Move logic to check 'Modify Account' for secondary emails into InternalAccountDirectory

Secondary emails of other users must only be visible to users with the 'Modify Account' capability (see change Icf3108d45f). Secondary emails in AccountInfo are populated by InternalAccountDirectory.fillAccountInfo if the SECONDARY_EMAILS fill option is requested. At the moment each caller of InternalAccountDirectory.fillAccountInfo must check for the 'Modify Account' capability if the SECONDARY_EMAILS fill option is going to be requested. This is error-prone and callers by easily forget to do this permission check (e.g. change Ic8f169769 fixes a caller that was initially overlooked). To make this safer InternalAccountDirectory.fillAccountInfo is now checking for the 'Modify Account' capability and the SECONDARY_EMAILS fill option is omitted if this capability is not granted. Change-Id: I249c27e1a76cff0ca0e685eaca26941cd0b6b31b Signed-off-by: Edwin Kempin <ekempin@google.com>
2018-06-20 16:50:06 +02:00
parent 4f2d6d0b6e
commit 35fed1545b
51 changed files with 224 additions and 135 deletions
--- a/java/com/google/gerrit/server/account/AccountDirectory.java
+++ b/java/com/google/gerrit/server/account/AccountDirectory.java
@@ -15,6 +15,7 @@
 package com.google.gerrit.server.account;
 import com.google.gerrit.extensions.common.AccountInfo;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import java.util.Set;
 /**
@@ -47,6 +48,6 @@ public abstract class AccountDirectory {
    STATUS
  }
-  public abstract void fillAccountInfo(
+  public abstract void fillAccountInfo(Iterable<? extends AccountInfo> in, Set<FillOptions> options)
-      Iterable<? extends AccountInfo> in, Set<FillOptions> options);
+      throws PermissionBackendException;
 }
--- a/java/com/google/gerrit/server/account/AccountLoader.java
+++ b/java/com/google/gerrit/server/account/AccountLoader.java
@@ -20,6 +20,7 @@ import com.google.common.collect.Iterables;
 import com.google.gerrit.extensions.common.AccountInfo;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.account.AccountDirectory.FillOptions;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.assistedinject.Assisted;
 import com.google.inject.assistedinject.AssistedInject;
 import java.util.ArrayList;
@@ -83,18 +84,18 @@ public class AccountLoader {
    provided.add(info);
  }
-  public void fill() {
+  public void fill() throws PermissionBackendException {
    directory.fillAccountInfo(Iterables.concat(created.values(), provided), options);
  }
-  public void fill(Collection<? extends AccountInfo> infos) {
+  public void fill(Collection<? extends AccountInfo> infos) throws PermissionBackendException {
    for (AccountInfo info : infos) {
      put(info);
    }
    fill();
  }
-  public AccountInfo fillOne(Account.Id id) {
+  public AccountInfo fillOne(Account.Id id) throws PermissionBackendException {
    AccountInfo info = get(id);
    fill();
    return info;
--- a/java/com/google/gerrit/server/account/InternalAccountDirectory.java
+++ b/java/com/google/gerrit/server/account/InternalAccountDirectory.java
@@ -18,16 +18,23 @@ import static java.util.stream.Collectors.toList;
 import static java.util.stream.Collectors.toSet;
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Streams;
 import com.google.gerrit.extensions.common.AccountInfo;
 import com.google.gerrit.extensions.common.AvatarInfo;
 import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.externalids.ExternalId;
 import com.google.gerrit.server.avatar.AvatarProvider;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.AbstractModule;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -35,6 +42,7 @@ import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
@Singleton
@@ -51,22 +59,45 @@ public class InternalAccountDirectory extends AccountDirectory {
  private final AccountCache accountCache;
  private final DynamicItem<AvatarProvider> avatar;
  private final IdentifiedUser.GenericFactory userFactory;
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  @Inject
  InternalAccountDirectory(
      AccountCache accountCache,
      DynamicItem<AvatarProvider> avatar,
-      IdentifiedUser.GenericFactory userFactory) {
+      IdentifiedUser.GenericFactory userFactory,
      Provider<CurrentUser> self,
      PermissionBackend permissionBackend) {
    this.accountCache = accountCache;
    this.avatar = avatar;
    this.userFactory = userFactory;
    this.self = self;
    this.permissionBackend = permissionBackend;
  }
  @Override
-  public void fillAccountInfo(Iterable<? extends AccountInfo> in, Set<FillOptions> options) {
+  public void fillAccountInfo(Iterable<? extends AccountInfo> in, Set<FillOptions> options)
      throws PermissionBackendException {
    if (options.equals(ID_ONLY)) {
      return;
    }
    boolean canModifyAccount = false;
    Account.Id currentUserId = null;
    if (self.get().isIdentifiedUser()) {
      currentUserId = self.get().getAccountId();
      try {
        permissionBackend.currentUser().check(GlobalPermission.MODIFY_ACCOUNT);
        canModifyAccount = true;
      } catch (AuthException e) {
        canModifyAccount = false;
      }
    }
    Set<FillOptions> fillOptionsWithoutSecondaryEmails =
        Sets.difference(options, EnumSet.of(FillOptions.SECONDARY_EMAILS));
    Set<Account.Id> ids =
        Streams.stream(in).map(a -> new Account.Id(a._accountId)).collect(toSet());
    Map<Account.Id, AccountState> accountStates = accountCache.get(ids);
@@ -74,7 +105,15 @@ public class InternalAccountDirectory extends AccountDirectory {
      Account.Id id = new Account.Id(info._accountId);
      AccountState state = accountStates.get(id);
      if (state != null) {
        if (!options.contains(FillOptions.SECONDARY_EMAILS)
            || Objects.equals(currentUserId, state.getAccount().getId())
            || canModifyAccount) {
          fill(info, accountStates.get(id), options);
        } else {
          // user is not allowed to see secondary emails
          fill(info, accountStates.get(id), fillOptionsWithoutSecondaryEmails);
        }
      } else {
        info._accountId = options.contains(FillOptions.ID) ? id.get() : null;
      }
--- a/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
+++ b/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
@@ -79,7 +79,6 @@ import com.google.gerrit.server.restapi.account.SshKeys;
 import com.google.gerrit.server.restapi.account.StarredChanges;
 import com.google.gerrit.server.restapi.account.Stars;
 import com.google.gerrit.server.restapi.change.ChangesCollection;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.assistedinject.Assisted;
 import java.util.List;
@@ -393,7 +392,7 @@ public class AccountApiImpl implements AccountApi {
  public List<GroupInfo> getGroups() throws RestApiException {
    try {
      return getGroups.apply(account);
-    } catch (OrmException e) {
+    } catch (Exception e) {
      throw asRestApiException("Cannot get groups", e);
    }
  }
@@ -518,7 +517,11 @@ public class AccountApiImpl implements AccountApi {
  @Override
  public List<AgreementInfo> listAgreements() throws RestApiException {
    try {
      return getAgreements.apply(account);
    } catch (Exception e) {
      throw asRestApiException("Cannot get agreements", e);
    }
  }
  @Override
--- a/java/com/google/gerrit/server/change/ChangeJson.java
+++ b/java/com/google/gerrit/server/change/ChangeJson.java
@@ -415,7 +415,8 @@ public class ChangeJson {
    return format(cd, Optional.of(rsrc.getPatchSet().getId()), true);
  }
-  public List<List<ChangeInfo>> formatQueryResults(List<QueryResult<ChangeData>> in) {
+  public List<List<ChangeInfo>> formatQueryResults(List<QueryResult<ChangeData>> in)
