Allow users with Modify Account to get other users' preferences

Change the required capability permission to get another user's preferences from 'Administrator' to 'Modify Account'. Bug: Issue 3766 Change-Id: I61738a48020bd82bfed950b91ba1e4ff43d10647
2016-01-11 15:46:29 -08:00
parent 452a2d42e0
commit 8dcf701224
2 changed files with 10 additions and 2 deletions
--- a/Documentation/rest-api-accounts.txt
+++ b/Documentation/rest-api-accounts.txt
@@ -1083,6 +1083,14 @@ Retrieves the user's preferences.
 As result the account preferences of the user are returned as a
 link:#preferences-info[PreferencesInfo] entity.

+Users may only retrieve the preferences for their own account,
+unless they are an
+link:access-control.html#administrators[Administrator] or a member
+of a group that is granted the
+link:access-control.html#capability_modifyAccount[ModifyAccount]
+capability, in which case they can retrieve the preferences for
+any account.
+
 .Response
 ----
  HTTP/1.1 200 OK
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
@@ -89,8 +89,8 @@ public class GetPreferences implements RestReadView<AccountResource> {
      throws AuthException, ResourceNotFoundException, OrmException,
      IOException, ConfigInvalidException {
    if (self.get() != rsrc.getUser()
-        && !self.get().getCapabilities().canAdministrateServer()) {
-      throw new AuthException("restricted to administrator");
+        && !self.get().getCapabilities().canModifyAccount()) {
+      throw new AuthException("requires Modify Account capability");
    }

    Account.Id accountId = rsrc.getUser().getAccountId();