Merge branch 'stable-2.8'

* stable-2.8:
  ReceiveCommits: Fix PUSH permission check for draft changes
  Don't allow project owners to create branches if create is blocked
  Add acceptance test for branch creation
  Wrong button is passed to revert action handler

Conflicts:
	gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/git/BUCK
	gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java

Change-Id: I11e4b0c846fa60b1bec67c4ca90de3d8fce6df8c

Documentation/access-control.txt

@@ -399,6 +399,14 @@ of adding individual reviewers before making the change public to all.  The
 change page will have a 'Publish' button which allows you to convert individual
 draft patch sets of a change into public patch sets for review.
 
+To block push permission to `refs/drafts/*` the following permission rule can
+be configured:
+
+====
+  [access "refs/drafts/*"]
+    push = block group Anonymous Users
+====
+
 
 [[access_categories]]
 == Access Categories

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/git/BUCK

@@ -1,7 +1,7 @@
 include_defs('//gerrit-acceptance-tests/tests.defs')
 
 acceptance_tests(
-  srcs = ['SubmitOnPushIT.java'],
+  srcs = ['DraftChangeBlockedIT.java', 'SubmitOnPushIT.java'],
   deps = ['//gerrit-acceptance-tests:lib'],
 )
 

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/git/DraftChangeBlockedIT.java

@@ -0,0 +1,114 @@
+// Copyright (C) 2014 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.acceptance.git;
+
+import static com.google.gerrit.acceptance.GitUtil.cloneProject;
+import static com.google.gerrit.acceptance.GitUtil.createProject;
+import static com.google.gerrit.server.group.SystemGroupBackend.ANONYMOUS_USERS;
+import static com.google.gerrit.server.project.Util.grant;
+
+import com.google.gerrit.acceptance.AbstractDaemonTest;
+import com.google.gerrit.acceptance.AccountCreator;
+import com.google.gerrit.acceptance.PushOneCommit;
+import com.google.gerrit.acceptance.SshSession;
+import com.google.gerrit.common.data.Permission;
+import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.reviewdb.server.ReviewDb;
+import com.google.gerrit.server.config.AllProjectsName;
+import com.google.gerrit.server.git.MetaDataUpdate;
+import com.google.gerrit.server.git.ProjectConfig;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.gwtorm.server.OrmException;
+import com.google.gwtorm.server.SchemaFactory;
+import com.google.inject.Inject;
+
+import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.api.errors.GitAPIException;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+
+public class DraftChangeBlockedIT extends AbstractDaemonTest {
+
+  @Inject
+  private AccountCreator accounts;
+
+  @Inject
+  private SchemaFactory<ReviewDb> reviewDbProvider;
+
+  @Inject
+  private ProjectCache projectCache;
+
+  @Inject
+  private AllProjectsName allProjects;
+
+  @Inject
+  private MetaDataUpdate.Server metaDataUpdateFactory;
+
+  @Inject
+  private PushOneCommit.Factory pushFactory;
+
+  private Project.NameKey project;
+  private Git git;
+  private ReviewDb db;
+
+  @Before
+  public void setUp() throws Exception {
+    ProjectConfig cfg = projectCache.checkedGet(allProjects).getConfig();
+    grant(cfg, Permission.PUSH, ANONYMOUS_USERS,
+        "refs/drafts/*").setBlock();
+    saveProjectConfig(cfg);
+
+    project = new Project.NameKey("p");
+    SshSession sshSession = new SshSession(server, admin);
+    createProject(sshSession, project.get());
+
+    db = reviewDbProvider.open();
+    git = cloneProject(sshSession.getUrl() + "/" + project.get());
+    sshSession.close();
+  }
+
+  @Test
+  public void testPushDraftChange_Blocked() throws GitAPIException,
+      OrmException, IOException {
+    // create draft by pushing to 'refs/drafts/'
+    PushOneCommit.Result r = pushTo("refs/drafts/master");
+    r.assertErrorStatus("cannot upload drafts");
+  }
+
+  @Test
+  public void testPushDraftChangeMagic_Blocked() throws GitAPIException,
+      OrmException, IOException {
+    // create draft by using 'draft' option
+    PushOneCommit.Result r = pushTo("refs/for/master%draft");
+    r.assertErrorStatus("cannot upload drafts");
+  }
+
+  private PushOneCommit.Result pushTo(String ref) throws GitAPIException,
+      IOException {
+    PushOneCommit push = pushFactory.create(db, admin.getIdent());
+    return push.to(git, ref);
+  }
+
+  private void saveProjectConfig(ProjectConfig cfg) throws IOException {
+    MetaDataUpdate md = metaDataUpdateFactory.create(allProjects);
+    try {
+      cfg.commit(md);
+    } finally {
+      md.close();
+    }
+  }
+}