      throws PermissionBackendException {
    try (Timer0.Context ignored = metrics.formatQueryResultsLatency.start()) {
      accountLoader = accountLoaderFactory.create(has(DETAILED_ACCOUNTS));
      List<List<ChangeInfo>> res = new ArrayList<>(in.size());
@@ -433,7 +434,8 @@ public class ChangeJson {
    }
  }
-  public List<ChangeInfo> formatChangeDatas(Collection<ChangeData> in) throws OrmException {
+  public List<ChangeInfo> formatChangeDatas(Collection<ChangeData> in)
      throws OrmException, PermissionBackendException {
    accountLoader = accountLoaderFactory.create(has(DETAILED_ACCOUNTS));
    ensureLoaded(in);
    List<ChangeInfo> out = new ArrayList<>(in.size());
--- a/java/com/google/gerrit/server/restapi/account/CreateAccount.java
+++ b/java/com/google/gerrit/server/restapi/account/CreateAccount.java
@@ -49,6 +49,7 @@ import com.google.gerrit.server.account.externalids.ExternalId;
 import com.google.gerrit.server.group.db.GroupsUpdate;
 import com.google.gerrit.server.group.db.InternalGroupUpdate;
 import com.google.gerrit.server.mail.send.OutgoingEmailValidator;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.group.GroupsCollection;
 import com.google.gerrit.server.ssh.SshKeyCache;
 import com.google.gwtorm.server.OrmException;
@@ -100,13 +101,13 @@ public class CreateAccount
  public Response<AccountInfo> apply(
      TopLevelResource rsrc, IdString id, @Nullable AccountInput input)
      throws BadRequestException, ResourceConflictException, UnprocessableEntityException,
-          OrmException, IOException, ConfigInvalidException {
+          OrmException, IOException, ConfigInvalidException, PermissionBackendException {
    return apply(id, input != null ? input : new AccountInput());
  }
  public Response<AccountInfo> apply(IdString id, AccountInput input)
      throws BadRequestException, ResourceConflictException, UnprocessableEntityException,
-          OrmException, IOException, ConfigInvalidException {
+          OrmException, IOException, ConfigInvalidException, PermissionBackendException {
    String username = id.get();
    if (input.username != null && !username.equals(input.username)) {
      throw new BadRequestException("username must match URL");
--- a/java/com/google/gerrit/server/restapi/account/GetAccount.java
+++ b/java/com/google/gerrit/server/restapi/account/GetAccount.java
@@ -18,6 +18,7 @@ import com.google.gerrit.extensions.common.AccountInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.account.AccountResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -32,7 +33,7 @@ public class GetAccount implements RestReadView<AccountResource> {
  }
  @Override
-  public AccountInfo apply(AccountResource rsrc) throws OrmException {
+  public AccountInfo apply(AccountResource rsrc) throws OrmException, PermissionBackendException {
    AccountLoader loader = infoFactory.create(true);
    AccountInfo info = loader.get(rsrc.getUser().getAccountId());
    loader.fill();
--- a/java/com/google/gerrit/server/restapi/account/GetAgreements.java
+++ b/java/com/google/gerrit/server/restapi/account/GetAgreements.java
@@ -28,6 +28,7 @@ import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.AccountResource;
 import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.restapi.config.AgreementJson;
 import com.google.inject.Inject;
@@ -60,7 +61,8 @@ public class GetAgreements implements RestReadView<AccountResource> {
  }
  @Override
-  public List<AgreementInfo> apply(AccountResource resource) throws RestApiException {
+  public List<AgreementInfo> apply(AccountResource resource)
      throws RestApiException, PermissionBackendException {
    if (!agreementsEnabled) {
      throw new MethodNotAllowedException("contributor agreements disabled");
    }
--- a/java/com/google/gerrit/server/restapi/account/GetDetail.java
+++ b/java/com/google/gerrit/server/restapi/account/GetDetail.java
@@ -14,39 +14,25 @@
 package com.google.gerrit.server.restapi.account;
 import com.google.common.collect.Sets;
 import com.google.gerrit.extensions.common.AccountDetailInfo;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.account.AccountDirectory.FillOptions;
 import com.google.gerrit.server.account.AccountResource;
 import com.google.gerrit.server.account.InternalAccountDirectory;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Set;
@Singleton
 public class GetDetail implements RestReadView<AccountResource> {
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  private final InternalAccountDirectory directory;
  @Inject
-  public GetDetail(
+  public GetDetail(InternalAccountDirectory directory) {
      Provider<CurrentUser> self,
      PermissionBackend permissionBackend,
      InternalAccountDirectory directory) {
    this.self = self;
    this.permissionBackend = permissionBackend;
    this.directory = directory;
  }
@@ -57,20 +43,7 @@ public class GetDetail implements RestReadView<AccountResource> {
    AccountDetailInfo info = new AccountDetailInfo(a.getId().get());
    info.registeredOn = a.getRegisteredOn();
    info.inactive = !a.isActive() ? true : null;
-    Set<FillOptions> fillOptions;
+    directory.fillAccountInfo(Collections.singleton(info), EnumSet.allOf(FillOptions.class));
    if (self.get().hasSameAccountId(rsrc.getUser())) {
      fillOptions = EnumSet.allOf(FillOptions.class);
    } else {
      try {
        permissionBackend.currentUser().check(GlobalPermission.MODIFY_ACCOUNT);
        fillOptions = EnumSet.allOf(FillOptions.class);
      } catch (AuthException e) {
        fillOptions =
            Sets.difference(
                EnumSet.allOf(FillOptions.class), EnumSet.of(FillOptions.SECONDARY_EMAILS));
      }
    }
    directory.fillAccountInfo(Collections.singleton(info), fillOptions);
    return info;
  }
 }
--- a/java/com/google/gerrit/server/restapi/account/GetGroups.java
+++ b/java/com/google/gerrit/server/restapi/account/GetGroups.java
@@ -22,6 +22,7 @@ import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.AccountResource;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.group.GroupJson;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -42,7 +43,8 @@ public class GetGroups implements RestReadView<AccountResource> {
  }
  @Override
-  public List<GroupInfo> apply(AccountResource resource) throws OrmException {
+  public List<GroupInfo> apply(AccountResource resource)
      throws OrmException, PermissionBackendException {
    IdentifiedUser user = resource.getUser();
    Account.Id userId = user.getAccountId();
    Set<AccountGroup.UUID> knownGroups = user.getEffectiveGroups().getKnownGroups();
--- a/java/com/google/gerrit/server/restapi/account/StarredChanges.java
+++ b/java/com/google/gerrit/server/restapi/account/StarredChanges.java
@@ -89,7 +89,7 @@ public class StarredChanges
    return new RestReadView<AccountResource>() {
      @Override
      public Object apply(AccountResource self)
-          throws BadRequestException, AuthException, OrmException {
+          throws BadRequestException, AuthException, OrmException, PermissionBackendException {
        QueryChanges query = changes.list();
        query.addQuery("starredby:" + self.getUser().getAccountId().get());
        return query.apply(TopLevelResource.INSTANCE);
--- a/java/com/google/gerrit/server/restapi/account/Stars.java
+++ b/java/com/google/gerrit/server/restapi/account/Stars.java
@@ -99,7 +99,7 @@ public class Stars implements ChildCollection<AccountResource, AccountResource.S
    @Override
    @SuppressWarnings("unchecked")
    public List<ChangeInfo> apply(AccountResource rsrc)
-        throws BadRequestException, AuthException, OrmException {
+        throws BadRequestException, AuthException, OrmException, PermissionBackendException {
