From 5e0ea9c89b42ccb69b0494406b776302ee059dfe Mon Sep 17 00:00:00 2001 From: Marco Miller Date: Thu, 6 Sep 2018 17:05:04 -0400 Subject: [PATCH 1/3] ProjectTagsScreen: Base visibility on the create refs/tags/* permission Before this change, the Tags creation form fields were visible also if either refs/* or refs/head/* was allowed for Create Reference. This fix limits that visibility to a create refs/tags/* permission solely, as per current documentation anyway. isOwnerAnyRef() still also makes the panel visible, overriding potentially missing ref creation permissions. Create Annotated Tag is still also required for the user to be able to use the optional Annotation field. In this case, the created tag is no longer lightweight but becomes annotated. Both kinds of tags are still supported through such a single Tags creation panel or form, thus the need to allow both permissions even if aiming for annotated tags only. (Command line does not have that design limitation indeed.) Bug: Issue 9689 Change-Id: I7e3d11a62ad1e49575e6ef743138158efa831e6a --- Documentation/rest-api-access.txt | 4 ++ Documentation/rest-api-projects.txt | 2 + .../api/access/ProjectAccessInfo.java | 1 + .../client/access/ProjectAccessInfo.java | 2 + .../client/admin/ProjectTagsScreen.java | 2 +- .../gerrit/server/project/GetAccess.java | 1 + .../gerrit/server/project/ProjectControl.java | 60 +++++++++++++++---- 7 files changed, 58 insertions(+), 14 deletions(-) diff --git a/Documentation/rest-api-access.txt b/Documentation/rest-api-access.txt index 07a3d7848a..a90ea1afa2 100644 --- a/Documentation/rest-api-access.txt +++ b/Documentation/rest-api-access.txt @@ -263,6 +263,7 @@ The entries in the map are sorted by project name. ], "can_upload": true, "can_add": true, + "can_add_tags": true, "config_visible": true }, "MyProject": { @@ -279,6 +280,7 @@ The entries in the map are sorted by project name. ], "can_upload": true, "can_add": true, + "can_add_tags": true, "config_visible": true } } 
@@ -365,6 +367,8 @@ Whether the calling user owns this project. Whether the calling user can upload to any ref. |`can_add` |not set if `false`| Whether the calling user can add any ref. +|`can_add_tags` |not set if `false`| +Whether the calling user can add any tag ref. |`config_visible` |not set if `false`| Whether the calling user can see the `refs/meta/config` branch of the project. diff --git a/Documentation/rest-api-projects.txt b/Documentation/rest-api-projects.txt index 8e151bc45d..573337e5f2 100644 --- a/Documentation/rest-api-projects.txt +++ b/Documentation/rest-api-projects.txt @@ -1014,6 +1014,7 @@ As result a link:#project-access-info[ProjectAccessInfo] entity is returned. ], "can_upload": true, "can_add": true, + "can_add_tags": true, "config_visible": true } ---- @@ -1097,6 +1098,7 @@ As result a link:#project-access-info[ProjectAccessInfo] entity is returned. ], "can_upload": true, "can_add": true, + "can_add_tags": true, "config_visible": true } ---- diff --git a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/access/ProjectAccessInfo.java b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/access/ProjectAccessInfo.java index 0922d955d3..995c664a3b 100644 --- a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/access/ProjectAccessInfo.java +++ b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/access/ProjectAccessInfo.java @@ -26,5 +26,6 @@ public class ProjectAccessInfo { public Set ownerOf; public Boolean canUpload; public Boolean canAdd; + public Boolean canAddTags; public Boolean configVisible; } diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/access/ProjectAccessInfo.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/access/ProjectAccessInfo.java index b115c7d229..88635df8c4 100644 --- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/access/ProjectAccessInfo.java 
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/access/ProjectAccessInfo.java @@ -19,6 +19,8 @@ import com.google.gwt.core.client.JavaScriptObject; public class ProjectAccessInfo extends JavaScriptObject { public final native boolean canAddRefs() /*-{ return this.can_add ? true : false; }-*/; + public final native boolean canAddTagRefs() /*-{ return this.can_add_tags ? true : false; }-*/; + public final native boolean isOwner() /*-{ return this.is_owner ? true : false; }-*/; public final native boolean configVisible() /*-{ return this.config_visible ? true : false; }-*/; diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/ProjectTagsScreen.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/ProjectTagsScreen.java index bf541d399a..f66f42b54a 100644 --- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/ProjectTagsScreen.java +++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/ProjectTagsScreen.java @@ -94,7 +94,7 @@ public class ProjectTagsScreen extends PaginatedProjectScreen { new GerritCallback() { @Override public void onSuccess(ProjectAccessInfo result) { - addPanel.setVisible(result.canAddRefs()); + addPanel.setVisible(result.canAddTagRefs()); } }); query = new Query(match).start(start).run(); diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/GetAccess.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/GetAccess.java index b464f68345..79894559dd 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/GetAccess.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/GetAccess.java 
@@ -224,6 +224,7 @@ public class GetAccess implements RestReadView { info.canUpload = toBoolean(pc.isOwner() || (metaConfigControl.isVisible() && metaConfigControl.canUpload())); info.canAdd = toBoolean(pc.canAddRefs()); + info.canAddTags = toBoolean(pc.canAddTagRefs()); info.configVisible = pc.isOwner() || metaConfigControl.isVisible(); return info; diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java index 5684082477..fefc84d73d 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectControl.java @@ -14,6 +14,8 @@ package com.google.gerrit.server.project; +import static com.google.gerrit.reviewdb.client.RefNames.REFS_TAGS; + import com.google.common.collect.Maps; import com.google.gerrit.common.Nullable; import com.google.gerrit.common.PageLinks; @@ -293,6 +295,10 @@ public class ProjectControl { return (canPerformOnAnyRef(Permission.CREATE) || isOwnerAnyRef()); } + public boolean canAddTagRefs() { + return (canPerformOnTagRef(Permission.CREATE) || isOwnerAnyRef()); + } + public boolean canUpload() { for (SectionMatcher matcher : access()) { AccessSection section = matcher.section; 
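Review bot: `canAddTagRefs()` in the ProjectControl hunk at -293 returns true whenever `isOwnerAnyRef()` holds, so `can_add_tags` may be set for a caller who, judging by that method's name, owns only a non-tag ref section and has no Create grant under `refs/tags/`. The value is therefore an approximation for deciding whether to show the form, not an authorization decision, and the documented wording "can add any tag ref" overstates it. I would add a Javadoc on the method along the lines of `/** UI hint only: true if Create is granted on a refs/tags/ section or the user owns any ref; the ref-level check at tag creation remains authoritative. */`. The diffstat lists no test file, so nothing in this patch pins the new field's behaviour.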
@@ -409,6 +415,26 @@ public class ProjectControl { return new Capable(msg.toString()); } + private boolean canPerformOnTagRef(String permissionName) { + for (SectionMatcher matcher : access()) { + AccessSection section = matcher.section; + + if (section.getName().startsWith(REFS_TAGS)) { + Permission permission = section.getPermission(permissionName); + if (permission == null) { + continue; + } + + Boolean can = canPerform(permissionName, section, permission); + if (can != null) { + return can; + } + } + } + + return false; + } + private boolean canPerformOnAnyRef(String permissionName) { for (SectionMatcher matcher : access()) { AccessSection section = matcher.section; @@ -417,25 +443,33 @@ public class ProjectControl { continue; } - for (PermissionRule rule : permission.getRules()) { - if (rule.isBlock() || rule.isDeny() || !match(rule)) { - continue; - } - - // Being in a group that was granted this permission is only an - // approximation. There might be overrides and doNotInherit - // that would render this to be false. - // - if (controlForRef(section.getName()).canPerform(permissionName)) { - return true; - } - break; + Boolean can = canPerform(permissionName, section, permission); + if (can != null) { + return can; } } return false; } + private Boolean canPerform(String permissionName, AccessSection section, Permission permission) { + for (PermissionRule rule : permission.getRules()) { + if (rule.isBlock() || rule.isDeny() || !match(rule)) { + continue; + } + + // Being in a group that was granted this permission is only an + // approximation. There might be overrides and doNotInherit + // that would render this to be false. + // + if (controlForRef(section.getName()).canPerform(permissionName)) { + return true; + } + break; + } + return null; + } + private boolean canPerformOnAllRefs(String permission, Set ignore) { boolean canPerform = false; Set patterns = allRefPatterns(permission); From b02060fd909f36b697fab0f54888741c73975439 Mon Sep 17 00:00:00 2001 
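Review bot: The filter `section.getName().startsWith(REFS_TAGS)` in `canPerformOnTagRef` is a literal prefix test on the section name, so a section written as a regular expression is skipped along with `refs/*`. Gerrit ref patterns of that kind begin with `^`; `^refs/tags/v[0-9]+` is a constructed example. Skipping `refs/*` is what the commit message intends, but the regex case looks unintended and would hide the form from users granted Create on tags that way, while the server-side check may still accept their tag creation. Hiding is the safe direction for a UI flag, yet the divergence from what is enforced should be stated in a comment such as `// Literal refs/tags/ sections only; regex ('^...') and refs/* sections are deliberately ignored here.` An acceptance test covering Create on `refs/tags/*`, Create on `refs/*` only, and a blocked rule would pin the intended result.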
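Review bot: The extracted helper `canPerform(String, AccessSection, Permission)` is declared to return `Boolean` but only ever yields `true` or `null`, so the three-state type and the `if (can != null) { return can; }` unboxing in both callers imply a "definitely denied" result that cannot occur. A primitive return keeps null out of permission code: declare it `private boolean canPerform(...)`, end it with `return false;`, and reduce each caller to `if (canPerform(permissionName, section, permission)) { return true; }`. The helper's name also reads the same as the `canPerform(permissionName)` it calls on `controlForRef(section.getName())`, so a distinct name would make it clear which of the two is the approximation described in the moved comment. The body of `canPerformOnAllRefs` continues outside the hunk.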
From: David Pursehouse Date: Mon, 10 Sep 2018 09:38:52 +0900 Subject: [PATCH 2/3] Set version to 2.14.13-SNAPSHOT Change-Id: I94df398e74616ff9237dde9da4e8d8a88b50ed5e --- gerrit-acceptance-framework/pom.xml | 2 +- gerrit-extension-api/pom.xml | 2 +- gerrit-plugin-api/pom.xml | 2 +- gerrit-plugin-gwtui/pom.xml | 2 +- gerrit-war/pom.xml | 2 +- version.bzl | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/gerrit-acceptance-framework/pom.xml b/gerrit-acceptance-framework/pom.xml index ecab4455c4..e1f9533fef 100644 --- a/gerrit-acceptance-framework/pom.xml +++ b/gerrit-acceptance-framework/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 2.14.12 + 2.14.13-SNAPSHOT jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests diff --git a/gerrit-extension-api/pom.xml b/gerrit-extension-api/pom.xml index dfac8192c2..9fd7f148d5 100644 --- a/gerrit-extension-api/pom.xml +++ b/gerrit-extension-api/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 2.14.12 + 2.14.13-SNAPSHOT jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/gerrit-plugin-api/pom.xml b/gerrit-plugin-api/pom.xml index 33bba1e3c0..e2c7432b9a 100644 --- a/gerrit-plugin-api/pom.xml +++ b/gerrit-plugin-api/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 2.14.12 + 2.14.13-SNAPSHOT jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/gerrit-plugin-gwtui/pom.xml b/gerrit-plugin-gwtui/pom.xml index 227be2a57b..6fe6874f36 100644 --- a/gerrit-plugin-gwtui/pom.xml +++ b/gerrit-plugin-gwtui/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-gwtui - 2.14.12 + 2.14.13-SNAPSHOT jar Gerrit Code Review - Plugin GWT UI Common Classes for Gerrit GWT UI Plugins diff --git a/gerrit-war/pom.xml b/gerrit-war/pom.xml index eac54f46dc..491f65693d 100644 --- a/gerrit-war/pom.xml +++ b/gerrit-war/pom.xml 
@@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 2.14.12 + 2.14.13-SNAPSHOT war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index e9f3f86b01..b72e742fea 100644 --- a/version.bzl +++ b/version.bzl @@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "2.14.12" +GERRIT_VERSION = "2.14.13-SNAPSHOT" From e46fd3dfee2dc1545bb3090490e5be2e3608d810 Mon Sep 17 00:00:00 2001 From: David Pursehouse Date: Mon, 10 Sep 2018 15:42:25 +0900 Subject: [PATCH 3/3] Upgrade JGit to 4.7.3.201809090215-r This release includes the following fixes since 4.7.2.201807261330-r: - Fix atomic lock file creation on NFS - Fix handling of option core.supportsAtomicCreateNewFile - GC: Avoid logging errors when deleting non-empty folders - Fix GC run in foreground to not use executor Change-Id: I6862cd6c3bff5b07234d886f80fb42504dd1ca79 --- lib/jgit/jgit.bzl | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/jgit/jgit.bzl b/lib/jgit/jgit.bzl index 960b12b363..f9a2085151 100644 --- a/lib/jgit/jgit.bzl +++ b/lib/jgit/jgit.bzl @@ -1,6 +1,6 @@ load("//tools/bzl:maven_jar.bzl", "GERRIT", "MAVEN_CENTRAL", "MAVEN_LOCAL", "maven_jar") -_JGIT_VERS = "4.7.2.201807261330-r" +_JGIT_VERS = "4.7.3.201809090215-r" _DOC_VERS = _JGIT_VERS # Set to _JGIT_VERS unless using a snapshot 
@@ -35,28 +35,28 @@ def jgit_maven_repos(): name = "jgit-lib", artifact = "org.eclipse.jgit:org.eclipse.jgit:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "6c08ef848fa5f7d5d49776fa25ec24d738ee457d", - src_sha1 = "ee14417c135693ddc1eebcf23b8cb661c9b8387d", + sha1 = "81b7a1a7484ce0519298e388cab97082e2d20c97", + src_sha1 = "5e14588b33defc5da2f0179c7c7b42343d8836e0", unsign = True, ) maven_jar( name = "jgit-servlet", artifact = "org.eclipse.jgit:org.eclipse.jgit.http.server:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "2bde0520c1831eedff5d8e0347e254edc8bf9fa1", + sha1 = "8113a2bd4b426e12eda75a0f79438a58775feaab", unsign = True, ) maven_jar( name = "jgit-archive", artifact = "org.eclipse.jgit:org.eclipse.jgit.archive:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "a0ad9edcd5dc5ba2cf54dfaaa542e520e771d2b8", + sha1 = "14fe9c4f2bbfb78e66e3524a2ee6a86336ed957d", ) maven_jar( name = "jgit-junit", artifact = "org.eclipse.jgit:org.eclipse.jgit.junit:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "ef8a52ff0a7afcecdb6338b00b03b9a0e0f53dae", + sha1 = "d17e6e24dc7b8cbbf8a95235f51cc47bb8669519", unsign = True, )