From d1ed08d46a9ed7f2393aaaa83b39c17f73bf1b44 Mon Sep 17 00:00:00 2001
From: Han-Wen Nienhuys <hanwen@google.com>
Date: Mon, 4 Sep 2017 18:13:23 +0200
Subject: [PATCH] Move CheckAccess endpoint into /projects/

This ensures proper load balancing on multi-master setups with
repo-affine request routing. Since the original REST endpoint was
added by Icf74b0fc40 which is not part of any release yet, this
change will not break backwards compatibility.

Change-Id: Ie1be1173ff8ab2a4c79e568834c6a1d182d79883
---
 Documentation/rest-api-config.txt             | 66 -----------------
 Documentation/rest-api-projects.txt           | 66 ++++++++++++++++-
 .../project}/CheckAccessIT.java               | 73 +++++++++++--------
 .../api/config/AccessCheckInput.java          |  4 +-
 .../gerrit/extensions/api/config/Server.java  |  7 --
 .../extensions/api/projects/ProjectApi.java   | 19 +++--
 .../gerrit/server/api/config/ServerImpl.java  | 17 +----
 .../server/api/projects/ProjectApiImpl.java   | 21 +++++-
 .../google/gerrit/server/config/Module.java   |  1 -
 .../{config => project}/CheckAccess.java      | 38 +++-------
 .../google/gerrit/server/project/Module.java  |  1 +
 11 files changed, 156 insertions(+), 157 deletions(-)
 rename gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/{rest/account => api/project}/CheckAccessIT.java (63%)
 rename gerrit-server/src/main/java/com/google/gerrit/server/{config => project}/CheckAccess.java (73%)

diff --git a/Documentation/rest-api-config.txt b/Documentation/rest-api-config.txt
index 32d3f78204..6596eda5ba 100644
--- a/Documentation/rest-api-config.txt
+++ b/Documentation/rest-api-config.txt
@@ -193,45 +193,6 @@ is returned that contains detected consistency problems.
   }
 ----
 
-[[check-access]]
-=== Check Access
---
-'POST /config/server/check.access'
---
-
-Runs access checks for other users.
-
-Input for the access checks that should be run must be provided in
-the request body inside a
-link:#access-check-input[AccessCheckInput] entity.
-
-.Request
-----
-  POST /config/server/check HTTP/1.0
-  Content-Type: application/json; charset=UTF-8
-
-  {
-    "project": "medium",
-    "account": "Kristen.Burns@gerritcodereview.com",
-    "ref": "refs/heads/secret/bla"
-  }
-----
-
-The result is a link:#access-check-info[AccessCheckInfo] entity
-detailing the read access of the given user for the given project (or
-project-ref combination).
-
-.Response
-----
-  HTTP/1.1 200 OK
-  Content-Type: application/json; charset=UTF-8
-
-  )]}'
-  {
-    "message": "user Kristen Burns \u003cKristen.Burns@gerritcodereview.com\u003e (1000098) cannot see ref refs/heads/secret/master in project medium",
-    "status": 403
-  }
-----
 
 [[confirm-email]]
 === Confirm Email
@@ -1297,33 +1258,6 @@ The ID of the task (hex string).
 [[json-entities]]
 == JSON Entities
 
-[[access-check-info]]
-=== AccessCheckInfo
-The `AccessCheckInfo` entity is the result of a
-an access check.
-
-[options="header",cols="1,^1,5"]
-|=========================================
-|Field Name                  ||Description
-|`status`||The HTTP status code for the access.
-200 means success, 403 means denied and 404 means the project does not
-exist.
-|`message`|optional|A clarifying message if `status` is not 200.
-|=========================================
-
-[[access-check-input]]
-=== AccessCheckInput
-The `AccessCheckInput` entity is a tuple of (account, project)  or
-(account, project, ref) for which we want to check access.
-
-[options="header",cols="1,^1,5"]
-|=========================================
-|Field Name                  ||Description
-|`account`||The account for which to check access
-|`project`||The project for which to check access
-|`ref`|optional|The refname for which to check access
-|=========================================
-
 [[accounts-config-info]]
 === AccountsConfigInfo
 The `AccountsConfigInfo` entity contains information about Gerrit
diff --git a/Documentation/rest-api-projects.txt b/Documentation/rest-api-projects.txt
index f083d0732b..9d76d34e51 100644
--- a/Documentation/rest-api-projects.txt
+++ b/Documentation/rest-api-projects.txt
@@ -1112,7 +1112,6 @@ As result a link:#project-access-info[ProjectAccessInfo] entity is returned.
   }
 ----
 
