RestApiServlet: Check for RequiresCapability annotation on superclasses

If a class extends a REST view that requires a capability, this required capability is ignored when this class is registered as REST view. Change the check for the RequiresCapability annotation in RestApiServlet so that it also searches for this annotation in superclasses. If a subclass requires a capability, capabilities required by the superclasses are still ignored. Change-Id: Ic6329f45463224a5a8078977ce6dcb2b5462018a Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
2013-08-30 10:43:57 +02:00
parent 9dd5400f12
commit 7025adb8f0
2 changed files with 28 additions and 2 deletions
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
@@ -876,7 +876,7 @@ public class RestApiServlet extends HttpServlet {

  private void checkAccessAnnotations(String pluginName, Class<?> clazz)
      throws AuthException {
-    RequiresCapability rc = clazz.getAnnotation(RequiresCapability.class);
+    RequiresCapability rc = getRequiresCapability(clazz);
    if (rc != null) {
      CurrentUser user = globals.currentUser.get();
      CapabilityControl ctl = user.getCapabilities();
@@ -903,6 +903,19 @@ public class RestApiServlet extends HttpServlet {
    }
  }

+  private static RequiresCapability getRequiresCapability(Class<?> clazz) {
+    RequiresCapability rc = clazz.getAnnotation(RequiresCapability.class);
+    if (rc != null) {
+      return rc;
+    }
+
+    if (clazz.getSuperclass() != null) {
+      return getRequiresCapability(clazz.getSuperclass());
+    }
+
+    return null;
+  }
+
  private static void handleException(Throwable err, HttpServletRequest req,
      HttpServletResponse res) throws IOException {
    String uri = req.getRequestURI();
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/DispatchCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/DispatchCommand.java
@@ -121,7 +121,7 @@ final class DispatchCommand extends BaseCommand {

  private void checkRequiresCapability(Command cmd)
      throws UnloggedFailure {
-    RequiresCapability rc = cmd.getClass().getAnnotation(RequiresCapability.class);
+    RequiresCapability rc = getRequiresCapability(cmd.getClass());
    if (rc != null) {
      CurrentUser user = currentUser.get();
      CapabilityControl ctl = user.getCapabilities();
@@ -154,6 +154,19 @@ final class DispatchCommand extends BaseCommand {
    }
  }

+  private static RequiresCapability getRequiresCapability(Class<?> clazz) {
+    RequiresCapability rc = clazz.getAnnotation(RequiresCapability.class);
+    if (rc != null) {
+      return rc;
+    }
+
+    if (clazz.getSuperclass() != null) {
+      return getRequiresCapability(clazz.getSuperclass());
+    }
+
+    return null;
+  }
+
  @Override
  public void destroy() {
    Command cmd = atomicCmd.getAndSet(null);