Merge changes from topic 'permission-backend'
* changes: Convert modifyAccount to PermissionBackend Convert maintainServer to PermissionBackend Convert viewQueue to PermissionBackend
This commit is contained in:
David Pursehouse
@@ -87,26 +87,11 @@ public class CapabilityControl {
|
||||
return canEmailReviewers;
|
||||
}
|
||||
|
||||
/** @return true if the user can modify an account for another user. */
|
||||
public boolean canModifyAccount() {
|
||||
return canPerform(GlobalCapability.MODIFY_ACCOUNT) || canAdministrateServer();
|
||||
}
|
||||
|
||||
/** @return true if the user can view all accounts. */
|
||||
public boolean canViewAllAccounts() {
|
||||
return canPerform(GlobalCapability.VIEW_ALL_ACCOUNTS) || canAdministrateServer();
|
||||
}
|
||||
|
||||
/** @return true if the user can perform basic server maintenance. */
|
||||
public boolean canMaintainServer() {
|
||||
return canPerform(GlobalCapability.MAINTAIN_SERVER) || canAdministrateServer();
|
||||
}
|
||||
|
||||
/** @return true if the user can view the entire queue. */
|
||||
public boolean canViewQueue() {
|
||||
return canPerform(GlobalCapability.VIEW_QUEUE) || canMaintainServer();
|
||||
}
|
||||
|
||||
/** @return true if the user can access the database (with gsql). */
|
||||
public boolean canAccessDatabase() {
|
||||
try {
|
||||
@@ -238,24 +223,23 @@ public class CapabilityControl {
|
||||
return canAdministrateServer();
|
||||
case EMAIL_REVIEWERS:
|
||||
return canEmailReviewers();
|
||||
case MAINTAIN_SERVER:
|
||||
return canMaintainServer();
|
||||
case MODIFY_ACCOUNT:
|
||||
return canModifyAccount();
|
||||
case VIEW_ALL_ACCOUNTS:
|
||||
return canViewAllAccounts();
|
||||
case VIEW_QUEUE:
|
||||
return canViewQueue();
|
||||
|
||||
case FLUSH_CACHES:
|
||||
case KILL_TASK:
|
||||
case RUN_GC:
|
||||
case VIEW_CACHES:
|
||||
return canPerform(perm.permissionName()) || canMaintainServer();
|
||||
case VIEW_QUEUE:
|
||||
return canPerform(perm.permissionName())
|
||||
|| canPerform(GlobalCapability.MAINTAIN_SERVER)
|
||||
|| canAdministrateServer();
|
||||
|
||||
case CREATE_ACCOUNT:
|
||||
case CREATE_GROUP:
|
||||
case CREATE_PROJECT:
|
||||
case MAINTAIN_SERVER:
|
||||
case MODIFY_ACCOUNT:
|
||||
case STREAM_EVENTS:
|
||||
case VIEW_CONNECTIONS:
|
||||
case VIEW_PLUGINS:
|
||||
|
||||
@@ -32,6 +32,9 @@ import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.config.AuthConfig;
|
||||
import com.google.gerrit.server.mail.send.OutgoingEmailValidator;
|
||||
import com.google.gerrit.server.mail.send.RegisterNewEmailSender;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
@@ -50,6 +53,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Realm realm;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final AccountManager accountManager;
|
||||
private final RegisterNewEmailSender.Factory registerNewEmailFactory;
|
||||
private final PutPreferred putPreferred;
|
||||
@@ -60,6 +64,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
|
||||
CreateEmail(
|
||||
Provider<CurrentUser> self,
|
||||
Realm realm,
|
||||
PermissionBackend permissionBackend,
|
||||
AuthConfig authConfig,
|
||||
AccountManager accountManager,
|
||||
RegisterNewEmailSender.Factory registerNewEmailFactory,
|
||||
@@ -67,6 +72,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
|
||||
@Assisted String email) {
|
||||
this.self = self;
|
||||
this.realm = realm;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.accountManager = accountManager;
|
||||
this.registerNewEmailFactory = registerNewEmailFactory;
|
||||
this.putPreferred = putPreferred;
|
||||
@@ -78,9 +84,9 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
|
||||
public Response<EmailInfo> apply(AccountResource rsrc, EmailInput input)
|
||||
throws AuthException, BadRequestException, ResourceConflictException,
|
||||
ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
|
||||
IOException, ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to add email address");
|
||||
IOException, ConfigInvalidException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser() || input.noConfirmation) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
if (input == null) {
|
||||
@@ -91,10 +97,6 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
|
||||
throw new BadRequestException("invalid email address");
|
||||
}
|
||||
|
||||
if (input.noConfirmation && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to use no_confirmation");
|
||||
}
|
||||
|
||||
if (!realm.allowsEdit(AccountFieldName.REGISTER_NEW_EMAIL)) {
|
||||
throw new MethodNotAllowedException("realm does not allow adding emails");
|
||||
}
|
||||
@@ -105,7 +107,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
|
||||
public Response<EmailInfo> apply(IdentifiedUser user, EmailInput input)
|
||||
throws AuthException, BadRequestException, ResourceConflictException,
|
||||
ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
|
||||
IOException, ConfigInvalidException {
|
||||
IOException, ConfigInvalidException, PermissionBackendException {
|
||||
if (input.email != null && !email.equals(input.email)) {
|
||||
throw new BadRequestException("email address must match URL");
|
||||
}
|
||||
|
||||
