Return 403 when non-owner calls put-config endpoint

Other project endpoints that require the user to be the owner return
403 for non-owners, so do the same here to be consistent.

Change-Id: Ibdebfe17580f5c81b804db84996b209f431092db
Hugo Arès
2017-04-12 20:46:02 -04:00
committed by David Pursehouse
parent 443c6b0e27
commit ba3182a5eb
2 changed files with 14 additions and 3 deletions


@@ -28,6 +28,7 @@ import com.google.gerrit.extensions.api.projects.ProjectInput;
import com.google.gerrit.extensions.client.InheritableBoolean;
import com.google.gerrit.extensions.client.ProjectState;
import com.google.gerrit.extensions.client.SubmitType;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.reviewdb.client.RefNames;
@@ -198,6 +199,15 @@ public class ProjectIT extends AbstractDaemonTest {
assertThat(info.state).isEqualTo(input.state);
}
@Test
public void nonOwnerCannotSetConfig() throws Exception {
ConfigInput input = createTestConfigInput();
setApiUser(user);
exception.expect(AuthException.class);
exception.expectMessage("restricted to project owner");
gApi.projects().name(project.get()).config(input);
}
private ConfigInput createTestConfigInput() {
ConfigInput input = new ConfigInput();
input.description = "some description";
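Review bot: `nonOwnerCannotSetConfig` pins the exception type and message through the Java API, but not the HTTP 403 that the commit title promises. The mapping from `AuthException` to a status code happens outside this hunk, so a REST-level assertion on the response status would cover the behaviour that clients actually observe. The test also does not check that the project config is unchanged after the rejected call; reading the config back as an owner and comparing it to the initial values would prove the denial has no side effect. `createTestConfigInput` continues outside the hunk.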


@@ -22,9 +22,11 @@ import com.google.gerrit.extensions.api.projects.ConfigInput;
import com.google.gerrit.extensions.api.projects.ConfigValue;
import com.google.gerrit.extensions.api.projects.ProjectConfigEntryType;
import com.google.gerrit.extensions.registration.DynamicMap;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.RestView;
import com.google.gerrit.reviewdb.client.Project;
@@ -90,10 +92,9 @@ public class PutConfig implements RestModifyView<ProjectResource, ConfigInput> {
}
@Override
public ConfigInfo apply(ProjectResource rsrc, ConfigInput input)
throws ResourceNotFoundException, BadRequestException, ResourceConflictException {
public ConfigInfo apply(ProjectResource rsrc, ConfigInput input) throws RestApiException {
if (!rsrc.getControl().isOwner()) {
throw new ResourceNotFoundException(rsrc.getName());
throw new AuthException("restricted to project owner");
}
return apply(rsrc.getControl(), input);
}
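Review bot: The `isOwner()` check guards only `apply(ProjectResource, ConfigInput)`, while the write itself is delegated to `apply(rsrc.getControl(), input)`, whose body is outside the hunk. If that overload is reachable from other callers they would skip the check, so confirm it is not, or move the ownership test into it. Answering 403 instead of 404 also confirms to a non-owner that the project exists, which is harmless only if resolving the `ProjectResource` already enforces read visibility; that is presumably the case but is not visible here. A comment above the check such as `// Resource is already resolved, so the caller can see the project; 403 discloses nothing new.` would record the assumption. The widened `throws RestApiException` also hides which failures the endpoint produces; adding `AuthException` to the previous explicit list would keep the contract readable.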