opendev/gerrit
Code Issues Proposed changes

Prevent updates to refs/meta/group-names through push and submit

Browse Source 
Change-Id: Iea92c2b120a96439b3fb1240af0ab484bf02a858
This commit is contained in:
Patrick Hiesel
2017-11-15 11:14:17 +01:00
parent 4485711ffe
commit 83f09cb6bc
4 changed files with 66 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/com/google/gerrit/server/git/validators/CommitValidators.java
View File

@@ -778,7 +778,7 @@ public class CommitValidators {
}
}
/** Rejects updates to group branches. */
/** Rejects updates to group branches (refs/groups/* and refs/meta/group-names). */
public static class GroupCommitValidator implements CommitValidationListener {
private final AllUsersName allUsers;
@@ -790,6 +790,7 @@ public class CommitValidators {
public List<CommitValidationMessage> onCommitReceived(CommitReceivedEvent receiveEvent)
throws CommitValidationException {
// Groups are stored inside 'refs/groups/' refs inside the 'All-Users' repository.
// Group names are stored inside 'refs/meta/group-names' refs inside the 'All-Users' repository.
if (!allUsers.equals(receiveEvent.project.getNameKey())) {
return Collections.emptyList();
}
@@ -800,7 +801,8 @@ public class CommitValidators {
return Collections.emptyList();
}
if (receiveEvent.command.getRefName().startsWith(RefNames.REFS_GROUPS)) {
if (receiveEvent.command.getRefName().startsWith(RefNames.REFS_GROUPS)
|| receiveEvent.command.getRefName().equals(RefNames.REFS_GROUPNAMES)) {
throw new CommitValidationException("group update not allowed");
}
return Collections.emptyList();

4
java/com/google/gerrit/server/git/validators/MergeValidators.java
View File

@@ -319,8 +319,10 @@ public class MergeValidators {
IdentifiedUser caller)
throws MergeValidationException {
// Groups are stored inside 'refs/groups/' refs inside the 'All-Users' repository.
// Group names are stored inside 'refs/meta/group-names' inside the 'All-Users' repository.
if (!allUsersName.equals(destProject.getNameKey())
|| !destBranch.get().startsWith(RefNames.REFS_GROUPS)) {
|| (!destBranch.get().startsWith(RefNames.REFS_GROUPS)
&& !destBranch.get().equals(RefNames.REFS_GROUPNAMES))) {
return;
}