@@ -29,6 +29,9 @@ import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.account.DeleteEmail.Input;
|
||||
import com.google.gerrit.server.account.externalids.ExternalId;
|
||||
import com.google.gerrit.server.account.externalids.ExternalIds;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
@@ -43,6 +46,7 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Realm realm;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<ReviewDb> dbProvider;
|
||||
private final AccountManager accountManager;
|
||||
private final ExternalIds externalIds;
|
||||
@@ -51,11 +55,13 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
|
||||
DeleteEmail(
|
||||
Provider<CurrentUser> self,
|
||||
Realm realm,
|
||||
PermissionBackend permissionBackend,
|
||||
Provider<ReviewDb> dbProvider,
|
||||
AccountManager accountManager,
|
||||
ExternalIds externalIds) {
|
||||
this.self = self;
|
||||
this.realm = realm;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.dbProvider = dbProvider;
|
||||
this.accountManager = accountManager;
|
||||
this.externalIds = externalIds;
|
||||
@@ -64,9 +70,10 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
|
||||
@Override
|
||||
public Response<?> apply(AccountResource.Email rsrc, Input input)
|
||||
throws AuthException, ResourceNotFoundException, ResourceConflictException,
|
||||
MethodNotAllowedException, OrmException, IOException, ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to delete email address");
|
||||
MethodNotAllowedException, OrmException, IOException, ConfigInvalidException,
|
||||
PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
return apply(rsrc.getUser(), rsrc.getEmail());
|
||||
}
|
||||
|
||||
@@ -24,6 +24,9 @@ import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.config.AllUsersName;
|
||||
import com.google.gerrit.server.git.GitRepositoryManager;
|
||||
import com.google.gerrit.server.git.UserConfigSections;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -35,22 +38,27 @@ import org.eclipse.jgit.lib.Repository;
|
||||
@Singleton
|
||||
public class GetEditPreferences implements RestReadView<AccountResource> {
|
||||
private final Provider<CurrentUser> self;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final AllUsersName allUsersName;
|
||||
private final GitRepositoryManager gitMgr;
|
||||
|
||||
@Inject
|
||||
GetEditPreferences(
|
||||
Provider<CurrentUser> self, AllUsersName allUsersName, GitRepositoryManager gitMgr) {
|
||||
Provider<CurrentUser> self,
|
||||
PermissionBackend permissionBackend,
|
||||
AllUsersName allUsersName,
|
||||
GitRepositoryManager gitMgr) {
|
||||
this.self = self;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.allUsersName = allUsersName;
|
||||
this.gitMgr = gitMgr;
|
||||
}
|
||||
|
||||
@Override
|
||||
public EditPreferencesInfo apply(AccountResource rsrc)
|
||||
throws AuthException, IOException, ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("requires Modify Account capability");
|
||||
throws AuthException, IOException, ConfigInvalidException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
return readFromGit(rsrc.getUser().getAccountId(), gitMgr, allUsersName, null);
|
||||
|
||||
@@ -19,6 +19,9 @@ import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.extensions.restapi.RestReadView;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -26,18 +29,22 @@ import com.google.inject.Singleton;
|
||||
@Singleton
|
||||
public class GetPreferences implements RestReadView<AccountResource> {
|
||||
private final Provider<CurrentUser> self;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final AccountCache accountCache;
|
||||
|
||||
@Inject
|
||||
GetPreferences(Provider<CurrentUser> self, AccountCache accountCache) {
|
||||
GetPreferences(
|
||||
Provider<CurrentUser> self, PermissionBackend permissionBackend, AccountCache accountCache) {
|
||||
this.self = self;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.accountCache = accountCache;
|
||||
}
|
||||
|
||||
@Override
|
||||
public GeneralPreferencesInfo apply(AccountResource rsrc) throws AuthException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("requires Modify Account capability");
|
||||
public GeneralPreferencesInfo apply(AccountResource rsrc)
|
||||
throws AuthException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
Account.Id id = rsrc.getUser().getAccountId();
|
||||
|
||||
@@ -22,6 +22,9 @@ import com.google.gerrit.extensions.restapi.RestReadView;
|
||||
import com.google.gerrit.reviewdb.client.AccountSshKey;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
@@ -35,20 +38,25 @@ import org.eclipse.jgit.errors.RepositoryNotFoundException;
|
||||
public class GetSshKeys implements RestReadView<AccountResource> {
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final VersionedAuthorizedKeys.Accessor authorizedKeys;
|
||||
|
||||
@Inject
|
||||
GetSshKeys(Provider<CurrentUser> self, VersionedAuthorizedKeys.Accessor authorizedKeys) {
|
||||
GetSshKeys(
|
||||
Provider<CurrentUser> self,
|
||||
PermissionBackend permissionBackend,
|
||||
VersionedAuthorizedKeys.Accessor authorizedKeys) {
|
||||
this.self = self;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.authorizedKeys = authorizedKeys;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<SshKeyInfo> apply(AccountResource rsrc)
