Allow users with ACCESS_DATABASE to get/delete external IDs of others

Change-Id: I677eeb6626e0f483109826fe3b6d5721e8508eae Signed-off-by: Edwin Kempin <ekempin@google.com>
2017-06-01 11:56:26 +02:00
parent b9121ddf39
commit 07c063dd10
3 changed files with 70 additions and 3 deletions
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/ExternalIdIT.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/ExternalIdIT.java
@@ -96,7 +96,6 @@ public class ExternalIdIT extends AbstractDaemonTest {
  @Test
  public void getExternalIds() throws Exception {
    Collection<ExternalId> expectedIds = accountCache.get(user.getId()).getExternalIds();
-
    List<AccountExternalIdInfo> expectedIdInfos = toExternalIdInfos(expectedIds);

    RestResponse response = userRestSession.get("/accounts/self/external.ids");
@@ -112,6 +111,34 @@ public class ExternalIdIT extends AbstractDaemonTest {
    assertThat(results).containsExactlyElementsIn(expectedIdInfos);
  }

+  @Test
+  public void getExternalIdsOfOtherUserNotAllowed() throws Exception {
+    setApiUser(user);
+    exception.expect(AuthException.class);
+    exception.expectMessage("not allowed to get external IDs");
+    gApi.accounts().id(admin.id.get()).getExternalIds();
+  }
+
+  @Test
+  public void getExternalIdsOfOtherUserWithAccessDatabase() throws Exception {
+    allowGlobalCapabilities(REGISTERED_USERS, GlobalCapability.ACCESS_DATABASE);
+
+    Collection<ExternalId> expectedIds = accountCache.get(admin.getId()).getExternalIds();
+    List<AccountExternalIdInfo> expectedIdInfos = toExternalIdInfos(expectedIds);
+
+    RestResponse response = userRestSession.get("/accounts/" + admin.id + "/external.ids");
+    response.assertOK();
+
+    List<AccountExternalIdInfo> results =
+        newGson()
+            .fromJson(
+                response.getReader(), new TypeToken<List<AccountExternalIdInfo>>() {}.getType());
+
+    Collections.sort(expectedIdInfos);
+    Collections.sort(results);
+    assertThat(results).containsExactlyElementsIn(expectedIdInfos);
+  }
+
  @Test
  public void deleteExternalIds() throws Exception {
    setApiUser(user);
@@ -138,6 +165,46 @@ public class ExternalIdIT extends AbstractDaemonTest {
    assertThat(results).containsExactlyElementsIn(expectedIds);
  }

+  @Test
+  public void deleteExternalIdsOfOtherUserNotAllowed() throws Exception {
+    List<AccountExternalIdInfo> extIds = gApi.accounts().self().getExternalIds();
+    setApiUser(user);
+    exception.expect(AuthException.class);
+    exception.expectMessage("not allowed to delete external IDs");
+    gApi.accounts()
+        .id(admin.id.get())
+        .deleteExternalIds(extIds.stream().map(e -> e.identity).collect(toList()));
+  }
+
+  @Test
+  public void deleteExternalIdsOfOtherUserWithAccessDatabase() throws Exception {
+    allowGlobalCapabilities(REGISTERED_USERS, GlobalCapability.ACCESS_DATABASE);
+
+    List<AccountExternalIdInfo> externalIds = gApi.accounts().self().getExternalIds();
+
+    List<String> toDelete = new ArrayList<>();
+    List<AccountExternalIdInfo> expectedIds = new ArrayList<>();
+    for (AccountExternalIdInfo id : externalIds) {
+      if (id.canDelete != null && id.canDelete) {
+        toDelete.add(id.identity);
+        continue;
+      }
+      expectedIds.add(id);
+    }
+
+    assertThat(toDelete).hasSize(1);
+
+    setApiUser(user);
+    RestResponse response =
+        userRestSession.post("/accounts/" + admin.id + "/external.ids:delete", toDelete);
+    response.assertNoContent();
+    List<AccountExternalIdInfo> results = gApi.accounts().id(admin.id.get()).getExternalIds();
+    // The external ID in WebSession will not be set for tests, resulting that
+    // "mailto:user@example.com" can be deleted while "username:user" can't.
+    assertThat(results).hasSize(1);
+    assertThat(results).containsExactlyElementsIn(expectedIds);
+  }
+
  @Test
  public void deleteExternalIdOfPreferredEmail() throws Exception {
    String preferredEmail = gApi.accounts().self().get().email;
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteExternalIds.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteExternalIds.java
@@ -52,7 +52,7 @@ public class DeleteExternalIds implements RestModifyView<AccountResource, List<S
  @Override
  public Response<?> apply(AccountResource resource, List<String> extIds)
      throws RestApiException, IOException, OrmException, ConfigInvalidException {
-    if (self.get() != resource.getUser()) {
+    if (self.get() != resource.getUser() && !self.get().getCapabilities().canAccessDatabase()) {
      throw new AuthException("not allowed to delete external IDs");
    }

--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetExternalIds.java
@@ -51,7 +51,7 @@ public class GetExternalIds implements RestReadView<AccountResource> {
  @Override
  public List<AccountExternalIdInfo> apply(AccountResource resource)
      throws RestApiException, IOException, OrmException {
-    if (self.get() != resource.getUser()) {
+    if (self.get() != resource.getUser() && !self.get().getCapabilities().canAccessDatabase()) {
      throw new AuthException("not allowed to get external IDs");
    }