CreateChange: Do not fail with 500 ISE if called by anonymous user

Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: I0eb38cad91f22f148d8884c7e1ccf2d9e7e8ace8

java/com/google/gerrit/server/restapi/change/CreateChange.java

@@ -160,6 +160,9 @@ public class CreateChange
       BatchUpdate.Factory updateFactory, TopLevelResource parent, ChangeInput input)
       throws IOException, InvalidChangeOperationException, RestApiException, UpdateException,
           PermissionBackendException, ConfigInvalidException {
+    if (!user.get().isIdentifiedUser()) {
+      throw new AuthException("Authentication required");
+    }
     IdentifiedUser me = user.get().asIdentifiedUser();
     checkAndSanitizeChangeInput(input, me);
 

javatests/com/google/gerrit/acceptance/rest/change/CreateChangeIT.java

@@ -40,6 +40,7 @@ import com.google.gerrit.extensions.client.GeneralPreferencesInfo;
 import com.google.gerrit.extensions.common.ChangeInfo;
 import com.google.gerrit.extensions.common.ChangeInput;
 import com.google.gerrit.extensions.common.MergeInput;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.BadRequestException;
 import com.google.gerrit.extensions.restapi.ResourceConflictException;
 import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
@@ -124,6 +125,13 @@ public class CreateChangeIT extends AbstractDaemonTest {
     assertCreateFails(ci, BadRequestException.class, "commit message must be non-empty");
   }
 
+  @Test
+  public void createNewChange_RequiresAuthentication() throws Exception {
+    requestScopeOperations.setApiUserAnonymous();
+    assertCreateFails(
+        newChangeInput(ChangeStatus.NEW), AuthException.class, "Authentication required");
+  }
+
   @Test
   public void createNewChange() throws Exception {
     ChangeInfo info = assertCreateSucceeds(newChangeInput(ChangeStatus.NEW));