|
||||
throws AuthException, OrmException, RepositoryNotFoundException, IOException,
|
||||
ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to get SSH keys");
|
||||
ConfigInvalidException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
return apply(rsrc.getUser());
|
||||
}
|
||||
|
||||
@@ -19,6 +19,9 @@ import com.google.gerrit.extensions.restapi.Response;
|
||||
import com.google.gerrit.extensions.restapi.RestModifyView;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.Index.Input;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -29,18 +32,22 @@ public class Index implements RestModifyView<AccountResource, Input> {
|
||||
public static class Input {}
|
||||
|
||||
private final AccountCache accountCache;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<CurrentUser> self;
|
||||
|
||||
@Inject
|
||||
Index(AccountCache accountCache, Provider<CurrentUser> self) {
|
||||
Index(
|
||||
AccountCache accountCache, PermissionBackend permissionBackend, Provider<CurrentUser> self) {
|
||||
this.accountCache = accountCache;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.self = self;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response<?> apply(AccountResource rsrc, Input input) throws IOException, AuthException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to index account");
|
||||
public Response<?> apply(AccountResource rsrc, Input input)
|
||||
throws IOException, AuthException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
// evicting the account from the cache, reindexes the account
|
||||
|
||||
@@ -27,6 +27,9 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.account.PutName.Input;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.AtomicUpdate;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
@@ -42,6 +45,7 @@ public class PutName implements RestModifyView<AccountResource, Input> {
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Realm realm;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<ReviewDb> dbProvider;
|
||||
private final AccountCache byIdCache;
|
||||
|
||||
@@ -49,10 +53,12 @@ public class PutName implements RestModifyView<AccountResource, Input> {
|
||||
PutName(
|
||||
Provider<CurrentUser> self,
|
||||
Realm realm,
|
||||
PermissionBackend permissionBackend,
|
||||
Provider<ReviewDb> dbProvider,
|
||||
AccountCache byIdCache) {
|
||||
this.self = self;
|
||||
this.realm = realm;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.dbProvider = dbProvider;
|
||||
this.byIdCache = byIdCache;
|
||||
}
|
||||
@@ -60,9 +66,9 @@ public class PutName implements RestModifyView<AccountResource, Input> {
|
||||
@Override
|
||||
public Response<String> apply(AccountResource rsrc, Input input)
|
||||
throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
|
||||
IOException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to change name");
|
||||
IOException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
return apply(rsrc.getUser(), input);
|
||||
}
|
||||
|
||||
@@ -23,6 +23,9 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.account.PutPreferred.Input;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.AtomicUpdate;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
@@ -37,20 +40,27 @@ public class PutPreferred implements RestModifyView<AccountResource.Email, Input
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Provider<ReviewDb> dbProvider;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final AccountCache byIdCache;
|
||||
|
||||
@Inject
|
||||
PutPreferred(Provider<CurrentUser> self, Provider<ReviewDb> dbProvider, AccountCache byIdCache) {
|
||||
PutPreferred(
|
||||
Provider<CurrentUser> self,
|
||||
Provider<ReviewDb> dbProvider,
|
||||
PermissionBackend permissionBackend,
|
||||
AccountCache byIdCache) {
|
||||
this.self = self;
|
||||
this.dbProvider = dbProvider;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.byIdCache = byIdCache;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response<String> apply(AccountResource.Email rsrc, Input input)
|
||||
throws AuthException, ResourceNotFoundException, OrmException, IOException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to set preferred email address");
|
||||
throws AuthException, ResourceNotFoundException, OrmException, IOException,
|
||||
PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
return apply(rsrc.getUser(), rsrc.getEmail());
|
||||
}
|
||||
|
||||
@@ -25,6 +25,9 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.account.PutStatus.Input;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.AtomicUpdate;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
@@ -46,20 +49,27 @@ public class PutStatus implements RestModifyView<AccountResource, Input> {
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Provider<ReviewDb> dbProvider;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final AccountCache byIdCache;
|
||||
|
||||
@Inject
|
||||
PutStatus(Provider<CurrentUser> self, Provider<ReviewDb> dbProvider, AccountCache byIdCache) {
|
||||
PutStatus(
|
||||
Provider<CurrentUser> self,
|
||||
Provider<ReviewDb> dbProvider,
|
||||
PermissionBackend permissionBackend,
|
