Merge "PermissionBackend: Make considering admin credential configurable"
@@ -33,4 +33,7 @@ public @interface RequiresAnyCapability {
|
||||
|
||||
/** Scope of the named capabilities. */
|
||||
CapabilityScope scope() default CapabilityScope.CONTEXT;
|
||||
|
||||
/** Fall back to admin credentials. Only applies to plugin capability check. */
|
||||
boolean fallBackToAdmin() default true;
|
||||
}
|
||||
|
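Review bot: The Javadoc on `fallBackToAdmin()` does not say what the flag grants, and because the default is `true` a plugin author may not realise that administrators pass the check without holding the named capability. I would spell that out, e.g. `/** If true (the default), an administrator passes this check even without the capability; set to false to require the capability itself. Applies only to plugin capability checks. */`. The same wording applies to the identical member added to RequiresCapability in the next section.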
@@ -32,4 +32,7 @@ public @interface RequiresCapability {
|
||||
|
||||
/** Scope of the named capability. */
|
||||
CapabilityScope scope() default CapabilityScope.CONTEXT;
|
||||
|
||||
/** Fall back to admin credentials. Only applies to plugin capability check. */
|
||||
boolean fallBackToAdmin() default true;
|
||||
}
|
||||
|
@@ -22,10 +22,16 @@ import java.util.Objects;
|
||||
public class PluginPermission implements GlobalOrPluginPermission {
|
||||
private final String pluginName;
|
||||
private final String capability;
|
||||
private final boolean fallBackToAdmin;
|
||||
|
||||
public PluginPermission(String pluginName, String capability) {
|
||||
this(pluginName, capability, true);
|
||||
}
|
||||
|
||||
public PluginPermission(String pluginName, String capability, boolean fallBackToAdmin) {
|
||||
this.pluginName = checkNotNull(pluginName, "pluginName");
|
||||
this.capability = checkNotNull(capability, "capability");
|
||||
this.fallBackToAdmin = fallBackToAdmin;
|
||||
}
|
||||
|
||||
public String pluginName() {
|
||||
@@ -36,6 +42,10 @@ public class PluginPermission implements GlobalOrPluginPermission {
|
||||
return capability;
|
||||
}
|
||||
|
||||
public boolean fallBackToAdmin() {
|
||||
return fallBackToAdmin;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String permissionName() {
|
||||
return pluginName + '-' + capability;
|
||||
|
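Review bot: `fallBackToAdmin` is added as a field and accessor, but neither hunk shows it being included in `equals()`, `hashCode()` or `toString()`, which lie outside the visible lines (the `java.util.Objects` context line suggests they exist). If they still compare only `pluginName` and `capability`, two permissions that differ only in the flag are equal, so any Set or map keyed on them keeps whichever arrived first and the admin-bypass decision follows that entry rather than the annotation. I would add the flag to both methods, e.g. `Objects.hash(pluginName, capability, fallBackToAdmin)`, and to the string form so that a denied check can be told apart in logs.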
@@ -238,7 +238,9 @@ public class CapabilityControl {
|
||||
if (perm instanceof GlobalPermission) {
|
||||
return can((GlobalPermission) perm);
|
||||
} else if (perm instanceof PluginPermission) {
|
||||
return canPerform(perm.permissionName()) || isAdmin_DoNotUse();
|
||||
PluginPermission pluginPermission = (PluginPermission) perm;
|
||||
return canPerform(pluginPermission.permissionName())
|
||||
|| (pluginPermission.fallBackToAdmin() && isAdmin_DoNotUse());
|
||||
}
|
||||
throw new PermissionBackendException(perm + " unsupported");
|
||||
}
|
||||
|
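Review bot: The administrator bypass for plugin capabilities is now an authorization decision driven by annotation data, yet the branch has no comment next to `isAdmin_DoNotUse()` saying so. I would add `// Administrators implicitly hold plugin capabilities unless the annotation sets fallBackToAdmin = false.` above the return. As far as the page shows, the flag is honoured only in this branch, so any other permission backend or caller that evaluates a PluginPermission would have to read `fallBackToAdmin()` itself; that contract belongs in the PluginPermission Javadoc. The enclosing method starts outside the hunk, and no test for an administrator who lacks the capability with `fallBackToAdmin = false` is visible in this change.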
@@ -91,11 +91,24 @@ public enum GlobalPermission implements GlobalOrPluginPermission {
|
||||
throw new PermissionBackendException("cannot extract permission");
|
||||
} else if (rc != null) {
|
||||
return Collections.singleton(
|
||||
resolve(pluginName, rc.value(), rc.scope(), clazz, RequiresCapability.class));
|
||||
resolve(
|
||||
pluginName,
|
||||
rc.value(),
|
||||
rc.scope(),
|
||||
rc.fallBackToAdmin(),
|
||||
clazz,
|
||||
RequiresCapability.class));
|
||||
} else if (rac != null) {
|
||||
Set<GlobalOrPluginPermission> r = new LinkedHashSet<>();
|
||||
for (String capability : rac.value()) {
|
||||
r.add(resolve(pluginName, capability, rac.scope(), clazz, RequiresAnyCapability.class));
|
||||
r.add(
|
||||
resolve(
|
||||
pluginName,
|
||||
capability,
|
||||
rac.scope(),
|
||||
rac.fallBackToAdmin(),
|
||||
clazz,
|
||||
RequiresAnyCapability.class));
|
||||
}
|
||||
return Collections.unmodifiableSet(r);
|
||||
} else {
|
||||
@@ -129,13 +142,14 @@ public enum GlobalPermission implements GlobalOrPluginPermission {
|
||||
@Nullable String pluginName,
|
||||
String capability,
|
||||
CapabilityScope scope,
|
||||
boolean fallBackToAdmin,
|
||||
Class<?> clazz,
|
||||
Class<?> annotationClass)
|
||||
throws PermissionBackendException {
|
||||
if (pluginName != null
|
||||
&& !"gerrit".equals(pluginName)
|
||||
&& (scope == CapabilityScope.PLUGIN || scope == CapabilityScope.CONTEXT)) {
|
||||
return new PluginPermission(pluginName, capability);
|
||||
return new PluginPermission(pluginName, capability, fallBackToAdmin);
|
||||
}
|
||||
|
||||
if (scope == CapabilityScope.PLUGIN) {
|
||||
|
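Review bot: In `resolve()` the new `fallBackToAdmin` argument reaches only the `new PluginPermission(pluginName, capability, fallBackToAdmin)` branch; on the visible lines nothing else reads it. An annotation that sets `fallBackToAdmin = false` while the plugin name is null or `gerrit`, or the scope resolves to a core capability, would then behave as if the flag were absent, which an author could mistake for a restriction being in force. Consider rejecting or at least logging that combination after the first branch, e.g. `if (!fallBackToAdmin) { /* warn: flag ignored for non-plugin capability */ }`, and add an `@param fallBackToAdmin` line stating that it is ignored outside plugin permissions. The rest of the method is outside the hunk, so confirm against the full body.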