Merge changes from topic 'permission-backend'

* changes: Convert modifyAccount to PermissionBackend Convert maintainServer to PermissionBackend Convert viewQueue to PermissionBackend
2017-04-19 09:47:04 +00:00
parent cae3c5ef56 b168511335
commit eacabe9154
30 changed files with 325 additions and 149 deletions
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/accounts/AccountIT.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/api/accounts/AccountIT.java
@@ -511,7 +511,7 @@ public class AccountIT extends AbstractDaemonTest {
    // user cannot delete email of admin
    exception.expect(AuthException.class);
-    exception.expectMessage("not allowed to delete email address");
+    exception.expectMessage("modify account not permitted");
    gApi.accounts().id(admin.id.get()).deleteEmail(admin.email);
  }
@@ -896,7 +896,7 @@ public class AccountIT extends AbstractDaemonTest {
    // user cannot reindex any account
    exception.expect(AuthException.class);
-    exception.expectMessage("not allowed to index account");
+    exception.expectMessage("modify account not permitted");
    gApi.accounts().id(admin.username).index();
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
@@ -87,26 +87,11 @@ public class CapabilityControl {
    return canEmailReviewers;
  }
  /** @return true if the user can modify an account for another user. */
  public boolean canModifyAccount() {
    return canPerform(GlobalCapability.MODIFY_ACCOUNT) || canAdministrateServer();
  }
  /** @return true if the user can view all accounts. */
  public boolean canViewAllAccounts() {
    return canPerform(GlobalCapability.VIEW_ALL_ACCOUNTS) || canAdministrateServer();
  }
  /** @return true if the user can perform basic server maintenance. */
  public boolean canMaintainServer() {
    return canPerform(GlobalCapability.MAINTAIN_SERVER) || canAdministrateServer();
  }
  /** @return true if the user can view the entire queue. */
  public boolean canViewQueue() {
    return canPerform(GlobalCapability.VIEW_QUEUE) || canMaintainServer();
  }
  /** @return true if the user can access the database (with gsql). */
  public boolean canAccessDatabase() {
    try {
@@ -238,24 +223,23 @@ public class CapabilityControl {
        return canAdministrateServer();
      case EMAIL_REVIEWERS:
        return canEmailReviewers();
      case MAINTAIN_SERVER:
        return canMaintainServer();
      case MODIFY_ACCOUNT:
        return canModifyAccount();
      case VIEW_ALL_ACCOUNTS:
        return canViewAllAccounts();
      case VIEW_QUEUE:
        return canViewQueue();
      case FLUSH_CACHES:
      case KILL_TASK:
      case RUN_GC:
      case VIEW_CACHES:
-        return canPerform(perm.permissionName()) || canMaintainServer();
+      case VIEW_QUEUE:
        return canPerform(perm.permissionName())
            || canPerform(GlobalCapability.MAINTAIN_SERVER)
            || canAdministrateServer();
      case CREATE_ACCOUNT:
      case CREATE_GROUP:
      case CREATE_PROJECT:
      case MAINTAIN_SERVER:
      case MODIFY_ACCOUNT:
      case STREAM_EVENTS:
      case VIEW_CONNECTIONS:
      case VIEW_PLUGINS:
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CreateEmail.java
@@ -32,6 +32,9 @@ import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.config.AuthConfig;
 import com.google.gerrit.server.mail.send.OutgoingEmailValidator;
 import com.google.gerrit.server.mail.send.RegisterNewEmailSender;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -50,6 +53,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
  private final Provider<CurrentUser> self;
  private final Realm realm;
  private final PermissionBackend permissionBackend;
  private final AccountManager accountManager;
  private final RegisterNewEmailSender.Factory registerNewEmailFactory;
  private final PutPreferred putPreferred;
@@ -60,6 +64,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
  CreateEmail(
      Provider<CurrentUser> self,
      Realm realm,
      PermissionBackend permissionBackend,
      AuthConfig authConfig,
      AccountManager accountManager,
      RegisterNewEmailSender.Factory registerNewEmailFactory,
@@ -67,6 +72,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
      @Assisted String email) {
    this.self = self;
    this.realm = realm;
    this.permissionBackend = permissionBackend;
    this.accountManager = accountManager;
    this.registerNewEmailFactory = registerNewEmailFactory;
    this.putPreferred = putPreferred;
@@ -78,9 +84,9 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
  public Response<EmailInfo> apply(AccountResource rsrc, EmailInput input)
      throws AuthException, BadRequestException, ResourceConflictException,
          ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
-          IOException, ConfigInvalidException {
+          IOException, ConfigInvalidException, PermissionBackendException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (self.get() != rsrc.getUser() || input.noConfirmation) {
-      throw new AuthException("not allowed to add email address");
+      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    if (input == null) {
@@ -91,10 +97,6 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
      throw new BadRequestException("invalid email address");
    }
    if (input.noConfirmation && !self.get().getCapabilities().canModifyAccount()) {
      throw new AuthException("not allowed to use no_confirmation");
    }
    if (!realm.allowsEdit(AccountFieldName.REGISTER_NEW_EMAIL)) {
      throw new MethodNotAllowedException("realm does not allow adding emails");
    }
@@ -105,7 +107,7 @@ public class CreateEmail implements RestModifyView<AccountResource, EmailInput>
  public Response<EmailInfo> apply(IdentifiedUser user, EmailInput input)
      throws AuthException, BadRequestException, ResourceConflictException,
          ResourceNotFoundException, OrmException, EmailException, MethodNotAllowedException,
-          IOException, ConfigInvalidException {
+          IOException, ConfigInvalidException, PermissionBackendException {
    if (input.email != null && !email.equals(input.email)) {
      throw new BadRequestException("email address must match URL");
    }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/DeleteEmail.java
@@ -29,6 +29,9 @@ import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.DeleteEmail.Input;
 import com.google.gerrit.server.account.externalids.ExternalId;
 import com.google.gerrit.server.account.externalids.ExternalIds;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -43,6 +46,7 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
  private final Provider<CurrentUser> self;
  private final Realm realm;
  private final PermissionBackend permissionBackend;
  private final Provider<ReviewDb> dbProvider;
  private final AccountManager accountManager;
  private final ExternalIds externalIds;
@@ -51,11 +55,13 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
  DeleteEmail(
      Provider<CurrentUser> self,
      Realm realm,
      PermissionBackend permissionBackend,
      Provider<ReviewDb> dbProvider,
      AccountManager accountManager,
      ExternalIds externalIds) {
    this.self = self;
