opendev/gerrit
Code Issues Proposed changes

Disable capability endpoints when not using default backend

Browse Source 
The capability names exposed by these endpoints are implementation
details of the DefaultPermissionBackend. A different implementation may
choose to hide the GlobalPermission enum names from the user entirely,
so it doesn't make sense to expose them.

Change-Id: I69ea38064ccbf1c04a976e7bcb4629ab5d66aeef
This commit is contained in:
Dave Borowitz
2018-04-11 10:27:36 +02:00
parent 0a5f646bd8
commit cc4d1ac051
6 changed files with 79 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/com/google/gerrit/server/restapi/account/Capabilities.java
View File

@@ -60,6 +60,7 @@ class Capabilities implements ChildCollection<AccountResource, AccountResource.C
@Override
public Capability parse(AccountResource parent, IdString id)
throws ResourceNotFoundException, AuthException, PermissionBackendException {
permissionBackend.checkUsesDefaultCapabilities();
IdentifiedUser target = parent.getUser();
if (self.get() != target) {
permissionBackend.currentUser().check(GlobalPermission.ADMINISTRATE_SERVER);

16
java/com/google/gerrit/server/restapi/account/GetCapabilities.java
View File

@@ -23,8 +23,9 @@ import com.google.gerrit.extensions.api.access.GlobalOrPluginPermission;
import com.google.gerrit.extensions.api.access.PluginPermission;
import com.google.gerrit.extensions.config.CapabilityDefinition;
import com.google.gerrit.extensions.registration.DynamicMap;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BinaryResult;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestReadView;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.OptionUtil;
@@ -75,7 +76,8 @@ class GetCapabilities implements RestReadView<AccountResource> {
}
@Override
public Object apply(AccountResource rsrc) throws AuthException, PermissionBackendException {
public Object apply(AccountResource rsrc) throws RestApiException, PermissionBackendException {
permissionBackend.checkUsesDefaultCapabilities();
PermissionBackend.WithUser perm = permissionBackend.currentUser();
if (self.get() != rsrc.getUser()) {
perm.check(GlobalPermission.ADMINISTRATE_SERVER);
@@ -158,8 +160,16 @@ class GetCapabilities implements RestReadView<AccountResource> {
@Singleton
static class CheckOne implements RestReadView<AccountResource.Capability> {
private final PermissionBackend permissionBackend;
@Inject
CheckOne(PermissionBackend permissionBackend) {
this.permissionBackend = permissionBackend;
}
@Override
public BinaryResult apply(Capability resource) {
public BinaryResult apply(Capability resource) throws ResourceNotFoundException {
permissionBackend.checkUsesDefaultCapabilities();
return BinaryResult.create("ok\n");
}
}