From ba3182a5ebab822f4c43219c02e7b51747adb334 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20Ar=C3=A8s?=
Date: Wed, 12 Apr 2017 20:46:02 -0400
Subject: [PATCH] Return 403 when non-owner calls put-config endpoint

Other project endpoints that requires the user to be the owner return 403 for non-owner so do the same to be consistent.

Change-Id: Ibdebfe17580f5c81b804db84996b209f431092db
---
 .../gerrit/acceptance/api/project/ProjectIT.java | 10 ++++++++++
 .../com/google/gerrit/server/project/PutConfig.java | 7 ++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/ProjectIT.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/ProjectIT.java
index 3d34609716..86884097f9 100644
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/ProjectIT.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/ProjectIT.java
@@ -28,6 +28,7 @@ import com.google.gerrit.extensions.api.projects.ProjectInput;
 import com.google.gerrit.extensions.client.InheritableBoolean;
 import com.google.gerrit.extensions.client.ProjectState;
 import com.google.gerrit.extensions.client.SubmitType;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.BadRequestException;
 import com.google.gerrit.extensions.restapi.ResourceConflictException;
 import com.google.gerrit.reviewdb.client.RefNames;
@@ -198,6 +199,15 @@ public class ProjectIT extends AbstractDaemonTest {
 assertThat(info.state).isEqualTo(input.state);
 }
+ @Test
+ public void nonOwnerCannotSetConfig() throws Exception {
+ ConfigInput input = createTestConfigInput();
+ setApiUser(user);
+ exception.expect(AuthException.class);
+ exception.expectMessage("restricted to project owner");
+ gApi.projects().name(project.get()).config(input);
+ }
+
 private ConfigInput createTestConfigInput() {
 ConfigInput input = new ConfigInput();
 input.description = "some description";
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/PutConfig.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/PutConfig.java
index 8c382b109f..8705f3ba05 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/PutConfig.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/PutConfig.java
@@ -22,9 +22,11 @@ import com.google.gerrit.extensions.api.projects.ConfigInput;
 import com.google.gerrit.extensions.api.projects.ConfigValue;
 import com.google.gerrit.extensions.api.projects.ProjectConfigEntryType;
 import com.google.gerrit.extensions.registration.DynamicMap;
+import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.BadRequestException;
 import com.google.gerrit.extensions.restapi.ResourceConflictException;
 import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
+import com.google.gerrit.extensions.restapi.RestApiException;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.extensions.restapi.RestView;
 import com.google.gerrit.reviewdb.client.Project;
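Review bot: nonOwnerCannotSetConfig asserts that AuthException is thrown but never checks that the rejected call left the project config untouched, and with the ExpectedException rule nothing after `gApi.projects().name(project.get()).config(input)` runs, so no post-condition can be added in this shape. A try/fail/catch form lets the test read the config back after the failed call and confirm `description` still holds its pre-call value, which is the property the 403 is meant to protect; the read as `user` should succeed since the PUT already resolved the project for that account. The enclosing class ProjectIT continues outside the hunk.
```java
ConfigInput input = createTestConfigInput();
String before = gApi.projects().name(project.get()).config().description;
setApiUser(user);
try {
  gApi.projects().name(project.get()).config(input);
  fail("expected AuthException");
} catch (AuthException e) {
  assertThat(e.getMessage()).contains("restricted to project owner");
}
assertThat(gApi.projects().name(project.get()).config().description).isEqualTo(before);
```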
@@ -90,10 +92,9 @@ public class PutConfig implements RestModifyView {
 }
 @Override
- public ConfigInfo apply(ProjectResource rsrc, ConfigInput input)
- throws ResourceNotFoundException, BadRequestException, ResourceConflictException {
+ public ConfigInfo apply(ProjectResource rsrc, ConfigInput input) throws RestApiException {
 if (!rsrc.getControl().isOwner()) {
- throw new ResourceNotFoundException(rsrc.getName());
+ throw new AuthException("restricted to project owner");
 }
 return apply(rsrc.getControl(), input);
 }
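Review bot: The owner check guards only this REST entry point; the `apply(rsrc.getControl(), input)` overload it delegates to on the last line performs no ownership check of its own, so any other caller of that overload (its visibility is outside this hunk) writes project config with no 403 at all. If that split is intentional, say so where the next reader will look, e.g. `// Authorization is enforced only here; apply(ProjectControl, ConfigInput) trusts its caller to have checked ownership.` above the `isOwner()` test. The move from 404 to 403 does not newly disclose project existence, since the ProjectResource was already resolved for this user before the check runs.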