      if (!self.get().hasSameAccountId(rsrc.getUser())) {
        throw new AuthException("not allowed to list stars of another account");
      }
--- a/java/com/google/gerrit/server/restapi/change/ChangeMessages.java
+++ b/java/com/google/gerrit/server/restapi/change/ChangeMessages.java
@@ -22,6 +22,7 @@ import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
 import com.google.gerrit.extensions.restapi.RestView;
 import com.google.gerrit.server.change.ChangeMessageResource;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -51,7 +52,7 @@ public class ChangeMessages implements ChildCollection<ChangeResource, ChangeMes
  @Override
  public ChangeMessageResource parse(ChangeResource parent, IdString id)
-      throws OrmException, ResourceNotFoundException {
+      throws OrmException, ResourceNotFoundException, PermissionBackendException {
    String uuid = id.get();
    List<ChangeMessageInfo> changeMessages = listChangeMessages.apply(parent);
--- a/java/com/google/gerrit/server/restapi/change/CommentJson.java
+++ b/java/com/google/gerrit/server/restapi/change/CommentJson.java
@@ -32,6 +32,7 @@ import com.google.gerrit.reviewdb.client.FixReplacement;
 import com.google.gerrit.reviewdb.client.FixSuggestion;
 import com.google.gerrit.reviewdb.client.RobotComment;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -70,7 +71,7 @@ class CommentJson {
  }
  private abstract class BaseCommentFormatter<F extends Comment, T extends CommentInfo> {
-    public T format(F comment) {
+    public T format(F comment) throws PermissionBackendException {
      AccountLoader loader = fillAccounts ? accountLoaderFactory.create(true) : null;
      T info = toInfo(comment, loader);
      if (loader != null) {
@@ -79,7 +80,7 @@ class CommentJson {
      return info;
    }
-    public Map<String, List<T>> format(Iterable<F> comments) {
+    public Map<String, List<T>> format(Iterable<F> comments) throws PermissionBackendException {
      AccountLoader loader = fillAccounts ? accountLoaderFactory.create(true) : null;
      Map<String, List<T>> out = new TreeMap<>();
@@ -105,7 +106,7 @@ class CommentJson {
      return out;
    }
-    public List<T> formatAsList(Iterable<F> comments) {
+    public List<T> formatAsList(Iterable<F> comments) throws PermissionBackendException {
      AccountLoader loader = fillAccounts ? accountLoaderFactory.create(true) : null;
      List<T> out =
--- a/java/com/google/gerrit/server/restapi/change/CreateDraftComment.java
+++ b/java/com/google/gerrit/server/restapi/change/CreateDraftComment.java
@@ -35,6 +35,7 @@ import com.google.gerrit.server.PatchSetUtil;
 import com.google.gerrit.server.change.RevisionResource;
 import com.google.gerrit.server.patch.PatchListCache;
 import com.google.gerrit.server.patch.PatchListNotAvailableException;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.update.BatchUpdate;
 import com.google.gerrit.server.update.BatchUpdateOp;
 import com.google.gerrit.server.update.ChangeContext;
@@ -75,7 +76,7 @@ public class CreateDraftComment
  @Override
  protected Response<CommentInfo> applyImpl(
      BatchUpdate.Factory updateFactory, RevisionResource rsrc, DraftInput in)
-      throws RestApiException, UpdateException, OrmException {
+      throws RestApiException, UpdateException, OrmException, PermissionBackendException {
    if (Strings.isNullOrEmpty(in.path)) {
      throw new BadRequestException("path must be non-empty");
    } else if (in.message == null || in.message.trim().isEmpty()) {
--- a/java/com/google/gerrit/server/restapi/change/GetAssignee.java
+++ b/java/com/google/gerrit/server/restapi/change/GetAssignee.java
@@ -20,6 +20,7 @@ import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -35,7 +36,8 @@ public class GetAssignee implements RestReadView<ChangeResource> {
  }
  @Override
-  public Response<AccountInfo> apply(ChangeResource rsrc) throws OrmException {
+  public Response<AccountInfo> apply(ChangeResource rsrc)
      throws OrmException, PermissionBackendException {
    Optional<Account.Id> assignee = Optional.ofNullable(rsrc.getChange().getAssignee());
    if (assignee.isPresent()) {
      return Response.ok(accountLoaderFactory.create(true).fillOne(assignee.get()));
--- a/java/com/google/gerrit/server/restapi/change/GetComment.java
+++ b/java/com/google/gerrit/server/restapi/change/GetComment.java
@@ -17,6 +17,7 @@ package com.google.gerrit.server.restapi.change;
 import com.google.gerrit.extensions.common.CommentInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.change.CommentResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -33,7 +34,7 @@ public class GetComment implements RestReadView<CommentResource> {
  }
  @Override
-  public CommentInfo apply(CommentResource rsrc) throws OrmException {
+  public CommentInfo apply(CommentResource rsrc) throws OrmException, PermissionBackendException {
    return commentJson.get().newCommentFormatter().format(rsrc.getComment());
  }
 }
--- a/java/com/google/gerrit/server/restapi/change/GetDraftComment.java
+++ b/java/com/google/gerrit/server/restapi/change/GetDraftComment.java
@@ -17,6 +17,7 @@ package com.google.gerrit.server.restapi.change;
 import com.google.gerrit.extensions.common.CommentInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.change.DraftCommentResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -33,7 +34,8 @@ public class GetDraftComment implements RestReadView<DraftCommentResource> {
  }
  @Override
-  public CommentInfo apply(DraftCommentResource rsrc) throws OrmException {
+  public CommentInfo apply(DraftCommentResource rsrc)
      throws OrmException, PermissionBackendException {
    return commentJson.get().newCommentFormatter().format(rsrc.getComment());
  }
 }
--- a/java/com/google/gerrit/server/restapi/change/GetPastAssignees.java
+++ b/java/com/google/gerrit/server/restapi/change/GetPastAssignees.java
@@ -22,6 +22,7 @@ import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -39,7 +40,8 @@ public class GetPastAssignees implements RestReadView<ChangeResource> {
  }
  @Override
-  public Response<List<AccountInfo>> apply(ChangeResource rsrc) throws OrmException {
+  public Response<List<AccountInfo>> apply(ChangeResource rsrc)
      throws OrmException, PermissionBackendException {
    Set<Account.Id> pastAssignees = rsrc.getNotes().load().getPastAssignees();
    if (pastAssignees == null) {
--- a/java/com/google/gerrit/server/restapi/change/GetRobotComment.java
+++ b/java/com/google/gerrit/server/restapi/change/GetRobotComment.java
@@ -17,6 +17,7 @@ package com.google.gerrit.server.restapi.change;
 import com.google.gerrit.extensions.common.RobotCommentInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.change.RobotCommentResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -33,7 +34,8 @@ public class GetRobotComment implements RestReadView<RobotCommentResource> {
  }
  @Override
-  public RobotCommentInfo apply(RobotCommentResource rsrc) throws OrmException {
+  public RobotCommentInfo apply(RobotCommentResource rsrc)
      throws OrmException, PermissionBackendException {
    return commentJson.get().newRobotCommentFormatter().format(rsrc.getComment());
  }
 }
--- a/java/com/google/gerrit/server/restapi/change/ListChangeComments.java
+++ b/java/com/google/gerrit/server/restapi/change/ListChangeComments.java
@@ -20,6 +20,7 @@ import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CommentsUtil;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -49,7 +50,7 @@ public class ListChangeComments implements RestReadView<ChangeResource> {
  @Override
  public Map<String, List<CommentInfo>> apply(ChangeResource rsrc)
-      throws AuthException, OrmException {
