<PatchScript> {
      ChangeEditUtil editReader,
      Provider<CurrentUser> userProvider,
      PermissionBackend permissionBackend,
      ProjectCache projectCache,
      @Assisted ChangeNotes notes,
      @Assisted String fileName,
      @Assisted("patchSetA") @Nullable PatchSet.Id patchSetA,
@@ -131,6 +134,7 @@ public class PatchScriptFactory implements Callable<PatchScript> {
    this.editReader = editReader;
    this.userProvider = userProvider;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
    this.fileName = fileName;
    this.psa = patchSetA;
@@ -152,6 +156,7 @@ public class PatchScriptFactory implements Callable<PatchScript> {
      ChangeEditUtil editReader,
      Provider<CurrentUser> userProvider,
      PermissionBackend permissionBackend,
      ProjectCache projectCache,
      @Assisted ChangeNotes notes,
      @Assisted String fileName,
      @Assisted int parentNum,
@@ -167,6 +172,7 @@ public class PatchScriptFactory implements Callable<PatchScript> {
    this.editReader = editReader;
    this.userProvider = userProvider;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
    this.fileName = fileName;
    this.psa = null;
@@ -209,6 +215,10 @@ public class PatchScriptFactory implements Callable<PatchScript> {
      }
    }
    if (!projectCache.checkedGet(notes.getProjectName()).statePermitsRead()) {
      throw new NoSuchChangeException(changeId);
    }
    try (Repository git = repoManager.openRepository(notes.getProjectName())) {
      bId = toObjectId(psEntityB);
      if (parentNum < 0) {
--- a/java/com/google/gerrit/server/project/ChangeControl.java
+++ b/java/com/google/gerrit/server/project/ChangeControl.java
@@ -130,7 +130,7 @@ class ChangeControl {
    if (getChange().isPrivate() && !isPrivateVisible(db, cd)) {
      return false;
    }
-    return refControl.isVisible() && getProjectControl().getProject().getState().permitsRead();
+    return refControl.isVisible();
  }
  /** Can this user abandon this change? */
--- a/java/com/google/gerrit/server/query/change/ChangeIsVisibleToPredicate.java
+++ b/java/com/google/gerrit/server/query/change/ChangeIsVisibleToPredicate.java
@@ -24,8 +24,11 @@ import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.NoSuchProjectException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Provider;
 import java.io.IOException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -36,17 +39,20 @@ public class ChangeIsVisibleToPredicate extends IsVisibleToPredicate<ChangeData>
  protected final ChangeNotes.Factory notesFactory;
  protected final CurrentUser user;
  protected final PermissionBackend permissionBackend;
  protected final ProjectCache projectCache;
  public ChangeIsVisibleToPredicate(
      Provider<ReviewDb> db,
      ChangeNotes.Factory notesFactory,
      CurrentUser user,
-      PermissionBackend permissionBackend) {
+      PermissionBackend permissionBackend,
      ProjectCache projectCache) {
    super(ChangeQueryBuilder.FIELD_VISIBLETO, IndexUtils.describe(user));
    this.db = db;
    this.notesFactory = notesFactory;
    this.user = user;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
  }
  @Override
@@ -60,6 +66,20 @@ public class ChangeIsVisibleToPredicate extends IsVisibleToPredicate<ChangeData>
    }
    ChangeNotes notes = notesFactory.createFromIndexedChange(change);
    try {
      ProjectState projectState = projectCache.checkedGet(cd.project());
      if (projectState == null) {
        logger.info("No such project: {}", cd.project());
        return false;
      }
      if (!projectState.statePermitsRead()) {
        return false;
      }
    } catch (IOException e) {
      throw new OrmException("unable to read project state", e);
    }
    boolean visible;
    try {
      visible =
--- a/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java
+++ b/java/com/google/gerrit/server/query/change/ChangeQueryBuilder.java
@@ -915,7 +915,8 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
  }
  public Predicate<ChangeData> visibleto(CurrentUser user) {
-    return new ChangeIsVisibleToPredicate(args.db, args.notesFactory, user, args.permissionBackend);
+    return new ChangeIsVisibleToPredicate(
        args.db, args.notesFactory, user, args.permissionBackend, args.projectCache);
  }
  public Predicate<ChangeData> is_visible() throws QueryParseException {
--- a/java/com/google/gerrit/server/query/change/ChangeQueryProcessor.java
+++ b/java/com/google/gerrit/server/query/change/ChangeQueryProcessor.java
@@ -34,6 +34,7 @@ import com.google.gerrit.server.index.change.ChangeSchemaDefinitions;
 import com.google.gerrit.server.index.change.IndexedChangeQuery;
 import com.google.gerrit.server.notedb.ChangeNotes;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import java.util.ArrayList;
@@ -63,6 +64,7 @@ public class ChangeQueryProcessor extends QueryProcessor<ChangeData>
  private final ChangeNotes.Factory notesFactory;
  private final DynamicMap<ChangeAttributeFactory> attributeFactories;
  private final PermissionBackend permissionBackend;
  private final ProjectCache projectCache;
  static {
    // It is assumed that basic rewrites do not touch visibleto predicates.
