opendev/gerrit
Code Issues Proposed changes

Use WRITE_CONFIG in ProjectsCollection

Browse Source 
We want admins and project owners to be able to see hidden projects.
This is necessary because they need to be able to set the project state
back to ACTIVE or READ_ONLY to make it available again.

This commit also adds a test to verify that a host admin can see and
mutate a HIDDEN project.

Change-Id: Iaacb59f92111658a936a6af3bd0d8b09a4f4398a
This commit is contained in:
Patrick Hiesel
2018-09-24 10:26:24 +02:00
parent f431cca776
commit ca4b395488
2 changed files with 29 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
java/com/google/gerrit/server/restapi/project/ProjectsCollection.java
View File

@@ -145,23 +145,16 @@ public class ProjectsCollection
if (checkAccess) {
// Hidden projects(permitsRead = false) should only be accessible by the project owners.
// READ_CONFIG is checked here because it's only allowed to project owners(ACCESS may also
// WRITE_CONFIG is checked here because it's only allowed to project owners (ACCESS may also
// be allowed for other users). Allowing project owners to access here will help them to view
// and update the config of hidden projects easily.
ProjectPermission permissionToCheck =
state.statePermitsRead() ? ProjectPermission.ACCESS : ProjectPermission.READ_CONFIG;
try {
permissionBackend.currentUser().project(nameKey).check(permissionToCheck);
} catch (AuthException e) {
return null; // Pretend like not found on access denied.
}
if (!state.statePermitsRead()) {
// If the project's state does not permit reading, we want to hide it from all callers. The
// only exception to that are users who are allowed to mutate the project's configuration.
// This enables these users to still mutate the project's state (e.g. set a HIDDEN project
// to ACTIVE). Individual views should still check for checkStatePermitsRead() and this
// should just serve as a safety net in case the individual check is forgotten.
if (state.statePermitsRead()) {
try {
permissionBackend.currentUser().project(nameKey).check(ProjectPermission.ACCESS);
} catch (AuthException e) {
return null;
}
} else {
try {
permissionBackend.currentUser().project(nameKey).check(ProjectPermission.WRITE_CONFIG);
} catch (AuthException e) {