opendev/gerrit
Code Issues Proposed changes

Remove required access permission to get account username

Browse Source 
Remove the required capability permission to allow any user to
get another user's username.  There is no access restriction
for the account[1] and account detail[2] endpoints which provide
the same info.

[1] http://$host/accounts/$user
[2] http://$host/accounts/$user/detail

bug: issue 3766
Change-Id: I2de5fd3251225d7da8fd203a60fe06ea1fc03174
This commit is contained in:
Khai Do
2016-01-11 15:41:39 -08:00
parent 0cef341883
commit 971caef87a
1 changed files with 0 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
gerrit-server/src/main/java/com/google/gerrit/server/account/GetUsername.java
View File

@@ -35,10 +35,6 @@ public class GetUsername implements RestReadView<AccountResource> {
@Override
public String apply(AccountResource rsrc) throws AuthException,
ResourceNotFoundException {
if (self.get() != rsrc.getUser()
&& !self.get().getCapabilities().canAdministrateServer()) {
throw new AuthException("not allowed to get username");
}
String username = rsrc.getUser().getAccount().getUserName();
if (username == null) {
throw new ResourceNotFoundException();