    this.realm = realm;
    this.permissionBackend = permissionBackend;
    this.dbProvider = dbProvider;
    this.accountManager = accountManager;
    this.externalIds = externalIds;
@@ -64,9 +70,10 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
  @Override
  public Response<?> apply(AccountResource.Email rsrc, Input input)
      throws AuthException, ResourceNotFoundException, ResourceConflictException,
-          MethodNotAllowedException, OrmException, IOException, ConfigInvalidException {
+          MethodNotAllowedException, OrmException, IOException, ConfigInvalidException,
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+          PermissionBackendException {
-      throw new AuthException("not allowed to delete email address");
+    if (self.get() != rsrc.getUser()) {
      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    return apply(rsrc.getUser(), rsrc.getEmail());
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetEditPreferences.java
@@ -24,6 +24,9 @@ import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.config.AllUsersName;
 import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.gerrit.server.git.UserConfigSections;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -35,22 +38,27 @@ import org.eclipse.jgit.lib.Repository;
@Singleton
 public class GetEditPreferences implements RestReadView<AccountResource> {
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  private final AllUsersName allUsersName;
  private final GitRepositoryManager gitMgr;
  @Inject
  GetEditPreferences(
-      Provider<CurrentUser> self, AllUsersName allUsersName, GitRepositoryManager gitMgr) {
+      Provider<CurrentUser> self,
      PermissionBackend permissionBackend,
      AllUsersName allUsersName,
      GitRepositoryManager gitMgr) {
    this.self = self;
    this.permissionBackend = permissionBackend;
    this.allUsersName = allUsersName;
    this.gitMgr = gitMgr;
  }
  @Override
  public EditPreferencesInfo apply(AccountResource rsrc)
-      throws AuthException, IOException, ConfigInvalidException {
+      throws AuthException, IOException, ConfigInvalidException, PermissionBackendException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (self.get() != rsrc.getUser()) {
-      throw new AuthException("requires Modify Account capability");
+      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    return readFromGit(rsrc.getUser().getAccountId(), gitMgr, allUsersName, null);
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetPreferences.java
@@ -19,6 +19,9 @@ import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.Account;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -26,18 +29,22 @@ import com.google.inject.Singleton;
@Singleton
 public class GetPreferences implements RestReadView<AccountResource> {
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  private final AccountCache accountCache;
  @Inject
-  GetPreferences(Provider<CurrentUser> self, AccountCache accountCache) {
+  GetPreferences(
      Provider<CurrentUser> self, PermissionBackend permissionBackend, AccountCache accountCache) {
    this.self = self;
    this.permissionBackend = permissionBackend;
    this.accountCache = accountCache;
  }
  @Override
-  public GeneralPreferencesInfo apply(AccountResource rsrc) throws AuthException {
+  public GeneralPreferencesInfo apply(AccountResource rsrc)
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+      throws AuthException, PermissionBackendException {
-      throw new AuthException("requires Modify Account capability");
+    if (self.get() != rsrc.getUser()) {
      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    Account.Id id = rsrc.getUser().getAccountId();
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetSshKeys.java
@@ -22,6 +22,9 @@ import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.AccountSshKey;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -35,20 +38,25 @@ import org.eclipse.jgit.errors.RepositoryNotFoundException;
 public class GetSshKeys implements RestReadView<AccountResource> {
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  private final VersionedAuthorizedKeys.Accessor authorizedKeys;
  @Inject
-  GetSshKeys(Provider<CurrentUser> self, VersionedAuthorizedKeys.Accessor authorizedKeys) {
+  GetSshKeys(
      Provider<CurrentUser> self,
      PermissionBackend permissionBackend,
      VersionedAuthorizedKeys.Accessor authorizedKeys) {
    this.self = self;
    this.permissionBackend = permissionBackend;
    this.authorizedKeys = authorizedKeys;
  }
  @Override
  public List<SshKeyInfo> apply(AccountResource rsrc)
      throws AuthException, OrmException, RepositoryNotFoundException, IOException,
-          ConfigInvalidException {
+          ConfigInvalidException, PermissionBackendException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (self.get() != rsrc.getUser()) {
-      throw new AuthException("not allowed to get SSH keys");
+      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    return apply(rsrc.getUser());
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/Index.java
@@ -19,6 +19,9 @@ import com.google.gerrit.extensions.restapi.Response;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.account.Index.Input;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -29,18 +32,22 @@ public class Index implements RestModifyView<AccountResource, Input> {
  public static class Input {}
  private final AccountCache accountCache;
  private final PermissionBackend permissionBackend;
  private final Provider<CurrentUser> self;
  @Inject
-  Index(AccountCache accountCache, Provider<CurrentUser> self) {
+  Index(
      AccountCache accountCache, PermissionBackend permissionBackend, Provider<CurrentUser> self) {
    this.accountCache = accountCache;
    this.permissionBackend = permissionBackend;
    this.self = self;
  }
  @Override
-  public Response<?> apply(AccountResource rsrc, Input input) throws IOException, AuthException {
+  public Response<?> apply(AccountResource rsrc, Input input)
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+      throws IOException, AuthException, PermissionBackendException {
-      throw new AuthException("not allowed to index account");
+    if (self.get() != rsrc.getUser()) {
      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    // evicting the account from the cache, reindexes the account
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutName.java
@@ -27,6 +27,9 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.PutName.Input;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.AtomicUpdate;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -42,6 +45,7 @@ public class PutName implements RestModifyView<AccountResource, Input> {
  private final Provider<CurrentUser> self;
  private final Realm realm;
  private final PermissionBackend permissionBackend;
  private final Provider<ReviewDb> dbProvider;
  private final AccountCache byIdCache;
@@ -49,10 +53,12 @@ public class PutName implements RestModifyView<AccountResource, Input> {
  PutName(
      Provider<CurrentUser> self,
      Realm realm,
      PermissionBackend permissionBackend,
      Provider<ReviewDb> dbProvider,