-
 [[create-access-change]]
 === Create Access Rights Change for review.
 --
@@ -1178,6 +1177,46 @@ a link:#change-info[ChangeInfo] entity describing the resulting change.
   }
 ----
 
+[[check-access]]
+=== Check Access
+--
+'POST /projects/MyProject/check.access'
+--
+
+Runs access checks for other users. This requires the
+link:access-control.html#capability_administrateServer[Administrate Server]
+global capability.
+
+Input for the access checks that should be run must be provided in
+the request body inside a
+link:#access-check-input[AccessCheckInput] entity.
+
+.Request
+----
+  POST /projects/MyProject/check.access HTTP/1.0
+  Content-Type: application/json; charset=UTF-8
+
+  {
+    "account": "Kristen.Burns@gerritcodereview.com",
+    "ref": "refs/heads/secret/bla"
+  }
+----
+
+The result is a link:#access-check-info[AccessCheckInfo] entity
+detailing the read access of the given user for the given project (or
+project-ref combination).
+
+.Response
+----
+  HTTP/1.1 200 OK
+  Content-Type: application/json; charset=UTF-8
+
+  )]}'
+  {
+    "message": "user Kristen Burns \u003cKristen.Burns@gerritcodereview.com\u003e (1000098) cannot see ref refs/heads/secret/bla in project MyProject",
+    "status": 403
+  }
+----
 
 [[index]]
 === Index all changes in a project
@@ -2564,6 +2603,31 @@ If the name ends with `.git`, the suffix will be automatically removed.
 [[json-entities]]
 == JSON Entities
 
+[[access-check-info]]
+=== AccessCheckInfo
+
+The `AccessCheckInfo` entity is the result of an access check.
+
+[options="header",cols="1,^1,5"]
+|=========================================
+|Field Name                  ||Description
+|`status`                    ||The HTTP status code for the access.
+200 means success, 403 means denied and 404 means the project does not exist.
+|`message`                   |optional|A clarifying message if `status` is not 200.
+|=========================================
+
+[[access-check-input]]
+=== AccessCheckInput
+The `AccessCheckInput` entity is either an account or
+(account, ref) tuple for which we want to check access.
+
+[options="header",cols="1,^1,5"]
+|=========================================
+|Field Name                  ||Description
+|`account`                   ||The account for which to check access
+|`ref`                       |optional|The refname for which to check access
+|=========================================
+
 [[ban-input]]
 === BanInput
 The `BanInput` entity contains information for banning commits in a
diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CheckAccessIT.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/CheckAccessIT.java
similarity index 63%
rename from gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CheckAccessIT.java
rename to gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/CheckAccessIT.java
index 53c89c5c95..b471efcdaa 100644
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CheckAccessIT.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/project/CheckAccessIT.java
@@ -12,24 +12,24 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package com.google.gerrit.acceptance.rest.account;
+package com.google.gerrit.acceptance.api.project;
 
 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.fail;
 
 import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableMap;
 import com.google.gerrit.acceptance.AbstractDaemonTest;
 import com.google.gerrit.acceptance.TestAccount;
 import com.google.gerrit.common.data.Permission;
 import com.google.gerrit.extensions.api.config.AccessCheckInfo;
 import com.google.gerrit.extensions.api.config.AccessCheckInput;
+import com.google.gerrit.extensions.restapi.BadRequestException;
 import com.google.gerrit.extensions.restapi.RestApiException;
+import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
 import com.google.gerrit.reviewdb.client.AccountGroup;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.server.group.SystemGroupBackend;
 import java.util.List;
-import java.util.Map;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -79,46 +79,59 @@ public class CheckAccessIT extends AbstractDaemonTest {
   }
 
