Add new "Delete Changes" permission

Changes can only be deleted by Administrators, or by the change owner when they are granted the "Delete Own Changes" permission either on the "Change Owners" virtual group or an internal group they are a member of. This means that it is not possible to allow users to delete other users' changes other than by granting the "Administrate Server" permission, which also gives them all the other administrative capabilities. This is also inconsistent with how the "Delete Drafts" permission works. An example of where it would be better to have more flexible permissions is allowing changes to be deleted by Project Owners on a per-project basis, or by a group of users who are trusted (but not enough to grant them Administrator capabilities). Add a new permission "Delete Changes" which allows these use cases, thus a change can now also be deleted by users who are: - Member of a group that is explicitly granted "Delete Changes" on the change's destination branch. - Member of a group that is given the "Owner" permission on the project, when the virtual group "Project Owners" is granted "Delete Changes" on the change's destination branch. Bug: Issue 9354 Change-Id: I9d5d779eb0a6ce18faca02b9fc90904ec5da91d9
2018-07-05 13:24:47 +09:00
parent 1697a2bd2b
commit 42488f88ce
6 changed files with 58 additions and 6 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/ChangeControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/ChangeControl.java
@@ -261,7 +261,7 @@ public class ChangeControl {
        return (isOwner() || getRefControl().canDeleteDrafts());
      case NEW:
      case ABANDONED:
-        return (isAdmin() || (isOwner() && getRefControl().canDeleteOwnChanges(isOwner())));
+        return (isAdmin() || getRefControl().canDeleteChanges(isOwner()));
      case MERGED:
      default:
        return false;
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
@@ -417,9 +417,10 @@ public class RefControl {
    return canPerform(Permission.DELETE_DRAFTS);
  }

-  /** @return true if this user can delete their own changes. */
-  public boolean canDeleteOwnChanges(boolean isChangeOwner) {
-    return canPerform(Permission.DELETE_OWN_CHANGES, isChangeOwner);
+  /** @return true if this user can delete changes. */
+  public boolean canDeleteChanges(boolean isChangeOwner) {
+    return canPerform(Permission.DELETE_CHANGES)
+        || (isChangeOwner && canPerform(Permission.DELETE_OWN_CHANGES, isChangeOwner));
  }

  /** @return true if this user can edit topic names. */