      AccountCache byIdCache) {
    this.self = self;
    this.realm = realm;
    this.permissionBackend = permissionBackend;
    this.dbProvider = dbProvider;
    this.byIdCache = byIdCache;
  }
@@ -60,9 +66,9 @@ public class PutName implements RestModifyView<AccountResource, Input> {
  @Override
  public Response<String> apply(AccountResource rsrc, Input input)
      throws AuthException, MethodNotAllowedException, ResourceNotFoundException, OrmException,
-          IOException {
+          IOException, PermissionBackendException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (self.get() != rsrc.getUser()) {
-      throw new AuthException("not allowed to change name");
+      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    return apply(rsrc.getUser(), input);
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutPreferred.java
@@ -23,6 +23,9 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.PutPreferred.Input;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.AtomicUpdate;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -37,20 +40,27 @@ public class PutPreferred implements RestModifyView<AccountResource.Email, Input
  private final Provider<CurrentUser> self;
  private final Provider<ReviewDb> dbProvider;
  private final PermissionBackend permissionBackend;
  private final AccountCache byIdCache;
  @Inject
-  PutPreferred(Provider<CurrentUser> self, Provider<ReviewDb> dbProvider, AccountCache byIdCache) {
+  PutPreferred(
      Provider<CurrentUser> self,
      Provider<ReviewDb> dbProvider,
      PermissionBackend permissionBackend,
      AccountCache byIdCache) {
    this.self = self;
    this.dbProvider = dbProvider;
    this.permissionBackend = permissionBackend;
    this.byIdCache = byIdCache;
  }
  @Override
  public Response<String> apply(AccountResource.Email rsrc, Input input)
-      throws AuthException, ResourceNotFoundException, OrmException, IOException {
+      throws AuthException, ResourceNotFoundException, OrmException, IOException,
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+          PermissionBackendException {
-      throw new AuthException("not allowed to set preferred email address");
+    if (self.get() != rsrc.getUser()) {
      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    return apply(rsrc.getUser(), rsrc.getEmail());
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/PutStatus.java
@@ -25,6 +25,9 @@ import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.PutStatus.Input;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.AtomicUpdate;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -46,20 +49,27 @@ public class PutStatus implements RestModifyView<AccountResource, Input> {
  private final Provider<CurrentUser> self;
  private final Provider<ReviewDb> dbProvider;
  private final PermissionBackend permissionBackend;
  private final AccountCache byIdCache;
  @Inject
-  PutStatus(Provider<CurrentUser> self, Provider<ReviewDb> dbProvider, AccountCache byIdCache) {
+  PutStatus(
      Provider<CurrentUser> self,
      Provider<ReviewDb> dbProvider,
      PermissionBackend permissionBackend,
      AccountCache byIdCache) {
    this.self = self;
    this.dbProvider = dbProvider;
    this.permissionBackend = permissionBackend;
    this.byIdCache = byIdCache;
  }
  @Override
  public Response<String> apply(AccountResource rsrc, Input input)
-      throws AuthException, ResourceNotFoundException, OrmException, IOException {
+      throws AuthException, ResourceNotFoundException, OrmException, IOException,
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+          PermissionBackendException {
-      throw new AuthException("not allowed to set status");
+    if (self.get() != rsrc.getUser()) {
      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    return apply(rsrc.getUser(), input);
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetDiffPreferences.java
@@ -29,6 +29,9 @@ import com.google.gerrit.server.config.AllUsersName;
 import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.gerrit.server.git.MetaDataUpdate;
 import com.google.gerrit.server.git.UserConfigSections;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -41,6 +44,7 @@ public class SetDiffPreferences implements RestModifyView<AccountResource, DiffP
  private final Provider<CurrentUser> self;
  private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
  private final AllUsersName allUsersName;
  private final PermissionBackend permissionBackend;
  private final GitRepositoryManager gitMgr;
  @Inject
@@ -48,19 +52,21 @@ public class SetDiffPreferences implements RestModifyView<AccountResource, DiffP
      Provider<CurrentUser> self,
      Provider<MetaDataUpdate.User> metaDataUpdateFactory,
      AllUsersName allUsersName,
      PermissionBackend permissionBackend,
      GitRepositoryManager gitMgr) {
    this.self = self;
    this.metaDataUpdateFactory = metaDataUpdateFactory;
    this.allUsersName = allUsersName;
    this.permissionBackend = permissionBackend;
    this.gitMgr = gitMgr;
  }
  @Override
  public DiffPreferencesInfo apply(AccountResource rsrc, DiffPreferencesInfo in)
      throws AuthException, BadRequestException, ConfigInvalidException,
-          RepositoryNotFoundException, IOException {
+          RepositoryNotFoundException, IOException, PermissionBackendException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (self.get() != rsrc.getUser()) {
-      throw new AuthException("requires Modify Account capability");
+      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    if (in == null) {
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetEditPreferences.java
@@ -28,6 +28,9 @@ import com.google.gerrit.server.config.AllUsersName;
 import com.google.gerrit.server.git.GitRepositoryManager;
 import com.google.gerrit.server.git.MetaDataUpdate;
 import com.google.gerrit.server.git.UserConfigSections;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -40,6 +43,7 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
  private final Provider<CurrentUser> self;
  private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
  private final PermissionBackend permissionBackend;
  private final GitRepositoryManager gitMgr;
  private final AllUsersName allUsersName;
@@ -47,10 +51,12 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
  SetEditPreferences(
      Provider<CurrentUser> self,
      Provider<MetaDataUpdate.User> metaDataUpdateFactory,
      PermissionBackend permissionBackend,
      GitRepositoryManager gitMgr,
      AllUsersName allUsersName) {
    this.self = self;
    this.metaDataUpdateFactory = metaDataUpdateFactory;
    this.permissionBackend = permissionBackend;
    this.gitMgr = gitMgr;
    this.allUsersName = allUsersName;
  }
@@ -58,9 +64,9 @@ public class SetEditPreferences implements RestModifyView<AccountResource, EditP
  @Override
  public EditPreferencesInfo apply(AccountResource rsrc, EditPreferencesInfo in)
      throws AuthException, BadRequestException, RepositoryNotFoundException, IOException,
-          ConfigInvalidException {
+          ConfigInvalidException, PermissionBackendException {