   @Test
-  public void invalidInputs() {
-    List<AccessCheckInput> inputs =
-        ImmutableList.of(
-            new AccessCheckInput(),
-            new AccessCheckInput(user.email, null, null),
-            new AccessCheckInput(null, normalProject.toString(), null),
-            new AccessCheckInput("doesnotexist@invalid.com", normalProject.toString(), null));
-    for (AccessCheckInput input : inputs) {
-      try {
-        gApi.config().server().checkAccess(input);
-        fail(String.format("want RestApiException for %s", newGson().toJson(input)));
-      } catch (RestApiException e) {
+  public void emptyInput() throws Exception {
+    exception.expect(BadRequestException.class);
+    exception.expectMessage("input requires 'account'");
+    gApi.projects().name(normalProject.get()).checkAccess(new AccessCheckInput());
+  }
 
-      }
+  @Test
+  public void nonexistentEmail() throws Exception {
+    exception.expect(UnprocessableEntityException.class);
+    exception.expectMessage("cannot find account doesnotexist@invalid.com");
+    gApi.projects()
+        .name(normalProject.get())
+        .checkAccess(new AccessCheckInput("doesnotexist@invalid.com", null));
+  }
+
+  private static class TestCase {
+    AccessCheckInput input;
+    String project;
+    int want;
+
+    TestCase(String mail, String project, String ref, int want) {
+      this.input = new AccessCheckInput(mail, ref);
+      this.project = project;
+      this.want = want;
     }
   }
 
   @Test
-  public void accessible() {
-    Map<AccessCheckInput, Integer> inputs =
-        ImmutableMap.of(
-            new AccessCheckInput(user.email, normalProject.get(), null), 200,
-            new AccessCheckInput(user.email, secretProject.get(), null), 403,
-            new AccessCheckInput(user.email, "nonexistent", null), 404,
-            new AccessCheckInput(privilegedUser.email, normalProject.get(), null), 200,
-            new AccessCheckInput(privilegedUser.email, secretProject.get(), null), 200);
+  public void accessible() throws Exception {
+    List<TestCase> inputs =
+        ImmutableList.of(
+            new TestCase(user.email, normalProject.get(), null, 200),
+            new TestCase(user.email, secretProject.get(), null, 403),
+            new TestCase(user.email, secretRefProject.get(), "refs/heads/secret/master", 403),
+            new TestCase(
+                privilegedUser.email, secretRefProject.get(), "refs/heads/secret/master", 200),
+            new TestCase(privilegedUser.email, normalProject.get(), null, 200),
+            new TestCase(privilegedUser.email, secretProject.get(), null, 200));
 
-    for (Map.Entry<AccessCheckInput, Integer> entry : inputs.entrySet()) {
-      String in = newGson().toJson(entry.getKey());
+    for (TestCase tc : inputs) {
+      String in = newGson().toJson(tc.input);
       AccessCheckInfo info = null;
 
       try {
-        info = gApi.config().server().checkAccess(entry.getKey());
+        info = gApi.projects().name(tc.project).checkAccess(tc.input);
       } catch (RestApiException e) {
-        fail(String.format("check.check(%s): exception %s", in, e));
+        fail(String.format("check.access(%s, %s): exception %s", tc.project, in, e));
       }
 
-      int want = entry.getValue();
+      int want = tc.want;
       if (want != info.status) {
-        fail(String.format("check.access(%s) = %d, want %d", in, info.status, want));
+        fail(
+            String.format("check.access(%s, %s) = %d, want %d", tc.project, in, info.status, want));
       }
 
       switch (want) {
diff --git a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/AccessCheckInput.java b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/AccessCheckInput.java
index 80a537c15b..7b7c19d14b 100644
--- a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/AccessCheckInput.java
+++ b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/AccessCheckInput.java
@@ -18,13 +18,11 @@ import com.google.gerrit.common.Nullable;
 
 public class AccessCheckInput {
   public String account;
-  public String project;
 
   @Nullable public String ref;
 
-  public AccessCheckInput(String account, String project, @Nullable String ref) {
+  public AccessCheckInput(String account, @Nullable String ref) {
     this.account = account;
-    this.project = project;
     this.ref = ref;
   }
 
diff --git a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/Server.java b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/Server.java
index de59ceef6c..ba8169835a 100644
--- a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/Server.java
+++ b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/config/Server.java
@@ -36,8 +36,6 @@ public interface Server {
 
