Make permissions for tag creation consistent

For each tag type you need a special permission for the tag creation:
- Lightweight tags require 'Create Reference'
- Annotated tags require 'Push Annotated Tags'
- Signed tags require 'Push Signed Tags'

When creating a tag by push there are 2 cases:
1. The commit to which the tag points already exists in Gerrit (it is reachable from any branch/tag that is readable by the calling user)
2. The commit to which the tag points is new (it is not reachable from any branch/tag that is readable by the calling user)

So far the permissions that were required to push a tag on a new commit were inconsistent:
- For lightweight tags we required 'Push' in addition to 'Create Reference'
- For annotated/signed tags 'Push Annotated Tags'/'Push Signed Tags' were sufficient.

Due to this it was not possible to allow pushing of annotated/signed tags for existing commits, but not for new commits.

Change the behaviour for annotated/signed tags so that it's consistent with the behaviour for lightweight tags and require 'Push' in addition to 'Push Annotated Tags'/'Push Signed Tags', if the tag points to a new commit.

We may consider renaming 'Push Annotated Tags'/'Push Signed Tags' to 'Create Annotated Tags'/'Create Signed Tags' later.

Add tests for the tag creation by push that cover lightweight and annotated tags on existing and new commits. Tests for signed tags may be added later.

Change-Id: I1094a2be4871e16239b6a6daefc537ffc77af3bf
Signed-off-by: Edwin Kempin <ekempin@google.com>

@@ -466,7 +466,9 @@ as well as bypass review for new commits on that branch.
|
||||
|
||||
To push lightweight (non-annotated) tags, grant
|
||||
`Create Reference` for reference name `+refs/tags/*+`, as lightweight
|
||||
tags are implemented just like branches in Git.
|
||||
tags are implemented just like branches in Git. To push a lightweight
|
||||
tag on a new commit (commit not reachable from any branch/tag) grant
|
||||
`Push` permission on `+refs/tags/*+` too.
|
||||
|
||||
For example, to grant the possibility to create new branches under the
|
||||
namespace `foo`, you have to grant this permission on
|
||||
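Review bot: The parenthetical in the added sentence, "(commit not reachable from any branch/tag)", drops the visibility qualifier that the commit message uses to define a new commit: "not reachable from any branch/tag that is readable by the calling user". As written, an administrator could conclude that a commit already present on a branch the pusher cannot read counts as existing and needs only `Create Reference`. Suggest "(commit not reachable from any branch/tag that is readable by the pushing user)" so the documented rule matches the one described in the commit message.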
@@ -682,6 +684,9 @@ To delete or overwrite an existing tag, grant `Push` with the force
|
||||
option enabled for reference name `+refs/tags/*+`, as deleting a tag
|
||||
requires the same permission as deleting a branch.
|
||||
|
||||
To push an annotated tag on a new commit (commit not reachable from any
|
||||
branch/tag) grant `Push` permission on `+refs/tags/*+` too.
|
||||
|
||||
|
||||
[[category_push_signed]]
|
||||
=== Push Signed Tag
|
||||
|
||||
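Review bot: The added sentence before `[[category_push_signed]]` covers annotated tags only, while the commit message says signed tags on a new commit now also require `Push`; no visible hunk adds the matching sentence under `=== Push Signed Tag`. Because this change tightens what `Push Signed Tags` alone permits, that section should state the same requirement, otherwise projects that grant only `Push Signed Tags` will see pushes rejected with no documented reason. The commit message defers signed-tag tests, so the new rule for signed tags is also the one path left both undocumented and untested here.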