Consider rule action while constructing local owners list

Previously rule action was not considered during computation of local owners list in ProjectState. This means that members of group that was added to OWNER permission with BLOCK or DENY action were considered as project owners. This patch fixes this security breach. Now groups assigned to OWNER permission with BLOCK or DENY action will not be recognized as owners Change-Id: I048f52d7b23b55c9e8843c5b2c9907b3326c8d40 Signed-off-by: Dariusz Luksza <dariusz@luksza.org>
2014-11-17 10:15:43 +01:00
parent a1a5d62da9
commit b37ea2c10e
3 changed files with 48 additions and 5 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectState.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/ProjectState.java
@@ -14,6 +14,7 @@

 package com.google.gerrit.server.project;

+import static com.google.gerrit.common.data.PermissionRule.Action.ALLOW;
 import static java.nio.charset.StandardCharsets.UTF_8;

 import com.google.common.base.Function;
@@ -141,7 +142,7 @@ public class ProjectState {
        if (owner != null) {
          for (PermissionRule rule : owner.getRules()) {
            GroupReference ref = rule.getGroup();
-            if (ref.getUUID() != null) {
+            if (rule.getAction() == ALLOW && ref.getUUID() != null) {
              groups.add(ref.getUUID());
            }
          }