   ConsistencyCheckInfo checkConsistency(ConsistencyCheckInput in) throws RestApiException;
 
-  AccessCheckInfo checkAccess(AccessCheckInput in) throws RestApiException;
-
   /**
    * A default implementation which allows source compatibility when adding new methods to the
    * interface.
@@ -79,10 +77,5 @@ public interface Server {
     public ConsistencyCheckInfo checkConsistency(ConsistencyCheckInput in) throws RestApiException {
       throw new NotImplementedException();
     }
-
-    @Override
-    public AccessCheckInfo checkAccess(AccessCheckInput in) throws RestApiException {
-      throw new NotImplementedException();
-    }
   }
 }
diff --git a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/projects/ProjectApi.java b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/projects/ProjectApi.java
index 8687ba3e65..a61b68a2e1 100644
--- a/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/projects/ProjectApi.java
+++ b/gerrit-extension-api/src/main/java/com/google/gerrit/extensions/api/projects/ProjectApi.java
@@ -16,6 +16,8 @@ package com.google.gerrit.extensions.api.projects;
 
 import com.google.gerrit.extensions.api.access.ProjectAccessInfo;
 import com.google.gerrit.extensions.api.access.ProjectAccessInput;
+import com.google.gerrit.extensions.api.config.AccessCheckInfo;
+import com.google.gerrit.extensions.api.config.AccessCheckInput;
 import com.google.gerrit.extensions.common.ChangeInfo;
 import com.google.gerrit.extensions.common.ProjectInfo;
 import com.google.gerrit.extensions.restapi.NotImplementedException;
@@ -39,6 +41,8 @@ public interface ProjectApi {
 
   ChangeInfo accessChange(ProjectAccessInput p) throws RestApiException;
 
+  AccessCheckInfo checkAccess(AccessCheckInput in) throws RestApiException;
+
   ConfigInfo config() throws RestApiException;
 
   ConfigInfo config(ConfigInput in) throws RestApiException;
@@ -180,11 +184,21 @@ public interface ProjectApi {
       throw new NotImplementedException();
     }
 
+    @Override
+    public ProjectAccessInfo access(ProjectAccessInput p) throws RestApiException {
+      throw new NotImplementedException();
+    }
+
     @Override
     public ChangeInfo accessChange(ProjectAccessInput input) throws RestApiException {
       throw new NotImplementedException();
     }
 
+    @Override
+    public AccessCheckInfo checkAccess(AccessCheckInput in) throws RestApiException {
+      throw new NotImplementedException();
+    }
+
     @Override
     public ConfigInfo config() throws RestApiException {
       throw new NotImplementedException();
@@ -195,11 +209,6 @@ public interface ProjectApi {
       throw new NotImplementedException();
     }
 
-    @Override
-    public ProjectAccessInfo access(ProjectAccessInput p) throws RestApiException {
-      throw new NotImplementedException();
-    }
-
     @Override
     public void description(DescriptionInput in) throws RestApiException {
       throw new NotImplementedException();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/api/config/ServerImpl.java b/gerrit-server/src/main/java/com/google/gerrit/server/api/config/ServerImpl.java
index 87118c7015..2148d9752a 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/api/config/ServerImpl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/api/config/ServerImpl.java
@@ -17,8 +17,6 @@ package com.google.gerrit.server.api.config;
 import static com.google.gerrit.server.api.ApiUtil.asRestApiException;
 
 import com.google.gerrit.common.Version;
-import com.google.gerrit.extensions.api.config.AccessCheckInfo;
-import com.google.gerrit.extensions.api.config.AccessCheckInput;
 import com.google.gerrit.extensions.api.config.ConsistencyCheckInfo;
 import com.google.gerrit.extensions.api.config.ConsistencyCheckInput;
 import com.google.gerrit.extensions.api.config.Server;
@@ -26,7 +24,6 @@ import com.google.gerrit.extensions.client.DiffPreferencesInfo;
 import com.google.gerrit.extensions.client.GeneralPreferencesInfo;
 import com.google.gerrit.extensions.common.ServerInfo;
 import com.google.gerrit.extensions.restapi.RestApiException;
-import com.google.gerrit.server.config.CheckAccess;
 import com.google.gerrit.server.config.CheckConsistency;
 import com.google.gerrit.server.config.ConfigResource;
 import com.google.gerrit.server.config.GetDiffPreferences;
@@ -46,7 +43,6 @@ public class ServerImpl implements Server {
   private final SetDiffPreferences setDiffPreferences;
   private final GetServerInfo getServerInfo;
   private final Provider<CheckConsistency> checkConsistency;
-  private final Provider<CheckAccess> checkAccess;
 
