RestApiServlet: Skip capability check for administrators
The migration to permission backend in I9458bd55fa wasn't equivalent: Old code: CapabilityUtils.checkRequiresCapability(globals.currentUser, null, rc.getClass()); New code: globals .permissionBackend .user(globals.currentUser) .checkAny(GlobalPermission.fromAnnotation(d.pluginName, d.view.getClass())); The skipping of capability check in the base version was erroneously omitted: if (ctl.canAdministrateServer()) { return; } This broke some plugins, most notably importer plugin. Plugin name is resolved to null (this is probably wrong too and indicates, that the capability check for plugin own capability is broken but it is a different bug). That why the check doesn't work, because import is a plugin capability and not gerrit core capability. The same wrong resolution of the plugin name to null is happening on stable-2.14 branch, but the only reason it works there, is because the capability check is omitted for administrators on stable-2.14 branch. Bug: Issue 8859 Change-Id: I61534cd9c5cd0da34782e671ae53c0b7fc2e4b65
This commit is contained in:
parent
21e6a00091
commit
5689d6fec4
|
@ -1160,10 +1160,18 @@ public class RestApiServlet extends HttpServlet {
|
|||
|
||||
private void checkRequiresCapability(ViewData d)
|
||||
throws AuthException, PermissionBackendException {
|
||||
globals
|
||||
.permissionBackend
|
||||
.user(globals.currentUser)
|
||||
.checkAny(GlobalPermission.fromAnnotation(d.pluginName, d.view.getClass()));
|
||||
try {
|
||||
globals
|
||||
.permissionBackend
|
||||
.user(globals.currentUser)
|
||||
.check(GlobalPermission.ADMINISTRATE_SERVER);
|
||||
} catch (AuthException e) {
|
||||
// Skiping
|
||||
globals
|
||||
.permissionBackend
|
||||
.user(globals.currentUser)
|
||||
.checkAny(GlobalPermission.fromAnnotation(d.pluginName, d.view.getClass()));
|
||||
}
|
||||
}
|
||||
|
||||
private static long handleException(
|
||||
|
|
Loading…
Reference in New Issue