||||
AccountCache byIdCache) {
|
||||
this.self = self;
|
||||
this.dbProvider = dbProvider;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.byIdCache = byIdCache;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response<String> apply(AccountResource rsrc, Input input)
|
||||
throws AuthException, ResourceNotFoundException, OrmException, IOException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("not allowed to set status");
|
||||
throws AuthException, ResourceNotFoundException, OrmException, IOException,
|
||||
PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
return apply(rsrc.getUser(), input);
|
||||
}
|
||||
|
||||
@@ -29,6 +29,9 @@ import com.google.gerrit.server.config.AllUsersName;
|
||||
import com.google.gerrit.server.git.GitRepositoryManager;
|
||||
import com.google.gerrit.server.git.MetaDataUpdate;
|
||||
import com.google.gerrit.server.git.UserConfigSections;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -41,6 +44,7 @@ public class SetDiffPreferences implements RestModifyView<AccountResource, DiffP
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
|
||||
private final AllUsersName allUsersName;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final GitRepositoryManager gitMgr;
|
||||
|
||||
@Inject
|
||||
@@ -48,19 +52,21 @@ public class SetDiffPreferences implements RestModifyView<AccountResource, DiffP
|
||||
Provider<CurrentUser> self,
|
||||
Provider<MetaDataUpdate.User> metaDataUpdateFactory,
|
||||
AllUsersName allUsersName,
|
||||
PermissionBackend permissionBackend,
|
||||
GitRepositoryManager gitMgr) {
|
||||
this.self = self;
|
||||
this.metaDataUpdateFactory = metaDataUpdateFactory;
|
||||
this.allUsersName = allUsersName;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.gitMgr = gitMgr;
|
||||
}
|
||||
|
||||
@Override
|
||||
public DiffPreferencesInfo apply(AccountResource rsrc, DiffPreferencesInfo in)
|
||||
throws AuthException, BadRequestException, ConfigInvalidException,
|
||||
RepositoryNotFoundException, IOException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("requires Modify Account capability");
|
||||
RepositoryNotFoundException, IOException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
if (in == null) {
|
||||
|
||||
@@ -28,6 +28,9 @@ import com.google.gerrit.server.config.AllUsersName;
|
||||
import com.google.gerrit.server.git.GitRepositoryManager;
|
||||
import com.google.gerrit.server.git.MetaDataUpdate;
|
||||
import com.google.gerrit.server.git.UserConfigSections;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -40,6 +43,7 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
|
||||
|
||||
private final Provider<CurrentUser> self;
|
||||
private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final GitRepositoryManager gitMgr;
|
||||
private final AllUsersName allUsersName;
|
||||
|
||||
@@ -47,10 +51,12 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
|
||||
SetEditPreferences(
|
||||
Provider<CurrentUser> self,
|
||||
Provider<MetaDataUpdate.User> metaDataUpdateFactory,
|
||||
PermissionBackend permissionBackend,
|
||||
GitRepositoryManager gitMgr,
|
||||
AllUsersName allUsersName) {
|
||||
this.self = self;
|
||||
this.metaDataUpdateFactory = metaDataUpdateFactory;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.gitMgr = gitMgr;
|
||||
this.allUsersName = allUsersName;
|
||||
}
|
||||
@@ -58,9 +64,9 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
|
||||
@Override
|
||||
public EditPreferencesInfo apply(AccountResource rsrc, EditPreferencesInfo in)
|
||||
throws AuthException, BadRequestException, RepositoryNotFoundException, IOException,
|
||||
ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("requires Modify Account capability");
|
||||
ConfigInvalidException, PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
if (in == null) {
|
||||
|
||||
@@ -36,6 +36,9 @@ import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.config.AllUsersName;
|
||||
import com.google.gerrit.server.git.MetaDataUpdate;
|
||||
import com.google.gerrit.server.git.UserConfigSections;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -51,6 +54,7 @@ import org.eclipse.jgit.lib.Config;
|
||||
public class SetPreferences implements RestModifyView<AccountResource, GeneralPreferencesInfo> {
|
||||
private final Provider<CurrentUser> self;
|
||||
private final AccountCache cache;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final GeneralPreferencesLoader loader;
|
||||
private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
|
||||
private final AllUsersName allUsersName;
|
||||
@@ -60,6 +64,7 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
|
||||
SetPreferences(
|
||||
Provider<CurrentUser> self,
|
||||
AccountCache cache,
|
||||
PermissionBackend permissionBackend,
|
||||
GeneralPreferencesLoader loader,
|
||||
Provider<MetaDataUpdate.User> metaDataUpdateFactory,
|
||||
AllUsersName allUsersName,
|
||||
@@ -67,6 +72,7 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
|
||||
this.self = self;
|
||||
this.loader = loader;
|
||||
this.cache = cache;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.metaDataUpdateFactory = metaDataUpdateFactory;
|
||||
this.allUsersName = allUsersName;
|
||||
