From c49ae23c38dd2aa92afd34814b191fe75af14e8e Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Fri, 8 Jan 2016 11:09:09 -0800
Subject: [PATCH] Remove required access permission to list account emails
Remove the required capability permission to allow any user to listing another user's emails. There is no access restriction for the account[1] and account detail[2] endpoints so removing the access restriction for emails seems consistent.
[1] http://$host/accounts/$user
[2] http://$host/accounts/$user/detail
Bug: Issue 3754
Change-Id: Ie7a57ba9497932d5ab1ba49cae08f4ff9d0453c4
---
 .../gerrit/server/account/GetEmails.java | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEmails.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEmails.java
index bf9c9ecfe3..22ce4b29ac 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEmails.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEmails.java
@@ -15,12 +15,7 @@ package com.google.gerrit.server.account;
 import com.google.common.collect.Lists;
-import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.RestReadView;
-import com.google.gerrit.server.CurrentUser;
-import com.google.gwtorm.server.OrmException;
-import com.google.inject.Inject;
-import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import java.util.Collections;
@@ -29,21 +24,9 @@ import java.util.List;
 @Singleton
 public class GetEmails implements RestReadView {
- private final Provider self;
-
- @Inject
- public GetEmails(Provider self) {
- this.self = self;
- }
 @Override
- public List apply(AccountResource rsrc) throws AuthException,
- OrmException {
- if (self.get() != rsrc.getUser()
- && !self.get().getCapabilities().canModifyAccount()) {
- throw new AuthException("not allowed to list email addresses");
- }
-
+ public List apply(AccountResource rsrc) {
 List emails = Lists.newArrayList();
 for (String email : rsrc.getUser().getEmailAddresses()) {
 if (email != null) {
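Review bot: With the `self` / `canModifyAccount()` check gone, the new `apply(AccountResource rsrc)` returns every address from `rsrc.getUser().getEmailAddresses()` to whoever can resolve the account, and nothing in this hunk limits that to signed-in callers or to the preferred address. The consistency argument in the description holds only if `/accounts/$user` and `/accounts/$user/detail` already expose the same set of addresses; if they return just the preferred one, this change discloses secondary addresses more widely, so that should be confirmed, along with whether account visibility is enforced before `rsrc` reaches this view. Whichever way that goes, the method should state its contract, e.g. `// No permission check here by design: any caller that can resolve the account sees all of its registered emails.` The body of `apply` continues past the end of the hunk.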