Allow users with ACCESS_DATABASE to get/delete external IDs of others

Change-Id: I677eeb6626e0f483109826fe3b6d5721e8508eae Signed-off-by: Edwin Kempin <ekempin@google.com>
2017-06-01 11:56:26 +02:00
parent b9121ddf39
commit 07c063dd10
3 changed files with 70 additions and 3 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
@@ -51,7 +51,7 @@ public class GetExternalIds implements RestReadView<AccountResource> {
  @Override
  public List<AccountExternalIdInfo> apply(AccountResource resource)
      throws RestApiException, IOException, OrmException {
-    if (self.get() != resource.getUser()) {
+    if (self.get() != resource.getUser() && !self.get().getCapabilities().canAccessDatabase()) {
      throw new AuthException("not allowed to get external IDs");
    }