diff --git a/java/com/google/gerrit/server/git/validators/RefOperationValidators.java b/java/com/google/gerrit/server/git/validators/RefOperationValidators.java
index e5a056e93b..6b43d55117 100644
--- a/java/com/google/gerrit/server/git/validators/RefOperationValidators.java
+++ b/java/com/google/gerrit/server/git/validators/RefOperationValidators.java
@@ -149,7 +149,8 @@ public class RefOperationValidators {
 }
 }
- if (refEvent.command.getRefName().startsWith(RefNames.REFS_GROUPS)) {
+ if (refEvent.command.getRefName().startsWith(RefNames.REFS_GROUPS)
+ || refEvent.command.getRefName().equals(RefNames.REFS_GROUPNAMES)) {
 if (refEvent.command.getType().equals(ReceiveCommand.Type.CREATE)) {
 throw new ValidationException("Not allowed to create group branch.");
 } else if (refEvent.command.getType().equals(ReceiveCommand.Type.DELETE)) {
diff --git a/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java b/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java
index a000d9e380..49a82e710d 100644
--- a/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java
+++ b/javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java
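Review bot: In the RefOperationValidators.java hunk, the widened condition has no comment saying why `RefNames.REFS_GROUPNAMES` is treated like a group branch, and the exceptions thrown for it still say "group branch". A comment above the `if`, such as `// The group-names ref is maintained by Gerrit; users must not create or delete it.`, would record the intent. Hoisting `String refName = refEvent.command.getRefName();` would avoid repeating the call in both operands. The visible branches reject only CREATE and DELETE, and the chain continues outside the hunk, so whether a plain update of this ref is rejected elsewhere cannot be confirmed from here.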
@@ -985,10 +985,36 @@ public class GroupsIT extends AbstractDaemonTest {
 @Test
 @Sandboxed
 public void cannotCreateGroupBranch() throws Exception {
- grant(allUsers, RefNames.REFS_GROUPS + "*", Permission.CREATE);
- grant(allUsers, RefNames.REFS_GROUPS + "*", Permission.PUSH);
+ testCannotCreateGroupBranch(
+ RefNames.REFS_GROUPS + "*", RefNames.refsGroups(new AccountGroup.UUID(name("foo"))));
+ }
+
+ @Test
+ @Sandboxed
+ public void cannotCreateGroupNamesBranch() throws Exception {
+ assume().that(groupsInNoteDb()).isTrue();
+
+ // Manually delete group names ref
+ try (Repository repo = repoManager.openRepository(allUsers);
+ RevWalk rw = new RevWalk(repo)) {
+ RevCommit commit = rw.parseCommit(repo.exactRef(RefNames.REFS_GROUPNAMES).getObjectId());
+ RefUpdate updateRef = repo.updateRef(RefNames.REFS_GROUPNAMES);
+ updateRef.setExpectedOldObjectId(commit.toObjectId());
+ updateRef.setNewObjectId(ObjectId.zeroId());
+ updateRef.setForceUpdate(true);
+ assertThat(updateRef.delete()).isEqualTo(RefUpdate.Result.FORCED);
+ }
+
+ // refs/meta/group-names is only visible with ACCESS_DATABASE
+ allowGlobalCapabilities(REGISTERED_USERS, GlobalCapability.ACCESS_DATABASE);
+
+ testCannotCreateGroupBranch(RefNames.REFS_GROUPNAMES, RefNames.REFS_GROUPNAMES);
+ }
+
+ private void testCannotCreateGroupBranch(String refPattern, String groupRef) throws Exception {
+ grant(allUsers, refPattern, Permission.CREATE);
+ grant(allUsers, refPattern, Permission.PUSH);
- String groupRef = RefNames.refsGroups(new AccountGroup.UUID(name("foo")));
 TestRepository allUsersRepo = cloneProject(allUsers);
 PushOneCommit.Result r = pushFactory.create(db, admin.getIdent(), allUsersRepo).to(groupRef);
 r.assertErrorStatus();
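Review bot: In `cannotCreateGroupNamesBranch`, the result of `repo.exactRef(RefNames.REFS_GROUPNAMES)` is dereferenced without a null check, so a missing ref fails the test with a NullPointerException rather than a readable assertion. Suggest `Ref ref = repo.exactRef(RefNames.REFS_GROUPNAMES); assertThat(ref).isNotNull();` followed by `updateRef.setExpectedOldObjectId(ref.getObjectId());`. That also makes the `RevWalk` and `parseCommit` round trip unnecessary, since only the object id is used. The body of `testCannotCreateGroupBranch` continues outside the hunk.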
@@ -1003,9 +1029,23 @@ public class GroupsIT extends AbstractDaemonTest {
 @Sandboxed
 public void cannotDeleteGroupBranch() throws Exception {
 assume().that(groupsInNoteDb()).isTrue();
+ testCannotDeleteGroupBranch(RefNames.REFS_GROUPS + "*", RefNames.refsGroups(adminGroupUuid()));
+ }
+
+ @Test
+ @Sandboxed
+ public void cannotDeleteGroupNamesBranch() throws Exception {
+ assume().that(groupsInNoteDb()).isTrue();
+
+ // refs/meta/group-names is only visible with ACCESS_DATABASE
+ allowGlobalCapabilities(REGISTERED_USERS, GlobalCapability.ACCESS_DATABASE);
+
+ testCannotDeleteGroupBranch(RefNames.REFS_GROUPNAMES, RefNames.REFS_GROUPNAMES);
+ }
+
+ private void testCannotDeleteGroupBranch(String refPattern, String groupRef) throws Exception {
+ grant(allUsers, refPattern, Permission.DELETE, true, REGISTERED_USERS);
- grant(allUsers, RefNames.REFS_GROUPS + "*", Permission.DELETE, true, REGISTERED_USERS);
- String groupRef = RefNames.refsGroups(adminGroupUuid());
 TestRepository allUsersRepo = cloneProject(allUsers);
 PushResult r = deleteRef(allUsersRepo, groupRef);
 RemoteRefUpdate refUpdate = r.getRemoteUpdate(groupRef);
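Review bot: The new helper `testCannotDeleteGroupBranch` has no comment stating what it proves, and the bare `true` passed to `grant(...)` (presumably the force flag) is opaque at the call site. A short Javadoc would make the intent clear: the helper grants DELETE on `refPattern` to registered users and still expects the deletion of `groupRef` to be refused, so the rejection has to come from the ref-operation validator rather than from missing permissions. The same applies to `testCannotCreateGroupBranch` in the previous hunk. The helper's assertions lie outside this hunk, so the expected status and message cannot be checked from here.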