   @Inject
   ServerImpl(
@@ -55,15 +51,13 @@ public class ServerImpl implements Server {
       GetDiffPreferences getDiffPreferences,
       SetDiffPreferences setDiffPreferences,
       GetServerInfo getServerInfo,
-      Provider<CheckConsistency> checkConsistency,
-      Provider<CheckAccess> checkAccess) {
+      Provider<CheckConsistency> checkConsistency) {
     this.getPreferences = getPreferences;
     this.setPreferences = setPreferences;
     this.getDiffPreferences = getDiffPreferences;
     this.setDiffPreferences = setDiffPreferences;
     this.getServerInfo = getServerInfo;
     this.checkConsistency = checkConsistency;
-    this.checkAccess = checkAccess;
   }
 
   @Override
@@ -126,13 +120,4 @@ public class ServerImpl implements Server {
       throw asRestApiException("Cannot check consistency", e);
     }
   }
-
-  @Override
-  public AccessCheckInfo checkAccess(AccessCheckInput in) throws RestApiException {
-    try {
-      return checkAccess.get().apply(new ConfigResource(), in);
-    } catch (Exception e) {
-      throw asRestApiException("Cannot check access", e);
-    }
-  }
 }
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/api/projects/ProjectApiImpl.java b/gerrit-server/src/main/java/com/google/gerrit/server/api/projects/ProjectApiImpl.java
index 60dc474bd5..5012280d76 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/api/projects/ProjectApiImpl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/api/projects/ProjectApiImpl.java
@@ -19,6 +19,8 @@ import static com.google.gerrit.server.project.DashboardsCollection.DEFAULT_DASH
 
 import com.google.gerrit.extensions.api.access.ProjectAccessInfo;
 import com.google.gerrit.extensions.api.access.ProjectAccessInput;
+import com.google.gerrit.extensions.api.config.AccessCheckInfo;
+import com.google.gerrit.extensions.api.config.AccessCheckInput;
 import com.google.gerrit.extensions.api.projects.BranchApi;
 import com.google.gerrit.extensions.api.projects.BranchInfo;
 import com.google.gerrit.extensions.api.projects.ChildProjectApi;
@@ -44,6 +46,7 @@ import com.google.gerrit.extensions.restapi.TopLevelResource;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
+import com.google.gerrit.server.project.CheckAccess;
 import com.google.gerrit.server.project.ChildProjectsCollection;
 import com.google.gerrit.server.project.CommitsCollection;
 import com.google.gerrit.server.project.CreateAccessChange;
@@ -100,6 +103,7 @@ public class ProjectApiImpl implements ProjectApi {
   private final CommitsCollection commitsCollection;
   private final CommitApiImpl.Factory commitApi;
   private final DashboardApiImpl.Factory dashboardApi;
+  private final CheckAccess checkAccess;
 
   @AssistedInject
   ProjectApiImpl(
@@ -127,6 +131,7 @@ public class ProjectApiImpl implements ProjectApi {
       CommitsCollection commitsCollection,
       CommitApiImpl.Factory commitApi,
       DashboardApiImpl.Factory dashboardApi,
+      CheckAccess checkAccess,
       @Assisted ProjectResource project) {
     this(
         user,
@@ -154,6 +159,7 @@ public class ProjectApiImpl implements ProjectApi {
         commitsCollection,
         commitApi,
         dashboardApi,
+        checkAccess,
         null);
   }
 
