opendev/gerrit
Code Issues Proposed changes

Return 403 when non-owner calls put-config endpoint

Browse Source 
Other project endpoints that requires the user to be the owner return
403 for non-owner so do the same to be consistent.

Change-Id: Ibdebfe17580f5c81b804db84996b209f431092db
This commit is contained in:
Hugo Arès
2017-04-12 20:46:02 -04:00
committed by David Pursehouse
parent 443c6b0e27
commit ba3182a5eb
2 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
gerrit-server/src/main/java/com/google/gerrit/server/project/PutConfig.java
View File

@@ -22,9 +22,11 @@ import com.google.gerrit.extensions.api.projects.ConfigInput;
import com.google.gerrit.extensions.api.projects.ConfigValue;
import com.google.gerrit.extensions.api.projects.ProjectConfigEntryType;
import com.google.gerrit.extensions.registration.DynamicMap;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.RestView;
import com.google.gerrit.reviewdb.client.Project;
@@ -90,10 +92,9 @@ public class PutConfig implements RestModifyView<ProjectResource, ConfigInput> {
}
@Override
public ConfigInfo apply(ProjectResource rsrc, ConfigInput input)
throws ResourceNotFoundException, BadRequestException, ResourceConflictException {
public ConfigInfo apply(ProjectResource rsrc, ConfigInput input) throws RestApiException {
if (!rsrc.getControl().isOwner()) {
throw new ResourceNotFoundException(rsrc.getName());
throw new AuthException("restricted to project owner");
}
return apply(rsrc.getControl(), input);
}