Change permissions to be branch based

The RefControl class introduces per-branch access control rules.
ProjectRight is replaced by RefRight in the database, shifting all
current access records to include a reference pattern that matches
the previously assumed target namespace.  For example, PUSH_HEAD
is now matched against refs/heads/*, as is SUBMIT.

Although this implementation starts the foundation for per-branch
level READ access, it is not fully supported.  The Git native
protocol exposes all branches to readers, which means users can
still fetch the Git objects even if the web UI wouldn't allow them
to see the change.

This work was a joint effort between Nico and Shawn.  Nico started
the change and did the bulk of the implementation.  Shawn did a
bunch of cleanup work near the tail end.  Consequently all bugs
are Shawn's fault.

Bug: issue 60
Change-Id: I62401d80cbb885180614a4f20a945f5611de8986
Signed-off-by: Shawn O. Pearce <sop@google.com>
This commit is contained in:
Nico Sallembien
2010-01-25 09:05:17 -08:00
committed by Shawn O. Pearce
parent 55f3363fce
commit 75afdfdc84
33 changed files with 901 additions and 440 deletions


@@ -18,7 +18,7 @@ import com.google.gerrit.common.auth.SignInRequired;
import com.google.gerrit.reviewdb.ApprovalCategory;
import com.google.gerrit.reviewdb.Branch;
import com.google.gerrit.reviewdb.Project;
import com.google.gerrit.reviewdb.ProjectRight;
import com.google.gerrit.reviewdb.RefRight;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwtjsonrpc.client.RemoteJsonService;
import com.google.gwtjsonrpc.client.RpcImpl;
@@ -42,12 +42,12 @@ public interface ProjectAdminService extends RemoteJsonService {
AsyncCallback<ProjectDetail> callback);
@SignInRequired
void deleteRight(Project.NameKey projectName, Set<ProjectRight.Key> ids,
void deleteRight(Project.NameKey projectName, Set<RefRight.Key> ids,
AsyncCallback<VoidResult> callback);
@SignInRequired
void addRight(Project.NameKey projectName, ApprovalCategory.Id categoryId,
String groupName, short min, short max,
String groupName, String refName, short min, short max,
AsyncCallback<ProjectDetail> callback);
@SignInRequired
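Review bot: In addRight, the new refName parameter sits directly beside groupName as a second bare String, so the compiler will not catch a caller that transposes the two. The interface also does not say what refName may contain (an exact ref, a pattern such as refs/heads/*, null or empty). Since this string now decides which branches a right applies to, add Javadoc stating the accepted forms and that the server side validates the value before a RefRight is stored.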


@@ -16,7 +16,7 @@ package com.google.gerrit.common.data;
import com.google.gerrit.reviewdb.AccountGroup;
import com.google.gerrit.reviewdb.Project;
import com.google.gerrit.reviewdb.ProjectRight;
import com.google.gerrit.reviewdb.RefRight;
import java.util.List;
import java.util.Map;
@@ -24,7 +24,7 @@ import java.util.Map;
public class ProjectDetail {
public Project project;
public Map<AccountGroup.Id, AccountGroup> groups;
public List<ProjectRight> rights;
public List<RefRight> rights;
public ProjectDetail() {
}
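Review bot: The rights field changes its element type to RefRight with no comment on what consumers of ProjectDetail now receive. Per the commit message each record carries a reference pattern, so code that reads this list needs to know that entries are scoped to a ref pattern, not to the whole project. A short field comment saying so, and whether the list has a defined order, would keep callers from treating an entry as project-wide.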
@@ -37,7 +37,7 @@ public class ProjectDetail {
groups = g;
}
public void setRights(final List<ProjectRight> r) {
public void setRights(final List<RefRight> r) {
rights = r;
}
}