+      throws AuthException, OrmException, PermissionBackendException {
    ChangeData cd = changeDataFactory.create(db.get(), rsrc.getNotes());
    return commentJson
        .get()
--- a/java/com/google/gerrit/server/restapi/change/ListChangeDrafts.java
+++ b/java/com/google/gerrit/server/restapi/change/ListChangeDrafts.java
@@ -21,6 +21,7 @@ import com.google.gerrit.reviewdb.client.Comment;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CommentsUtil;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -50,7 +51,7 @@ public class ListChangeDrafts implements RestReadView<ChangeResource> {
  @Override
  public Map<String, List<CommentInfo>> apply(ChangeResource rsrc)
-      throws AuthException, OrmException {
+      throws AuthException, OrmException, PermissionBackendException {
    if (!rsrc.getUser().isIdentifiedUser()) {
      throw new AuthException("Authentication required");
    }
--- a/java/com/google/gerrit/server/restapi/change/ListChangeMessages.java
+++ b/java/com/google/gerrit/server/restapi/change/ListChangeMessages.java
@@ -23,6 +23,7 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.ChangeMessagesUtil;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -47,7 +48,8 @@ public class ListChangeMessages implements RestReadView<ChangeResource> {
  }
  @Override
-  public List<ChangeMessageInfo> apply(ChangeResource resource) throws OrmException {
+  public List<ChangeMessageInfo> apply(ChangeResource resource)
      throws OrmException, PermissionBackendException {
    List<ChangeMessage> messages =
        changeMessagesUtil.byChange(dbProvider.get(), resource.getNotes());
    List<ChangeMessageInfo> messageInfos =
--- a/java/com/google/gerrit/server/restapi/change/ListChangeRobotComments.java
+++ b/java/com/google/gerrit/server/restapi/change/ListChangeRobotComments.java
@@ -20,6 +20,7 @@ import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CommentsUtil;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -47,7 +48,7 @@ public class ListChangeRobotComments implements RestReadView<ChangeResource> {
  @Override
  public Map<String, List<RobotCommentInfo>> apply(ChangeResource rsrc)
-      throws AuthException, OrmException {
+      throws AuthException, OrmException, PermissionBackendException {
    ChangeData cd = changeDataFactory.create(db.get(), rsrc.getNotes());
    return commentJson
        .get()
--- a/java/com/google/gerrit/server/restapi/change/ListRevisionDrafts.java
+++ b/java/com/google/gerrit/server/restapi/change/ListRevisionDrafts.java
@@ -20,6 +20,7 @@ import com.google.gerrit.reviewdb.client.Comment;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CommentsUtil;
 import com.google.gerrit.server.change.RevisionResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -51,7 +52,8 @@ public class ListRevisionDrafts implements RestReadView<RevisionResource> {
  }
  @Override
-  public Map<String, List<CommentInfo>> apply(RevisionResource rsrc) throws OrmException {
+  public Map<String, List<CommentInfo>> apply(RevisionResource rsrc)
      throws OrmException, PermissionBackendException {
    return commentJson
        .get()
        .setFillAccounts(includeAuthorInfo())
@@ -59,7 +61,8 @@ public class ListRevisionDrafts implements RestReadView<RevisionResource> {
        .format(listComments(rsrc));
  }
-  public List<CommentInfo> getComments(RevisionResource rsrc) throws OrmException {
+  public List<CommentInfo> getComments(RevisionResource rsrc)
      throws OrmException, PermissionBackendException {
    return commentJson
        .get()
        .setFillAccounts(includeAuthorInfo())
--- a/java/com/google/gerrit/server/restapi/change/ListRobotComments.java
+++ b/java/com/google/gerrit/server/restapi/change/ListRobotComments.java
@@ -20,6 +20,7 @@ import com.google.gerrit.reviewdb.client.RobotComment;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CommentsUtil;
 import com.google.gerrit.server.change.RevisionResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -42,7 +43,8 @@ public class ListRobotComments implements RestReadView<RevisionResource> {
  }
  @Override
-  public Map<String, List<RobotCommentInfo>> apply(RevisionResource rsrc) throws OrmException {
+  public Map<String, List<RobotCommentInfo>> apply(RevisionResource rsrc)
      throws OrmException, PermissionBackendException {
    return commentJson
        .get()
        .setFillAccounts(true)
@@ -50,7 +52,8 @@ public class ListRobotComments implements RestReadView<RevisionResource> {
        .format(listComments(rsrc));
  }
-  public List<RobotCommentInfo> getComments(RevisionResource rsrc) throws OrmException {
+  public List<RobotCommentInfo> getComments(RevisionResource rsrc)
      throws OrmException, PermissionBackendException {
    return commentJson
        .get()
        .setFillAccounts(true)
--- a/java/com/google/gerrit/server/restapi/change/PutDraftComment.java
+++ b/java/com/google/gerrit/server/restapi/change/PutDraftComment.java
@@ -34,6 +34,7 @@ import com.google.gerrit.server.change.DraftCommentResource;
 import com.google.gerrit.server.notedb.ChangeUpdate;
 import com.google.gerrit.server.patch.PatchListCache;
 import com.google.gerrit.server.patch.PatchListNotAvailableException;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.update.BatchUpdate;
 import com.google.gerrit.server.update.BatchUpdateOp;
 import com.google.gerrit.server.update.ChangeContext;
@@ -80,7 +81,7 @@ public class PutDraftComment
  @Override
  protected Response<CommentInfo> applyImpl(
      BatchUpdate.Factory updateFactory, DraftCommentResource rsrc, DraftInput in)
-      throws RestApiException, UpdateException, OrmException {
+      throws RestApiException, UpdateException, OrmException, PermissionBackendException {
    if (in == null || in.message == null || in.message.trim().isEmpty()) {
      return delete.applyImpl(updateFactory, rsrc, null);
    } else if (in.id != null && !rsrc.getId().equals(in.id)) {
--- a/java/com/google/gerrit/server/restapi/change/QueryChanges.java
+++ b/java/com/google/gerrit/server/restapi/change/QueryChanges.java
@@ -28,6 +28,7 @@ import com.google.gerrit.index.query.QueryParseException;
 import com.google.gerrit.index.query.QueryRequiresAuthException;
 import com.google.gerrit.index.query.QueryResult;
 import com.google.gerrit.server.change.ChangeJson;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.query.change.ChangeData;
 import com.google.gerrit.server.query.change.ChangeQueryBuilder;
 import com.google.gerrit.server.query.change.ChangeQueryProcessor;
@@ -104,7 +105,7 @@ public class QueryChanges implements RestReadView<TopLevelResource> {
  @Override
  public List<?> apply(TopLevelResource rsrc)
-      throws BadRequestException, AuthException, OrmException {
+      throws BadRequestException, AuthException, OrmException, PermissionBackendException {
    List<List<ChangeInfo>> out;
    try {
      out = query();
@@ -117,7 +118,8 @@ public class QueryChanges implements RestReadView<TopLevelResource> {
    return out.size() == 1 ? out.get(0) : out;
  }
-  private List<List<ChangeInfo>> query() throws OrmException, QueryParseException {
+  private List<List<ChangeInfo>> query()
      throws OrmException, QueryParseException, PermissionBackendException {
    if (imp.isDisabled()) {
      throw new QueryParseException("query disabled");
    }
--- a/java/com/google/gerrit/server/restapi/change/ReviewersUtil.java
+++ b/java/com/google/gerrit/server/restapi/change/ReviewersUtil.java
@@ -22,12 +22,12 @@ import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.google.common.flogger.FluentLogger;
 import com.google.gerrit.common.Nullable;
 import com.google.gerrit.common.data.GroupReference;