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/CreateBranchIT.java

@@ -0,0 +1,181 @@
+// Copyright (C) 2014 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.acceptance.rest.project;
+
+import static com.google.gerrit.acceptance.GitUtil.createProject;
+import static org.junit.Assert.assertEquals;
+
+import com.google.gerrit.acceptance.AbstractDaemonTest;
+import com.google.gerrit.acceptance.RestResponse;
+import com.google.gerrit.acceptance.RestSession;
+import com.google.gerrit.acceptance.SshSession;
+import com.google.gerrit.acceptance.TestAccount;
+import com.google.gerrit.common.data.AccessSection;
+import com.google.gerrit.common.data.Permission;
+import com.google.gerrit.common.data.PermissionRule;
+import com.google.gerrit.reviewdb.client.Branch;
+import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.server.account.GroupCache;
+import com.google.gerrit.server.config.AllProjectsNameProvider;
+import com.google.gerrit.server.git.MetaDataUpdate;
+import com.google.gerrit.server.git.ProjectConfig;
+import com.google.gerrit.server.group.SystemGroupBackend;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.inject.Inject;
+
+import org.apache.http.HttpStatus;
+import org.eclipse.jgit.errors.ConfigInvalidException;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+
+public class CreateBranchIT extends AbstractDaemonTest {
+  @Inject
+  private MetaDataUpdate.Server metaDataUpdateFactory;
+
+  @Inject
+  private ProjectCache projectCache;
+
+  @Inject
+  private GroupCache groupCache;
+
+  @Inject
+  private AllProjectsNameProvider allProjects;
+
+  private RestSession userSession;
+
+  private Project.NameKey project;
+  private Branch.NameKey branch;
+
+  @Before
+  public void setUp() throws Exception {
+    TestAccount user = accounts.create("user", "user@example.com", "User");
+    userSession = new RestSession(server, user);
+
+    project = new Project.NameKey("p");
+    branch = new Branch.NameKey(project, "test");
+
+    SshSession sshSession = new SshSession(server, admin);
+    try {
+      createProject(sshSession, project.get(), null, true);
+    } finally {
+      sshSession.close();
+    }
+  }
+
+  @Test
+  public void createBranch_Forbidden() throws IOException {
+    RestResponse r =
+        userSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_FORBIDDEN, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByAdmin() throws IOException {
+    RestResponse r =
+        adminSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.get("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_OK, r.getStatusCode());
+  }
+
+  @Test
+  public void branchAlreadyExists_Conflict() throws IOException {
+    RestResponse r =
+        adminSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.put("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CONFLICT, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByProjectOwner() throws IOException,
+      ConfigInvalidException {
+    grantOwner();
+
+    RestResponse r =
+        userSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.get("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_OK, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByAdminCreateReferenceBlocked() throws IOException,
+      ConfigInvalidException {
+    blockCreateReference();
+    RestResponse r =
+        adminSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.get("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_OK, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByProjectOwnerCreateReferenceBlocked_Forbidden()
+      throws IOException, ConfigInvalidException {
+    grantOwner();
+    blockCreateReference();
+    RestResponse r =
+        userSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_FORBIDDEN, r.getStatusCode());
+  }
+
+  private void blockCreateReference() throws IOException, ConfigInvalidException {
+    MetaDataUpdate md = metaDataUpdateFactory.create(allProjects.get());
+    md.setMessage(String.format("Block %s", Permission.CREATE));
+    ProjectConfig config = ProjectConfig.read(md);
+    AccessSection s = config.getAccessSection("refs/*", true);
+    Permission p = s.getPermission(Permission.CREATE, true);
+    PermissionRule rule = new PermissionRule(config.resolve(
+        SystemGroupBackend.getGroup(SystemGroupBackend.ANONYMOUS_USERS)));
+    rule.setBlock();
+    p.add(rule);
+    config.commit(md);
+    projectCache.evict(config.getProject());
+  }
+
+  private void grantOwner() throws IOException, ConfigInvalidException {
+    MetaDataUpdate md = metaDataUpdateFactory.create(project);
+    md.setMessage(String.format("Grant %s", Permission.OWNER));
+    ProjectConfig config = ProjectConfig.read(md);
+    AccessSection s = config.getAccessSection("refs/*", true);
+    Permission p = s.getPermission(Permission.OWNER, true);
+    PermissionRule rule = new PermissionRule(config.resolve(
+        SystemGroupBackend.getGroup(SystemGroupBackend.REGISTERED_USERS)));
+    p.add(rule);
+    config.commit(md);
+    projectCache.evict(config.getProject());
+  }
+}

