From 68366fd5a0ec46c7f08d4cfc5362b9701b509d88 Mon Sep 17 00:00:00 2001
From: Edwin Kempin <edwin.kempin@sap.com>
Date: Tue, 12 Mar 2013 15:03:42 +0100
Subject: [PATCH] When resolving an account by ID check that it actually exists

REST endpoints that accept an account as input, allow that the account
is specified as account ID. The AccountResolver which is used to
resolve accounts currently accepts any account ID even if for this ID
no account exists. As result it is e.g. possible to add a non-existing
account as member to a group or as reviewer to a change.

Change-Id: I0462868df39bb826eb4c3e8f6a435d34e431c907
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
---
 .../gerrit/server/account/AccountResolver.java | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountResolver.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountResolver.java
index 509b6893c8..67d87b3326 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountResolver.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountResolver.java
@@ -71,11 +71,21 @@ public class AccountResolver {
   public Set<Account.Id> findAll(String nameOrEmail) throws OrmException {
     Matcher m = Pattern.compile("^.* \\(([1-9][0-9]*)\\)$").matcher(nameOrEmail);
     if (m.matches()) {
-      return Collections.singleton(Account.Id.parse(m.group(1)));
+      Account.Id id = Account.Id.parse(m.group(1));
+      if (exists(id)) {
+        return Collections.singleton(id);
+      } else {
+        return Collections.emptySet();
+      }
     }
 
     if (nameOrEmail.matches("^[1-9][0-9]*$")) {
-      return Collections.singleton(Account.Id.parse(nameOrEmail));
+      Account.Id id = Account.Id.parse(nameOrEmail);
+      if (exists(id)) {
+        return Collections.singleton(id);
+      } else {
+        return Collections.emptySet();
+      }
     }
 
     if (nameOrEmail.matches(Account.USER_NAME_PATTERN)) {
@@ -88,6 +98,10 @@ public class AccountResolver {
     return findAllByNameOrEmail(nameOrEmail);
   }
 
+  private boolean exists(Account.Id id) throws OrmException {
+    return schema.get().accounts().get(id) != null;
+  }
+
   /**
    * Locate exactly one account matching the name or name/email string.
    *