 import com.google.gerrit.extensions.common.GroupBaseInfo;
 import com.google.gerrit.extensions.common.SuggestedReviewerInfo;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.Url;
 import com.google.gerrit.index.IndexConfig;
 import com.google.gerrit.index.QueryOptions;
@@ -49,8 +49,6 @@ import com.google.gerrit.server.account.GroupMembers;
 import com.google.gerrit.server.index.account.AccountField;
 import com.google.gerrit.server.index.account.AccountIndexCollection;
 import com.google.gerrit.server.notedb.ChangeNotes;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.NoSuchProjectException;
 import com.google.gerrit.server.project.ProjectState;
@@ -130,7 +128,6 @@ public class ReviewersUtil {
  private final IndexConfig indexConfig;
  private final AccountControl.Factory accountControlFactory;
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  @Inject
  ReviewersUtil(
@@ -143,8 +140,7 @@ public class ReviewersUtil {
      AccountIndexCollection accountIndexes,
      IndexConfig indexConfig,
      AccountControl.Factory accountControlFactory,
-      Provider<CurrentUser> self,
+      Provider<CurrentUser> self) {
      PermissionBackend permissionBackend) {
    this.accountLoaderFactory = accountLoaderFactory;
    this.accountQueryBuilder = accountQueryBuilder;
    this.groupBackend = groupBackend;
@@ -155,7 +151,6 @@ public class ReviewersUtil {
    this.indexConfig = indexConfig;
    this.accountControlFactory = accountControlFactory;
    this.self = self;
    this.permissionBackend = permissionBackend;
  }
  public interface VisibilityControl {
@@ -301,15 +296,8 @@ public class ReviewersUtil {
  private List<SuggestedReviewerInfo> loadAccounts(List<Account.Id> accountIds)
      throws PermissionBackendException {
-    Set<FillOptions> fillOptions;
+    Set<FillOptions> fillOptions =
-    try {
+        Sets.union(AccountLoader.DETAILED_OPTIONS, EnumSet.of(FillOptions.SECONDARY_EMAILS));
      permissionBackend.currentUser().check(GlobalPermission.MODIFY_ACCOUNT);
      fillOptions = EnumSet.of(FillOptions.SECONDARY_EMAILS);
    } catch (AuthException e) {
      fillOptions = EnumSet.noneOf(FillOptions.class);
    }
    fillOptions.addAll(AccountLoader.DETAILED_OPTIONS);
    AccountLoader accountLoader = accountLoaderFactory.create(fillOptions);
    try (Timer0.Context ctx = metrics.loadAccountsLatency.start()) {
--- a/java/com/google/gerrit/server/restapi/change/TestSubmitRule.java
+++ b/java/com/google/gerrit/server/restapi/change/TestSubmitRule.java
@@ -25,6 +25,7 @@ import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.change.RevisionResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.SubmitRuleEvaluator;
 import com.google.gerrit.server.project.SubmitRuleOptions;
 import com.google.gerrit.server.query.change.ChangeData;
@@ -63,7 +64,7 @@ public class TestSubmitRule implements RestModifyView<RevisionResource, TestSubm
  @Override
  public List<Record> apply(RevisionResource rsrc, TestSubmitRuleInput input)
-      throws AuthException, OrmException {
+      throws AuthException, OrmException, PermissionBackendException {
    if (input == null) {
      input = new TestSubmitRuleInput();
    }
--- a/java/com/google/gerrit/server/restapi/config/AgreementJson.java
+++ b/java/com/google/gerrit/server/restapi/config/AgreementJson.java
@@ -23,6 +23,7 @@ import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.group.GroupJson;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -48,7 +49,7 @@ public class AgreementJson {
    this.groupJson = groupJson;
  }
-  public AgreementInfo format(ContributorAgreement ca) {
+  public AgreementInfo format(ContributorAgreement ca) throws PermissionBackendException {
    AgreementInfo info = new AgreementInfo();
    info.name = ca.getName();
    info.description = ca.getDescription();
--- a/java/com/google/gerrit/server/restapi/config/GetServerInfo.java
+++ b/java/com/google/gerrit/server/restapi/config/GetServerInfo.java
@@ -59,6 +59,7 @@ import com.google.gerrit.server.documentation.QueryDocumentationExecutor;
 import com.google.gerrit.server.index.change.ChangeField;
 import com.google.gerrit.server.index.change.ChangeIndexCollection;
 import com.google.gerrit.server.notedb.NotesMigration;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.restapi.change.AllowedFormats;
 import com.google.gerrit.server.submit.MergeSuperSet;
@@ -148,7 +149,8 @@ public class GetServerInfo implements RestReadView<ConfigResource> {
  }
  @Override
-  public ServerInfo apply(ConfigResource rsrc) throws MalformedURLException {
+  public ServerInfo apply(ConfigResource rsrc)
      throws MalformedURLException, PermissionBackendException {
    ServerInfo info = new ServerInfo();
    info.accounts = getAccountsInfo(accountVisibilityProvider);
    info.auth = getAuthInfo(authConfig, realm);
@@ -178,7 +180,7 @@ public class GetServerInfo implements RestReadView<ConfigResource> {
    return info;
  }
-  private AuthInfo getAuthInfo(AuthConfig cfg, Realm realm) {
+  private AuthInfo getAuthInfo(AuthConfig cfg, Realm realm) throws PermissionBackendException {
    AuthInfo info = new AuthInfo();
    info.authType = cfg.getAuthType();
    info.useContributorAgreements = toBoolean(cfg.isUseContributorAgreements());
--- a/java/com/google/gerrit/server/restapi/group/AddMembers.java
+++ b/java/com/google/gerrit/server/restapi/group/AddMembers.java
@@ -46,6 +46,7 @@ import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.group.MemberResource;
 import com.google.gerrit.server.group.db.GroupsUpdate;
 import com.google.gerrit.server.group.db.InternalGroupUpdate;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.account.AccountsCollection;
 import com.google.gerrit.server.restapi.group.AddMembers.Input;
 import com.google.gwtorm.server.OrmException;
@@ -116,7 +117,8 @@ public class AddMembers implements RestModifyView<GroupResource, Input> {
  @Override
  public List<AccountInfo> apply(GroupResource resource, Input input)
      throws AuthException, NotInternalGroupException, UnprocessableEntityException, OrmException,
-          IOException, ConfigInvalidException, ResourceNotFoundException {
+          IOException, ConfigInvalidException, ResourceNotFoundException,
          PermissionBackendException {
    GroupDescription.Internal internalGroup =
        resource.asInternalGroup().orElseThrow(NotInternalGroupException::new);
    input = Input.init(input);
@@ -203,7 +205,8 @@ public class AddMembers implements RestModifyView<GroupResource, Input> {
    }
  }
-  private List<AccountInfo> toAccountInfoList(Set<Account.Id> accountIds) {
+  private List<AccountInfo> toAccountInfoList(Set<Account.Id> accountIds)
      throws PermissionBackendException {
    List<AccountInfo> result = new ArrayList<>();
    AccountLoader loader = infoFactory.create(true);
    for (Account.Id accId : accountIds) {
@@ -224,7 +227,7 @@ public class AddMembers implements RestModifyView<GroupResource, Input> {
    @Override
    public AccountInfo apply(GroupResource resource, IdString id, Input input)
        throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
-            IOException, ConfigInvalidException {
+            IOException, ConfigInvalidException, PermissionBackendException {
      AddMembers.Input in = new AddMembers.Input();
      in._oneMember = id.get();
      try {
@@ -249,7 +252,8 @@ public class AddMembers implements RestModifyView<GroupResource, Input> {
    }
    @Override
-    public AccountInfo apply(MemberResource resource, Input input) throws OrmException {
+    public AccountInfo apply(MemberResource resource, Input input)
        throws OrmException, PermissionBackendException {
      // Do nothing, the user is already a member.