@@ -82,7 +84,8 @@ public class ChangeQueryProcessor extends QueryProcessor<ChangeData>
      Provider<ReviewDb> db,
      ChangeNotes.Factory notesFactory,
      DynamicMap<ChangeAttributeFactory> attributeFactories,
-      PermissionBackend permissionBackend) {
+      PermissionBackend permissionBackend,
      ProjectCache projectCache) {
    super(
        metricMaker,
        ChangeSchemaDefinitions.INSTANCE,
@@ -96,6 +99,7 @@ public class ChangeQueryProcessor extends QueryProcessor<ChangeData>
    this.notesFactory = notesFactory;
    this.attributeFactories = attributeFactories;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
  }
  @Override
@@ -138,7 +142,8 @@ public class ChangeQueryProcessor extends QueryProcessor<ChangeData>
  protected Predicate<ChangeData> enforceVisibility(Predicate<ChangeData> pred) {
    return new AndChangeSource(
        pred,
-        new ChangeIsVisibleToPredicate(db, notesFactory, userProvider.get(), permissionBackend),
+        new ChangeIsVisibleToPredicate(
            db, notesFactory, userProvider.get(), permissionBackend, projectCache),
        start);
  }
 }
--- a/java/com/google/gerrit/server/query/change/EqualsLabelPredicate.java
+++ b/java/com/google/gerrit/server/query/change/EqualsLabelPredicate.java
@@ -30,6 +30,7 @@ import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Provider;
 import java.io.IOException;
 public class EqualsLabelPredicate extends ChangeIndexPredicate {
  protected final ProjectCache projectCache;
@@ -123,8 +124,11 @@ public class EqualsLabelPredicate extends ChangeIndexPredicate {
    try {
      PermissionBackend.ForChange perm =
          permissionBackend.user(reviewer).database(dbProvider).change(cd);
-      return perm.test(ChangePermission.READ);
+      ProjectState projectState = projectCache.checkedGet(cd.project());
-    } catch (PermissionBackendException e) {
+      return projectState != null
          && projectState.statePermitsRead()
          && perm.test(ChangePermission.READ);
    } catch (PermissionBackendException | IOException e) {
      return false;
    }
  }
--- a/java/com/google/gerrit/server/restapi/change/ChangesCollection.java
+++ b/java/com/google/gerrit/server/restapi/change/ChangesCollection.java
@@ -135,13 +135,17 @@ public class ChangesCollection
    return createChange;
  }
-  private boolean canRead(ChangeNotes notes) throws PermissionBackendException {
+  private boolean canRead(ChangeNotes notes) throws PermissionBackendException, IOException {
    try {
      permissionBackend.user(user).change(notes).database(db).check(ChangePermission.READ);
      return true;
    } catch (AuthException e) {
      return false;
    }
    ProjectState projectState = projectCache.checkedGet(notes.getProjectName());
    if (projectState == null) {
      return false;
    }
    return projectState.statePermitsRead();
  }
  private void checkProjectStatePermitsRead(Project.NameKey project)
--- a/java/com/google/gerrit/server/restapi/change/GetRelated.java
+++ b/java/com/google/gerrit/server/restapi/change/GetRelated.java
@@ -101,7 +101,7 @@ public class GetRelated implements RestReadView<RevisionResource> {
    reloadChangeIfStale(cds, basePs);
-    for (RelatedChangesSorter.PatchSetData d : sorter.sort(cds, basePs, rsrc.getUser())) {
+    for (RelatedChangesSorter.PatchSetData d : sorter.sort(cds, basePs)) {
      PatchSet ps = d.patchSet();
      RevCommit commit;
      if (isEdit && ps.getId().equals(basePs.getId())) {
--- a/java/com/google/gerrit/server/restapi/change/RelatedChangesSorter.java
+++ b/java/com/google/gerrit/server/restapi/change/RelatedChangesSorter.java
@@ -34,6 +34,8 @@ import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -61,25 +63,30 @@ class RelatedChangesSorter {
  private final GitRepositoryManager repoManager;
  private final PermissionBackend permissionBackend;
  private final Provider<ReviewDb> dbProvider;
