Fix Access when the only readable ref is a RegExp with a gerrit pattern

When no other ref than a RegExp with a gerrit username or shardeduserid
pattern, the permission is not properly validated and repository access
is denied.

With change Iedf3022f6c, calling shortestExample on regexp+parameters
refs produces a reference that won't match the username or the
shardeduserid.

For a reference like : ^refs/heads/users/${username}/.+
we will have the following:
'refs/heads/users/user1/my_branch' vs
'refs/heads/users/_PLACEHOLDER_/my_branch'

When we remove shortestExample, we have to modify Regexp and
ExpandParameters to skip the regexp start anchor caracter when comparing
against the prefix, or to compare regexps themselves.

Bug: Issue 3340
Change-Id: Id6a890a91c5d6d954dab74694c2d3fd53c15897c

java/com/google/gerrit/server/permissions/PermissionCollection.java

@@ -15,6 +15,7 @@
 package com.google.gerrit.server.permissions;
 
 import static com.google.gerrit.common.data.PermissionRule.Action.BLOCK;
+import static com.google.gerrit.server.project.RefPattern.containsParameters;
 import static com.google.gerrit.server.project.RefPattern.isRE;
 import static java.util.stream.Collectors.mapping;
 import static java.util.stream.Collectors.toList;
@@ -131,7 +132,9 @@ public class PermissionCollection {
         Iterable<SectionMatcher> matcherList, String ref, CurrentUser user) {
       try (Timer0.Context ignored = filterLatency.start()) {
         if (isRE(ref)) {
-          ref = RefPattern.shortestExample(ref);
+          if (!containsParameters(ref)) {
+            ref = RefPattern.shortestExample(ref);
+          }
         } else if (ref.endsWith("/*")) {
           ref = ref.substring(0, ref.length() - 1);
         }