      return get.apply(resource);
    }
--- a/java/com/google/gerrit/server/restapi/group/AddSubgroups.java
+++ b/java/com/google/gerrit/server/restapi/group/AddSubgroups.java
@@ -36,6 +36,7 @@ import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.group.SubgroupResource;
 import com.google.gerrit.server.group.db.GroupsUpdate;
 import com.google.gerrit.server.group.db.InternalGroupUpdate;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.group.AddSubgroups.Input;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -92,7 +93,8 @@ public class AddSubgroups implements RestModifyView<GroupResource, Input> {
  @Override
  public List<GroupInfo> apply(GroupResource resource, Input input)
      throws NotInternalGroupException, AuthException, UnprocessableEntityException, OrmException,
-          ResourceNotFoundException, IOException, ConfigInvalidException {
+          ResourceNotFoundException, IOException, ConfigInvalidException,
          PermissionBackendException {
    GroupDescription.Internal group =
        resource.asInternalGroup().orElseThrow(NotInternalGroupException::new);
    input = Input.init(input);
@@ -141,7 +143,7 @@ public class AddSubgroups implements RestModifyView<GroupResource, Input> {
    @Override
    public GroupInfo apply(GroupResource resource, IdString id, Input input)
        throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
-            IOException, ConfigInvalidException {
+            IOException, ConfigInvalidException, PermissionBackendException {
      AddSubgroups.Input in = new AddSubgroups.Input();
      in.groups = ImmutableList.of(id.get());
      try {
@@ -166,7 +168,8 @@ public class AddSubgroups implements RestModifyView<GroupResource, Input> {
    }
    @Override
-    public GroupInfo apply(SubgroupResource resource, Input input) throws OrmException {
+    public GroupInfo apply(SubgroupResource resource, Input input)
        throws OrmException, PermissionBackendException {
      // Do nothing, the group is already included.
      return get.get().apply(resource);
    }
--- a/java/com/google/gerrit/server/restapi/group/CreateGroup.java
+++ b/java/com/google/gerrit/server/restapi/group/CreateGroup.java
@@ -50,6 +50,7 @@ import com.google.gerrit.server.group.SystemGroupBackend;
 import com.google.gerrit.server.group.db.GroupsUpdate;
 import com.google.gerrit.server.group.db.InternalGroupCreation;
 import com.google.gerrit.server.group.db.InternalGroupUpdate;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.validators.GroupCreationValidationListener;
 import com.google.gerrit.server.validators.ValidationException;
 import com.google.gwtorm.server.OrmDuplicateKeyException;
@@ -121,7 +122,7 @@ public class CreateGroup implements RestCreateView<TopLevelResource, GroupResour
  public GroupInfo apply(TopLevelResource resource, IdString id, GroupInput input)
      throws AuthException, BadRequestException, UnprocessableEntityException,
          ResourceConflictException, OrmException, IOException, ConfigInvalidException,
-          ResourceNotFoundException {
+          ResourceNotFoundException, PermissionBackendException {
    String name = id.get();
    if (input == null) {
      input = new GroupInput();
--- a/java/com/google/gerrit/server/restapi/group/GetAuditLog.java
+++ b/java/com/google/gerrit/server/restapi/group/GetAuditLog.java
@@ -35,6 +35,7 @@ import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.group.InternalGroup;
 import com.google.gerrit.server.group.InternalGroupDescription;
 import com.google.gerrit.server.group.db.Groups;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -77,7 +78,7 @@ public class GetAuditLog implements RestReadView<GroupResource> {
  @Override
  public List<? extends GroupAuditEventInfo> apply(GroupResource rsrc)
      throws AuthException, NotInternalGroupException, OrmException, IOException,
-          ConfigInvalidException {
+          ConfigInvalidException, PermissionBackendException {
    GroupDescription.Internal group =
        rsrc.asInternalGroup().orElseThrow(NotInternalGroupException::new);
    if (!rsrc.getControl().isOwner()) {
--- a/java/com/google/gerrit/server/restapi/group/GetDetail.java
+++ b/java/com/google/gerrit/server/restapi/group/GetDetail.java
@@ -18,6 +18,7 @@ import com.google.gerrit.extensions.client.ListGroupsOption;
 import com.google.gerrit.extensions.common.GroupInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -32,7 +33,7 @@ public class GetDetail implements RestReadView<GroupResource> {
  }
  @Override
-  public GroupInfo apply(GroupResource rsrc) throws OrmException {
+  public GroupInfo apply(GroupResource rsrc) throws OrmException, PermissionBackendException {
    return json.format(rsrc);
  }
 }
--- a/java/com/google/gerrit/server/restapi/group/GetGroup.java
+++ b/java/com/google/gerrit/server/restapi/group/GetGroup.java
@@ -17,6 +17,7 @@ package com.google.gerrit.server.restapi.group;
 import com.google.gerrit.extensions.common.GroupInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -31,7 +32,7 @@ public class GetGroup implements RestReadView<GroupResource> {
  }
  @Override
-  public GroupInfo apply(GroupResource resource) throws OrmException {
+  public GroupInfo apply(GroupResource resource) throws OrmException, PermissionBackendException {
    return json.format(resource.getGroup());
  }
 }
--- a/java/com/google/gerrit/server/restapi/group/GetMember.java
+++ b/java/com/google/gerrit/server/restapi/group/GetMember.java
@@ -18,6 +18,7 @@ import com.google.gerrit.extensions.common.AccountInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.account.AccountLoader;
 import com.google.gerrit.server.group.MemberResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -32,7 +33,7 @@ public class GetMember implements RestReadView<MemberResource> {
  }
  @Override
-  public AccountInfo apply(MemberResource rsrc) throws OrmException {
+  public AccountInfo apply(MemberResource rsrc) throws OrmException, PermissionBackendException {
    AccountLoader loader = infoFactory.create(true);
    AccountInfo info = loader.get(rsrc.getMember().getAccountId());
    loader.fill();
--- a/java/com/google/gerrit/server/restapi/group/GetOwner.java
+++ b/java/com/google/gerrit/server/restapi/group/GetOwner.java
@@ -21,6 +21,7 @@ import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -39,7 +40,8 @@ public class GetOwner implements RestReadView<GroupResource> {
  @Override
  public GroupInfo apply(GroupResource resource)
-      throws NotInternalGroupException, ResourceNotFoundException, OrmException {
+      throws NotInternalGroupException, ResourceNotFoundException, OrmException,
          PermissionBackendException {
    GroupDescription.Internal group =
        resource.asInternalGroup().orElseThrow(NotInternalGroupException::new);
    try {
--- a/java/com/google/gerrit/server/restapi/group/GetSubgroup.java
+++ b/java/com/google/gerrit/server/restapi/group/GetSubgroup.java
@@ -17,6 +17,7 @@ package com.google.gerrit.server.restapi.group;
 import com.google.gerrit.extensions.common.GroupInfo;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.group.SubgroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -31,7 +32,7 @@ public class GetSubgroup implements RestReadView<SubgroupResource> {
  }
  @Override
-  public GroupInfo apply(SubgroupResource rsrc) throws OrmException {
+  public GroupInfo apply(SubgroupResource rsrc) throws OrmException, PermissionBackendException {
    return json.format(rsrc.getMemberDescription());
  }
 }
--- a/java/com/google/gerrit/server/restapi/group/GroupJson.java
+++ b/java/com/google/gerrit/server/restapi/group/GroupJson.java
@@ -28,6 +28,7 @@ import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.server.account.GroupBackend;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -75,17 +76,18 @@ public class GroupJson {
    return this;
  }
-  public GroupInfo format(GroupResource rsrc) throws OrmException {
+  public GroupInfo format(GroupResource rsrc) throws OrmException, PermissionBackendException {
    return createGroupInfo(rsrc.getGroup(), rsrc::getControl);
  }