  private final ProjectCache projectCache;
  private final Provider<CurrentUser> currentUserProvider;
  @Inject
  RelatedChangesSorter(
      GitRepositoryManager repoManager,
      PermissionBackend permissionBackend,
-      Provider<ReviewDb> dbProvider) {
+      Provider<ReviewDb> dbProvider,
      ProjectCache projectCache,
      Provider<CurrentUser> currentUserProvider) {
    this.repoManager = repoManager;
    this.permissionBackend = permissionBackend;
    this.dbProvider = dbProvider;
    this.projectCache = projectCache;
    this.currentUserProvider = currentUserProvider;
  }
-  public List<PatchSetData> sort(List<ChangeData> in, PatchSet startPs, CurrentUser user)
+  public List<PatchSetData> sort(List<ChangeData> in, PatchSet startPs)
      throws OrmException, IOException, PermissionBackendException {
    checkArgument(!in.isEmpty(), "Input may not be empty");
    // Map of all patch sets, keyed by commit SHA-1.
    Map<String, PatchSetData> byId = collectById(in);
    PatchSetData start = byId.get(startPs.getRevision().get());
    checkArgument(start != null, "%s not found in %s", startPs, in);
    PermissionBackend.WithUser perm = permissionBackend.user(user).database(dbProvider);
    // Map of patch set -> immediate parent.
    ListMultimap<PatchSetData, PatchSetData> parents =
@@ -106,9 +113,9 @@ class RelatedChangesSorter {
      }
    }
-    Collection<PatchSetData> ancestors = walkAncestors(perm, parents, start);
+    Collection<PatchSetData> ancestors = walkAncestors(parents, start);
    List<PatchSetData> descendants =
-        walkDescendants(perm, children, start, otherPatchSetsOfStart, ancestors);
+        walkDescendants(children, start, otherPatchSetsOfStart, ancestors);
    List<PatchSetData> result = new ArrayList<>(ancestors.size() + descendants.size() - 1);
    result.addAll(Lists.reverse(descendants));
    result.addAll(ancestors);
@@ -140,17 +147,15 @@ class RelatedChangesSorter {
    return result;
  }
-  private static Collection<PatchSetData> walkAncestors(
+  private Collection<PatchSetData> walkAncestors(
-      PermissionBackend.WithUser perm,
+      ListMultimap<PatchSetData, PatchSetData> parents, PatchSetData start)
-      ListMultimap<PatchSetData, PatchSetData> parents,
+      throws PermissionBackendException, IOException {
      PatchSetData start)
      throws PermissionBackendException {
    LinkedHashSet<PatchSetData> result = new LinkedHashSet<>();
    Deque<PatchSetData> pending = new ArrayDeque<>();
    pending.add(start);
    while (!pending.isEmpty()) {
      PatchSetData psd = pending.remove();
-      if (result.contains(psd) || !isVisible(psd, perm)) {
+      if (result.contains(psd) || !isVisible(psd)) {
        continue;
      }
      result.add(psd);
@@ -159,26 +164,24 @@ class RelatedChangesSorter {
    return result;
  }
-  private static List<PatchSetData> walkDescendants(
+  private List<PatchSetData> walkDescendants(
      PermissionBackend.WithUser perm,
      ListMultimap<PatchSetData, PatchSetData> children,
      PatchSetData start,
      List<PatchSetData> otherPatchSetsOfStart,
      Iterable<PatchSetData> ancestors)
-      throws PermissionBackendException {
+      throws PermissionBackendException, IOException {
    Set<Change.Id> alreadyEmittedChanges = new HashSet<>();
    addAllChangeIds(alreadyEmittedChanges, ancestors);
    // Prefer descendants found by following the original patch set passed in.
    List<PatchSetData> result =
-        walkDescendentsImpl(perm, alreadyEmittedChanges, children, ImmutableList.of(start));
+        walkDescendentsImpl(alreadyEmittedChanges, children, ImmutableList.of(start));
    addAllChangeIds(alreadyEmittedChanges, result);
    // Then, go back and add new indirect descendants found by following any
    // other patch sets of start. These show up after all direct descendants,
    // because we wouldn't know where in the walk to insert them.
