Change schema migration for revert permission to grant on refs/*

Currently, we are granting the newly created "revert" permission introduced in If5180bc98 on refs/heads/*. This is not good for some of our users as not everyone works only on those branches. Also, for all of our users this ref doesn't include refs/meta/config. This change fixes the migration by deleting the permission on refs/heads/* for Registered Users and moving it to refs/* This will take effect only if admins haven't touched the permission. Otherwise, we'd rather not change their preferences. Also, new All-Projects will be created with the permission on refs/* by default. Change-Id: I487f5715dba7b03d7ee365b069bd4a36873584e7
2020-05-29 10:36:39 +02:00
parent 7d44589f47
commit 73b5183442
5 changed files with 105 additions and 9 deletions
--- a/java/com/google/gerrit/server/schema/AclUtil.java
+++ b/java/com/google/gerrit/server/schema/AclUtil.java
@@ -105,4 +105,15 @@ public class AclUtil {
  public static PermissionRule rule(ProjectConfig config, GroupReference group) {
    return new PermissionRule(config.resolve(group));
  }
+
+  public static void remove(
+      ProjectConfig config, AccessSection section, String permission, GroupReference... groupList) {
+    Permission p = section.getPermission(permission, true);
+    for (GroupReference group : groupList) {
+      if (group != null) {
+        PermissionRule r = rule(config, group);
+        p.remove(r);
+      }
+    }
+  }
 }
--- a/java/com/google/gerrit/server/schema/AllProjectsCreator.java
+++ b/java/com/google/gerrit/server/schema/AllProjectsCreator.java
@@ -174,11 +174,12 @@ public class AllProjectsCreator {
      AccessSection heads, LabelType codeReviewLabel, ProjectConfig config) {
    AccessSection refsFor = config.getAccessSection("refs/for/*", true);
    AccessSection magic = config.getAccessSection("refs/for/" + AccessSection.ALL, true);
+    AccessSection all = config.getAccessSection("refs/*", true);

    grant(config, refsFor, Permission.ADD_PATCH_SET, registered);
    grant(config, heads, codeReviewLabel, -1, 1, registered);
    grant(config, heads, Permission.FORGE_AUTHOR, registered);
-    grant(config, heads, Permission.REVERT, registered);
+    grant(config, all, Permission.REVERT, registered);
    grant(config, magic, Permission.PUSH, registered);
    grant(config, magic, Permission.PUSH_MERGE, registered);
  }
--- a/java/com/google/gerrit/server/schema/GrantRevertPermission.java
+++ b/java/com/google/gerrit/server/schema/GrantRevertPermission.java
@@ -16,6 +16,7 @@ package com.google.gerrit.server.schema;

 import static com.google.gerrit.server.group.SystemGroupBackend.REGISTERED_USERS;
 import static com.google.gerrit.server.schema.AclUtil.grant;
+import static com.google.gerrit.server.schema.AclUtil.remove;

 import com.google.gerrit.common.data.AccessSection;
 import com.google.gerrit.common.data.GroupReference;
@@ -64,12 +65,26 @@ public class GrantRevertPermission {
      ProjectConfig projectConfig = projectConfigFactory.read(md);
      AccessSection heads = projectConfig.getAccessSection(AccessSection.HEADS, true);

-      Permission permission = heads.getPermission(Permission.REVERT);
-      if (permission != null && permission.getRule(registeredUsers) != null) {
-        // permission already exists, don't do anything.
+      Permission permissionOnRefsHeads = heads.getPermission(Permission.REVERT);
+
+      if (permissionOnRefsHeads != null) {
+        if (permissionOnRefsHeads.getRule(registeredUsers) == null
+            || permissionOnRefsHeads.getRules().size() > 1) {
+          // If admins already changed the permission, don't do anything.
+          return;
+        }
+        // permission already exists in refs/heads/*, delete it for Registered Users.
+        remove(projectConfig, heads, Permission.REVERT, registeredUsers);
+      }
+
+      AccessSection all = projectConfig.getAccessSection(AccessSection.ALL, true);
+      Permission permissionOnRefsStar = all.getPermission(Permission.REVERT);
+      if (permissionOnRefsStar != null && permissionOnRefsStar.getRule(registeredUsers) != null) {
+        // permission already exists in refs/*, don't do anything.
        return;
      }
-      grant(projectConfig, heads, Permission.REVERT, registeredUsers);
+      // If the permission doesn't exist of refs/* for Registered Users, grant it.
+      grant(projectConfig, all, Permission.REVERT, registeredUsers);

      md.getCommitBuilder().setAuthor(serverUser);
      md.getCommitBuilder().setCommitter(serverUser);
--- a/java/com/google/gerrit/server/schema/testing/AllProjectsCreatorTestUtil.java
+++ b/java/com/google/gerrit/server/schema/testing/AllProjectsCreatorTestUtil.java
@@ -55,6 +55,7 @@ public class AllProjectsCreatorTestUtil {
          "[access \"refs/*\"]",
          "  read = group Administrators",
          "  read = group Anonymous Users",
+          "  revert = group Registered Users",
          "[access \"refs/for/*\"]",
          "  addPatchSet = group Registered Users",
          "[access \"refs/for/refs/*\"]",
@@ -75,7 +76,6 @@ public class AllProjectsCreatorTestUtil {
          "  push = group Project Owners",
          "  submit = group Administrators",
          "  submit = group Project Owners",
-          "  revert = group Registered Users",
          "[access \"refs/meta/config\"]",
          "  exclusiveGroupPermissions = read",
          "  create = group Administrators",