opendev/gerrit
Code Issues Proposed changes

Don't allow the admin group to be renamed

Browse Source 
Renaming the admin group may cause loss of access to site admin
functions, and would permit another group owner to rename his
group to "admin", gaining those permissions.

Signed-off-by: Shawn O. Pearce <sop@google.com>
This commit is contained in:
Shawn O. Pearce
2008-12-30 09:14:57 -08:00
parent a013d20949
commit 5ff66abab1
2 changed files with 21 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
appjar/src/main/java/com/google/gerrit/client/admin/AccountGroupScreen.java
View File

@@ -30,6 +30,7 @@ import com.google.gwt.user.client.ui.ClickListener;
import com.google.gwt.user.client.ui.FlowPanel; import com.google.gwt.user.client.ui.FlowPanel;
import com.google.gwt.user.client.ui.FocusListenerAdapter; import com.google.gwt.user.client.ui.FocusListenerAdapter;
import com.google.gwt.user.client.ui.Label; import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.Panel;
import com.google.gwt.user.client.ui.SourcesTableEvents; import com.google.gwt.user.client.ui.SourcesTableEvents;
import com.google.gwt.user.client.ui.SuggestBox; import com.google.gwt.user.client.ui.SuggestBox;
import com.google.gwt.user.client.ui.TableListener; import com.google.gwt.user.client.ui.TableListener;
@@ -48,6 +49,7 @@ public class AccountGroupScreen extends AccountScreen {
private AccountInfoCache accounts = AccountInfoCache.empty(); private AccountInfoCache accounts = AccountInfoCache.empty();
private MemberTable members; private MemberTable members;
private Panel groupNamePanel;
private TextBox groupNameTxt; private TextBox groupNameTxt;
private Button saveName; private Button saveName;
@@ -100,11 +102,10 @@ public class AccountGroupScreen extends AccountScreen {
} }
private void initName() { private void initName() {
final VerticalPanel vp = new VerticalPanel(); groupNamePanel = new VerticalPanel();
groupNameTxt = new TextBox(); groupNameTxt = new TextBox();
groupNameTxt.setVisibleLength(60); groupNameTxt.setVisibleLength(60);
vp.add(groupNameTxt); groupNamePanel.add(groupNameTxt);
saveName = new Button(Util.C.buttonRenameGroup()); saveName = new Button(Util.C.buttonRenameGroup());
saveName.addClickListener(new ClickListener() { saveName.addClickListener(new ClickListener() {
@@ -119,8 +120,8 @@ public class AccountGroupScreen extends AccountScreen {
}); });
} }
}); });
vp.add(saveName); groupNamePanel.add(saveName);
add(vp); add(groupNamePanel);
new TextSaveButtonListener(groupNameTxt, saveName); new TextSaveButtonListener(groupNameTxt, saveName);
} }
@@ -209,6 +210,13 @@ public class AccountGroupScreen extends AccountScreen {
} }
private void display(final AccountGroupDetail result) { private void display(final AccountGroupDetail result) {
if (GroupAdminService.ADMIN_GROUP.equals(result.group.getNameKey())) {
groupNameTxt.setEnabled(false);
groupNamePanel.setVisible(false);
} else {
groupNamePanel.setVisible(true);
}
setTitleText(Util.M.group(result.group.getName())); setTitleText(Util.M.group(result.group.getName()));
groupNameTxt.setText(result.group.getName()); groupNameTxt.setText(result.group.getName());
descTxt.setText(result.group.getDescription()); descTxt.setText(result.group.getDescription());

8
appjar/src/main/java/com/google/gerrit/client/admin/GroupAdminServiceImpl.java
View File

@@ -104,7 +104,15 @@ public class GroupAdminServiceImpl extends BaseServiceImplementation implements
if (group == null) { if (group == null) {
throw new Failure(new NoSuchEntityException()); throw new Failure(new NoSuchEntityException());
} }
final AccountGroup.NameKey nameKey = new AccountGroup.NameKey(newName); final AccountGroup.NameKey nameKey = new AccountGroup.NameKey(newName);
if (group.getName().equals(ADMIN_GROUP) || nameKey.equals(ADMIN_GROUP)) {
// Forbid renaming the admin group, its highly special because it
// has near root level access to the server, based upon its name.
//
throw new Failure(new NameAlreadyUsedException());
}
if (!nameKey.equals(group.getNameKey())) { if (!nameKey.equals(group.getNameKey())) {
if (db.accountGroups().get(nameKey) != null) { if (db.accountGroups().get(nameKey) != null) {
throw new Failure(new NameAlreadyUsedException()); throw new Failure(new NameAlreadyUsedException());