Cleanup access checks in account REST API implementations

The more common pattern is to compare IdentifiedUser using reference equality. If they are the same object instance in the JVM then its the same user. This happens when the URL was "/accounts/self/..." and thus is very clearly for the calling user. Don't allow registering new emails if the realm doesn't permit it. Some realms may disable this feature because they want only the address from the LDAP directory to be used on the server. Load emails from the cached AccountState, rather than pulling them from the database. This is the set the user's commits are verified against so its a more accurate view to show to the user. If the server cache is behind the database table the API will now reflect its actually behind. Shorten a few error messages, avoiding some line wrapping. Change-Id: I3d644735117ccea3a120c49ace85b992f3ead6d6
2013-05-23 08:41:35 -07:00
parent 8150dadaf4
commit b2249e90f9
8 changed files with 67 additions and 75 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
@@ -25,7 +25,6 @@ import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.reviewdb.client.Account.FieldName;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
-import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.PutName.Input;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -54,16 +53,16 @@ public class PutName implements RestModifyView<AccountResource, Input> {
  }

  @Override
-  public Object apply(AccountResource rsrc, Input input) throws AuthException,
-      MethodNotAllowedException, ResourceNotFoundException, OrmException {
-    IdentifiedUser s = (IdentifiedUser) self.get();
-    if (s.getAccountId().get() != rsrc.getUser().getAccountId().get()
+  public Response<String> apply(AccountResource rsrc, Input input)
+      throws AuthException, MethodNotAllowedException,
+      ResourceNotFoundException, OrmException {
+    if (self.get() != rsrc.getUser()
        && !self.get().getCapabilities().canAdministrateServer()) {
      throw new AuthException("not allowed to change name");
    }

    if (!realm.allowsEdit(FieldName.FULL_NAME)) {
-      throw new MethodNotAllowedException("The realm doesn't allow editing names");
+      throw new MethodNotAllowedException("realm does not allow editing name");
    }

    if (input == null) {
@@ -72,13 +71,13 @@ public class PutName implements RestModifyView<AccountResource, Input> {

    Account a = dbProvider.get().accounts().get(rsrc.getUser().getAccountId());
    if (a == null) {
-      throw new ResourceNotFoundException("No such account: "
-          + rsrc.getUser().getAccountId());
+      throw new ResourceNotFoundException("account not found");
    }
    a.setFullName(input.name);
    dbProvider.get().accounts().update(Collections.singleton(a));
    byIdCache.evict(a.getId());
-    return Strings.isNullOrEmpty(a.getFullName()) ?
-        Response.none() : a.getFullName();
+    return Strings.isNullOrEmpty(a.getFullName())
+        ? Response.<String> none()
+        : Response.ok(a.getFullName());
  }
 }