ported draft comments: Require authentication

Ported draft comments is a new feature that shows a
user's draft comments from older patch sets on newer ones.

Only authenticated users can have draft comments. This
commit adds a missing check for authentication which
makes the endpoint fail gracefully with AuthException
instead of an internal server error.

Change-Id: I0752ab4474f3431ea9bcadeee579ef50aadd8acc
Patrick Hiesel
2020-11-06 10:21:47 +01:00
committed by Joerg Zieren
parent 5626c6ca1b
commit afd6c70fbd
3 changed files with 29 additions and 1 deletions


@@ -5134,6 +5134,8 @@ able to handle this situation. The same holds for drafts which are a reply to a
Different than the link:#get-ported-comments[Get Ported Comments] endpoint, the `author` of the Different than the link:#get-ported-comments[Get Ported Comments] endpoint, the `author` of the
returned comments is not filled for this endpoint as only comments of the calling user are returned. returned comments is not filled for this endpoint as only comments of the calling user are returned.
This endpoint requires authentication.
.Request .Request
---- ----
GET /changes/myProject~master~I8473b95934b5732ac55d26311a706c9c2bde9940/revisions/674ac754f91e64a0efb8087e59a176484bd534d1/ported_drafts/ HTTP/1.0 GET /changes/myProject~master~I8473b95934b5732ac55d26311a706c9c2bde9940/revisions/674ac754f91e64a0efb8087e59a176484bd534d1/ported_drafts/ HTTP/1.0


@@ -18,7 +18,9 @@ import com.google.common.collect.ImmutableList;
import com.google.gerrit.entities.HumanComment; import com.google.gerrit.entities.HumanComment;
import com.google.gerrit.entities.PatchSet; import com.google.gerrit.entities.PatchSet;
import com.google.gerrit.extensions.common.CommentInfo; import com.google.gerrit.extensions.common.CommentInfo;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.Response; import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestReadView; import com.google.gerrit.extensions.restapi.RestReadView;
import com.google.gerrit.server.CommentsUtil; import com.google.gerrit.server.CommentsUtil;
import com.google.gerrit.server.change.RevisionResource; import com.google.gerrit.server.change.RevisionResource;
@@ -46,7 +48,10 @@ public class ListPortedDrafts implements RestReadView<RevisionResource> {
@Override @Override
public Response<Map<String, List<CommentInfo>>> apply(RevisionResource revisionResource) public Response<Map<String, List<CommentInfo>>> apply(RevisionResource revisionResource)
throws PermissionBackendException { throws PermissionBackendException, RestApiException {
if (!revisionResource.getUser().isIdentifiedUser()) {
throw new AuthException("requires authentication; only authenticated users can have drafts");
}
PatchSet targetPatchset = revisionResource.getPatchSet(); PatchSet targetPatchset = revisionResource.getPatchSet();
List<HumanComment> draftComments = List<HumanComment> draftComments =
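Review bot: The widened clause `throws PermissionBackendException, RestApiException` on `apply` declares more than the added guard can raise; the only REST error thrown in this hunk is `AuthException`, so `throws PermissionBackendException, AuthException` would keep the declared contract precise. The guard itself sits ahead of `getPatchSet()` and the draft lookup, so an anonymous caller is rejected before any draft data is read. A short comment above it, for example `// Drafts are stored per account; reject anonymous callers before any lookup.`, would record why the check has to stay first. The rest of `apply` lies outside the hunk, so whether later statements need the broader `RestApiException` cannot be confirmed from here.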


@@ -20,6 +20,7 @@ import static com.google.common.collect.MoreCollectors.onlyElement;
import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.Truth.assertThat;
import static com.google.gerrit.extensions.common.testing.CommentInfoSubject.assertThat; import static com.google.gerrit.extensions.common.testing.CommentInfoSubject.assertThat;
import static com.google.gerrit.extensions.common.testing.CommentInfoSubject.assertThatList; import static com.google.gerrit.extensions.common.testing.CommentInfoSubject.assertThatList;
import static com.google.gerrit.testing.GerritJUnit.assertThrows;
import static com.google.gerrit.truth.MapSubject.assertThatMap; import static com.google.gerrit.truth.MapSubject.assertThatMap;
import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList;
@@ -37,6 +38,7 @@ import com.google.gerrit.entities.PatchSet;
import com.google.gerrit.extensions.api.changes.DeleteCommentInput; import com.google.gerrit.extensions.api.changes.DeleteCommentInput;
import com.google.gerrit.extensions.client.Side; import com.google.gerrit.extensions.client.Side;
import com.google.gerrit.extensions.common.CommentInfo; import com.google.gerrit.extensions.common.CommentInfo;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.RestApiException; import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.truth.NullAwareCorrespondence; import com.google.gerrit.truth.NullAwareCorrespondence;
import com.google.inject.Inject; import com.google.inject.Inject;
@@ -495,6 +497,25 @@ public class PortedCommentsIT extends AbstractDaemonTest {
assertThat(portedComment).author().id().isEqualTo(authorId.get()); assertThat(portedComment).author().id().isEqualTo(authorId.get());
} }
@Test
public void anonymousUsersGetAuthExceptionForPortedDrafts() throws Exception {
Change.Id changeId = changeOps.newChange().create();
PatchSet.Id patchsetId = changeOps.change(changeId).currentPatchset().get().patchsetId();
requestScopeOps.setApiUserAnonymous();
AuthException thrown =
assertThrows(
AuthException.class,
() ->
gApi.changes()
.id(patchsetId.changeId().get())
.revision(patchsetId.get())
.portedDrafts());
assertThat(thrown)
.hasMessageThat()
.contains("requires authentication; only authenticated users can have drafts");
}
@Test @Test
public void portedDraftCommentHasNoAuthor() throws Exception { public void portedDraftCommentHasNoAuthor() throws Exception {
// Set up change and patchsets. // Set up change and patchsets.