gerrit-gwtui/src/main/java/com/google/gerrit/client/change/Actions.java

@@ -193,7 +193,7 @@ class Actions extends Composite {
 
   @UiHandler("revert")
   void onRevert(ClickEvent e) {
-    RevertAction.call(cherrypick, changeId, revision, project, subject);
+    RevertAction.call(revert, changeId, revision, project, subject);
   }
 
   private static void a2b(NativeMap<ActionInfo> actions, String a, Button b) {

gerrit-server/src/main/java/com/google/gerrit/server/git/ReceiveCommits.java

@@ -50,6 +50,7 @@ import com.google.gerrit.common.ChangeHooks;
 import com.google.gerrit.common.Nullable;
 import com.google.gerrit.common.data.Capable;
 import com.google.gerrit.common.data.LabelTypes;
+import com.google.gerrit.common.data.Permission;
 import com.google.gerrit.common.data.PermissionRule;
 import com.google.gerrit.extensions.registration.DynamicMap;
 import com.google.gerrit.extensions.registration.DynamicMap.Entry;
@@ -1177,6 +1178,15 @@ public class ReceiveCommits {
       reject(cmd, "project is read only");
       return;
     }
+
+    if (magicBranch.isDraft()
+        && projectControl.controlForRef("refs/drafts/" + ref)
+            .isBlocked(Permission.PUSH)) {
+      errors.put(Error.CODE_REVIEW, ref);
+      reject(cmd, "cannot upload drafts");
+      return;
+    }
+
     if (!magicBranch.ctl.canUpload()) {
       errors.put(Error.CODE_REVIEW, ref);
       reject(cmd, "cannot upload review");

gerrit-server/src/main/java/com/google/gerrit/server/project/RefControl.java

@@ -246,7 +246,8 @@ public class RefControl {
     }
 
     if (object instanceof RevCommit) {
-      return owner
+      return getCurrentUser().getCapabilities().canAdministrateServer()
+          || (owner && !isBlocked(Permission.CREATE))
           || (canPerform(Permission.CREATE) && projectControl.canReadCommit(rw,
               (RevCommit) object));
     } else if (object instanceof RevTag) {
@@ -472,6 +473,15 @@ public class RefControl {
 
   /** True if the user has this permission. Works only for non labels. */
   boolean canPerform(String permissionName) {
+    return doCanPerform(permissionName, false);
+  }
+
+  /** True if the user is blocked from using this permission. */
+  public boolean isBlocked(String permissionName) {
+    return !doCanPerform(permissionName, true);
+  }
+
+  private boolean doCanPerform(String permissionName, boolean blockOnly) {
     List<PermissionRule> access = access(permissionName);
     Set<ProjectRef> allows = Sets.newHashSet();
     Set<ProjectRef> blocks = Sets.newHashSet();
@@ -483,7 +493,7 @@ public class RefControl {
       }
     }
     blocks.removeAll(allows);
-    return blocks.isEmpty() && !allows.isEmpty();
+    return blocks.isEmpty() && (!allows.isEmpty() || blockOnly);
   }
 
   /** True if the user has force this permission. Works only for non labels. */

gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java

@@ -141,6 +141,33 @@ public class RefControlTest {
         u.controlForRef("refs/heads/foobar").canUpload());
   }
 
+  @Test
+  public void testBlockPushDrafts() {
+    grant(util.getParentConfig(), PUSH, REGISTERED_USERS, "refs/for/refs/*");
+    grant(util.getParentConfig(), PUSH, ANONYMOUS_USERS, "refs/drafts/*")
+        .setBlock();
+
+    ProjectControl u = util.user(local);
+    assertTrue("can upload refs/heads/master",
+        u.controlForRef("refs/heads/master").canUpload());
+    assertTrue("push is blocked to refs/drafts/master",
+        u.controlForRef("refs/drafts/refs/heads/master").isBlocked(PUSH));
+  }
+
+  @Test
+  public void testBlockPushDraftsUnblockAdmin() {
+    grant(util.getParentConfig(), PUSH, ANONYMOUS_USERS, "refs/drafts/*")
+        .setBlock();
+    grant(util.getParentConfig(), PUSH, ADMIN, "refs/drafts/*");
+
+    assertTrue("push is blocked for anonymous to refs/drafts/master",
+        util.user(local).controlForRef("refs/drafts/refs/heads/master")
+            .isBlocked(PUSH));
+    assertFalse("push is blocked for admin refs/drafts/master",
+        util.user(local, "a", ADMIN).controlForRef("refs/drafts/refs/heads/master")
+            .isBlocked(PUSH));
+  }
+
   @Test
   public void testInheritRead_SingleBranchDoesNotOverrideInherited() {
     grant(util.getParentConfig(), READ, REGISTERED_USERS, "refs/*");