Fix: permission on user specific reference name cannot work
In ExpandParameters.match() the parameter 'ref' may also contain "${username}", e.g. in ProjectControl.canPerformOnAnyRef() the call on controlForRef() puts in a access section name, in this case 'ref' also need evaluation before doing next match, else it will not be matched and that section is skipped in preparing RefControl.relevant, as a result when a user has PUSH power *only* on that section, Gerrit will reject any upload request from this user. Fixed. evaluate any per-user ref in ExpandParameters.match(). Change-Id: I42c8e15d147eb4ad031b929cf51ccfc1e17a16e3
This commit is contained in:
parent
0b58982a17
commit
c56f72b09f
|
@ -110,13 +110,24 @@ public abstract class RefPatternMatcher {
|
|||
u = username;
|
||||
}
|
||||
|
||||
RefPatternMatcher next =
|
||||
getMatcher(template.replace(Collections.singletonMap("username", u)));
|
||||
return next != null && next.match(ref, username);
|
||||
RefPatternMatcher next = getMatcher(expand(template, u));
|
||||
return next != null ? next.match(expand(ref, u), username) : false;
|
||||
}
|
||||
|
||||
boolean matchPrefix(String ref) {
|
||||
return ref.startsWith(prefix);
|
||||
}
|
||||
|
||||
private String expand(String parameterizedRef, String userName) {
|
||||
if (parameterizedRef.contains("${")) {
|
||||
return expand(new ParameterizedString(parameterizedRef), userName);
|
||||
}
|
||||
return parameterizedRef;
|
||||
}
|
||||
|
||||
private String expand(ParameterizedString parameterizedRef, String userName) {
|
||||
return parameterizedRef.replace(Collections.singletonMap("username",
|
||||
userName));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -255,6 +255,13 @@ public class RefControlTest {
|
|||
u.controlForRef("refs/heads/master").canUpload());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUsernamePatternCanUploadToAnyRef() {
|
||||
grant(local, PUSH, REGISTERED_USERS, "refs/heads/users/${username}/*");
|
||||
ProjectControl u = util.user(local, "a-registered-user");
|
||||
assertTrue("can upload", u.canPushToAtLeastOneRef() == Capable.OK);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUsernamePatternNonRegex() {
|
||||
grant(local, READ, DEVS, "refs/sb/${username}/heads/*");
|
||||
|
|
Loading…
Reference in New Issue