When resolving an account by ID check that it actually exists

REST endpoints that accept an account as input, allow that the account
is specified as account ID. The AccountResolver which is used to
resolve accounts currently accepts any account ID even if for this ID
no account exists. As result it is e.g. possible to add a non-existing
account as member to a group or as reviewer to a change.

Change-Id: I0462868df39bb826eb4c3e8f6a435d34e431c907
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>

gerrit-server/src/main/java/com/google/gerrit/server/account/AccountResolver.java

@@ -71,11 +71,21 @@ public class AccountResolver {
   public Set<Account.Id> findAll(String nameOrEmail) throws OrmException {
     Matcher m = Pattern.compile("^.* \\(([1-9][0-9]*)\\)$").matcher(nameOrEmail);
     if (m.matches()) {
-      return Collections.singleton(Account.Id.parse(m.group(1)));
+      Account.Id id = Account.Id.parse(m.group(1));
+      if (exists(id)) {
+        return Collections.singleton(id);
+      } else {
+        return Collections.emptySet();
+      }
     }
 
     if (nameOrEmail.matches("^[1-9][0-9]*$")) {
-      return Collections.singleton(Account.Id.parse(nameOrEmail));
+      Account.Id id = Account.Id.parse(nameOrEmail);
+      if (exists(id)) {
+        return Collections.singleton(id);
+      } else {
+        return Collections.emptySet();
+      }
     }
 
     if (nameOrEmail.matches(Account.USER_NAME_PATTERN)) {
@@ -88,6 +98,10 @@ public class AccountResolver {
     return findAllByNameOrEmail(nameOrEmail);
   }
 
+  private boolean exists(Account.Id id) throws OrmException {
+    return schema.get().accounts().get(id) != null;
+  }
+
   /**
    * Locate exactly one account matching the name or name/email string.
    *