Provide a GET endpoint for CheckAccess

Practically speaking, the CheckAccess endpoint is annoying for use in administrative actions, because it requires the right Content-Type headers. Philosophically, the endpoint only inspects, so it should not use the POST method. Change-Id: I5270b683f51f2876785ba84e762b7ecedbceea21
2018-04-17 16:26:44 +02:00 · 2018-04-17 16:26:44 +02:00 · 5b089f2966
commit 5b089f2966
parent a0ce3bb311
4 changed files with 86 additions and 0 deletions
--- a/Documentation/rest-api-projects.txt
+++ b/Documentation/rest-api-projects.txt
@ -1345,6 +1345,14 @@ project-ref, or project-permission-ref combination.
  }
 ----

+This endpoint can also be accessed as a GET request, using the query
+parameters `perm`, `account` and `ref`, for example:
+
+----
+  GET /projects/MyProject/check.access?account=10024&ref=refs/heads/secret/bla
+----
+
+
 [[index]]
 === Index all changes in a project

--- a/java/com/google/gerrit/server/restapi/project/CheckAccessReadView.java
+++ b/java/com/google/gerrit/server/restapi/project/CheckAccessReadView.java
@ -0,0 +1,63 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.server.restapi.project;
+
+import com.google.gerrit.extensions.api.config.AccessCheckInfo;
+import com.google.gerrit.extensions.api.config.AccessCheckInput;
+import com.google.gerrit.extensions.restapi.RestApiException;
+import com.google.gerrit.extensions.restapi.RestReadView;
+import com.google.gerrit.server.permissions.PermissionBackendException;
+import com.google.gerrit.server.project.ProjectResource;
+import com.google.gwtorm.server.OrmException;
+import java.io.IOException;
+import javax.inject.Inject;
+import org.eclipse.jgit.errors.ConfigInvalidException;
+import org.kohsuke.args4j.Option;
+
+public class CheckAccessReadView implements RestReadView<ProjectResource> {
+  String refName;
+  String account;
+  String permission;
+
+  @Inject CheckAccess checkAccess;
+
+  @Option(name = "--ref", usage = "ref name to check permission for")
+  void addOption(String refName) {
+    this.refName = refName;
+  }
+
+  @Option(name = "--account", usage = "account to check acccess for")
+  void setAccount(String account) {
+    this.account = account;
+  }
+
+  @Option(name = "--perm", usage = "permission to check; default: read of any ref.")
+  void setPermission(String perm) {
+    this.permission = perm;
+  }
+
+  @Override
+  public AccessCheckInfo apply(ProjectResource rsrc)
+      throws OrmException, PermissionBackendException, RestApiException, IOException,
+          ConfigInvalidException {
+
+    AccessCheckInput input = new AccessCheckInput();
+    input.ref = refName;
+    input.account = account;
+    input.permission = permission;
+
+    return checkAccess.apply(rsrc, input);
+  }
+}
--- a/java/com/google/gerrit/server/restapi/project/Module.java
+++ b/java/com/google/gerrit/server/restapi/project/Module.java
@ -50,6 +50,7 @@ public class Module extends RestApiModule {
    post(PROJECT_KIND, "access").to(SetAccess.class);
    put(PROJECT_KIND, "access:review").to(CreateAccessChange.class);
    post(PROJECT_KIND, "check.access").to(CheckAccess.class);
+    get(PROJECT_KIND, "check.access").to(CheckAccessReadView.class);

    get(PROJECT_KIND, "parent").to(GetParent.class);
    put(PROJECT_KIND, "parent").to(SetParent.class);
--- a/javatests/com/google/gerrit/acceptance/api/project/CheckAccessIT.java
+++ b/javatests/com/google/gerrit/acceptance/api/project/CheckAccessIT.java
@ -18,6 +18,7 @@ import static com.google.common.truth.Truth.assertThat;

 import com.google.common.collect.ImmutableList;
 import com.google.gerrit.acceptance.AbstractDaemonTest;
+import com.google.gerrit.acceptance.RestResponse;
 import com.google.gerrit.acceptance.TestAccount;
 import com.google.gerrit.common.data.Permission;
 import com.google.gerrit.extensions.api.config.AccessCheckInfo;
@ -181,6 +182,19 @@ public class CheckAccessIT extends AbstractDaemonTest {
    }
  }

+  @Test
+  public void httpGet() throws Exception {
+    RestResponse rep =
+        adminRestSession.get(
+            "/projects/"
+                + normalProject.get()
+                + "/check.access"
+                + "?ref=refs/heads/master&perm=viewPrivateChanges&account="
+                + user.email);
+    rep.assertOK();
+    assertThat(rep.getEntityContent()).contains("403");
+  }
+
  @Test
  public void accessible() throws Exception {
    List<TestCase> inputs =