Return 403 when non-owner calls put-config endpoint
Other project endpoints that require the user to be the owner return 403 for non-owners, so do the same here to be consistent. Change-Id: Ibdebfe17580f5c81b804db84996b209f431092db
committed by
David Pursehouse
parent
443c6b0e27
commit
ba3182a5eb
@@ -28,6 +28,7 @@ import com.google.gerrit.extensions.api.projects.ProjectInput;
|
|||||||
import com.google.gerrit.extensions.client.InheritableBoolean;
|
import com.google.gerrit.extensions.client.InheritableBoolean;
|
||||||
import com.google.gerrit.extensions.client.ProjectState;
|
import com.google.gerrit.extensions.client.ProjectState;
|
||||||
import com.google.gerrit.extensions.client.SubmitType;
|
import com.google.gerrit.extensions.client.SubmitType;
|
||||||
|
import com.google.gerrit.extensions.restapi.AuthException;
|
||||||
import com.google.gerrit.extensions.restapi.BadRequestException;
|
import com.google.gerrit.extensions.restapi.BadRequestException;
|
||||||
import com.google.gerrit.extensions.restapi.ResourceConflictException;
|
import com.google.gerrit.extensions.restapi.ResourceConflictException;
|
||||||
import com.google.gerrit.reviewdb.client.RefNames;
|
import com.google.gerrit.reviewdb.client.RefNames;
|
||||||
@@ -198,6 +199,15 @@ public class ProjectIT extends AbstractDaemonTest {
|
|||||||
assertThat(info.state).isEqualTo(input.state);
|
assertThat(info.state).isEqualTo(input.state);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void nonOwnerCannotSetConfig() throws Exception {
|
||||||
|
ConfigInput input = createTestConfigInput();
|
||||||
|
setApiUser(user);
|
||||||
|
exception.expect(AuthException.class);
|
||||||
|
exception.expectMessage("restricted to project owner");
|
||||||
|
gApi.projects().name(project.get()).config(input);
|
||||||
|
}
|
||||||
|
|
||||||
private ConfigInput createTestConfigInput() {
|
private ConfigInput createTestConfigInput() {
|
||||||
ConfigInput input = new ConfigInput();
|
ConfigInput input = new ConfigInput();
|
||||||
input.description = "some description";
|
input.description = "some description";
|
||||||
|
|||||||
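Review bot: `nonOwnerCannotSetConfig` checks only the exception type and message, so it would still pass if the endpoint wrote the config before rejecting the caller. Because `exception.expect(...)` ends the test at the throwing call, nothing can be asserted after it. Catching the `AuthException` explicitly and then re-reading the config as the project owner would close that gap, for example with `assertThat(gApi.projects().name(project.get()).config().description).isNotEqualTo(input.description);`. The test also covers only a signed-in non-owner; whether an anonymous caller gets the same 403 is not exercised here.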
@@ -22,9 +22,11 @@ import com.google.gerrit.extensions.api.projects.ConfigInput;
|
|||||||
import com.google.gerrit.extensions.api.projects.ConfigValue;
|
import com.google.gerrit.extensions.api.projects.ConfigValue;
|
||||||
import com.google.gerrit.extensions.api.projects.ProjectConfigEntryType;
|
import com.google.gerrit.extensions.api.projects.ProjectConfigEntryType;
|
||||||
import com.google.gerrit.extensions.registration.DynamicMap;
|
import com.google.gerrit.extensions.registration.DynamicMap;
|
||||||
|
import com.google.gerrit.extensions.restapi.AuthException;
|
||||||
import com.google.gerrit.extensions.restapi.BadRequestException;
|
import com.google.gerrit.extensions.restapi.BadRequestException;
|
||||||
import com.google.gerrit.extensions.restapi.ResourceConflictException;
|
import com.google.gerrit.extensions.restapi.ResourceConflictException;
|
||||||
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
|
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
|
||||||
|
import com.google.gerrit.extensions.restapi.RestApiException;
|
||||||
import com.google.gerrit.extensions.restapi.RestModifyView;
|
import com.google.gerrit.extensions.restapi.RestModifyView;
|
||||||
import com.google.gerrit.extensions.restapi.RestView;
|
import com.google.gerrit.extensions.restapi.RestView;
|
||||||
import com.google.gerrit.reviewdb.client.Project;
|
import com.google.gerrit.reviewdb.client.Project;
|
||||||
@@ -90,10 +92,9 @@ public class PutConfig implements RestModifyView<ProjectResource, ConfigInput> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public ConfigInfo apply(ProjectResource rsrc, ConfigInput input)
|
public ConfigInfo apply(ProjectResource rsrc, ConfigInput input) throws RestApiException {
|
||||||
throws ResourceNotFoundException, BadRequestException, ResourceConflictException {
|
|
||||||
if (!rsrc.getControl().isOwner()) {
|
if (!rsrc.getControl().isOwner()) {
|
||||||
throw new ResourceNotFoundException(rsrc.getName());
|
throw new AuthException("restricted to project owner");
|
||||||
}
|
}
|
||||||
return apply(rsrc.getControl(), input);
|
return apply(rsrc.getControl(), input);
|
||||||
}
|
}
|
||||||
|
|||||||
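Review bot: Replacing `ResourceNotFoundException` with `AuthException` in `apply` means a non-owner now learns from the 403 that the project exists, which the old 404 did not reveal. That is safe only if project visibility is already enforced before a `ProjectResource` reaches this view, and the hunk does not show that. If it is, record it above the check, e.g. `// Caller can already read the project (checked when the resource was parsed), so 403 discloses nothing new.` The owner check lives only in this overload; the `apply(rsrc.getControl(), input)` overload it delegates to is outside the hunk, so confirm it cannot be reached without the check. Widening the signature to `throws RestApiException` also hides which failures are expected, so a `@throws AuthException if the caller is not a project owner` Javadoc line would keep the contract visible.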