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+    if (self.get() != rsrc.getUser()) {
-      throw new AuthException("requires Modify Account capability");
+      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    if (in == null) {
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SetPreferences.java
@@ -36,6 +36,9 @@ import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.config.AllUsersName;
 import com.google.gerrit.server.git.MetaDataUpdate;
 import com.google.gerrit.server.git.UserConfigSections;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -51,6 +54,7 @@ import org.eclipse.jgit.lib.Config;
 public class SetPreferences implements RestModifyView<AccountResource, GeneralPreferencesInfo> {
  private final Provider<CurrentUser> self;
  private final AccountCache cache;
  private final PermissionBackend permissionBackend;
  private final GeneralPreferencesLoader loader;
  private final Provider<MetaDataUpdate.User> metaDataUpdateFactory;
  private final AllUsersName allUsersName;
@@ -60,6 +64,7 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
  SetPreferences(
      Provider<CurrentUser> self,
      AccountCache cache,
      PermissionBackend permissionBackend,
      GeneralPreferencesLoader loader,
      Provider<MetaDataUpdate.User> metaDataUpdateFactory,
      AllUsersName allUsersName,
@@ -67,6 +72,7 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
    this.self = self;
    this.loader = loader;
    this.cache = cache;
    this.permissionBackend = permissionBackend;
    this.metaDataUpdateFactory = metaDataUpdateFactory;
    this.allUsersName = allUsersName;
    this.downloadSchemes = downloadSchemes;
@@ -74,9 +80,10 @@ public class SetPreferences implements RestModifyView<AccountResource, GeneralPr
  @Override
  public GeneralPreferencesInfo apply(AccountResource rsrc, GeneralPreferencesInfo i)
-      throws AuthException, BadRequestException, IOException, ConfigInvalidException {
+      throws AuthException, BadRequestException, IOException, ConfigInvalidException,
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+          PermissionBackendException {
-      throw new AuthException("requires Modify Account capability");
+    if (self.get() != rsrc.getUser()) {
      permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
    }
    checkDownloadScheme(i.downloadScheme);
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/SshKeys.java
@@ -15,6 +15,7 @@
 package com.google.gerrit.server.account;
 import com.google.gerrit.extensions.registration.DynamicMap;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.ChildCollection;
 import com.google.gerrit.extensions.restapi.IdString;
 import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
@@ -22,6 +23,9 @@ import com.google.gerrit.extensions.restapi.RestView;
 import com.google.gerrit.reviewdb.client.AccountSshKey;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -34,6 +38,7 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
  private final DynamicMap<RestView<AccountResource.SshKey>> views;
  private final GetSshKeys list;
  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  private final VersionedAuthorizedKeys.Accessor authorizedKeys;
  @Inject
@@ -41,10 +46,12 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
      DynamicMap<RestView<AccountResource.SshKey>> views,
      GetSshKeys list,
      Provider<CurrentUser> self,
      PermissionBackend permissionBackend,
      VersionedAuthorizedKeys.Accessor authorizedKeys) {
    this.views = views;
    this.list = list;
    this.self = self;
    this.permissionBackend = permissionBackend;
    this.authorizedKeys = authorizedKeys;
  }
@@ -55,10 +62,16 @@ public class SshKeys implements ChildCollection<AccountResource, AccountResource
  @Override
  public AccountResource.SshKey parse(AccountResource rsrc, IdString id)
-      throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException {
+      throws ResourceNotFoundException, OrmException, IOException, ConfigInvalidException,
-    if (self.get() != rsrc.getUser() && !self.get().getCapabilities().canModifyAccount()) {
+          PermissionBackendException {
    if (self.get() != rsrc.getUser()) {
      try {
        permissionBackend.user(self).check(GlobalPermission.MODIFY_ACCOUNT);
      } catch (AuthException e) {
        // If lacking MODIFY_ACCOUNT claim the resource does not exist.
        throw new ResourceNotFoundException();
      }
    }
    return parse(rsrc.getUser(), id);
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/api/accounts/AccountApiImpl.java
@@ -71,6 +71,7 @@ import com.google.gerrit.server.account.StarredChanges;
 import com.google.gerrit.server.account.Stars;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.change.ChangesCollection;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.assistedinject.Assisted;
@@ -234,14 +235,18 @@ public class AccountApiImpl implements AccountApi {
  @Override
  public GeneralPreferencesInfo getPreferences() throws RestApiException {
    try {
      return getPreferences.apply(account);
    } catch (PermissionBackendException e) {
      throw new RestApiException("Cannot get preferences", e);
    }
  }
  @Override
  public GeneralPreferencesInfo setPreferences(GeneralPreferencesInfo in) throws RestApiException {
    try {
      return setPreferences.apply(account, in);
-    } catch (IOException | ConfigInvalidException e) {
+    } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot set preferences", e);
    }
  }
@@ -259,7 +264,7 @@ public class AccountApiImpl implements AccountApi {
  public DiffPreferencesInfo setDiffPreferences(DiffPreferencesInfo in) throws RestApiException {
    try {
      return setDiffPreferences.apply(account, in);
-    } catch (IOException | ConfigInvalidException e) {
+    } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot set diff preferences", e);
    }
  }
@@ -268,7 +273,7 @@ public class AccountApiImpl implements AccountApi {
  public EditPreferencesInfo getEditPreferences() throws RestApiException {
    try {
      return getEditPreferences.apply(account);
-    } catch (IOException | ConfigInvalidException e) {
+    } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot query edit preferences", e);
    }
  }
@@ -277,7 +282,7 @@ public class AccountApiImpl implements AccountApi {
  public EditPreferencesInfo setEditPreferences(EditPreferencesInfo in) throws RestApiException {
    try {
      return setEditPreferences.apply(account, in);
-    } catch (IOException | ConfigInvalidException e) {
+    } catch (IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot set edit preferences", e);
    }
  }
@@ -372,7 +377,11 @@ public class AccountApiImpl implements AccountApi {
    AccountResource.Email rsrc = new AccountResource.Email(account.getUser(), input.email);
    try {
      createEmailFactory.create(input.email).apply(rsrc, input);
-    } catch (EmailException | OrmException | IOException | ConfigInvalidException e) {
+    } catch (EmailException
        | OrmException
        | IOException
        | ConfigInvalidException
        | PermissionBackendException e) {
      throw new RestApiException("Cannot add email", e);
    }
  }
@@ -382,7 +391,7 @@ public class AccountApiImpl implements AccountApi {
    AccountResource.Email rsrc = new AccountResource.Email(account.getUser(), email);
    try {
      deleteEmail.apply(rsrc, null);
-    } catch (OrmException | IOException | ConfigInvalidException e) {
+    } catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot delete email", e);
    }
  }
@@ -392,7 +401,7 @@ public class AccountApiImpl implements AccountApi {
    PutStatus.Input in = new PutStatus.Input(status);
    try {
      putStatus.apply(account, in);
-    } catch (OrmException | IOException e) {
+    } catch (OrmException | IOException | PermissionBackendException e) {
      throw new RestApiException("Cannot set status", e);
    }
  }
@@ -401,7 +410,7 @@ public class AccountApiImpl implements AccountApi {
  public List<SshKeyInfo> listSshKeys() throws RestApiException {
    try {
      return getSshKeys.apply(account);
-    } catch (OrmException | IOException | ConfigInvalidException e) {
+    } catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot list SSH keys", e);
    }
  }
@@ -423,7 +432,7 @@ public class AccountApiImpl implements AccountApi {
      AccountResource.SshKey sshKeyRes =
          sshKeys.parse(account, IdString.fromDecoded(Integer.toString(seq)));
      deleteSshKey.apply(sshKeyRes, null);
-    } catch (OrmException | IOException | ConfigInvalidException e) {
+    } catch (OrmException | IOException | ConfigInvalidException | PermissionBackendException e) {
      throw new RestApiException("Cannot delete SSH key", e);
    }
  }
@@ -476,7 +485,7 @@ public class AccountApiImpl implements AccountApi {
  public void index() throws RestApiException {
    try {
      index.apply(account, new Index.Input());
-    } catch (IOException e) {
+    } catch (IOException | PermissionBackendException e) {
      throw new RestApiException("Cannot index account", e);
    }
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/api/changes/ChangeApiImpl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/api/changes/ChangeApiImpl.java
@@ -572,7 +572,7 @@ class ChangeApiImpl implements ChangeApi {
  public ChangeInfo check(FixInput fix) throws RestApiException {
    try {
      return check.apply(change, fix).value();
-    } catch (OrmException e) {
+    } catch (OrmException | PermissionBackendException e) {
      throw new RestApiException("Cannot check change", e);
    }
  }
@@ -581,7 +581,7 @@ class ChangeApiImpl implements ChangeApi {
  public void index() throws RestApiException {
    try {
      index.apply(change, new Index.Input());
-    } catch (IOException | OrmException e) {
+    } catch (IOException | OrmException | PermissionBackendException e) {
      throw new RestApiException("Cannot index change", e);
    }
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/change/Check.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/change/Check.java
@@ -17,21 +17,29 @@ package com.google.gerrit.server.change;
 import com.google.gerrit.extensions.api.changes.FixInput;
 import com.google.gerrit.extensions.client.ListChangesOption;
 import com.google.gerrit.extensions.common.ChangeInfo;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.Response;
 import com.google.gerrit.extensions.restapi.RestApiException;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ChangeControl;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 public class Check
    implements RestReadView<ChangeResource>, RestModifyView<ChangeResource, FixInput> {
  private final PermissionBackend permissionBackend;
  private final Provider<CurrentUser> user;
  private final ChangeJson.Factory jsonFactory;
  @Inject
-  Check(ChangeJson.Factory json) {
+  Check(PermissionBackend permissionBackend, Provider<CurrentUser> user, ChangeJson.Factory json) {
    this.permissionBackend = permissionBackend;
    this.user = user;
    this.jsonFactory = json;
  }
@@ -42,12 +50,10 @@ public class Check
  @Override
  public Response<ChangeInfo> apply(ChangeResource rsrc, FixInput input)
-      throws RestApiException, OrmException {
+      throws RestApiException, OrmException, PermissionBackendException {
    ChangeControl ctl = rsrc.getControl();
-    if (!ctl.isOwner()
+    if (!ctl.isOwner() && !ctl.getProjectControl().isOwner()) {
-        && !ctl.getProjectControl().isOwner()
+      permissionBackend.user(user).check(GlobalPermission.MAINTAIN_SERVER);
        && !ctl.getUser().getCapabilities().canMaintainServer()) {
      throw new AuthException("Cannot fix change");
    }
    return Response.withMustRevalidate(newChangeJson().fix(input).format(rsrc));
  }
--- a/gerrit-server/src/main/java/com/google/gerrit/server/change/Index.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/change/Index.java
@@ -18,8 +18,12 @@ import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.Response;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.reviewdb.server.ReviewDb;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.change.Index.Input;
 import com.google.gerrit.server.index.change.ChangeIndexer;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ChangeControl;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Inject;
@@ -32,20 +36,28 @@ public class Index implements RestModifyView<ChangeResource, Input> {
  public static class Input {}
  private final Provider<ReviewDb> db;
  private final PermissionBackend permissionBackend;
  private final Provider<CurrentUser> user;
  private final ChangeIndexer indexer;
  @Inject
-  Index(Provider<ReviewDb> db, ChangeIndexer indexer) {
+  Index(
      Provider<ReviewDb> db,
      PermissionBackend permissionBackend,
      Provider<CurrentUser> user,
      ChangeIndexer indexer) {
    this.db = db;
    this.permissionBackend = permissionBackend;
    this.user = user;
    this.indexer = indexer;
  }
  @Override
  public Response<?> apply(ChangeResource rsrc, Input input)
-      throws IOException, AuthException, OrmException {
+      throws IOException, AuthException, OrmException, PermissionBackendException {
    ChangeControl ctl = rsrc.getControl();
-    if (!ctl.isOwner() && !ctl.getUser().getCapabilities().canMaintainServer()) {
+    if (!ctl.isOwner()) {
-      throw new AuthException("Only change owner or server maintainer can reindex");
+      permissionBackend.user(user).check(GlobalPermission.MAINTAIN_SERVER);
    }
    indexer.index(db.get(), rsrc.getChange());
    return Response.none();
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/FlushCache.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/FlushCache.java
@@ -23,6 +23,9 @@ import com.google.gerrit.extensions.restapi.Response;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.config.FlushCache.Input;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -34,17 +37,20 @@ public class FlushCache implements RestModifyView<CacheResource, Input> {
  public static final String WEB_SESSIONS = "web_sessions";
  private final PermissionBackend permissionBackend;
  private final Provider<CurrentUser> self;
  @Inject
-  public FlushCache(Provider<CurrentUser> self) {
+  public FlushCache(PermissionBackend permissionBackend, Provider<CurrentUser> self) {
    this.permissionBackend = permissionBackend;
    this.self = self;
  }
