opendev/gerrit
Code Issues Proposed changes

Access control for branch reads

Browse Source 
Enable ref level READ +1 access control, so permissions can be
fine-grained down to the branch level within the same project.

There are two parts to this change:

 - Filter the branches that the user can see in Upload and
   ReceiveCommits using the new RefFilter interface in JGit.
   This prevents a user from fetching something they are not
   allowed to read.

 - Ensure that any object created by the user only points to
   objects they can already reach.  This prevents the user
   from being able to discover objects they can't read by
   uploading a change that points at them.

Change-Id: I55a1811694e8f568e3404f625c5f0a8bf7000cac
This commit is contained in:
Nico Sallembien
2010-03-12 10:31:08 -08:00
committed by Shawn O. Pearce
parent ee1ad9b604
commit c4c51feff4
17 changed files with 451 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java
View File

@@ -327,6 +327,10 @@ class GitWebServlet extends HttpServlet {
try {
final Project.NameKey nameKey = new Project.NameKey(name);
project = projectControl.validateFor(nameKey);
if (!project.allRefsAreVisible()) {
// Pretend the project doesn't exist
throw new NoSuchProjectException(nameKey);
}
} catch (NoSuchProjectException e) {
rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
return;