From 362b14d11d5ab221268f79edf1b25d41f32f7eaa Mon Sep 17 00:00:00 2001 From: Edwin Kempin Date: Fri, 9 May 2014 14:18:12 +0200 Subject: [PATCH] Add 'View Plugins' global capability that allows to list plugins At the moment only the Gerrit administrators can list the installed plugins. However which plugins are installed may be also interesting to project owners and users because they want to know which functionality is available to them. Hiding the 'Plugins' > 'Installed' menu is bad since this screen is the entry point to the documentation of the installed plugins. This documentation may be relevant to normal users. Since being able to see the list of installed plugin may be considered as security risk, by default still only administrators are able to list them, but now the new capability allows to assign this permission also to other users. Change-Id: Ifed8ad76354b9a19e8c79edb0c965249b162fdfd Signed-off-by: Edwin Kempin --- Documentation/access-control.txt | 6 ++++++ Documentation/rest-api-accounts.txt | 3 +++ Documentation/rest-api-config.txt | 5 +++++ Documentation/rest-api-plugins.txt | 4 ++++ .../gerrit/acceptance/rest/account/CapabilityInfo.java | 1 + .../com/google/gerrit/common/data/GlobalCapability.java | 4 ++++ .../src/main/java/com/google/gerrit/client/Gerrit.java | 6 +++--- .../com/google/gerrit/server/account/CapabilityControl.java | 6 ++++++ .../com/google/gerrit/server/account/GetCapabilities.java | 2 ++ .../google/gerrit/server/config/CapabilityConstants.java | 1 + .../java/com/google/gerrit/server/plugins/ListPlugins.java | 2 +- .../gerrit/server/config/CapabilityConstants.properties | 1 + 12 files changed, 37 insertions(+), 4 deletions(-) diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt index 8b2fd64f68..8ff2eb6238 100644 --- a/Documentation/access-control.txt +++ b/Documentation/access-control.txt 
@@ -1311,6 +1311,12 @@ capability allows the granted group to link:cmd-show-connections.html[look at Gerrit's current connections via ssh]. +[[capability_viewPlugins]] +=== View Plugins + +Allow viewing the list of installed plugins. + + [[capability_viewQueue]] === View Queue diff --git a/Documentation/rest-api-accounts.txt b/Documentation/rest-api-accounts.txt index ac5bd54a3c..28014295f9 100644 --- a/Documentation/rest-api-accounts.txt +++ b/Documentation/rest-api-accounts.txt @@ -659,6 +659,7 @@ Administrator that has authenticated with digest authentication: "viewCaches": true, "flushCaches": true, "viewConnections": true, + "viewPlugins": true, "viewQueue": true, "runGC": true } @@ -1145,6 +1146,8 @@ link:access-control.html#capability_viewCaches[View Caches] capability. |`viewConnections` |not set if `false`|Whether the user has the link:access-control.html#capability_viewConnections[View Connections] capability. +|`viewPlugins` |not set if `false`|Whether the user has the +link:access-control.html#capability_viewPlugins[View Plugins] capability. |`viewQueue` |not set if `false`|Whether the user has the link:access-control.html#capability_viewQueue[View Queue] capability. |================================= diff --git a/Documentation/rest-api-config.txt b/Documentation/rest-api-config.txt index 6c02bb66c1..6a3b34ea35 100644 --- a/Documentation/rest-api-config.txt +++ b/Documentation/rest-api-config.txt @@ -126,6 +126,11 @@ The entries in the map are sorted by capability ID. "id": "viewConnections", "name": "View Connections" }, + "viewPlugins": { + "kind": "gerritcodereview#capability", + "id": "viewPlugins", + "name": "View Plugins" + }, "viewQueue": { "kind": "gerritcodereview#capability", "id": "viewQueue", diff --git a/Documentation/rest-api-plugins.txt b/Documentation/rest-api-plugins.txt index 89a22f0c3f..0011213a16 100644 --- a/Documentation/rest-api-plugins.txt +++ b/Documentation/rest-api-plugins.txt 
@@ -23,6 +23,10 @@ namespace. Lists the plugins installed on the Gerrit server. Only the enabled plugins are returned unless the `all` option is specified. +To be allowed to see the installed plugins, a user must be a member of +a group that is granted the 'View Plugins' capability or the +'Administrate Server' capability. + As result a map is returned that maps the plugin IDs to link:#plugin-info[PluginInfo] entries. The entries in the map are sorted by plugin ID. diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java index dbc1dd8dc7..adbf10aced 100644 --- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java +++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java @@ -32,6 +32,7 @@ class CapabilityInfo { public boolean viewAllAccounts; public boolean viewCaches; public boolean viewConnections; + public boolean viewPlugins; public boolean viewQueue; static class QueryLimit { diff --git a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java index 80a04fa2fc..d9ad274374 100644 --- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java +++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java @@ -88,6 +88,9 @@ public class GlobalCapability { /** Can view open connections to the server's SSH port. */ public static final String VIEW_CONNECTIONS = "viewConnections"; + /** Can view all installed plugins. */ + public static final String VIEW_PLUGINS = "viewPlugins"; + /** Can view all pending tasks in the queue (not just the filtered set). */ public static final String VIEW_QUEUE = "viewQueue"; 
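Review bot: The Javadoc added for `VIEW_PLUGINS` in GlobalCapability.java drops the caveat from the commit message that the plugin list may be sensitive, so someone granting the capability from the constant or from the one-line entry in access-control.txt gets no hint of what it discloses. I would expand it to something like `/** Can view all installed plugins. Grant with care: the list reveals which extensions the server runs. */`. It is also worth stating there that administrators hold it implicitly, as `canViewPlugins()` in CapabilityControl shows. The class body continues outside the hunk.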
@@ -112,6 +115,7 @@ public class GlobalCapability { NAMES_ALL.add(VIEW_ALL_ACCOUNTS); NAMES_ALL.add(VIEW_CACHES); NAMES_ALL.add(VIEW_CONNECTIONS); + NAMES_ALL.add(VIEW_PLUGINS); NAMES_ALL.add(VIEW_QUEUE); NAMES_LC = new ArrayList<>(NAMES_ALL.size()); diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java index 600c8d8aaf..b7857e465f 100644 --- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java +++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java @@ -14,9 +14,9 @@ package com.google.gerrit.client; -import static com.google.gerrit.common.data.GlobalCapability.ADMINISTRATE_SERVER; import static com.google.gerrit.common.data.GlobalCapability.CREATE_GROUP; import static com.google.gerrit.common.data.GlobalCapability.CREATE_PROJECT; +import static com.google.gerrit.common.data.GlobalCapability.VIEW_PLUGINS; import com.google.gerrit.client.account.AccountCapabilities; import com.google.gerrit.client.account.AccountInfo; @@ -649,14 +649,14 @@ public class Gerrit implements EntryPoint { PageLinks.ADMIN_CREATE_GROUP, peopleBar.getWidgetIndex(groupsListMenuItem) + 1); } - if (result.canPerform(ADMINISTRATE_SERVER)) { + if (result.canPerform(VIEW_PLUGINS)) { insertLink(pluginsBar, C.menuPluginsInstalled(), PageLinks.ADMIN_PLUGINS, 0); menuLeft.insert(pluginsBar, C.menuPlugins(), menuLeft.getWidgetIndex(peopleBar) + 1); } } - }, CREATE_PROJECT, CREATE_GROUP, ADMINISTRATE_SERVER); + }, CREATE_PROJECT, CREATE_GROUP, VIEW_PLUGINS); } if (getConfig().isDocumentationAvailable()) { diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java index aad22eb0b7..7556173015 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java 
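Review bot: The `result.canPerform(VIEW_PLUGINS)` check in the second Gerrit.java hunk only decides whether the 'Plugins' menu is drawn, and it keeps working for administrators solely because GetCapabilities reports `viewPlugins` through `canViewPlugins()`, which ORs in 'Administrate Server'. That coupling is not visible from the client code, so a later change to what GetCapabilities reports could silently hide the menu from administrators. A comment above the `if` would help, for example `// viewPlugins is also reported for administrators; the server enforces access, this only hides the menu`. The enclosing callback starts and ends outside the hunk.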
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java @@ -134,6 +134,12 @@ public class CapabilityControl { || canAdministrateServer(); } + /** @return true if the user can view the installed plugins. */ + public boolean canViewPlugins() { + return canPerform(GlobalCapability.VIEW_PLUGINS) + || canAdministrateServer(); + } + /** @return true if the user can view the entire queue. */ public boolean canViewQueue() { return canPerform(GlobalCapability.VIEW_QUEUE) diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java index e02f5a2730..465ddab59a 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java @@ -27,6 +27,7 @@ import static com.google.gerrit.common.data.GlobalCapability.STREAM_EVENTS; import static com.google.gerrit.common.data.GlobalCapability.VIEW_ALL_ACCOUNTS; import static com.google.gerrit.common.data.GlobalCapability.VIEW_CACHES; import static com.google.gerrit.common.data.GlobalCapability.VIEW_CONNECTIONS; +import static com.google.gerrit.common.data.GlobalCapability.VIEW_PLUGINS; import static com.google.gerrit.common.data.GlobalCapability.VIEW_QUEUE; import com.google.common.collect.Iterables; @@ -117,6 +118,7 @@ class GetCapabilities implements RestReadView { have.put(VIEW_ALL_ACCOUNTS, cc.canViewAllAccounts()); have.put(VIEW_CACHES, cc.canViewCaches()); have.put(VIEW_CONNECTIONS, cc.canViewConnections()); + have.put(VIEW_PLUGINS, cc.canViewPlugins()); have.put(VIEW_QUEUE, cc.canViewQueue()); QueueProvider.QueueType queue = cc.getQueueType(); diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java index 26081ca42f..289173b0ae 100644 
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java @@ -38,5 +38,6 @@ public class CapabilityConstants extends TranslationBundle { public String viewAllAccounts; public String viewCaches; public String viewConnections; + public String viewPlugins; public String viewQueue; } diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java b/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java index a2348f3f95..c3f43382f3 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java @@ -40,7 +40,7 @@ import java.util.List; import java.util.Map; /** List the installed plugins. */ -@RequiresCapability(GlobalCapability.ADMINISTRATE_SERVER) +@RequiresCapability(GlobalCapability.VIEW_PLUGINS) public class ListPlugins implements RestReadView { private final PluginLoader pluginLoader; diff --git a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties index 8d1e983dd8..9eb7d9b420 100644 --- a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties +++ b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties @@ -14,4 +14,5 @@ streamEvents = Stream Events viewAllAccounts = View All Accounts viewCaches = View Caches viewConnections = View Connections +viewPlugins = View Plugins viewQueue = View Queue
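Review bot: The relaxed gate on `ListPlugins` comes with no test that pins who may call it; the only test-side change in this patch is the `viewPlugins` field in `CapabilityInfo`. An acceptance test should cover three callers: no capability (denied), 'View Plugins' only (allowed), and 'Administrate Server' only (still allowed, as rest-api-plugins.txt promises). The last case matters because the annotation now names only `VIEW_PLUGINS`, so the administrator fallback depends on how `@RequiresCapability` is enforced, which is not visible here. The same capability also appears to unlock the `all` option described in rest-api-plugins.txt, so holders would see disabled plugins too; if that is not intended, it needs its own check inside the view. The class body continues outside the hunk.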