@@ -183,6 +189,7 @@ public class ProjectApiImpl implements ProjectApi {
       CommitsCollection commitsCollection,
       CommitApiImpl.Factory commitApi,
       DashboardApiImpl.Factory dashboardApi,
+      CheckAccess checkAccess,
       @Assisted String name) {
     this(
         user,
@@ -210,6 +217,7 @@ public class ProjectApiImpl implements ProjectApi {
         commitsCollection,
         commitApi,
         dashboardApi,
+        checkAccess,
         name);
   }
 
@@ -239,6 +247,7 @@ public class ProjectApiImpl implements ProjectApi {
       CommitsCollection commitsCollection,
       CommitApiImpl.Factory commitApi,
       DashboardApiImpl.Factory dashboardApi,
+      CheckAccess checkAccess,
       String name) {
     this.user = user;
     this.permissionBackend = permissionBackend;
@@ -251,7 +260,6 @@ public class ProjectApiImpl implements ProjectApi {
     this.children = children;
     this.projectJson = projectJson;
     this.project = project;
-    this.name = name;
     this.branchApi = branchApiFactory;
     this.tagApi = tagApiFactory;
     this.getAccess = getAccess;
@@ -266,6 +274,8 @@ public class ProjectApiImpl implements ProjectApi {
     this.commitApi = commitApi;
     this.createAccessChange = createAccessChange;
     this.dashboardApi = dashboardApi;
+    this.checkAccess = checkAccess;
+    this.name = name;
   }
 
   @Override
@@ -313,6 +323,15 @@ public class ProjectApiImpl implements ProjectApi {
     }
   }
 
+  @Override
+  public AccessCheckInfo checkAccess(AccessCheckInput in) throws RestApiException {
+    try {
+      return checkAccess.apply(checkExists(), in);
+    } catch (Exception e) {
+      throw asRestApiException("Cannot check access rights", e);
+    }
+  }
+
   @Override
   public ProjectAccessInfo access(ProjectAccessInput p) throws RestApiException {
     try {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/Module.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/Module.java
index 4f93a1a0d4..7bf5ad5ce0 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/Module.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/Module.java
@@ -37,7 +37,6 @@ public class Module extends RestApiModule {
     get(CONFIG_KIND, "version").to(GetVersion.class);
     get(CONFIG_KIND, "info").to(GetServerInfo.class);
     post(CONFIG_KIND, "check.consistency").to(CheckConsistency.class);
-    post(CONFIG_KIND, "check.access").to(CheckAccess.class);
     get(CONFIG_KIND, "preferences").to(GetPreferences.class);
     put(CONFIG_KIND, "preferences").to(SetPreferences.class);
     get(CONFIG_KIND, "preferences.diff").to(GetDiffPreferences.class);
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/CheckAccess.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/CheckAccess.java
similarity index 73%
rename from gerrit-server/src/main/java/com/google/gerrit/server/config/CheckAccess.java
rename to gerrit-server/src/main/java/com/google/gerrit/server/project/CheckAccess.java
index c89684c060..281e37e79b 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/CheckAccess.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/CheckAccess.java
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package com.google.gerrit.server.config;
+package com.google.gerrit.server.project;
 
 import com.google.common.base.Strings;
 import com.google.gerrit.extensions.api.config.AccessCheckInfo;
@@ -21,9 +21,9 @@ import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.BadRequestException;
 import com.google.gerrit.extensions.restapi.RestApiException;
 import com.google.gerrit.extensions.restapi.RestModifyView;
+import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.reviewdb.client.Branch;
-import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.AccountResolver;
@@ -32,7 +32,6 @@ import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.permissions.ProjectPermission;
 import com.google.gerrit.server.permissions.RefPermission;
-import com.google.gerrit.server.project.ProjectCache;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -42,35 +41,29 @@ import javax.servlet.http.HttpServletResponse;
 import org.eclipse.jgit.errors.ConfigInvalidException;
 
 @Singleton
-public class CheckAccess implements RestModifyView<ConfigResource, AccessCheckInput> {
-  private final Provider<IdentifiedUser> currentUser;
+public class CheckAccess implements RestModifyView<ProjectResource, AccessCheckInput> {
   private final AccountResolver accountResolver;
   private final Provider<ReviewDb> db;
   private final IdentifiedUser.GenericFactory userFactory;
-  private final ProjectCache projectCache;
   private final PermissionBackend permissionBackend;
 