this.downloadSchemes = downloadSchemes;
|
||||
@@ -74,9 +80,10 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
|
||||
|
||||
@Override
|
||||
public GeneralPreferencesInfo apply(AccountResource rsrc, GeneralPreferencesInfo i)
|
||||
throws AuthException, BadRequestException, IOException, ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new AuthException("requires Modify Account capability");
|
||||
throws AuthException, BadRequestException, IOException, ConfigInvalidException,
|
||||
PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
}
|
||||
|
||||
checkDownloadScheme(i.downloadScheme);
|
||||
|
||||
@@ -15,6 +15,7 @@
|
||||
package com.google.gerrit.server.account;
|
||||
|
||||
import com.google.gerrit.extensions.registration.DynamicMap;
|
||||
import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.extensions.restapi.ChildCollection;
|
||||
import com.google.gerrit.extensions.restapi.IdString;
|
||||
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
|
||||
@@ -22,6 +23,9 @@ import com.google.gerrit.extensions.restapi.RestView;
|
||||
import com.google.gerrit.reviewdb.client.AccountSshKey;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
@@ -34,6 +38,7 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
|
||||
private final DynamicMap<RestView<AccountResource.SshKey>> views;
|
||||
private final GetSshKeys list;
|
||||
private final Provider<CurrentUser> self;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final VersionedAuthorizedKeys.Accessor authorizedKeys;
|
||||
|
||||
@Inject
|
||||
@@ -41,10 +46,12 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
|
||||
DynamicMap<RestView<AccountResource.SshKey>> views,
|
||||
GetSshKeys list,
|
||||
Provider<CurrentUser> self,
|
||||
PermissionBackend permissionBackend,
|
||||
VersionedAuthorizedKeys.Accessor authorizedKeys) {
|
||||
this.views = views;
|
||||
this.list = list;
|
||||
this.self = self;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.authorizedKeys = authorizedKeys;
|
||||
}
|
||||
|
||||
@@ -55,9 +62,15 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
|
||||
|
||||
@Override
|
||||
public AccountResource.SshKey parse(AccountResource rsrc, IdString id)
|
||||
throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException {
|
||||
if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
|
||||
throw new ResourceNotFoundException();
|
||||
throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException,
|
||||
PermissionBackendException {
|
||||
if (self.get() != rsrc.getUser()) {
|
||||
try {
|
||||
permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
|
||||
} catch (AuthException e) {
|
||||
// If lacking MODIFY_ACCOUNT claim the resource does not exist.
|
||||
throw new ResourceNotFoundException();
|
||||
}
|
||||
}
|
||||
return parse(rsrc.getUser(), id);
|
||||
}
|
||||
|
||||
@@ -71,6 +71,7 @@ import com.google.gerrit.server.account.StarredChanges;
|
||||
import com.google.gerrit.server.account.Stars;
|
||||
import com.google.gerrit.server.change.ChangeResource;
|
||||
import com.google.gerrit.server.change.ChangesCollection;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.assistedinject.Assisted;
|
||||
@@ -234,14 +235,18 @@ public class AccountApiImpl implements AccountApi {
|
||||
|
||||
@Override
|
||||
public GeneralPreferencesInfo getPreferences() throws RestApiException {
|
||||
return getPreferences.apply(account);
|
||||
try {
|
||||
return getPreferences.apply(account);
|
||||
} catch (PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot get preferences", e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public GeneralPreferencesInfo setPreferences(GeneralPreferencesInfo in) throws RestApiException {
|
||||
try {
|
||||
return setPreferences.apply(account, in);
|
||||
} catch (IOException | ConfigInvalidException e) {
|
||||
} catch (IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot set preferences", e);
|
||||
}
|
||||
}
|
||||
@@ -259,7 +264,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
public DiffPreferencesInfo setDiffPreferences(DiffPreferencesInfo in) throws RestApiException {
|
||||
try {
|
||||
return setDiffPreferences.apply(account, in);
|
||||
} catch (IOException | ConfigInvalidException e) {
|
||||
} catch (IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot set diff preferences", e);
|
||||
}
|
||||
}
|
||||
@@ -268,7 +273,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
public EditPreferencesInfo getEditPreferences() throws RestApiException {
|
||||
try {
|
||||
return getEditPreferences.apply(account);
|
||||
} catch (IOException | ConfigInvalidException e) {
|
||||
} catch (IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot query edit preferences", e);
|
||||
}
|
||||
}
|
||||
@@ -277,7 +282,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
public EditPreferencesInfo setEditPreferences(EditPreferencesInfo in) throws RestApiException {
|
||||
try {
|
||||
return setEditPreferences.apply(account, in);
|
||||
} catch (IOException | ConfigInvalidException e) {
|
||||
} catch (IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot set edit preferences", e);
|
||||
}
|
||||
}
|
||||
@@ -372,7 +377,11 @@ public class AccountApiImpl implements AccountApi {
|
||||
AccountResource.Email rsrc = new AccountResource.Email(account.getUser(), input.email);
|
||||
try {
|
||||
createEmailFactory.create(input.email).apply(rsrc, input);
|
||||
} catch (EmailException | OrmException | IOException | ConfigInvalidException e) {
|
||||
} catch (EmailException
|
||||
| OrmException
|
||||
| IOException
|
||||
| ConfigInvalidException
|
||||
| PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot add email", e);
|
||||
}
|
||||
}
|
||||
@@ -382,7 +391,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
AccountResource.Email rsrc = new AccountResource.Email(account.getUser(), email);
|
||||
try {
|
||||
deleteEmail.apply(rsrc, null);
|
||||
} catch (OrmException | IOException | ConfigInvalidException e) {
|
||||
} catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot delete email", e);
|
||||
}
|
||||
}
|
||||
@@ -392,7 +401,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
PutStatus.Input in = new PutStatus.Input(status);
|
||||
try {
|
||||
putStatus.apply(account, in);
|
||||
} catch (OrmException | IOException e) {
|
||||
} catch (OrmException | IOException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot set status", e);
|
||||
}
|
||||
}
|
||||
@@ -401,7 +410,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
public List<SshKeyInfo> listSshKeys() throws RestApiException {
|
||||
try {
|
||||
return getSshKeys.apply(account);
|
||||
} catch (OrmException | IOException | ConfigInvalidException e) {
|
||||
} catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot list SSH keys", e);
|
||||
}
|
||||
}
|
||||
@@ -423,7 +432,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
AccountResource.SshKey sshKeyRes =
|
||||
sshKeys.parse(account, IdString.fromDecoded(Integer.toString(seq)));
|
||||
deleteSshKey.apply(sshKeyRes, null);
|
||||
} catch (OrmException | IOException | ConfigInvalidException e) {
|
||||
} catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot delete SSH key", e);
|
||||
}
|
||||
}
|
||||
@@ -476,7 +485,7 @@ public class AccountApiImpl implements AccountApi {
|
||||
public void index() throws RestApiException {
|
||||
try {
|
||||
index.apply(account, new Index.Input());
|
||||
} catch (IOException e) {
|
||||
} catch (IOException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot index account", e);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -572,7 +572,7 @@ class ChangeApiImpl implements ChangeApi {
|
||||
public ChangeInfo check(FixInput fix) throws RestApiException {
|
||||
try {
|
||||
return check.apply(change, fix).value();
|
||||
} catch (OrmException e) {
|
||||
} catch (OrmException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot check change", e);
|
||||
}
|
||||
}
|
||||
@@ -581,7 +581,7 @@ class ChangeApiImpl implements ChangeApi {
|
||||
public void index() throws RestApiException {
|
||||
try {
|
||||
index.apply(change, new Index.Input());
|
||||
} catch (IOException | OrmException e) {
|
||||
} catch (IOException | OrmException | PermissionBackendException e) {
|
||||
throw new RestApiException("Cannot index change", e);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,21 +17,29 @@ package com.google.gerrit.server.change;
|
||||
import com.google.gerrit.extensions.api.changes.FixInput;
|
||||
import com.google.gerrit.extensions.client.ListChangesOption;
|
||||
import com.google.gerrit.extensions.common.ChangeInfo;
|
||||
import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.extensions.restapi.Response;
|
||||
import com.google.gerrit.extensions.restapi.RestApiException;
|
||||
import com.google.gerrit.extensions.restapi.RestModifyView;
|
||||
import com.google.gerrit.extensions.restapi.RestReadView;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ChangeControl;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
|
||||
public class Check
|
||||
implements RestReadView<ChangeResource>, RestModifyView<ChangeResource, FixInput> {
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<CurrentUser> user;
|
||||
private final ChangeJson.Factory jsonFactory;
|
||||
|
||||
@Inject
|
||||
Check(ChangeJson.Factory json) {
|
||||
Check(PermissionBackend permissionBackend, Provider<CurrentUser> user, ChangeJson.Factory json) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.user = user;
|
||||
this.jsonFactory = json;
|
||||
}
|
||||
|
||||
@@ -42,12 +50,10 @@ public class Check
|
||||
|
||||
@Override
|
||||
public Response<ChangeInfo> apply(ChangeResource rsrc, FixInput input)
|
||||
throws RestApiException, OrmException {
|
||||
throws RestApiException, OrmException, PermissionBackendException {
|
||||
ChangeControl ctl = rsrc.getControl();
|
||||
if (!ctl.isOwner()
|
||||
&& !ctl.getProjectControl().isOwner()
|
||||
&& !ctl.getUser().getCapabilities().canMaintainServer()) {
|
||||
throw new AuthException("Cannot fix change");
|
||||
if (!ctl.isOwner() && !ctl.getProjectControl().isOwner()) {
|
||||
permissionBackend.user(user).check(GlobalPermission.MAINTAIN_SERVER);
|
||||
}
|
||||
return Response.withMustRevalidate(newChangeJson().fix(input).format(rsrc));
|
||||
}
|
||||
|
||||
@@ -18,8 +18,12 @@ import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.extensions.restapi.Response;
