Require branch deletion permission for pushes over HTTP

Since smart HTTP can perform a branch deletion over HTTP requests, we need to disambiguate web requests from the web UI from HTTP requests coming from a git client tool such as git push. Moving all git commands into the AccessPath.GIT category and making a different category for the web UI allows us to tell these apart, so we can correctly require delete branch permission when removing a branch through a git command. This is a safety feature to prevent project owners from accidentally creating or deleting branches over git push, even though they can do this through the web UI without additional access controls. Bug: issue 393 Change-Id: I14cc68e31f5263913f5d9715a8f2241b5766bf23 Signed-off-by: Shawn O. Pearce <sop@google.com> Reviewed-by: Nico Sallembien <nsallembien@google.com>
2010-01-29 10:29:38 -08:00
parent f6a13f4eed
commit 53b0e7ffb5
9 changed files with 89 additions and 22 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/AccessPath.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/AccessPath.java
@@ -19,11 +19,14 @@ public enum AccessPath {
  /** An unknown access path, probably should not be special. */
  UNKNOWN,

-  /** Access through the web interface. */
-  WEB,
+  /** Access through the web UI. */
+  WEB_UI,

-  /** Access through an SSH command, e.g. git fetch or push. */
-  SSH,
+  /** Access through an SSH command that is not invoked by Git. */
+  SSH_COMMAND,
+
+  /** Access from a Git client using any Git protocol. */
+  GIT,

  /** Access through replication */
  REPLICATION;
--- a/gerrit-server/src/main/java/com/google/gerrit/server/PeerDaemonUser.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/PeerDaemonUser.java
@@ -39,7 +39,7 @@ public class PeerDaemonUser extends CurrentUser {

  @Inject
  protected PeerDaemonUser(AuthConfig authConfig, @Assisted SocketAddress peer) {
-    super(AccessPath.SSH, authConfig);
+    super(AccessPath.SSH_COMMAND, authConfig);

    final HashSet<AccountGroup.Id> g = new HashSet<AccountGroup.Id>();
    g.add(authConfig.getAdministratorsGroup());
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java
@@ -121,7 +121,7 @@ public class RefControl {
  public boolean canCreate(RevWalk rw, RevObject object) {
    boolean owner;
    switch (getCurrentUser().getAccessPath()) {
-      case WEB:
+      case WEB_UI:
        owner = isOwner();
        break;

@@ -179,10 +179,10 @@ public class RefControl {
   */
  public boolean canDelete() {
    switch (getCurrentUser().getAccessPath()) {
-      case WEB:
+      case WEB_UI:
        return isOwner() || canPerform(PUSH_HEAD, PUSH_HEAD_REPLACE);

-      case SSH:
+      case GIT:
        return canPerform(PUSH_HEAD, PUSH_HEAD_REPLACE);

      default: