diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt index 72e309a1be..397b99a742 100644 --- a/Documentation/access-control.txt +++ b/Documentation/access-control.txt @@ -1380,6 +1380,13 @@ allows the granted group to link:cmd-stream-events.html[stream Gerrit events via ssh]. +[[capability_viewAccess]] +=== View Access + +Allow checking access rights for arbitrary (user, project) pairs, +using the link:rest-api-projects.html#check-access[check.access] +endpoint + [[capability_viewAllAccounts]] === View All Accounts diff --git a/Documentation/rest-api-projects.txt b/Documentation/rest-api-projects.txt index 0ae3a6401c..0fbc73a46a 100644 --- a/Documentation/rest-api-projects.txt +++ b/Documentation/rest-api-projects.txt @@ -1311,7 +1311,7 @@ a link:#change-info[ChangeInfo] entity describing the resulting change. -- Runs access checks for other users. This requires the -link:access-control.html#capability_administrateServer[Administrate Server] +link:access-control.html#capability_viewAccess[View Access] global capability. Input for the access checks that should be run must be provided in diff --git a/java/com/google/gerrit/common/data/GlobalCapability.java b/java/com/google/gerrit/common/data/GlobalCapability.java index c15f7b9fcd..e613d21ce0 100644 --- a/java/com/google/gerrit/common/data/GlobalCapability.java +++ b/java/com/google/gerrit/common/data/GlobalCapability.java @@ -114,6 +114,9 @@ public class GlobalCapability { /** Can view all pending tasks in the queue (not just the filtered set). */ public static final String VIEW_QUEUE = "viewQueue"; + /** Can query permissions for any (project, user) pair */ + public static final String VIEW_ACCESS = "viewAccess"; + private static final List NAMES_ALL; private static final List NAMES_LC; private static final String[] RANGE_NAMES = { 
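Review bot: The Javadoc added for `VIEW_ACCESS` in GlobalCapability.java says "query permissions for any (project, user) pair", while access-control.txt in the same commit says "checking access rights for arbitrary (user, project) pairs". The two should use the same terms and the same argument order. The sentence also lacks the closing period that the `VIEW_QUEUE` comment just above it has. Suggested wording: `/** Can check the access rights of any user on any project via the check.access endpoint. */`. The class body continues outside this hunk.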
@@ -143,6 +146,7 @@ public class GlobalCapability { NAMES_ALL.add(VIEW_CONNECTIONS); NAMES_ALL.add(VIEW_PLUGINS); NAMES_ALL.add(VIEW_QUEUE); + NAMES_ALL.add(VIEW_ACCESS); NAMES_LC = new ArrayList<>(NAMES_ALL.size()); for (String name : NAMES_ALL) { diff --git a/java/com/google/gerrit/server/config/CapabilityConstants.java b/java/com/google/gerrit/server/config/CapabilityConstants.java index 502589266e..961dbbd958 100644 --- a/java/com/google/gerrit/server/config/CapabilityConstants.java +++ b/java/com/google/gerrit/server/config/CapabilityConstants.java @@ -43,4 +43,5 @@ public class CapabilityConstants extends TranslationBundle { public String viewConnections; public String viewPlugins; public String viewQueue; + public String viewAccess; } diff --git a/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java b/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java index 379cfc8dc9..8487d6e630 100644 --- a/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java +++ b/java/com/google/gerrit/server/permissions/DefaultPermissionBackend.java @@ -170,6 +170,7 @@ public class DefaultPermissionBackend extends PermissionBackend { case VIEW_ALL_ACCOUNTS: case VIEW_CONNECTIONS: case VIEW_PLUGINS: + case VIEW_ACCESS: return has(globalPermissionName(perm)) || isAdmin(); case ACCESS_DATABASE: diff --git a/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java b/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java index 04057e09f6..9593521570 100644 --- a/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java +++ b/java/com/google/gerrit/server/permissions/DefaultPermissionMappings.java 
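Review bot: The new `public String viewAccess;` field in CapabilityConstants.java needs a matching `viewAccess` key in the bundle's properties resource, and that file is not in the visible part of this diff. If `TranslationBundle` populates its public fields reflectively, which is likely but not shown here, a missing key would only surface when the bundle is loaded at runtime, not at compile time. Please confirm that an entry such as `viewAccess = View Access`, matching the heading used in access-control.txt, ships in the same commit.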
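Review bot: In DefaultPermissionBackend.java, `case VIEW_ACCESS:` joins the group that returns `has(globalPermissionName(perm)) || isAdmin()`, so any group granted viewAccess can read the effective rights of arbitrary (user, project) pairs, presumably including projects the caller cannot see. Nothing at the switch says so. I would add a comment above the case, for example `// VIEW_ACCESS reveals other users' rights on any project; grant only to trusted groups.` Keeping `|| isAdmin()` preserves the previous behaviour for administrators, which is good. A test would pin the new boundary: a non-admin holding only viewAccess is accepted by check.access and a user without it is rejected. No such test is visible in this part of the diff. The switch statement starts and ends outside the hunk.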
@@ -58,6 +58,7 @@ public class DefaultPermissionMappings { .put(GlobalPermission.VIEW_CONNECTIONS, GlobalCapability.VIEW_CONNECTIONS) .put(GlobalPermission.VIEW_PLUGINS, GlobalCapability.VIEW_PLUGINS) .put(GlobalPermission.VIEW_QUEUE, GlobalCapability.VIEW_QUEUE) + .put(GlobalPermission.VIEW_ACCESS, GlobalCapability.VIEW_ACCESS) .build(); static { diff --git a/java/com/google/gerrit/server/permissions/GlobalPermission.java b/java/com/google/gerrit/server/permissions/GlobalPermission.java index 475eeeaafd..a789bd9fe6 100644 --- a/java/com/google/gerrit/server/permissions/GlobalPermission.java +++ b/java/com/google/gerrit/server/permissions/GlobalPermission.java @@ -50,7 +50,8 @@ public enum GlobalPermission implements GlobalOrPluginPermission { VIEW_CACHES, VIEW_CONNECTIONS, VIEW_PLUGINS, - VIEW_QUEUE; + VIEW_QUEUE, + VIEW_ACCESS; private static final Logger log = LoggerFactory.getLogger(GlobalPermission.class); diff --git a/java/com/google/gerrit/server/restapi/project/CheckAccess.java b/java/com/google/gerrit/server/restapi/project/CheckAccess.java index 2a6566875f..865f0778f6 100644 --- a/java/com/google/gerrit/server/restapi/project/CheckAccess.java +++ b/java/com/google/gerrit/server/restapi/project/CheckAccess.java @@ -68,7 +68,8 @@ public class CheckAccess implements RestModifyView