-  public GroupInfo format(GroupDescription.Basic group) throws OrmException {
+  public GroupInfo format(GroupDescription.Basic group)
      throws OrmException, PermissionBackendException {
    return createGroupInfo(group, Suppliers.memoize(() -> groupControlFactory.controlFor(group)));
  }
  private GroupInfo createGroupInfo(
      GroupDescription.Basic group, Supplier<GroupControl> groupControlSupplier)
-      throws OrmException {
+      throws OrmException, PermissionBackendException {
    GroupInfo info = createBasicGroupInfo(group);
    if (group instanceof GroupDescription.Internal) {
@@ -108,7 +110,7 @@ public class GroupJson {
      GroupInfo info,
      GroupDescription.Internal internalGroup,
      Supplier<GroupControl> groupControlSupplier)
-      throws OrmException {
+      throws OrmException, PermissionBackendException {
    info.description = Strings.emptyToNull(internalGroup.getDescription());
    info.groupId = internalGroup.getId().get();
--- a/java/com/google/gerrit/server/restapi/group/ListGroups.java
+++ b/java/com/google/gerrit/server/restapi/group/ListGroups.java
@@ -41,6 +41,7 @@ import com.google.gerrit.server.account.GroupCache;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.InternalGroupDescription;
 import com.google.gerrit.server.group.db.Groups;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.restapi.account.GetGroups;
 import com.google.gwtorm.server.OrmException;
@@ -246,7 +247,8 @@ public class ListGroups implements RestReadView<TopLevelResource> {
  @Override
  public SortedMap<String, GroupInfo> apply(TopLevelResource resource)
-      throws OrmException, RestApiException, IOException, ConfigInvalidException {
+      throws OrmException, RestApiException, IOException, ConfigInvalidException,
          PermissionBackendException {
    SortedMap<String, GroupInfo> output = new TreeMap<>();
    for (GroupInfo info : get()) {
      output.put(MoreObjects.firstNonNull(info.name, "Group " + Url.decode(info.id)), info);
@@ -256,7 +258,8 @@ public class ListGroups implements RestReadView<TopLevelResource> {
  }
  public List<GroupInfo> get()
-      throws OrmException, RestApiException, IOException, ConfigInvalidException {
+      throws OrmException, RestApiException, IOException, ConfigInvalidException,
          PermissionBackendException {
    if (!Strings.isNullOrEmpty(suggest)) {
      return suggestGroups();
    }
@@ -280,7 +283,8 @@ public class ListGroups implements RestReadView<TopLevelResource> {
    return getAllGroups();
  }
-  private List<GroupInfo> getAllGroups() throws OrmException, IOException, ConfigInvalidException {
+  private List<GroupInfo> getAllGroups()
      throws OrmException, IOException, ConfigInvalidException, PermissionBackendException {
    Pattern pattern = getRegexPattern();
    Stream<GroupDescription.Internal> existingGroups =
        getAllExistingGroups()
@@ -312,7 +316,8 @@ public class ListGroups implements RestReadView<TopLevelResource> {
    return groups.getAllGroupReferences();
  }
-  private List<GroupInfo> suggestGroups() throws OrmException, BadRequestException {
+  private List<GroupInfo> suggestGroups()
      throws OrmException, BadRequestException, PermissionBackendException {
    if (conflictingSuggestParameters()) {
      throw new BadRequestException(
          "You should only have no more than one --project and -n with --suggest");
@@ -368,7 +373,7 @@ public class ListGroups implements RestReadView<TopLevelResource> {
  }
  private List<GroupInfo> filterGroupsOwnedBy(Predicate<GroupDescription.Internal> filter)
-      throws OrmException, IOException, ConfigInvalidException {
+      throws OrmException, IOException, ConfigInvalidException, PermissionBackendException {
    Pattern pattern = getRegexPattern();
    Stream<? extends GroupDescription.Internal> foundGroups =
        groups
@@ -396,13 +401,14 @@ public class ListGroups implements RestReadView<TopLevelResource> {
  }
  private List<GroupInfo> getGroupsOwnedBy(String id)
-      throws OrmException, RestApiException, IOException, ConfigInvalidException {
+      throws OrmException, RestApiException, IOException, ConfigInvalidException,
          PermissionBackendException {
    String uuid = groupsCollection.parse(id).getGroupUUID().get();
    return filterGroupsOwnedBy(group -> group.getOwnerGroupUUID().get().equals(uuid));
  }
  private List<GroupInfo> getGroupsOwnedBy(IdentifiedUser user)
-      throws OrmException, IOException, ConfigInvalidException {
+      throws OrmException, IOException, ConfigInvalidException, PermissionBackendException {
    return filterGroupsOwnedBy(group -> isOwner(user, group));
  }
--- a/java/com/google/gerrit/server/restapi/group/ListMembers.java
+++ b/java/com/google/gerrit/server/restapi/group/ListMembers.java
@@ -32,6 +32,7 @@ import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.group.InternalGroup;
 import com.google.gerrit.server.group.InternalGroupDescription;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import java.util.ArrayList;
@@ -66,7 +67,7 @@ public class ListMembers implements RestReadView<GroupResource> {
  @Override
  public List<AccountInfo> apply(GroupResource resource)
-      throws NotInternalGroupException, OrmException {
+      throws NotInternalGroupException, OrmException, PermissionBackendException {
    GroupDescription.Internal group =
        resource.asInternalGroup().orElseThrow(NotInternalGroupException::new);
    if (recursive) {
@@ -75,7 +76,8 @@ public class ListMembers implements RestReadView<GroupResource> {
    return getDirectMembers(group, resource.getControl());
  }
-  public List<AccountInfo> getTransitiveMembers(AccountGroup.UUID groupUuid) {
+  public List<AccountInfo> getTransitiveMembers(AccountGroup.UUID groupUuid)
      throws PermissionBackendException {
    Optional<InternalGroup> group = groupCache.get(groupUuid);
    if (group.isPresent()) {
      InternalGroupDescription internalGroup = new InternalGroupDescription(group.get());
@@ -86,7 +88,8 @@ public class ListMembers implements RestReadView<GroupResource> {
  }
  private List<AccountInfo> getTransitiveMembers(
-      GroupDescription.Internal group, GroupControl groupControl) {
+      GroupDescription.Internal group, GroupControl groupControl)
      throws PermissionBackendException {
    checkSameGroup(group, groupControl);
    Set<Account.Id> members =
        getTransitiveMemberIds(
@@ -94,19 +97,21 @@ public class ListMembers implements RestReadView<GroupResource> {
    return toAccountInfos(members);
  }
-  public List<AccountInfo> getDirectMembers(InternalGroup group) {
+  public List<AccountInfo> getDirectMembers(InternalGroup group) throws PermissionBackendException {
    InternalGroupDescription internalGroup = new InternalGroupDescription(group);
    return getDirectMembers(internalGroup, groupControlFactory.controlFor(internalGroup));
  }
  public List<AccountInfo> getDirectMembers(
-      GroupDescription.Internal group, GroupControl groupControl) {
+      GroupDescription.Internal group, GroupControl groupControl)
      throws PermissionBackendException {
    checkSameGroup(group, groupControl);
    Set<Account.Id> directMembers = getDirectMemberIds(group, groupControl);
    return toAccountInfos(directMembers);
  }
-  private List<AccountInfo> toAccountInfos(Set<Account.Id> members) {
+  private List<AccountInfo> toAccountInfos(Set<Account.Id> members)
      throws PermissionBackendException {
    List<AccountInfo> memberInfos = new ArrayList<>(members.size());
    for (Account.Id member : members) {
      memberInfos.add(accountLoader.get(member));
--- a/java/com/google/gerrit/server/restapi/group/ListSubgroups.java
+++ b/java/com/google/gerrit/server/restapi/group/ListSubgroups.java
@@ -24,6 +24,7 @@ import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
@@ -46,7 +47,8 @@ public class ListSubgroups implements RestReadView<GroupResource> {
  }
  @Override
-  public List<GroupInfo> apply(GroupResource rsrc) throws NotInternalGroupException, OrmException {
+  public List<GroupInfo> apply(GroupResource rsrc)
      throws NotInternalGroupException, OrmException, PermissionBackendException {