|
||||
import com.google.gerrit.extensions.restapi.RestModifyView;
|
||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.change.Index.Input;
|
||||
import com.google.gerrit.server.index.change.ChangeIndexer;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ChangeControl;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
import com.google.inject.Inject;
|
||||
@@ -32,20 +36,28 @@ public class Index implements RestModifyView<ChangeResource, Input> {
|
||||
public static class Input {}
|
||||
|
||||
private final Provider<ReviewDb> db;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<CurrentUser> user;
|
||||
private final ChangeIndexer indexer;
|
||||
|
||||
@Inject
|
||||
Index(Provider<ReviewDb> db, ChangeIndexer indexer) {
|
||||
Index(
|
||||
Provider<ReviewDb> db,
|
||||
PermissionBackend permissionBackend,
|
||||
Provider<CurrentUser> user,
|
||||
ChangeIndexer indexer) {
|
||||
this.db = db;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.user = user;
|
||||
this.indexer = indexer;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response<?> apply(ChangeResource rsrc, Input input)
|
||||
throws IOException, AuthException, OrmException {
|
||||
throws IOException, AuthException, OrmException, PermissionBackendException {
|
||||
ChangeControl ctl = rsrc.getControl();
|
||||
if (!ctl.isOwner() && !ctl.getUser().getCapabilities().canMaintainServer()) {
|
||||
throw new AuthException("Only change owner or server maintainer can reindex");
|
||||
if (!ctl.isOwner()) {
|
||||
permissionBackend.user(user).check(GlobalPermission.MAINTAIN_SERVER);
|
||||
}
|
||||
indexer.index(db.get(), rsrc.getChange());
|
||||
return Response.none();
|
||||
|
||||
@@ -23,6 +23,9 @@ import com.google.gerrit.extensions.restapi.Response;
|
||||
import com.google.gerrit.extensions.restapi.RestModifyView;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.config.FlushCache.Input;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@@ -34,17 +37,20 @@ public class FlushCache implements RestModifyView<CacheResource, Input> {
|
||||
|
||||
public static final String WEB_SESSIONS = "web_sessions";
|
||||
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final Provider<CurrentUser> self;
|
||||
|
||||
@Inject
|
||||
public FlushCache(Provider<CurrentUser> self) {
|
||||
public FlushCache(PermissionBackend permissionBackend, Provider<CurrentUser> self) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.self = self;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response<String> apply(CacheResource rsrc, Input input) throws AuthException {
|
||||
if (WEB_SESSIONS.equals(rsrc.getName()) && !self.get().getCapabilities().canMaintainServer()) {
|
||||
throw new AuthException(String.format("only site maintainers can flush %s", WEB_SESSIONS));
|
||||
public Response<String> apply(CacheResource rsrc, Input input)
|
||||
throws AuthException, PermissionBackendException {
|
||||
if (WEB_SESSIONS.equals(rsrc.getName())) {
|
||||
permissionBackend.user(self).check(GlobalPermission.MAINTAIN_SERVER);
|
||||
}
|
||||
|
||||
rsrc.getCache().invalidateAll();
|
||||
|
||||
@@ -19,11 +19,13 @@ import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.extensions.restapi.RestReadView;
|
||||
import com.google.gerrit.reviewdb.client.Project;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.git.TaskInfoFactory;
|
||||
import com.google.gerrit.server.git.WorkQueue;
|
||||
import com.google.gerrit.server.git.WorkQueue.ProjectTask;
|
||||
import com.google.gerrit.server.git.WorkQueue.Task;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.gerrit.server.project.ProjectState;
|
||||
import com.google.gerrit.server.util.IdGenerator;
|
||||
@@ -41,30 +43,40 @@ import java.util.concurrent.TimeUnit;
|
||||
|
||||
@Singleton
|
||||
public class ListTasks implements RestReadView<ConfigResource> {
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final WorkQueue workQueue;
|
||||
private final ProjectCache projectCache;
|
||||
private final Provider<IdentifiedUser> self;
|
||||
private final Provider<CurrentUser> self;
|
||||
|
||||
@Inject
|
||||
public ListTasks(WorkQueue workQueue, ProjectCache projectCache, Provider<IdentifiedUser> self) {
|
||||
public ListTasks(
|
||||
PermissionBackend permissionBackend,
|
||||
WorkQueue workQueue,
|
||||
ProjectCache projectCache,
|
||||
Provider<CurrentUser> self) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.workQueue = workQueue;
|
||||
this.projectCache = projectCache;
|
||||
this.self = self;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<TaskInfo> apply(ConfigResource resource) throws AuthException {
|
||||
public List<TaskInfo> apply(ConfigResource resource)
|
||||
throws AuthException, PermissionBackendException {
|
||||
CurrentUser user = self.get();
|
||||
if (!user.isIdentifiedUser()) {
|
||||
throw new AuthException("Authentication required");
|
||||
}
|
||||
|
||||
List<TaskInfo> allTasks = getTasks();
|
||||
if (user.getCapabilities().canViewQueue()) {
|
||||
try {
|
||||
permissionBackend.user(user).check(GlobalPermission.VIEW_QUEUE);
|
||||
return allTasks;
|
||||
} catch (AuthException e) {
|
||||
// Fall through to filter tasks.
