opendev/gerrit
Code Issues Proposed changes

Provide a GET endpoint for CheckAccess

Browse Source 
Practically speaking, the CheckAccess endpoint is annoying for use in
administrative actions, because it requires the right Content-Type
headers.

Philosophically, the endpoint only inspects, so it should not use the
POST method.

Change-Id: I5270b683f51f2876785ba84e762b7ecedbceea21
This commit is contained in:
Han-Wen Nienhuys
2018-04-17 16:26:44 +02:00
committed by Edwin Kempin
parent a0ce3bb311
commit 5b089f2966
4 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Documentation/rest-api-projects.txt
View File

@@ -1345,6 +1345,14 @@ project-ref, or project-permission-ref combination.
} }
---- ----
This endpoint can also be accessed as a GET request, using the query
parameters `perm`, `account` and `ref`, for example:
----
GET /projects/MyProject/check.access?account=10024&ref=refs/heads/secret/bla
----
[[index]] [[index]]
=== Index all changes in a project === Index all changes in a project

63
java/com/google/gerrit/server/restapi/project/CheckAccessReadView.java Normal file
View File

@@ -0,0 +1,63 @@
// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.restapi.project;
import com.google.gerrit.extensions.api.config.AccessCheckInfo;
import com.google.gerrit.extensions.api.config.AccessCheckInput;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestReadView;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectResource;
import com.google.gwtorm.server.OrmException;
import java.io.IOException;
import javax.inject.Inject;
import org.eclipse.jgit.errors.ConfigInvalidException;
import org.kohsuke.args4j.Option;
public class CheckAccessReadView implements RestReadView<ProjectResource> {
String refName;
String account;
String permission;
@Inject CheckAccess checkAccess;
@Option(name = "--ref", usage = "ref name to check permission for")
void addOption(String refName) {
this.refName = refName;
}
@Option(name = "--account", usage = "account to check acccess for")
void setAccount(String account) {
this.account = account;
}
@Option(name = "--perm", usage = "permission to check; default: read of any ref.")
void setPermission(String perm) {
this.permission = perm;
}
@Override
public AccessCheckInfo apply(ProjectResource rsrc)
throws OrmException, PermissionBackendException, RestApiException, IOException,
ConfigInvalidException {
AccessCheckInput input = new AccessCheckInput();
input.ref = refName;
input.account = account;
input.permission = permission;
return checkAccess.apply(rsrc, input);
}
}

1
java/com/google/gerrit/server/restapi/project/Module.java
View File

@@ -50,6 +50,7 @@ public class Module extends RestApiModule {
post(PROJECT_KIND, "access").to(SetAccess.class); post(PROJECT_KIND, "access").to(SetAccess.class);
put(PROJECT_KIND, "access:review").to(CreateAccessChange.class); put(PROJECT_KIND, "access:review").to(CreateAccessChange.class);
post(PROJECT_KIND, "check.access").to(CheckAccess.class); post(PROJECT_KIND, "check.access").to(CheckAccess.class);
get(PROJECT_KIND, "check.access").to(CheckAccessReadView.class);
get(PROJECT_KIND, "parent").to(GetParent.class); get(PROJECT_KIND, "parent").to(GetParent.class);
put(PROJECT_KIND, "parent").to(SetParent.class); put(PROJECT_KIND, "parent").to(SetParent.class);

14
javatests/com/google/gerrit/acceptance/api/project/CheckAccessIT.java
View File

@@ -18,6 +18,7 @@ import static com.google.common.truth.Truth.assertThat;
import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList;
import com.google.gerrit.acceptance.AbstractDaemonTest; import com.google.gerrit.acceptance.AbstractDaemonTest;
import com.google.gerrit.acceptance.RestResponse;
import com.google.gerrit.acceptance.TestAccount; import com.google.gerrit.acceptance.TestAccount;
import com.google.gerrit.common.data.Permission; import com.google.gerrit.common.data.Permission;
import com.google.gerrit.extensions.api.config.AccessCheckInfo; import com.google.gerrit.extensions.api.config.AccessCheckInfo;
@@ -181,6 +182,19 @@ public class CheckAccessIT extends AbstractDaemonTest {
} }
} }
@Test
public void httpGet() throws Exception {
RestResponse rep =
adminRestSession.get(
"/projects/"
+ normalProject.get()
+ "/check.access"
+ "?ref=refs/heads/master&perm=viewPrivateChanges&account="
+ user.email);
rep.assertOK();
assertThat(rep.getEntityContent()).contains("403");
}
@Test @Test
public void accessible() throws Exception { public void accessible() throws Exception {
List<TestCase> inputs = List<TestCase> inputs =