Merge branch 'stable-2.14' into stable-2.15

* stable-2.14:
  Fix more comparisons of current user
  Fix permissions checks on Gerrit API on current user
  GroupCacheImpl: Fix log message when UUID is not found

Change-Id: Ida3dd1bd5fc2da5001059a0d5d8b36c83861f00a
David Pursehouse 2018-05-22 17:33:31 +09:00
commit 62bd285eb0
34 changed files with 57 additions and 39 deletions


@ -208,7 +208,7 @@ public class GpgKeys implements ChildCollection<AccountResource, GpgKey> {
if (!BouncyCastleUtil.havePGP()) {
throw new ResourceNotFoundException("GPG not enabled");
}
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new ResourceNotFoundException();
}
}


@ -146,4 +146,17 @@ public abstract class CurrentUser {
public ExternalId.Key getLastLoginExternalIdKey() {
return get(lastLoginExternalIdPropertyKey);
}
/**
* Checks if the current user has the same account id of another.
*
* <p>Provide a generic interface for allowing subclasses to define whether two accounts represent
* the same account id.
*
* @param other user to compare
* @return true if the two users have the same account id
*/
public boolean hasSameAccountId(CurrentUser other) {
return false;
}
}
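Review bot: The Javadoc on `hasSameAccountId` does not say that this base implementation always returns false, which is what makes the `if (!self.get().hasSameAccountId(...))` gates in the other sections fall through to the permission check for any subclass that does not override it. I would add a sentence such as `Subclasses that carry no account id keep this default, so such a caller is never treated as the owner of the target account.` The one caller that uses the positive form, DeleteActive, reads the default the other way round (false skips the own-account guard), so the default deserves a mention there as well. None of the 34 file sections on this page is a test, so the changed comparison looks uncovered from here.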


@ -489,6 +489,11 @@ public class IdentifiedUser extends CurrentUser {
realUser);
}
@Override
public boolean hasSameAccountId(CurrentUser other) {
return getAccountId().get() == other.getAccountId().get();
}
private String guessHost() {
String host = null;
SocketAddress remotePeer = null;
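Review bot: In the added `hasSameAccountId` override, `other.getAccountId()` is dereferenced without checking what kind of user `other` is, so a null argument or a `CurrentUser` subclass without an account id is handled by whatever the base `getAccountId()` does, which is not visible in this hunk. Since this method now decides whether a permission check is skipped, I would make the non-matching case explicit: `return other instanceof IdentifiedUser && getAccountId().get() == other.getAccountId().get();`. The hunk starts inside the preceding method and ends inside `guessHost()`, so only the override itself is reviewed here.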


@ -76,7 +76,7 @@ public class AddSshKey implements RestModifyView<AccountResource, Input> {
public Response<SshKeyInfo> apply(AccountResource rsrc, Input input)
throws AuthException, BadRequestException, OrmException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}
return apply(rsrc.getUser(), input);


@ -60,7 +60,7 @@ class Capabilities implements ChildCollection<AccountResource, AccountResource.C
public Capability parse(AccountResource parent, IdString id)
throws ResourceNotFoundException, AuthException, PermissionBackendException {
IdentifiedUser target = parent.getUser();
if (self.get() != target) {
if (!self.get().hasSameAccountId(target)) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -92,7 +92,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
input = new EmailInput();
}
if (self.get() != rsrc.getUser() || input.noConfirmation) {
if (!self.get().hasSameAccountId(rsrc.getUser()) || input.noConfirmation) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -46,7 +46,7 @@ public class DeleteActive implements RestModifyView<AccountResource, Input> {
@Override
public Response<?> apply(AccountResource rsrc, Input input)
throws RestApiException, OrmException, IOException, ConfigInvalidException {
if (self.get() == rsrc.getUser()) {
if (self.get().hasSameAccountId(rsrc.getUser())) {
throw new ResourceConflictException("cannot deactivate own account");
}
return setInactiveFlag.deactivate(rsrc.getUser().getAccountId());


@ -68,7 +68,7 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
throws AuthException, ResourceNotFoundException, ResourceConflictException,
MethodNotAllowedException, OrmException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), rsrc.getEmail());


@ -63,7 +63,7 @@ public class DeleteExternalIds implements RestModifyView<AccountResource, List<S
public Response<?> apply(AccountResource resource, List<String> extIds)
throws RestApiException, IOException, OrmException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != resource.getUser()) {
if (!self.get().hasSameAccountId(resource.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ACCESS_DATABASE);
}


@ -56,7 +56,7 @@ public class DeleteSshKey implements RestModifyView<AccountResource.SshKey, Inpu
public Response<?> apply(AccountResource.SshKey rsrc, Input input)
throws AuthException, OrmException, RepositoryNotFoundException, IOException,
ConfigInvalidException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -61,7 +61,7 @@ public class DeleteWatchedProjects
public Response<?> apply(AccountResource rsrc, List<ProjectWatchInfo> input)
throws AuthException, UnprocessableEntityException, OrmException, IOException,
ConfigInvalidException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}
if (input == null) {


@ -63,7 +63,7 @@ public class EmailsCollection
@Override
public AccountResource.Email parse(AccountResource rsrc, IdString id)
throws ResourceNotFoundException, PermissionBackendException, AuthException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -73,11 +73,11 @@ class GetCapabilities implements RestReadView<AccountResource> {
}
@Override
public Object apply(AccountResource rsrc) throws AuthException, PermissionBackendException {
public Object apply(AccountResource resource) throws AuthException, PermissionBackendException {
PermissionBackend.WithUser perm = permissionBackend.user(self);
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(resource.getUser())) {
perm.check(GlobalPermission.ADMINISTRATE_SERVER);
perm = permissionBackend.user(rsrc.getUser());
perm = permissionBackend.user(resource.getUser());
}
Map<String, Object> have = new LinkedHashMap<>();
@ -85,7 +85,7 @@ class GetCapabilities implements RestReadView<AccountResource> {
have.put(p.permissionName(), true);
}
AccountLimits limits = limitsFactory.create(rsrc.getUser());
AccountLimits limits = limitsFactory.create(resource.getUser());
addRanges(have, limits);
addPriority(have, limits);


@ -63,7 +63,7 @@ public class GetDiffPreferences implements RestReadView<AccountResource> {
@Override
public DiffPreferencesInfo apply(AccountResource rsrc)
throws AuthException, ConfigInvalidException, IOException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}
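Review bot: Reading another account's diff preferences here requires `GlobalPermission.ADMINISTRATE_SERVER`, while the SetDiffPreferences section further down lets a caller write them with `GlobalPermission.MODIFY_ACCOUNT`, and GetEditPreferences and GetPreferences also read with `MODIFY_ACCOUNT`. The commit only touches the comparison, so this asymmetry is carried over unchanged. If it is intentional, a comment on the check such as `// stricter than SetDiffPreferences on purpose: <reason>` would save the next auditor the question; otherwise the read and write permissions should be aligned in a separate change. The body of `apply` continues outside the hunk.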


@ -57,7 +57,7 @@ public class GetEditPreferences implements RestReadView<AccountResource> {
@Override
public EditPreferencesInfo apply(AccountResource rsrc)
throws AuthException, IOException, ConfigInvalidException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -59,7 +59,7 @@ public class GetExternalIds implements RestReadView<AccountResource> {
@Override
public List<AccountExternalIdInfo> apply(AccountResource resource)
throws RestApiException, IOException, OrmException, PermissionBackendException {
if (self.get() != resource.getUser()) {
if (!self.get().hasSameAccountId(resource.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ACCESS_DATABASE);
}


@ -53,7 +53,7 @@ class GetOAuthToken implements RestReadView<AccountResource> {
@Override
public OAuthTokenInfo apply(AccountResource rsrc)
throws AuthException, ResourceNotFoundException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed to get access token");
}
Account a = rsrc.getUser().getAccount();
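Review bot: The comparison on the changed line is the only gate in front of the token lookup in `apply`, with no administrator override, and that intent is not documented. Because `hasSameAccountId` matches on account id rather than on the session object, it is worth confirming how a user built with a separate `realUser` (seen in the IdentifiedUser section) is meant to be treated here; nothing on this page shows it. I would add a comment above the check such as `// Tokens are returned to the account owner only; there is deliberately no admin override.` The rest of `apply` is outside the hunk.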


@ -43,7 +43,7 @@ public class GetPreferences implements RestReadView<AccountResource> {
@Override
public GeneralPreferencesInfo apply(AccountResource rsrc)
throws AuthException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -55,7 +55,7 @@ public class GetSshKeys implements RestReadView<AccountResource> {
public List<SshKeyInfo> apply(AccountResource rsrc)
throws AuthException, OrmException, RepositoryNotFoundException, IOException,
ConfigInvalidException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser());


@ -59,7 +59,7 @@ public class GetWatchedProjects implements RestReadView<AccountResource> {
public List<ProjectWatchInfo> apply(AccountResource rsrc)
throws OrmException, AuthException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -46,7 +46,7 @@ public class Index implements RestModifyView<AccountResource, Input> {
@Override
public Response<?> apply(AccountResource rsrc, Input input)
throws IOException, AuthException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -69,7 +69,7 @@ public class PostWatchedProjects
public List<ProjectWatchInfo> apply(AccountResource rsrc, List<ProjectWatchInfo> input)
throws OrmException, RestApiException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -70,7 +70,7 @@ public class PutAgreement implements RestModifyView<AccountResource, AgreementIn
throw new MethodNotAllowedException("contributor agreements disabled");
}
if (self.get() != resource.getUser()) {
if (!self.get().hasSameAccountId(resource.getUser())) {
throw new AuthException("not allowed to enter contributor agreement");
}


@ -78,7 +78,7 @@ public class PutHttpPassword implements RestModifyView<AccountResource, Input> {
public Response<String> apply(AccountResource rsrc, Input input)
throws AuthException, ResourceNotFoundException, ResourceConflictException, OrmException,
IOException, ConfigInvalidException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -63,7 +63,7 @@ public class PutName implements RestModifyView<AccountResource, Input> {
public Response<String> apply(AccountResource rsrc, Input input)
throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
IOException, PermissionBackendException, ConfigInvalidException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), input);


@ -55,7 +55,7 @@ public class PutPreferred implements RestModifyView<AccountResource.Email, Input
public Response<String> apply(AccountResource.Email rsrc, Input input)
throws AuthException, ResourceNotFoundException, OrmException, IOException,
PermissionBackendException, ConfigInvalidException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), rsrc.getEmail());


@ -64,7 +64,7 @@ public class PutStatus implements RestModifyView<AccountResource, Input> {
public Response<String> apply(AccountResource rsrc, Input input)
throws AuthException, ResourceNotFoundException, OrmException, IOException,
PermissionBackendException, ConfigInvalidException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}
return apply(rsrc.getUser(), input);


@ -62,7 +62,7 @@ public class PutUsername implements RestModifyView<AccountResource, Input> {
throws AuthException, MethodNotAllowedException, UnprocessableEntityException,
ResourceConflictException, OrmException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.ADMINISTRATE_SERVER);
}


@ -65,7 +65,7 @@ public class SetDiffPreferences implements RestModifyView<AccountResource, DiffP
public DiffPreferencesInfo apply(AccountResource rsrc, DiffPreferencesInfo in)
throws AuthException, BadRequestException, ConfigInvalidException,
RepositoryNotFoundException, IOException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -65,7 +65,7 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
public EditPreferencesInfo apply(AccountResource rsrc, EditPreferencesInfo in)
throws AuthException, BadRequestException, RepositoryNotFoundException, IOException,
ConfigInvalidException, PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -83,7 +83,7 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
public GeneralPreferencesInfo apply(AccountResource rsrc, GeneralPreferencesInfo i)
throws AuthException, BadRequestException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
}


@ -64,7 +64,7 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
public AccountResource.SshKey parse(AccountResource rsrc, IdString id)
throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException,
PermissionBackendException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
try {
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
} catch (AuthException e) {


@ -134,7 +134,7 @@ public class StarredChanges
@Override
public Response<?> apply(AccountResource rsrc, EmptyInput in)
throws RestApiException, OrmException, IOException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed to add starred change");
}
try {
@ -167,7 +167,7 @@ public class StarredChanges
@Override
public Response<?> apply(AccountResource.StarredChange rsrc, EmptyInput in)
throws AuthException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed update starred changes");
}
return Response.none();
@ -188,7 +188,7 @@ public class StarredChanges
@Override
public Response<?> apply(AccountResource.StarredChange rsrc, EmptyInput in)
throws AuthException, OrmException, IOException, IllegalLabelException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed remove starred change");
}
starredChangesUtil.star(


@ -98,7 +98,7 @@ public class Stars implements ChildCollection<AccountResource, AccountResource.S
@SuppressWarnings("unchecked")
public List<ChangeInfo> apply(AccountResource rsrc)
throws BadRequestException, AuthException, OrmException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed to list stars of another account");
}
QueryChanges query = changes.list();
@ -120,7 +120,7 @@ public class Stars implements ChildCollection<AccountResource, AccountResource.S
@Override
public SortedSet<String> apply(AccountResource.Star rsrc) throws AuthException, OrmException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed to get stars of another account");
}
return starredChangesUtil.getLabels(self.get().getAccountId(), rsrc.getChange().getId());
@ -141,7 +141,7 @@ public class Stars implements ChildCollection<AccountResource, AccountResource.S
@Override
public Collection<String> apply(AccountResource.Star rsrc, StarsInput in)
throws AuthException, BadRequestException, OrmException {
if (self.get() != rsrc.getUser()) {
if (!self.get().hasSameAccountId(rsrc.getUser())) {
throw new AuthException("not allowed to update stars of another account");
}
try {