opendev/gerrit
Code Issues Proposed changes

Remove PermissionBackend#user(Provider<CurrentUser>)

Browse Source 
Checking permissions of users that aren't the caller on the current request
can have implications on the security of the system. The most prominent
one is creating a group-oracle.

To limit the cases where we could potentially expose Gerrit to these
threats, PermissionBackend removes the method that was operating solely
on the provider of the current user.

Change-Id: I601ea1200a15a5f262ca0770b23cc1c7bee126b1
This commit is contained in:
Patrick Hiesel
2018-02-20 12:19:33 +01:00
parent 659ea71969
commit 4bdef6c030
78 changed files with 124 additions and 245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/com/google/gerrit/server/restapi/account/GetExternalIds.java
View File

@@ -62,7 +62,7 @@ public class GetExternalIds implements RestReadView<AccountResource> {
public List<AccountExternalIdInfo> apply(AccountResource resource)
throws RestApiException, IOException, OrmException, PermissionBackendException {
if (self.get() != resource.getUser()) {
permissionBackend.user(self).check(GlobalPermission.ACCESS_DATABASE);
permissionBackend.currentUser().check(GlobalPermission.ACCESS_DATABASE);
}
Collection<ExternalId> ids = externalIds.byAccount(resource.getUser().getAccountId());