Moving mapping of default capability names out of GlobalPermission
The idea of GlobalPermissions, as well as the other GerritPermission types, is entirely internal to PermissionBackend implementations. It is basically a coincidence that GlobalPermissions map 1-to-1 with strings in GlobalCapabilities. Once we get into the other GerritPermission types like ProjectPermission, there are enum values that simply aren't meaningful to the user. In fact, today, we are actively confusing users by saying things like "readConfig not permitted", since readConfig is not a traditional Gerrit permission and not something mentioned in the documentation. To fix this, we need to stop relying on the permission names in exception message. This change begins that process with GlobalOrPluginPermissions. These classes no longer depend on DefaultPermissionBackend-specific strings, and the mappings are isolated in their own class. Implementations that do want to use them can depend on the new DefaultPermissionMappings class; this makes it explicit that those implementations are respecting implementation details of the old class. Mark GlobalOrPluginPermission#permissionName() as deprecated and throw UnsupportedOperationException, to force callers to use the new methods. In a future change, this method will be removed from GlobalPermission entirealy. Change-Id: Ic4eec72aa225676fee088a985ee0a0b89154575b
This commit is contained in:
Dave Borowitz
@@ -15,6 +15,7 @@
|
||||
package com.google.gerrit.server.permissions;
|
||||
|
||||
import static com.google.common.base.Preconditions.checkNotNull;
|
||||
import static com.google.gerrit.server.permissions.DefaultPermissionMappings.globalPermissionName;
|
||||
import static java.util.stream.Collectors.toSet;
|
||||
|
||||
import com.google.common.collect.Sets;
|
||||
@@ -140,7 +141,7 @@ public class DefaultPermissionBackend extends PermissionBackend {
|
||||
return can((GlobalPermission) perm);
|
||||
} else if (perm instanceof PluginPermission) {
|
||||
PluginPermission pluginPermission = (PluginPermission) perm;
|
||||
return has(pluginPermission.permissionName())
|
||||
return has(DefaultPermissionMappings.pluginPermissionName(pluginPermission))
|
||||
|| (pluginPermission.fallBackToAdmin() && isAdmin());
|
||||
}
|
||||
throw new PermissionBackendException(perm + " unsupported");
|
||||
@@ -158,7 +159,7 @@ public class DefaultPermissionBackend extends PermissionBackend {
|
||||
case RUN_GC:
|
||||
case VIEW_CACHES:
|
||||
case VIEW_QUEUE:
|
||||
return has(perm.permissionName()) || can(GlobalPermission.MAINTAIN_SERVER);
|
||||
return has(globalPermissionName(perm)) || can(GlobalPermission.MAINTAIN_SERVER);
|
||||
|
||||
case CREATE_ACCOUNT:
|
||||
case CREATE_GROUP:
|
||||
@@ -169,11 +170,11 @@ public class DefaultPermissionBackend extends PermissionBackend {
|
||||
case VIEW_ALL_ACCOUNTS:
|
||||
case VIEW_CONNECTIONS:
|
||||
case VIEW_PLUGINS:
|
||||
return has(perm.permissionName()) || isAdmin();
|
||||
return has(globalPermissionName(perm)) || isAdmin();
|
||||
|
||||
case ACCESS_DATABASE:
|
||||
case RUN_AS:
|
||||
return has(perm.permissionName());
|
||||
return has(globalPermissionName(perm));
|
||||
}
|
||||
throw new PermissionBackendException(perm + " unsupported");
|
||||
}
|
||||
@@ -209,7 +210,7 @@ public class DefaultPermissionBackend extends PermissionBackend {
|
||||
}
|
||||
|
||||
private boolean has(String permissionName) {
|
||||
return allow(capabilities().getPermission(permissionName));
|
||||
return allow(capabilities().getPermission(checkNotNull(permissionName)));
|
||||
}
|
||||
|
||||
private boolean allow(Collection<PermissionRule> rules) {
|
||||
|
||||
Reference in New Issue
Block a user