  @Override
-  public Response<String> apply(CacheResource rsrc, Input input) throws AuthException {
+  public Response<String> apply(CacheResource rsrc, Input input)
-    if (WEB_SESSIONS.equals(rsrc.getName()) && !self.get().getCapabilities().canMaintainServer()) {
+      throws AuthException, PermissionBackendException {
-      throw new AuthException(String.format("only site maintainers can flush %s", WEB_SESSIONS));
+    if (WEB_SESSIONS.equals(rsrc.getName())) {
      permissionBackend.user(self).check(GlobalPermission.MAINTAIN_SERVER);
    }
    rsrc.getCache().invalidateAll();
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/ListTasks.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/ListTasks.java
@@ -19,11 +19,13 @@ import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.restapi.RestReadView;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.git.TaskInfoFactory;
 import com.google.gerrit.server.git.WorkQueue;
 import com.google.gerrit.server.git.WorkQueue.ProjectTask;
 import com.google.gerrit.server.git.WorkQueue.Task;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.gerrit.server.util.IdGenerator;
@@ -41,30 +43,40 @@ import java.util.concurrent.TimeUnit;
@Singleton
 public class ListTasks implements RestReadView<ConfigResource> {
  private final PermissionBackend permissionBackend;
  private final WorkQueue workQueue;
  private final ProjectCache projectCache;
-  private final Provider<IdentifiedUser> self;
+  private final Provider<CurrentUser> self;
  @Inject
-  public ListTasks(WorkQueue workQueue, ProjectCache projectCache, Provider<IdentifiedUser> self) {
+  public ListTasks(
      PermissionBackend permissionBackend,
      WorkQueue workQueue,
      ProjectCache projectCache,
      Provider<CurrentUser> self) {
    this.permissionBackend = permissionBackend;
    this.workQueue = workQueue;
    this.projectCache = projectCache;
    this.self = self;
  }
  @Override
-  public List<TaskInfo> apply(ConfigResource resource) throws AuthException {
+  public List<TaskInfo> apply(ConfigResource resource)
      throws AuthException, PermissionBackendException {
    CurrentUser user = self.get();
    if (!user.isIdentifiedUser()) {
      throw new AuthException("Authentication required");
    }
    List<TaskInfo> allTasks = getTasks();
-    if (user.getCapabilities().canViewQueue()) {
+    try {
      permissionBackend.user(user).check(GlobalPermission.VIEW_QUEUE);
      return allTasks;
    } catch (AuthException e) {
      // Fall through to filter tasks.
    }
    Map<String, Boolean> visibilityCache = new HashMap<>();
    Map<String, Boolean> visibilityCache = new HashMap<>();
    List<TaskInfo> visibleTasks = new ArrayList<>();
    for (TaskInfo task : allTasks) {
      if (task.projectName != null) {
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/PostCaches.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/PostCaches.java
@@ -26,6 +26,7 @@ import com.google.gerrit.extensions.restapi.Response;
 import com.google.gerrit.extensions.restapi.RestModifyView;
 import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
 import com.google.gerrit.server.config.PostCaches.Input;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import java.util.ArrayList;
@@ -66,7 +67,8 @@ public class PostCaches implements RestModifyView<ConfigResource, Input> {
  @Override
  public Response<String> apply(ConfigResource rsrc, Input input)
-      throws AuthException, BadRequestException, UnprocessableEntityException {
+      throws AuthException, BadRequestException, UnprocessableEntityException,
          PermissionBackendException {
    if (input == null || input.operation == null) {
      throw new BadRequestException("operation must be specified");
    }
@@ -90,7 +92,7 @@ public class PostCaches implements RestModifyView<ConfigResource, Input> {
    }
  }
-  private void flushAll() throws AuthException {
+  private void flushAll() throws AuthException, PermissionBackendException {
    for (DynamicMap.Entry<Cache<?, ?>> e : cacheMap) {
      CacheResource cacheResource =
          new CacheResource(e.getPluginName(), e.getExportName(), e.getProvider());
@@ -101,7 +103,8 @@ public class PostCaches implements RestModifyView<ConfigResource, Input> {
    }
  }
-  private void flush(List<String> cacheNames) throws UnprocessableEntityException, AuthException {
+  private void flush(List<String> cacheNames)
      throws UnprocessableEntityException, AuthException, PermissionBackendException {
    List<CacheResource> cacheResources = new ArrayList<>(cacheNames.size());
    for (String n : cacheNames) {
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/TasksCollection.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/TasksCollection.java
@@ -21,10 +21,12 @@ import com.google.gerrit.extensions.restapi.IdString;
 import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
 import com.google.gerrit.extensions.restapi.RestView;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.git.WorkQueue;
 import com.google.gerrit.server.git.WorkQueue.ProjectTask;
 import com.google.gerrit.server.git.WorkQueue.Task;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ProjectCache;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.inject.Inject;
@@ -36,7 +38,8 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
  private final DynamicMap<RestView<TaskResource>> views;
  private final ListTasks list;
  private final WorkQueue workQueue;
-  private final Provider<IdentifiedUser> self;
+  private final Provider<CurrentUser> self;
  private final PermissionBackend permissionBackend;
  private final ProjectCache projectCache;
  @Inject
@@ -44,12 +47,14 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
      DynamicMap<RestView<TaskResource>> views,
      ListTasks list,
      WorkQueue workQueue,
-      Provider<IdentifiedUser> self,
+      Provider<CurrentUser> self,
      PermissionBackend permissionBackend,
      ProjectCache projectCache) {
    this.views = views;
    this.list = list;
    this.workQueue = workQueue;
    this.self = self;
    this.permissionBackend = permissionBackend;
    this.projectCache = projectCache;
  }
@@ -60,19 +65,29 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
  @Override
  public TaskResource parse(ConfigResource parent, IdString id)
-      throws ResourceNotFoundException, AuthException {
+      throws ResourceNotFoundException, AuthException, PermissionBackendException {
    CurrentUser user = self.get();
    if (!user.isIdentifiedUser()) {
      throw new AuthException("Authentication required");
    }
    int taskId;
    try {
-      int taskId = (int) Long.parseLong(id.get(), 16);
+      taskId = (int) Long.parseLong(id.get(), 16);
    } catch (NumberFormatException e) {
      throw new ResourceNotFoundException(id);
    }
    Task<?> task = workQueue.getTask(taskId);
    if (task != null) {
-        if (self.get().getCapabilities().canViewQueue()) {
+      try {
        permissionBackend.user(user).check(GlobalPermission.VIEW_QUEUE);
        return new TaskResource(task);
-        } else if (task instanceof ProjectTask) {
+      } catch (AuthException e) {
        // Fall through and try filtering.