|
||||
}
|
||||
Map<String, Boolean> visibilityCache = new HashMap<>();
|
||||
|
||||
Map<String, Boolean> visibilityCache = new HashMap<>();
|
||||
List<TaskInfo> visibleTasks = new ArrayList<>();
|
||||
for (TaskInfo task : allTasks) {
|
||||
if (task.projectName != null) {
|
||||
|
||||
@@ -26,6 +26,7 @@ import com.google.gerrit.extensions.restapi.Response;
|
||||
import com.google.gerrit.extensions.restapi.RestModifyView;
|
||||
import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
|
||||
import com.google.gerrit.server.config.PostCaches.Input;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Singleton;
|
||||
import java.util.ArrayList;
|
||||
@@ -66,7 +67,8 @@ public class PostCaches implements RestModifyView<ConfigResource, Input> {
|
||||
|
||||
@Override
|
||||
public Response<String> apply(ConfigResource rsrc, Input input)
|
||||
throws AuthException, BadRequestException, UnprocessableEntityException {
|
||||
throws AuthException, BadRequestException, UnprocessableEntityException,
|
||||
PermissionBackendException {
|
||||
if (input == null || input.operation == null) {
|
||||
throw new BadRequestException("operation must be specified");
|
||||
}
|
||||
@@ -90,7 +92,7 @@ public class PostCaches implements RestModifyView<ConfigResource, Input> {
|
||||
}
|
||||
}
|
||||
|
||||
private void flushAll() throws AuthException {
|
||||
private void flushAll() throws AuthException, PermissionBackendException {
|
||||
for (DynamicMap.Entry<Cache<?, ?>> e : cacheMap) {
|
||||
CacheResource cacheResource =
|
||||
new CacheResource(e.getPluginName(), e.getExportName(), e.getProvider());
|
||||
@@ -101,7 +103,8 @@ public class PostCaches implements RestModifyView<ConfigResource, Input> {
|
||||
}
|
||||
}
|
||||
|
||||
private void flush(List<String> cacheNames) throws UnprocessableEntityException, AuthException {
|
||||
private void flush(List<String> cacheNames)
|
||||
throws UnprocessableEntityException, AuthException, PermissionBackendException {
|
||||
List<CacheResource> cacheResources = new ArrayList<>(cacheNames.size());
|
||||
|
||||
for (String n : cacheNames) {
|
||||
|
||||
@@ -21,10 +21,12 @@ import com.google.gerrit.extensions.restapi.IdString;
|
||||
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
|
||||
import com.google.gerrit.extensions.restapi.RestView;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.git.WorkQueue;
|
||||
import com.google.gerrit.server.git.WorkQueue.ProjectTask;
|
||||
import com.google.gerrit.server.git.WorkQueue.Task;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.gerrit.server.project.ProjectState;
|
||||
import com.google.inject.Inject;
|
||||
@@ -36,7 +38,8 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
|
||||
private final DynamicMap<RestView<TaskResource>> views;
|
||||
private final ListTasks list;
|
||||
private final WorkQueue workQueue;
|
||||
private final Provider<IdentifiedUser> self;
|
||||
private final Provider<CurrentUser> self;
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final ProjectCache projectCache;
|
||||
|
||||
@Inject
|
||||
@@ -44,12 +47,14 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
|
||||
DynamicMap<RestView<TaskResource>> views,
|
||||
ListTasks list,
|
||||
WorkQueue workQueue,
|
||||
Provider<IdentifiedUser> self,
|
||||
Provider<CurrentUser> self,
|
||||
PermissionBackend permissionBackend,
|
||||
ProjectCache projectCache) {
|
||||
this.views = views;
|
||||
this.list = list;
|
||||
this.workQueue = workQueue;
|
||||
this.self = self;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.projectCache = projectCache;
|
||||
}
|
||||
|
||||
@@ -60,30 +65,37 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
|
||||
|
||||
@Override
|
||||
public TaskResource parse(ConfigResource parent, IdString id)
|
||||
throws ResourceNotFoundException, AuthException {
|
||||
throws ResourceNotFoundException, AuthException, PermissionBackendException {
|
||||
CurrentUser user = self.get();
|
||||
if (!user.isIdentifiedUser()) {
|
||||
throw new AuthException("Authentication required");
|
||||
}
|
||||
|
||||
int taskId;
|
||||
try {
|
||||
int taskId = (int) Long.parseLong(id.get(), 16);
|
||||
Task<?> task = workQueue.getTask(taskId);
|
||||
if (task != null) {
|
||||
if (self.get().getCapabilities().canViewQueue()) {
|
||||
return new TaskResource(task);
|
||||
} else if (task instanceof ProjectTask) {
|
||||
ProjectTask<?> projectTask = ((ProjectTask<?>) task);
|
||||
ProjectState e = projectCache.get(projectTask.getProjectNameKey());
|
||||
if (e != null && e.controlFor(user).isVisible()) {
|
||||
return new TaskResource(task);
|
||||
}
|
||||
}
|
||||
}
|
||||
throw new ResourceNotFoundException(id);
|
||||
taskId = (int) Long.parseLong(id.get(), 16);
|
||||
} catch (NumberFormatException e) {
|
||||
throw new ResourceNotFoundException(id);
|
||||
}
|
||||
|
||||
Task<?> task = workQueue.getTask(taskId);
|
||||
if (task != null) {
|
||||
try {
|
||||
permissionBackend.user(user).check(GlobalPermission.VIEW_QUEUE);
|
||||
return new TaskResource(task);
|
||||
} catch (AuthException e) {
|
||||
// Fall through and try filtering.
|
||||
}
|
||||
|
||||
if (task instanceof ProjectTask) {
|
||||
ProjectTask<?> projectTask = ((ProjectTask<?>) task);
|
||||
ProjectState e = projectCache.get(projectTask.getProjectNameKey());
|
||||
if (e != null && e.controlFor(user).isVisible()) {
|
||||
return new TaskResource(task);
|
||||
}
|
||||
}
|
||||
}
|
||||
throw new ResourceNotFoundException(id);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
Reference in New Issue
Block a user