Merge changes Ib3f0849f,I9d12ed46,I38520cff
* changes:
  Factor out Contributor Agreements from ProjectControl
  Add ProjectPermissions for upload and receive pack, migrate callers
  Add ProjectPermission.READ_NO_CONFIG
@@ -234,13 +234,16 @@ public class GitOverHttpServlet extends GitServlet {
|
||||
static class UploadFilter implements Filter {
|
||||
private final VisibleRefFilter.Factory refFilterFactory;
|
||||
private final UploadValidators.Factory uploadValidatorsFactory;
|
||||
private final PermissionBackend permissionBackend;
|
||||
|
||||
@Inject
|
||||
UploadFilter(
|
||||
VisibleRefFilter.Factory refFilterFactory,
|
||||
UploadValidators.Factory uploadValidatorsFactory) {
|
||||
UploadValidators.Factory uploadValidatorsFactory,
|
||||
PermissionBackend permissionBackend) {
|
||||
this.refFilterFactory = refFilterFactory;
|
||||
this.uploadValidatorsFactory = uploadValidatorsFactory;
|
||||
this.permissionBackend = permissionBackend;
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -251,13 +254,20 @@ public class GitOverHttpServlet extends GitServlet {
|
||||
ProjectControl pc = (ProjectControl) request.getAttribute(ATT_CONTROL);
|
||||
UploadPack up = (UploadPack) request.getAttribute(ServletUtils.ATTRIBUTE_HANDLER);
|
||||
|
||||
if (!pc.canRunUploadPack()) {
|
||||
try {
|
||||
permissionBackend
|
||||
.user(pc.getUser())
|
||||
.project(pc.getProject().getNameKey())
|
||||
.check(ProjectPermission.RUN_UPLOAD_PACK);
|
||||
} catch (AuthException e) {
|
||||
GitSmartHttpTools.sendError(
|
||||
(HttpServletRequest) request,
|
||||
(HttpServletResponse) response,
|
||||
HttpServletResponse.SC_FORBIDDEN,
|
||||
"upload-pack not permitted on this server");
|
||||
return;
|
||||
} catch (PermissionBackendException e) {
|
||||
throw new ServletException(e);
|
||||
}
|
||||
// We use getRemoteHost() here instead of getRemoteAddr() because REMOTE_ADDR
|
||||
// may have been overridden by a proxy server -- we'll try to avoid this.
|
||||
@@ -312,10 +322,14 @@ public class GitOverHttpServlet extends GitServlet {
|
||||
|
||||
static class ReceiveFilter implements Filter {
|
||||
private final Cache<AdvertisedObjectsCacheKey, Set<ObjectId>> cache;
|
||||
private final PermissionBackend permissionBackend;
|
||||
|
||||
@Inject
|
||||
ReceiveFilter(@Named(ID_CACHE) Cache<AdvertisedObjectsCacheKey, Set<ObjectId>> cache) {
|
||||
ReceiveFilter(
|
||||
@Named(ID_CACHE) Cache<AdvertisedObjectsCacheKey, Set<ObjectId>> cache,
|
||||
PermissionBackend permissionBackend) {
|
||||
this.cache = cache;
|
||||
this.permissionBackend = permissionBackend;
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -329,13 +343,20 @@ public class GitOverHttpServlet extends GitServlet {
|
||||
ProjectControl pc = (ProjectControl) request.getAttribute(ATT_CONTROL);
|
||||
Project.NameKey projectName = pc.getProject().getNameKey();
|
||||
|
||||
if (!pc.canRunReceivePack()) {
|
||||
try {
|
||||
permissionBackend
|
||||
.user(pc.getUser())
|
||||
.project(pc.getProject().getNameKey())
|
||||
.check(ProjectPermission.RUN_RECEIVE_PACK);
|
||||
} catch (AuthException e) {
|
||||
GitSmartHttpTools.sendError(
|
||||
(HttpServletRequest) request,
|
||||
(HttpServletResponse) response,
|
||||
HttpServletResponse.SC_FORBIDDEN,
|
||||
"receive-pack not permitted on this server");
|
||||
return;
|
||||
} catch (PermissionBackendException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
||||
Capable s = arc.canUpload();
|
||||
|
||||
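Review bot: In ReceiveFilter the new `catch (PermissionBackendException e)` rethrows as `RuntimeException`, while the matching catch in UploadFilter rethrows as `ServletException`. The two filters should fail the same way when the permission backend errors out, so use `throw new ServletException(e);` here as well, assuming this doFilter declares it as the Filter interface does. The ReceiveFilter hunk also recomputes `pc.getProject().getNameKey()` although `projectName` was assigned on the line just above; `.project(projectName)` is shorter and keeps the two in step. Both paths abort the request on a backend error instead of falling through to the pack handler, which is the right fail-closed behaviour and deserves a one-line comment such as `// Backend failure: abort the request rather than allow the operation.` Both doFilter bodies start and end outside the visible hunks.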
@@ -25,6 +25,7 @@ import com.google.gerrit.server.extensions.events.GitReferenceUpdated;
|
||||
import com.google.gerrit.server.git.MetaDataUpdate;
|
||||
import com.google.gerrit.server.git.ProjectConfig;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ContributorAgreementsChecker;
|
||||
import com.google.gerrit.server.project.NoSuchProjectException;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.gerrit.server.project.ProjectControl;
|
||||
@@ -62,6 +63,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
|
||||
AllProjectsName allProjects,
|
||||
Provider<SetParent> setParent,
|
||||
GitReferenceUpdated gitRefUpdated,
|
||||
ContributorAgreementsChecker contributorAgreements,
|
||||
@Assisted("projectName") Project.NameKey projectName,
|
||||
@Nullable @Assisted ObjectId base,
|
||||
@Assisted List<AccessSection> sectionList,
|
||||
@@ -78,6 +80,7 @@ class ChangeProjectAccess extends ProjectAccessHandler<ProjectAccess> {
|
||||
sectionList,
|
||||
parentProjectName,
|
||||
message,
|
||||
contributorAgreements,
|
||||
true);
|
||||
this.projectAccessFactory = projectAccessFactory;
|
||||
this.projectCache = projectCache;
|
||||
|
||||
@@ -18,7 +18,6 @@ import static com.google.gerrit.common.ProjectAccessUtil.mergeSections;
|
||||
|
||||
import com.google.common.base.MoreObjects;
|
||||
import com.google.gerrit.common.data.AccessSection;
|
||||
import com.google.gerrit.common.data.Capable;
|
||||
import com.google.gerrit.common.data.GroupReference;
|
||||
import com.google.gerrit.common.data.Permission;
|
||||
import com.google.gerrit.common.data.PermissionRule;
|
||||
@@ -37,6 +36,7 @@ import com.google.gerrit.server.config.AllProjectsName;
|
||||
import com.google.gerrit.server.git.MetaDataUpdate;
|
||||
import com.google.gerrit.server.git.ProjectConfig;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ContributorAgreementsChecker;
|
||||
import com.google.gerrit.server.project.NoSuchProjectException;
|
||||
import com.google.gerrit.server.project.ProjectControl;
|
||||
import com.google.gerrit.server.project.RefPattern;
|
||||
@@ -58,6 +58,7 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
|
||||
private final MetaDataUpdate.User metaDataUpdateFactory;
|
||||
private final AllProjectsName allProjects;
|
||||
private final Provider<SetParent> setParent;
|
||||
private final ContributorAgreementsChecker contributorAgreements;
|
||||
|
||||
protected final Project.NameKey projectName;
|
||||
protected final ObjectId base;
|
||||
@@ -77,6 +78,7 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
|
||||
List<AccessSection> sectionList,
|
||||
Project.NameKey parentProjectName,
|
||||
String message,
|
||||
ContributorAgreementsChecker contributorAgreements,
|
||||
boolean checkIfOwner) {
|
||||
this.projectControlFactory = projectControlFactory;
|
||||
this.groupBackend = groupBackend;
|
||||
@@ -89,6 +91,7 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
|
||||
this.sectionList = sectionList;
|
||||
this.parentProjectName = parentProjectName;
|
||||
this.message = message;
|
||||
this.contributorAgreements = contributorAgreements;
|
||||
this.checkIfOwner = checkIfOwner;
|
||||
}
|
||||
|
||||
@@ -99,9 +102,10 @@ public abstract class ProjectAccessHandler<T> extends Handler<T> {
|
||||
PermissionDeniedException, PermissionBackendException {
|
||||
final ProjectControl projectControl = projectControlFactory.controlFor(projectName);
|
||||
|
||||
Capable r = projectControl.canPushToAtLeastOneRef();
|
||||
if (r != Capable.OK) {
|
||||
throw new PermissionDeniedException(r.getMessage());
|
||||
try {
|
||||
contributorAgreements.check(projectName, projectControl.getUser());
|
||||
} catch (AuthException e) {
|
||||
throw new PermissionDeniedException(e.getMessage());
|
||||
}
|
||||
|
||||
try (MetaDataUpdate md = metaDataUpdateFactory.create(projectName)) {
|
||||
|
||||
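Review bot: The last hunk replaces the `projectControl.canPushToAtLeastOneRef()` gate with `contributorAgreements.check(projectName, projectControl.getUser())`, and judging by the names the old call covered push capability as well as the contributor agreement, so this path may now authorize less strictly than before. The body of the removed method is not visible here, so please confirm that push or owner permission is still enforced elsewhere for this handler, especially since ReviewProjectAccess passes `false` for `checkIfOwner`. If the narrowing is intentional, say so at the call site, for example `// Contributor agreement only; push permission is not re-checked here.` Separately, `new PermissionDeniedException(e.getMessage())` drops the `AuthException` as cause; pass it along if the exception type has a constructor for that. The enclosing method starts and ends outside the hunk.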
@@ -43,6 +43,7 @@ import com.google.gerrit.server.group.SystemGroupBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.permissions.RefPermission;
|
||||
import com.google.gerrit.server.project.ContributorAgreementsChecker;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.gerrit.server.project.ProjectControl;
|
||||
import com.google.gerrit.server.project.SetParent;
|
||||
@@ -94,6 +95,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
|
||||
BatchUpdate.Factory updateFactory,
|
||||
Provider<SetParent> setParent,
|
||||
Sequences seq,
|
||||
ContributorAgreementsChecker contributorAgreements,
|
||||
@Assisted("projectName") Project.NameKey projectName,
|
||||
@Nullable @Assisted ObjectId base,
|
||||
@Assisted List<AccessSection> sectionList,
|
||||
@@ -110,6 +112,7 @@ public class ReviewProjectAccess extends ProjectAccessHandler<Change.Id> {
|
||||
sectionList,
|
||||
parentProjectName,
|
||||
message,
|
||||
contributorAgreements,
|
||||
false);
|
||||
this.db = db;
|
||||
this.permissionBackend = permissionBackend;
|
||||
|
||||