      }
      if (task instanceof ProjectTask) {
        ProjectTask<?> projectTask = ((ProjectTask<?>) task);
        ProjectState e = projectCache.get(projectTask.getProjectNameKey());
        if (e != null && e.controlFor(user).isVisible()) {
@@ -81,9 +96,6 @@ public class TasksCollection implements ChildCollection<ConfigResource, TaskReso
      }
    }
    throw new ResourceNotFoundException(id);
    } catch (NumberFormatException e) {
      throw new ResourceNotFoundException(id);
    }
  }
  @Override
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/ChangeArgumentParser.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/ChangeArgumentParser.java
@@ -16,6 +16,7 @@ package com.google.gerrit.sshd;
 import static java.util.stream.Collectors.toList;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.reviewdb.client.Change;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.reviewdb.server.ReviewDb;
@@ -24,6 +25,9 @@ import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.change.ChangesCollection;
 import com.google.gerrit.server.notedb.ChangeNotes;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.server.project.ChangeControl;
 import com.google.gerrit.server.project.NoSuchChangeException;
 import com.google.gerrit.server.project.ProjectControl;
@@ -43,6 +47,7 @@ public class ChangeArgumentParser {
  private final ReviewDb db;
  private final ChangeNotes.Factory changeNotesFactory;
  private final ChangeControl.GenericFactory changeControlFactory;
  private final PermissionBackend permissionBackend;
  @Inject
  ChangeArgumentParser(
@@ -51,13 +56,15 @@ public class ChangeArgumentParser {
      ChangeFinder changeFinder,
      ReviewDb db,
      ChangeNotes.Factory changeNotesFactory,
-      ChangeControl.GenericFactory changeControlFactory) {
+      ChangeControl.GenericFactory changeControlFactory,
      PermissionBackend permissionBackend) {
    this.currentUser = currentUser;
    this.changesCollection = changesCollection;
    this.changeFinder = changeFinder;
    this.db = db;
    this.changeNotesFactory = changeNotesFactory;
    this.changeControlFactory = changeControlFactory;
    this.permissionBackend = permissionBackend;
  }
  public void addChange(String id, Map<Change.Id, ChangeResource> changes)
@@ -80,9 +87,13 @@ public class ChangeArgumentParser {
    List<ChangeControl> matched =
        useIndex ? changeFinder.find(id, currentUser) : changeFromNotesFactory(id, currentUser);
    List<ChangeControl> toAdd = new ArrayList<>(changes.size());
-    boolean canMaintainServer =
+    boolean canMaintainServer;
-        currentUser.isIdentifiedUser()
+    try {
-            && currentUser.asIdentifiedUser().getCapabilities().canMaintainServer();
+      permissionBackend.user(currentUser).check(GlobalPermission.MAINTAIN_SERVER);
      canMaintainServer = true;
    } catch (AuthException | PermissionBackendException e) {
      canMaintainServer = false;
    }
    for (ChangeControl ctl : matched) {
      if (!changes.containsKey(ctl.getId())
          && inProject(projectControl, ctl.getProject())
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/FlushCaches.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/FlushCaches.java
@@ -26,6 +26,7 @@ import com.google.gerrit.server.config.ConfigResource;
 import com.google.gerrit.server.config.ListCaches;
 import com.google.gerrit.server.config.ListCaches.OutputFormat;
 import com.google.gerrit.server.config.PostCaches;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
 import com.google.inject.Inject;
@@ -81,6 +82,8 @@ final class FlushCaches extends SshCommand {
      }
    } catch (RestApiException e) {
      throw die(e.getMessage());
    } catch (PermissionBackendException e) {
      throw new Failure(1, "unavailable", e);
    }
  }
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/IndexChangesCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/IndexChangesCommand.java
@@ -18,6 +18,7 @@ import com.google.gerrit.extensions.restapi.RestApiException;
 import com.google.gerrit.reviewdb.client.Change;
 import com.google.gerrit.server.change.ChangeResource;
 import com.google.gerrit.server.change.Index;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.sshd.ChangeArgumentParser;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
@@ -57,7 +58,7 @@ final class IndexChangesCommand extends SshCommand {
    for (ChangeResource rsrc : changes.values()) {
      try {
        index.apply(rsrc, new Index.Input());
-      } catch (IOException | RestApiException | OrmException e) {
+      } catch (IOException | RestApiException | OrmException | PermissionBackendException e) {
        ok = false;
        writeError(
            "error", String.format("failed to index change %s: %s", rsrc.getId(), e.getMessage()));
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/KillCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/KillCommand.java
@@ -25,6 +25,7 @@ import com.google.gerrit.server.config.ConfigResource;
 import com.google.gerrit.server.config.DeleteTask;
 import com.google.gerrit.server.config.TaskResource;
 import com.google.gerrit.server.config.TasksCollection;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.sshd.AdminHighPriorityCommand;
 import com.google.gerrit.sshd.SshCommand;
 import com.google.inject.Inject;
@@ -50,7 +51,7 @@ final class KillCommand extends SshCommand {
      try {
        TaskResource taskRsrc = tasksCollection.parse(cfgRsrc, IdString.fromDecoded(id));
        deleteTask.apply(taskRsrc, null);
-      } catch (AuthException | ResourceNotFoundException e) {
+      } catch (AuthException | ResourceNotFoundException | PermissionBackendException e) {
        stderr.print("kill: " + id + ": No such task\n");
      }
    }
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
@@ -42,6 +42,7 @@ import com.google.gerrit.server.account.PutActive;
 import com.google.gerrit.server.account.PutHttpPassword;
 import com.google.gerrit.server.account.PutName;