    GroupDescription.Internal group =
        rsrc.asInternalGroup().orElseThrow(NotInternalGroupException::new);
@@ -54,7 +56,8 @@ public class ListSubgroups implements RestReadView<GroupResource> {
  }
  public List<GroupInfo> getDirectSubgroups(
-      GroupDescription.Internal group, GroupControl groupControl) throws OrmException {
+      GroupDescription.Internal group, GroupControl groupControl)
      throws OrmException, PermissionBackendException {
    boolean ownerOfParent = groupControl.isOwner();
    List<GroupInfo> included = new ArrayList<>();
    for (AccountGroup.UUID subgroupUuid : group.getSubgroups()) {
--- a/java/com/google/gerrit/server/restapi/group/PutOwner.java
+++ b/java/com/google/gerrit/server/restapi/group/PutOwner.java
@@ -29,6 +29,7 @@ import com.google.gerrit.server.UserInitiated;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.group.db.GroupsUpdate;
 import com.google.gerrit.server.group.db.InternalGroupUpdate;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -56,7 +57,7 @@ public class PutOwner implements RestModifyView<GroupResource, OwnerInput> {
  public GroupInfo apply(GroupResource resource, OwnerInput input)
      throws ResourceNotFoundException, NotInternalGroupException, AuthException,
          BadRequestException, UnprocessableEntityException, OrmException, IOException,
-          ConfigInvalidException {
+          ConfigInvalidException, PermissionBackendException {
    GroupDescription.Internal internalGroup =
        resource.asInternalGroup().orElseThrow(NotInternalGroupException::new);
    if (!resource.getControl().isOwner()) {
--- a/java/com/google/gerrit/server/restapi/group/QueryGroups.java
+++ b/java/com/google/gerrit/server/restapi/group/QueryGroups.java
@@ -26,6 +26,7 @@ import com.google.gerrit.index.query.QueryParseException;
 import com.google.gerrit.index.query.QueryResult;
 import com.google.gerrit.server.group.InternalGroup;
 import com.google.gerrit.server.group.InternalGroupDescription;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.query.group.GroupQueryBuilder;
 import com.google.gerrit.server.query.group.GroupQueryProcessor;
 import com.google.gwtorm.server.OrmException;
@@ -94,7 +95,8 @@ public class QueryGroups implements RestReadView<TopLevelResource> {
  @Override
  public List<GroupInfo> apply(TopLevelResource resource)
-      throws BadRequestException, MethodNotAllowedException, OrmException {
+      throws BadRequestException, MethodNotAllowedException, OrmException,
          PermissionBackendException {
    if (Strings.isNullOrEmpty(query)) {
      throw new BadRequestException("missing query field");
    }
--- a/java/com/google/gerrit/sshd/commands/CreateAccountCommand.java
+++ b/java/com/google/gerrit/sshd/commands/CreateAccountCommand.java
@@ -24,6 +24,7 @@ import com.google.gerrit.extensions.restapi.IdString;
 import com.google.gerrit.extensions.restapi.RestApiException;
 import com.google.gerrit.extensions.restapi.TopLevelResource;
 import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.account.CreateAccount;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
@@ -70,7 +71,9 @@ final class CreateAccountCommand extends SshCommand {
  @Inject private CreateAccount createAccount;
  @Override
-  protected void run() throws OrmException, IOException, ConfigInvalidException, UnloggedFailure {
+  protected void run()
      throws OrmException, IOException, ConfigInvalidException, UnloggedFailure,
          PermissionBackendException {
    AccountInput input = new AccountInput();
    input.username = username;
    input.email = email;
--- a/java/com/google/gerrit/sshd/commands/CreateGroupCommand.java
+++ b/java/com/google/gerrit/sshd/commands/CreateGroupCommand.java
@@ -26,6 +26,7 @@ import com.google.gerrit.extensions.restapi.TopLevelResource;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.server.group.GroupResource;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.group.AddMembers;
 import com.google.gerrit.server.restapi.group.AddSubgroups;
 import com.google.gerrit.server.restapi.group.CreateGroup;
@@ -100,7 +101,9 @@ final class CreateGroupCommand extends SshCommand {
  @Inject private AddSubgroups addSubgroups;
  @Override
-  protected void run() throws Failure, OrmException, IOException, ConfigInvalidException {
+  protected void run()
      throws Failure, OrmException, IOException, ConfigInvalidException,
          PermissionBackendException {
    try {
      GroupResource rsrc = createGroup();
@@ -117,7 +120,8 @@ final class CreateGroupCommand extends SshCommand {
  }
  private GroupResource createGroup()
-      throws RestApiException, OrmException, IOException, ConfigInvalidException {
+      throws RestApiException, OrmException, IOException, ConfigInvalidException,
          PermissionBackendException {
    GroupInput input = new GroupInput();
    input.description = groupDescription;
    input.visibleToAll = visibleToAll;
@@ -132,7 +136,8 @@ final class CreateGroupCommand extends SshCommand {
  }
  private void addMembers(GroupResource rsrc)
-      throws RestApiException, OrmException, IOException, ConfigInvalidException {
+      throws RestApiException, OrmException, IOException, ConfigInvalidException,
          PermissionBackendException {
    AddMembers.Input input =
        AddMembers.Input.fromMembers(
            initialMembers.stream().map(Object::toString).collect(toList()));
@@ -140,7 +145,8 @@ final class CreateGroupCommand extends SshCommand {
  }
  private void addSubgroups(GroupResource rsrc)
-      throws RestApiException, OrmException, IOException, ConfigInvalidException {
+      throws RestApiException, OrmException, IOException, ConfigInvalidException,
          PermissionBackendException {
    AddSubgroups.Input input =
        AddSubgroups.Input.fromGroups(
            initialGroups.stream().map(AccountGroup.UUID::get).collect(toList()));
--- a/java/com/google/gerrit/sshd/commands/ListMembersCommand.java
+++ b/java/com/google/gerrit/sshd/commands/ListMembersCommand.java
@@ -25,6 +25,7 @@ import com.google.gerrit.server.account.GroupCache;
 import com.google.gerrit.server.account.GroupControl;
 import com.google.gerrit.server.group.InternalGroup;
 import com.google.gerrit.server.ioutil.ColumnFormatter;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.restapi.group.ListMembers;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
@@ -67,7 +68,7 @@ public class ListMembersCommand extends SshCommand {
      this.groupCache = groupCache;
    }
-    void display(PrintWriter writer) {
+    void display(PrintWriter writer) throws PermissionBackendException {
      Optional<InternalGroup> group = groupCache.get(new AccountGroup.NameKey(name));
      String errorText = "Group not found or not visible\n";
--- a/javatests/com/google/gerrit/server/query/account/AbstractQueryAccountsTest.java
+++ b/javatests/com/google/gerrit/server/query/account/AbstractQueryAccountsTest.java
@@ -541,17 +541,19 @@ public abstract class AbstractQueryAccountsTest extends GerritServerTests {
  @Test
  public void withSecondaryEmailsWithoutModifyAccountCapability() throws Exception {
-    AccountInfo user = newAccount("myuser", "My User", "abc@example.com", true);
+    AccountInfo user = newAccount("myuser", "My User", "other@example.com", true);
    AccountInfo otherUser = newAccount("otheruser", "Other User", "abc@example.com", true);
    String[] secondaryEmails = new String[] {"dfg@example.com", "hij@example.com"};
-    addEmails(user, secondaryEmails);
+    addEmails(otherUser, secondaryEmails);
    requestContext.setContext(newRequestContext(new Account.Id(user._accountId)));
-    List<AccountInfo> result = newQuery(user.username).withSuggest(true).get();
+    List<AccountInfo> result = newQuery(otherUser.username).withSuggest(true).get();
    assertThat(result.get(0).secondaryEmails).isNull();
    exception.expect(AuthException.class);
-    newQuery(user.username).withOption(ListAccountsOption.ALL_EMAILS).get();
+    newQuery(otherUser.username).withOption(ListAccountsOption.ALL_EMAILS).get();
  }
  @Test