   @Inject
   CheckAccess(
-      Provider<IdentifiedUser> currentUser,
       AccountResolver resolver,
       Provider<ReviewDb> db,
       IdentifiedUser.GenericFactory userFactory,
-      ProjectCache projectCache,
       PermissionBackend permissionBackend) {
-    this.currentUser = currentUser;
     this.accountResolver = resolver;
     this.db = db;
     this.userFactory = userFactory;
-    this.projectCache = projectCache;
     this.permissionBackend = permissionBackend;
   }
 
   @Override
-  public AccessCheckInfo apply(ConfigResource unused, AccessCheckInput input)
+  public AccessCheckInfo apply(ProjectResource rsrc, AccessCheckInput input)
       throws OrmException, PermissionBackendException, RestApiException, IOException,
           ConfigInvalidException {
-    permissionBackend.user(currentUser.get()).check(GlobalPermission.ADMINISTRATE_SERVER);
+    permissionBackend.user(rsrc.getUser()).check(GlobalPermission.ADMINISTRATE_SERVER);
 
     if (input == null) {
       throw new BadRequestException("input is required");
@@ -78,32 +71,23 @@ public class CheckAccess implements RestModifyView<ConfigResource, AccessCheckIn
     if (Strings.isNullOrEmpty(input.account)) {
       throw new BadRequestException("input requires 'account'");
     }
-    if (Strings.isNullOrEmpty(input.project)) {
-      throw new BadRequestException("input requires 'project'");
-    }
 
     Account match = accountResolver.find(db.get(), input.account);
     if (match == null) {
-      throw new BadRequestException(String.format("cannot find account %s", input.account));
+      throw new UnprocessableEntityException(
+          String.format("cannot find account %s", input.account));
     }
 
     AccessCheckInfo info = new AccessCheckInfo();
 
-    Project.NameKey key = new Project.NameKey(input.project);
-    if (projectCache.get(key) == null) {
-      info.message = String.format("project %s does not exist", key);
-      info.status = HttpServletResponse.SC_NOT_FOUND;
-      return info;
-    }
-
     IdentifiedUser user = userFactory.create(match.getId());
     try {
-      permissionBackend.user(user).project(key).check(ProjectPermission.ACCESS);
+      permissionBackend.user(user).project(rsrc.getNameKey()).check(ProjectPermission.ACCESS);
     } catch (AuthException | PermissionBackendException e) {
       info.message =
           String.format(
               "user %s (%s) cannot see project %s",
-              user.getNameEmail(), user.getAccount().getId(), key);
+              user.getNameEmail(), user.getAccount().getId(), rsrc.getName());
       info.status = HttpServletResponse.SC_FORBIDDEN;
       return info;
     }
@@ -112,14 +96,14 @@ public class CheckAccess implements RestModifyView<ConfigResource, AccessCheckIn
       try {
         permissionBackend
             .user(user)
-            .ref(new Branch.NameKey(key, input.ref))
+            .ref(new Branch.NameKey(rsrc.getNameKey(), input.ref))
             .check(RefPermission.READ);
       } catch (AuthException | PermissionBackendException e) {
         info.status = HttpServletResponse.SC_FORBIDDEN;
         info.message =
             String.format(
                 "user %s (%s) cannot see ref %s in project %s",
-                user.getNameEmail(), user.getAccount().getId(), input.ref, key);
+                user.getNameEmail(), user.getAccount().getId(), input.ref, rsrc.getName());
         return info;
       }
     }
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/project/Module.java b/gerrit-server/src/main/java/com/google/gerrit/server/project/Module.java
index 1f33bc3357..d0753eb297 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/project/Module.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/project/Module.java
@@ -49,6 +49,7 @@ public class Module extends RestApiModule {
     get(PROJECT_KIND, "access").to(GetAccess.class);
     post(PROJECT_KIND, "access").to(SetAccess.class);
     put(PROJECT_KIND, "access:review").to(CreateAccessChange.class);
+    post(PROJECT_KIND, "check.access").to(CheckAccess.class);
 
     get(PROJECT_KIND, "parent").to(GetParent.class);
     put(PROJECT_KIND, "parent").to(SetParent.class);