 import com.google.gerrit.server.account.PutPreferred;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
 import com.google.gwtorm.server.OrmException;
@@ -174,7 +175,8 @@ final class SetAccountCommand extends SshCommand {
  }
  private void setAccount()
-      throws OrmException, IOException, UnloggedFailure, ConfigInvalidException {
+      throws OrmException, IOException, UnloggedFailure, ConfigInvalidException,
          PermissionBackendException {
    user = genericUserFactory.create(id);
    rsrc = new AccountResource(user);
    try {
@@ -237,7 +239,7 @@ final class SetAccountCommand extends SshCommand {
  private void deleteSshKeys(List<String> sshKeys)
      throws RestApiException, OrmException, RepositoryNotFoundException, IOException,
-          ConfigInvalidException {
+          ConfigInvalidException, PermissionBackendException {
    List<SshKeyInfo> infos = getSshKeys.apply(rsrc);
    if (sshKeys.contains("ALL")) {
      for (SshKeyInfo i : infos) {
@@ -263,7 +265,8 @@ final class SetAccountCommand extends SshCommand {
  }
  private void addEmail(String email)
-      throws UnloggedFailure, RestApiException, OrmException, IOException, ConfigInvalidException {
+      throws UnloggedFailure, RestApiException, OrmException, IOException, ConfigInvalidException,
          PermissionBackendException {
    EmailInput in = new EmailInput();
    in.email = email;
    in.noConfirmation = true;
@@ -275,7 +278,8 @@ final class SetAccountCommand extends SshCommand {
  }
  private void deleteEmail(String email)
-      throws RestApiException, OrmException, IOException, ConfigInvalidException {
+      throws RestApiException, OrmException, IOException, ConfigInvalidException,
          PermissionBackendException {
    if (email.equals("ALL")) {
      List<EmailInfo> emails = getEmails.apply(rsrc);
      for (EmailInfo e : emails) {
@@ -286,7 +290,8 @@ final class SetAccountCommand extends SshCommand {
    }
  }
-  private void putPreferred(String email) throws RestApiException, OrmException, IOException {
+  private void putPreferred(String email)
      throws RestApiException, OrmException, IOException, PermissionBackendException {
    for (EmailInfo e : getEmails.apply(rsrc)) {
      if (e.email.equals(email)) {
        putPreferred.apply(new AccountResource.Email(user, email), null);
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowCaches.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowCaches.java
@@ -23,6 +23,7 @@ import com.google.gerrit.common.TimeUtil;
 import com.google.gerrit.common.Version;
 import com.google.gerrit.extensions.annotations.RequiresAnyCapability;
 import com.google.gerrit.extensions.events.LifecycleListener;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.config.ConfigResource;
 import com.google.gerrit.server.config.GetSummary;
@@ -34,6 +35,9 @@ import com.google.gerrit.server.config.GetSummary.ThreadSummaryInfo;
 import com.google.gerrit.server.config.ListCaches;
 import com.google.gerrit.server.config.ListCaches.CacheInfo;
 import com.google.gerrit.server.config.ListCaches.CacheType;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
 import com.google.gerrit.sshd.SshDaemon;
@@ -80,12 +84,10 @@ final class ShowCaches extends SshCommand {
  private boolean showThreads;
  @Inject private SshDaemon daemon;
  @Inject private ListCaches listCaches;
  @Inject private GetSummary getSummary;
  @Inject private CurrentUser self;
  @Inject private PermissionBackend permissionBackend;
  @Option(
    name = "--width",
@@ -168,7 +170,15 @@ final class ShowCaches extends SshCommand {
    printDiskCaches(caches);
    stdout.print('\n');
-    if (self.getCapabilities().canMaintainServer()) {
+    boolean showJvm;
    try {
      permissionBackend.user(self).check(GlobalPermission.MAINTAIN_SERVER);
      showJvm = true;
    } catch (AuthException | PermissionBackendException e) {
      // Silently ignore and do not display detailed JVM information.
      showJvm = false;
    }
    if (showJvm) {
      sshSummary();
      SummaryInfo summary = getSummary.setGc(gc).setJvm(showJVM).apply(new ConfigResource());
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowQueue.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/ShowQueue.java
@@ -27,6 +27,9 @@ import com.google.gerrit.server.config.ListTasks;
 import com.google.gerrit.server.config.ListTasks.TaskInfo;
 import com.google.gerrit.server.git.WorkQueue;
 import com.google.gerrit.server.git.WorkQueue.Task;
 import com.google.gerrit.server.permissions.GlobalPermission;
 import com.google.gerrit.server.permissions.PermissionBackend;
 import com.google.gerrit.server.permissions.PermissionBackendException;
 import com.google.gerrit.sshd.AdminHighPriorityCommand;
 import com.google.gerrit.sshd.CommandMetaData;
 import com.google.gerrit.sshd.SshCommand;
@@ -60,10 +63,9 @@ final class ShowQueue extends SshCommand {
  )
  private boolean groupByQueue;
  @Inject private PermissionBackend permissionBackend;
  @Inject private ListTasks listTasks;
  @Inject private IdentifiedUser currentUser;
  @Inject private WorkQueue workQueue;
  private int columns = 80;
@@ -83,7 +85,7 @@ final class ShowQueue extends SshCommand {
  }
  @Override
-  protected void run() throws UnloggedFailure {
+  protected void run() throws Failure {
    maxCommandWidth = wide ? Integer.MAX_VALUE : columns - 8 - 12 - 12 - 4 - 4;
    stdout.print(
        String.format(
@@ -97,10 +99,12 @@ final class ShowQueue extends SshCommand {
      tasks = listTasks.apply(new ConfigResource());
    } catch (AuthException e) {
      throw die(e);
    } catch (PermissionBackendException e) {
      throw new Failure(1, "permission backend unavailable", e);
    }
    boolean viewAll = currentUser.getCapabilities().canViewQueue();
    long now = TimeUtil.nowMs();
    boolean viewAll = permissionBackend.user(currentUser).testOrFalse(GlobalPermission.VIEW_QUEUE);
    long now = TimeUtil.nowMs();
    if (groupByQueue) {
      ListMultimap<String, TaskInfo> byQueue = byQueue(tasks);
      for (String queueName : byQueue.keySet()) {