Merge "Fix: Permission.PUSH_MERGE checking for push bypassing Gerrit"
This commit is contained in:
Martin Fick
@@ -609,12 +609,11 @@ push to happen. Some projects wish to restrict merges to being created
|
|||||||
by Gerrit. By granting `Push` without `Push Merge Commit`, the only
|
by Gerrit. By granting `Push` without `Push Merge Commit`, the only
|
||||||
merges that enter the system will be those created by Gerrit.
|
merges that enter the system will be those created by Gerrit.
|
||||||
|
|
||||||
The reference name connected to a `Push Merge Commit` entry must always
|
For pushing a merge commit for review, the reference name connected to
|
||||||
be prefixed with `refs/for/`, for example `refs/for/refs/heads/BRANCH`.
|
a `Push Merge Commit` entry must be prefixed with `refs/for/`,
|
||||||
This applies even for an entry that complements a `Push` entry for
|
for example `refs/for/refs/heads/BRANCH`. For pushing a merge commit
|
||||||
`refs/heads/BRANCH` that allows direct pushes of non-merge commits, and
|
directly into the repository bypassing review, the reference name
|
||||||
the intention of the `Push Merge Commit` entry is to allow direct pushes
|
must be `refs/heads/BRANCH`.
|
||||||
of merge commits.
|
|
||||||
|
|
||||||
|
|
||||||
[[category_push_annotated]]
|
[[category_push_annotated]]
|
||||||
|
|||||||
@@ -1986,7 +1986,8 @@ public class ReceiveCommits {
|
|||||||
if (ctl.canForgeAuthor()
|
if (ctl.canForgeAuthor()
|
||||||
&& ctl.canForgeCommitter()
|
&& ctl.canForgeCommitter()
|
||||||
&& ctl.canForgeGerritServerIdentity()
|
&& ctl.canForgeGerritServerIdentity()
|
||||||
&& ctl.canUploadMerges()
|
&& (MagicBranch.isForReview(cmd.getRefName()) ? ctl.canUploadMerges()
|
||||||
|
: ctl.canPushMerges())
|
||||||
&& !projectControl.getProjectState().isUseSignedOffBy()
|
&& !projectControl.getProjectState().isUseSignedOffBy()
|
||||||
&& Iterables.isEmpty(rejectCommits)
|
&& Iterables.isEmpty(rejectCommits)
|
||||||
&& !GitRepositoryManager.REF_CONFIG.equals(ctl.getRefName())
|
&& !GitRepositoryManager.REF_CONFIG.equals(ctl.getRefName())
|
||||||
|
|||||||
@@ -355,11 +355,21 @@ public class CommitValidators {
|
|||||||
@Override
|
@Override
|
||||||
public List<CommitValidationMessage> onCommitReceived(
|
public List<CommitValidationMessage> onCommitReceived(
|
||||||
CommitReceivedEvent receiveEvent) throws CommitValidationException {
|
CommitReceivedEvent receiveEvent) throws CommitValidationException {
|
||||||
if (receiveEvent.commit.getParentCount() > 1
|
if (receiveEvent.commit.getParentCount() > 1) {
|
||||||
&& !refControl.canUploadMerges()) {
|
if (MagicBranch.isForReview(receiveEvent.command.getRefName())) {
|
||||||
throw new CommitValidationException("you are not allowed to upload merges");
|
if (!refControl.canUploadMerges()) {
|
||||||
|
throw new CommitValidationException(
|
||||||
|
"you are not allowed to upload merges for review");
|
||||||
}
|
}
|
||||||
return Collections.<CommitValidationMessage>emptyList();
|
} else {
|
||||||
|
if (!refControl.canPushMerges()) {
|
||||||
|
throw new CommitValidationException(
|
||||||
|
"you are not allowed to push merges directly bypassing code review");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return Collections.<CommitValidationMessage> emptyList();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -147,7 +147,17 @@ public class RefControl {
|
|||||||
&& canWrite();
|
&& canWrite();
|
||||||
}
|
}
|
||||||
|
|
||||||
/** @return true if this user can submit merge patch sets to this ref */
|
/**
|
||||||
|
* @return true if this user can push merge commits directly bypassing code
|
||||||
|
* review to this ref.
|
||||||
|
*/
|
||||||
|
public boolean canPushMerges() {
|
||||||
|
return projectControl.controlForRef(getRefName()).canPerform(
|
||||||
|
Permission.PUSH_MERGE)
|
||||||
|
&& canWrite();
|
||||||
|
}
|
||||||
|
|
||||||
|
/** @return true if this user can upload merge commits to this ref for review */
|
||||||
public boolean canUploadMerges() {
|
public boolean canUploadMerges() {
|
||||||
return projectControl.controlForRef("refs/for/" + getRefName())
|
return projectControl.controlForRef("refs/for/" + getRefName())
|
||||||
.canPerform(Permission.PUSH_MERGE)
|
.canPerform(Permission.PUSH_MERGE)
|
||||||
|
|||||||
@@ -51,6 +51,11 @@ public final class MagicBranch {
|
|||||||
|| refName.startsWith(NEW_CHANGE);
|
|| refName.startsWith(NEW_CHANGE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Checks if the supplied ref name is a magic branch for review */
|
||||||
|
public static boolean isForReview(String refName) {
|
||||||
|
return isMagicBranch(refName);
|
||||||
|
}
|
||||||
|
|
||||||
/** Returns the ref name prefix for a magic branch, <code>null</code> if the branch is not magic */
|
/** Returns the ref name prefix for a magic branch, <code>null</code> if the branch is not magic */
|
||||||
public static String getMagicRefNamePrefix(String refName) {
|
public static String getMagicRefNamePrefix(String refName) {
|
||||||
if (refName.startsWith(NEW_DRAFT_CHANGE)) {
|
if (refName.startsWith(NEW_DRAFT_CHANGE)) {
|
||||||
|
|||||||
Reference in New Issue
Block a user