opendev/gerrit
Code Issues Proposed changes

Add fine-grained capabilities for administrative actions

Browse Source 
The Global Capabilities section in All-Projects can now be used to
grant subcommands that are available over SSH and were previously
restricted to only Administrators.

Bug: issue 48
Bug: issue 742
Change-Id: I7d8a931b174915191817ff845f1f9a846181d709
This commit is contained in:
Shawn O. Pearce
2011-06-16 13:49:42 -07:00
parent eda6e36af7
commit 7f48514889
28 changed files with 323 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
View File

@@ -64,6 +64,46 @@ public class CapabilityControl {
return user;
}
/** @return true if the user can create an account for another user. */
public boolean canCreateAccount() {
return canPerform(GlobalCapability.CREATE_ACCOUNT) || user.isAdministrator();
}
/** @return true if the user can create a group. */
public boolean canCreateGroup() {
return canPerform(GlobalCapability.CREATE_GROUP) || user.isAdministrator();
}
/** @return true if the user can kill any running task. */
public boolean canKillTask() {
return canPerform(GlobalCapability.KILL_TASK) || user.isAdministrator();
}
/** @return true if the user can view the server caches. */
public boolean canViewCaches() {
return canPerform(GlobalCapability.VIEW_CACHES) || user.isAdministrator();
}
/** @return true if the user can flush the server's caches. */
public boolean canFlushCaches() {
return canPerform(GlobalCapability.FLUSH_CACHES) || user.isAdministrator();
}
/** @return true if the user can view open connections. */
public boolean canViewConnections() {
return canPerform(GlobalCapability.VIEW_CONNECTIONS) || user.isAdministrator();
}
/** @return true if the user can view the entire queue. */
public boolean canViewQueue() {
return canPerform(GlobalCapability.VIEW_QUEUE) || user.isAdministrator();
}
/** @return true if the user can force replication to any configured destination. */
public boolean canStartReplication() {
return canPerform(GlobalCapability.START_REPLICATION) || user.isAdministrator();
}
/** True if the user has this permission. Works only for non labels. */
public boolean canPerform(String permissionName) {
return !access(permissionName).isEmpty();