Split off raw SQL access into its own permission

Allowing raw SQL access (via the gsql tool) is potentially
a very risky operation--especially on public servers.

Administrators no longer implicitly have this right, and
have to be granted it manually.

Change-Id: I67f3896af24653a92a36538a31a9ce3b1d2f48a1
Chad Horohoe
2013-02-14 16:27:34 -05:00
parent 1c830c11e7
commit abd6d4e1d4
7 changed files with 52 additions and 2 deletions


@@ -130,6 +130,12 @@ public class CapabilityControl {
|| canAdministrateServer();
}
/** @return true if the user can access the database (with gsql). */
public boolean canAccessDatabase() {
return canPerform(GlobalCapability.ACCESS_DATABASE);
}
/** @return true if the user can force replication to any configured destination. */
public boolean canStartReplication() {
return canPerform(GlobalCapability.START_REPLICATION)
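Review bot: The Javadoc on `canAccessDatabase()` does not record that the missing `|| canAdministrateServer()` fallback is intentional, so a later cleanup could add it back for consistency and quietly give every administrator raw SQL access again. The preceding method in this hunk ends with that fallback, and `canStartReplication()` appears to continue the same way past the end of the hunk. I would change the comment to `/** @return true if the user can access the database (with gsql); never implied by administrateServer, must be granted explicitly. */`. `canPerform` is defined outside the hunk, so whether it has an administrator shortcut of its own cannot be confirmed from here. A unit test asserting that an administrator without the grant gets `false` would pin the behaviour.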


@@ -14,6 +14,7 @@
package com.google.gerrit.server.account;
import static com.google.gerrit.common.data.GlobalCapability.ACCESS_DATABASE;
import static com.google.gerrit.common.data.GlobalCapability.CREATE_ACCOUNT;
import static com.google.gerrit.common.data.GlobalCapability.CREATE_GROUP;
import static com.google.gerrit.common.data.GlobalCapability.CREATE_PROJECT;
@@ -109,6 +110,7 @@ class GetCapabilities implements RestReadView<AccountResource> {
have.put(VIEW_CONNECTIONS, cc.canViewConnections());
have.put(VIEW_QUEUE, cc.canViewQueue());
have.put(START_REPLICATION, cc.canStartReplication());
have.put(ACCESS_DATABASE, cc.canAccessDatabase());
QueueProvider.QueueType queue = cc.getQueueType();
if (queue != QueueProvider.QueueType.INTERACTIVE