-    result.addAll(
+    result.addAll(walkDescendentsImpl(alreadyEmittedChanges, children, otherPatchSetsOfStart));
        walkDescendentsImpl(perm, alreadyEmittedChanges, children, otherPatchSetsOfStart));
    return result;
  }
@@ -189,12 +192,11 @@ class RelatedChangesSorter {
    }
  }
-  private static List<PatchSetData> walkDescendentsImpl(
+  private List<PatchSetData> walkDescendentsImpl(
      PermissionBackend.WithUser perm,
      Set<Change.Id> alreadyEmittedChanges,
      ListMultimap<PatchSetData, PatchSetData> children,
      List<PatchSetData> start)
-      throws PermissionBackendException {
+      throws PermissionBackendException, IOException {
    if (start.isEmpty()) {
      return ImmutableList.of();
    }
@@ -205,7 +207,7 @@ class RelatedChangesSorter {
    pending.addAll(start);
    while (!pending.isEmpty()) {
      PatchSetData psd = pending.remove();
-      if (seen.contains(psd) || !isVisible(psd, perm)) {
+      if (seen.contains(psd) || !isVisible(psd)) {
        continue;
      }
      seen.add(psd);
@@ -236,14 +238,16 @@ class RelatedChangesSorter {
    return result;
  }
-  private static boolean isVisible(PatchSetData psd, PermissionBackend.WithUser perm)
+  private boolean isVisible(PatchSetData psd) throws PermissionBackendException, IOException {
-      throws PermissionBackendException {
+    PermissionBackend.WithUser perm =
        permissionBackend.user(currentUserProvider).database(dbProvider);
    try {
      perm.change(psd.data()).check(ChangePermission.READ);
      return true;
    } catch (AuthException e) {
      return false;
    }
    ProjectState state = projectCache.checkedGet(psd.data().project());
    return state != null && state.statePermitsRead();
  }
  @AutoValue
--- a/java/com/google/gerrit/server/restapi/change/Revisions.java
+++ b/java/com/google/gerrit/server/restapi/change/Revisions.java
@@ -33,6 +33,7 @@ import com.google.gerrit.server.edit.ChangeEditUtil;
 import com.google.gerrit.server.permissions.ChangePermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -51,6 +52,7 @@ public class Revisions implements ChildCollection<ChangeResource, RevisionResour
  private final ChangeEditUtil editUtil;
  private final PatchSetUtil psUtil;
  private final PermissionBackend permissionBackend;
  private final ProjectCache projectCache;
  @Inject
  Revisions(
@@ -58,12 +60,14 @@ public class Revisions implements ChildCollection<ChangeResource, RevisionResour
      Provider<ReviewDb> dbProvider,
      ChangeEditUtil editUtil,
      PatchSetUtil psUtil,
-      PermissionBackend permissionBackend) {
+      PermissionBackend permissionBackend,
      ProjectCache projectCache) {
    this.views = views;
    this.dbProvider = dbProvider;
    this.editUtil = editUtil;
    this.psUtil = psUtil;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
  }
  @Override
@@ -105,14 +109,14 @@ public class Revisions implements ChildCollection<ChangeResource, RevisionResour
    }
  }
-  private boolean visible(ChangeResource change) throws PermissionBackendException {
+  private boolean visible(ChangeResource change) throws PermissionBackendException, IOException {
    try {
      permissionBackend
          .user(change.getUser())
          .change(change.getNotes())
          .database(dbProvider)
          .check(ChangePermission.READ);
-      return true;
+      return projectCache.checkedGet(change.getProject()).statePermitsRead();
    } catch (AuthException e) {
      return false;
    }
--- a/java/com/google/gerrit/sshd/ChangeArgumentParser.java
+++ b/java/com/google/gerrit/sshd/ChangeArgumentParser.java
@@ -92,11 +92,12 @@ public class ChangeArgumentParser {
      if (!changes.containsKey(notes.getChangeId())
          && inProject(projectState, notes.getProjectName())
          && (canMaintainServer
-              || permissionBackend
+              || (permissionBackend
-                  .user(currentUser)
+                      .user(currentUser)
-                  .change(notes)
+                      .change(notes)
-                  .database(db)
+                      .database(db)
-                  .test(ChangePermission.READ))) {
+                      .test(ChangePermission.READ)
                  && projectState.statePermitsRead()))) {
        toAdd.add(notes);
      }
    }