opendev/gerrit
Code Issues Proposed changes

ForRef#check should permit internal users to read all refs

Browse Source 
79d24d4 Make PermissionBackend#ForRef authoritative
Introduced a regression where InternalUsers where not taken into
consideration when checking READ permission.

Bug: Issue 13786
Change-Id: I3f18507f65044ac96321c1efecf1f2688f36859f
(cherry picked from commit 23ff2cfc8f)
This commit is contained in:
Sven Selberg
2020-12-17 09:43:18 +01:00
committed by Luca Milanesio
parent fc651f4a0d
commit 68b3492fcb
2 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/com/google/gerrit/server/permissions/RefControl.java
View File

@@ -608,6 +608,10 @@ class RefControl {
private boolean can(RefPermission perm) throws PermissionBackendException { private boolean can(RefPermission perm) throws PermissionBackendException {
switch (perm) { switch (perm) {
case READ: case READ:
/* Internal users such as plugin users should be able to read all refs. */
if (getUser().isInternalUser()) {
return true;
}
if (refName.startsWith(Constants.R_TAGS)) { if (refName.startsWith(Constants.R_TAGS)) {
return isTagVisible(); return isTagVisible();
} }

21
javatests/com/google/gerrit/server/permissions/RefControlTest.java
View File

@@ -48,6 +48,7 @@ import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.reviewdb.client.Project; import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.reviewdb.server.ReviewDb; import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.CurrentUser; import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.InternalUser;
import com.google.gerrit.server.account.CapabilityCollection; import com.google.gerrit.server.account.CapabilityCollection;
import com.google.gerrit.server.account.GroupMembership; import com.google.gerrit.server.account.GroupMembership;
import com.google.gerrit.server.account.ListGroupMembership; import com.google.gerrit.server.account.ListGroupMembership;
@@ -391,6 +392,11 @@ public class RefControlTest {
assertAllRefsAreNotVisible(user(allUsers, DEVS)); assertAllRefsAreNotVisible(user(allUsers, DEVS));
} }
@Test
public void userRefIsVisibleForInternalUser() throws Exception {
internalUser(local).controlForRef("refs/users/default").asForRef().check(RefPermission.READ);
}
@Test @Test
public void branchDelegation1() throws Exception { public void branchDelegation1() throws Exception {
allow(local, OWNER, ADMIN, "refs/*"); allow(local, OWNER, ADMIN, "refs/*");
@@ -1039,6 +1045,21 @@ public class RefControlTest {
return repo; return repo;
} }
private ProjectControl internalUser(ProjectConfig local) throws Exception {
return new ProjectControl(
Collections.emptySet(),
Collections.emptySet(),
sectionSorter,
changeControlFactory,
permissionBackend,
refVisibilityControl,
repoManager,
refFilterFactory,
allUsersName,
new InternalUser(),
newProjectState(local));
}
private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) { private ProjectControl user(ProjectConfig local, AccountGroup.UUID... memberOf) {
return user(local, null, memberOf); return user(local, null, memberOf);
} }