Remove READ_NO_CONFIG permission

Now that DefaultRefFilter is an implementation detail of
PermissionBackend we can remove READ_NO_CONFIG as it was only used to
migrate all callers away from direct calls to *Control classes.

Change-Id: I5bf0a6f59cf66b3720c2cb2b671d821eceb593bb

java/com/google/gerrit/server/permissions/DefaultRefFilter.java

@@ -21,6 +21,7 @@ import static com.google.gerrit.reviewdb.client.RefNames.REFS_CONFIG;
 import static com.google.gerrit.reviewdb.client.RefNames.REFS_USERS_SELF;
 import static java.util.stream.Collectors.toMap;
 
+import com.google.common.collect.ImmutableSet;
 import com.google.gerrit.common.Nullable;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.reviewdb.client.Account;
@@ -65,7 +66,7 @@ class DefaultRefFilter {
   private static final Logger log = LoggerFactory.getLogger(DefaultRefFilter.class);
 
   interface Factory {
-    DefaultRefFilter create(CurrentUser who, ProjectState projectState);
+    DefaultRefFilter create(ProjectControl projectControl);
   }
 
   private final TagCache tagCache;
@@ -74,9 +75,10 @@ class DefaultRefFilter {
   private final Provider<ReviewDb> db;
   private final GroupCache groupCache;
   private final PermissionBackend permissionBackend;
-  private final PermissionBackend.ForProject permissionBackendForProject;
+  private final ProjectControl projectControl;
   private final CurrentUser user;
   private final ProjectState projectState;
+  private final PermissionBackend.ForProject permissionBackendForProject;
 
   private Map<Change.Id, Branch.NameKey> visibleChanges;
 
@@ -88,18 +90,19 @@ class DefaultRefFilter {
       Provider<ReviewDb> db,
       GroupCache groupCache,
       PermissionBackend permissionBackend,
-      @Assisted CurrentUser user,
+      @Assisted ProjectControl projectControl) {
-      @Assisted ProjectState projectState) {
     this.tagCache = tagCache;
     this.changeNotesFactory = changeNotesFactory;
     this.changeCache = changeCache;
     this.db = db;
     this.groupCache = groupCache;
     this.permissionBackend = permissionBackend;
+    this.projectControl = projectControl;
+
+    this.user = projectControl.getUser();
+    this.projectState = projectControl.getProjectState();
     this.permissionBackendForProject =
         permissionBackend.user(user).database(db).project(projectState.getNameKey());
-    this.user = user;
-    this.projectState = projectState;
   }
 
   Map<String, Ref> filter(Map<String, Ref> refs, Repository repo, RefFilterOptions opts)
@@ -113,7 +116,7 @@ class DefaultRefFilter {
     if (!projectState.isAllUsers()) {
       if (checkProjectPermission(forProject, ProjectPermission.READ)) {
         return refs;
-      } else if (checkProjectPermission(forProject, ProjectPermission.READ_NO_CONFIG)) {
+      } else if (projectControl.allRefsAreVisible(ImmutableSet.of(RefNames.REFS_CONFIG))) {
         return fastHideRefsMetaConfig(refs);
       }
     }

java/com/google/gerrit/server/permissions/ProjectControl.java

@@ -16,7 +16,6 @@ package com.google.gerrit.server.permissions;
 
 import static com.google.common.base.Preconditions.checkArgument;
 
-import com.google.common.collect.ImmutableSet;
 import com.google.gerrit.common.data.AccessSection;
 import com.google.gerrit.common.data.Permission;
 import com.google.gerrit.common.data.PermissionRule;
@@ -25,7 +24,6 @@ import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.reviewdb.client.Branch;
 import com.google.gerrit.reviewdb.client.Change;
 import com.google.gerrit.reviewdb.client.Project;
-import com.google.gerrit.reviewdb.client.RefNames;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.account.GroupMembership;
@@ -179,6 +177,10 @@ class ProjectControl {
     return match(rule.getGroup().getUUID(), isChangeOwner);
   }
 
+  boolean allRefsAreVisible(Set<String> ignore) {
+    return user.isInternalUser() || canPerformOnAllRefs(Permission.READ, ignore);
+  }
+
   /** Can the user run upload pack? */
   private boolean canRunUploadPack() {
     for (AccountGroup.UUID group : uploadGroups) {
@@ -199,10 +201,6 @@ class ProjectControl {
     return false;
   }
 
-  private boolean allRefsAreVisible(Set<String> ignore) {
-    return user.isInternalUser() || canPerformOnAllRefs(Permission.READ, ignore);
-  }
-
   /** Returns whether the project is hidden. */
   private boolean isHidden() {
     return getProject().getState().equals(com.google.gerrit.extensions.client.ProjectState.HIDDEN);
@@ -391,7 +389,7 @@ class ProjectControl {
     @Override
     public Map<String, Ref> filter(Map<String, Ref> refs, Repository repo, RefFilterOptions opts)
         throws PermissionBackendException {
-      return refFilterFactory.create(getUser(), getProjectState()).filter(refs, repo, opts);
+      return refFilterFactory.create(ProjectControl.this).filter(refs, repo, opts);
     }
 
     private boolean can(ProjectPermission perm) throws PermissionBackendException {
@@ -403,9 +401,6 @@ class ProjectControl {
         case READ:
           return !isHidden() && allRefsAreVisible(Collections.emptySet());
 
-        case READ_NO_CONFIG:
-          return !isHidden() && allRefsAreVisible(ImmutableSet.of(RefNames.REFS_CONFIG));
-
         case CREATE_REF:
           return canAddRefs();
         case CREATE_CHANGE:

java/com/google/gerrit/server/permissions/ProjectPermission.java

@@ -34,14 +34,6 @@ public enum ProjectPermission {
    */
   READ(Permission.READ),
 
-  /**
-   * Can read all non-config references in the repository.
-   *
-   * <p>This is the same as {@code READ} but does not check if they user can see refs/meta/config.
-   * Therefore, callers should check {@code READ} before excluding config refs in a short-circuit.
-   */
-  READ_NO_CONFIG,
-
   /**
    * Can create at least one reference in the project.
    *