Split auth check in account REST endpoints from implementation
This allows the code to be reused with a different permission check (e.g. in a plugin). Change-Id: I51a22a933e69387b991ccd8a0f783a0838a7ba1b Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
@@ -26,6 +26,7 @@ import com.google.gerrit.extensions.restapi.RestModifyView;
|
|||||||
import com.google.gerrit.reviewdb.client.AuthType;
|
import com.google.gerrit.reviewdb.client.AuthType;
|
||||||
import com.google.gerrit.reviewdb.client.Account.FieldName;
|
import com.google.gerrit.reviewdb.client.Account.FieldName;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
import com.google.gerrit.server.account.CreateEmail.Input;
|
import com.google.gerrit.server.account.CreateEmail.Input;
|
||||||
import com.google.gerrit.server.account.GetEmails.EmailInfo;
|
import com.google.gerrit.server.account.GetEmails.EmailInfo;
|
||||||
import com.google.gerrit.server.config.AuthConfig;
|
import com.google.gerrit.server.config.AuthConfig;
|
||||||
@@ -87,36 +88,43 @@ public class CreateEmail implements RestModifyView<AccountResource, Input> {
|
|||||||
throw new AuthException("not allowed to add email address");
|
throw new AuthException("not allowed to add email address");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!realm.allowsEdit(FieldName.REGISTER_NEW_EMAIL)) {
|
|
||||||
throw new MethodNotAllowedException("realm does not allow adding emails");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (input == null) {
|
if (input == null) {
|
||||||
input = new Input();
|
input = new Input();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (input.email != null && !email.equals(input.email)) {
|
|
||||||
throw new BadRequestException("email address must match URL");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (input.noConfirmation
|
if (input.noConfirmation
|
||||||
&& !self.get().getCapabilities().canAdministrateServer()) {
|
&& !self.get().getCapabilities().canAdministrateServer()) {
|
||||||
throw new AuthException("must be administrator to use no_confirmation");
|
throw new AuthException("must be administrator to use no_confirmation");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return apply(rsrc.getUser(), input);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Response<EmailInfo> apply(IdentifiedUser user, Input input)
|
||||||
|
throws AuthException, BadRequestException, ResourceConflictException,
|
||||||
|
ResourceNotFoundException, OrmException, EmailException,
|
||||||
|
MethodNotAllowedException {
|
||||||
|
if (!realm.allowsEdit(FieldName.REGISTER_NEW_EMAIL)) {
|
||||||
|
throw new MethodNotAllowedException("realm does not allow adding emails");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (input.email != null && !email.equals(input.email)) {
|
||||||
|
throw new BadRequestException("email address must match URL");
|
||||||
|
}
|
||||||
|
|
||||||
EmailInfo info = new EmailInfo();
|
EmailInfo info = new EmailInfo();
|
||||||
info.email = email;
|
info.email = email;
|
||||||
if (input.noConfirmation
|
if (input.noConfirmation
|
||||||
|| authConfig.getAuthType() == AuthType.DEVELOPMENT_BECOME_ANY_ACCOUNT) {
|
|| authConfig.getAuthType() == AuthType.DEVELOPMENT_BECOME_ANY_ACCOUNT) {
|
||||||
try {
|
try {
|
||||||
accountManager.link(rsrc.getUser().getAccountId(),
|
accountManager.link(user.getAccountId(),
|
||||||
AuthRequest.forEmail(email));
|
AuthRequest.forEmail(email));
|
||||||
} catch (AccountException e) {
|
} catch (AccountException e) {
|
||||||
throw new ResourceConflictException(e.getMessage());
|
throw new ResourceConflictException(e.getMessage());
|
||||||
}
|
}
|
||||||
if (input.preferred) {
|
if (input.preferred) {
|
||||||
putPreferredProvider.get().apply(
|
putPreferredProvider.get().apply(
|
||||||
new AccountResource.Email(rsrc.getUser(), email),
|
new AccountResource.Email(user, email),
|
||||||
null);
|
null);
|
||||||
info.preferred = true;
|
info.preferred = true;
|
||||||
}
|
}
|
||||||
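Review bot: The new public `apply(IdentifiedUser user, Input input)` has no Javadoc saying that it performs no permission check, and it acts on `input.noConfirmation` by itself, since the administrator test for that flag stays in the REST wrapper that now ends in `return apply(rsrc.getUser(), input);`. Anyone reusing the overload must authorize both the target account and the use of `noConfirmation`; I would put that on the method, e.g. `/** Performs no permission check; the caller must authorize the operation, including use of noConfirmation. */`. The same comment is missing on the `apply(IdentifiedUser, ...)` overloads added to DeleteEmail, GetSshKeys, PutHttpPassword, PutName and PutPreferred. Two smaller points in the same method: the `input == null` default also stays in the wrapper, so `input.email` is dereferenced unguarded here, and the preferred branch still calls `putPreferredProvider.get().apply(new AccountResource.Email(user, email), null)`, which looks like PutPreferred's checked entry point rather than its new `apply(user, email)`. The method body runs past the end of the hunk.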
|
|||||||
@@ -24,6 +24,7 @@ import com.google.gerrit.reviewdb.client.Account.FieldName;
|
|||||||
import com.google.gerrit.reviewdb.client.AccountExternalId;
|
import com.google.gerrit.reviewdb.client.AccountExternalId;
|
||||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
import com.google.gerrit.server.account.DeleteEmail.Input;
|
import com.google.gerrit.server.account.DeleteEmail.Input;
|
||||||
import com.google.gwtorm.server.OrmException;
|
import com.google.gwtorm.server.OrmException;
|
||||||
import com.google.inject.Inject;
|
import com.google.inject.Inject;
|
||||||
@@ -55,18 +56,24 @@ public class DeleteEmail implements RestModifyView<AccountResource.Email, Input>
|
|||||||
&& !self.get().getCapabilities().canAdministrateServer()) {
|
&& !self.get().getCapabilities().canAdministrateServer()) {
|
||||||
throw new AuthException("not allowed to delete email address");
|
throw new AuthException("not allowed to delete email address");
|
||||||
}
|
}
|
||||||
|
return apply(rsrc.getUser(), rsrc.getEmail());
|
||||||
|
}
|
||||||
|
|
||||||
|
public Response<?> apply(IdentifiedUser user, String email)
|
||||||
|
throws ResourceNotFoundException, ResourceConflictException,
|
||||||
|
MethodNotAllowedException, OrmException {
|
||||||
if (!realm.allowsEdit(FieldName.REGISTER_NEW_EMAIL)) {
|
if (!realm.allowsEdit(FieldName.REGISTER_NEW_EMAIL)) {
|
||||||
throw new MethodNotAllowedException("realm does not allow deleting emails");
|
throw new MethodNotAllowedException("realm does not allow deleting emails");
|
||||||
}
|
}
|
||||||
AccountExternalId.Key key = new AccountExternalId.Key(
|
AccountExternalId.Key key = new AccountExternalId.Key(
|
||||||
AccountExternalId.SCHEME_MAILTO, rsrc.getEmail());
|
AccountExternalId.SCHEME_MAILTO, email);
|
||||||
AccountExternalId extId = dbProvider.get().accountExternalIds().get(key);
|
AccountExternalId extId = dbProvider.get().accountExternalIds().get(key);
|
||||||
if (extId == null) {
|
if (extId == null) {
|
||||||
throw new ResourceNotFoundException(rsrc.getEmail());
|
throw new ResourceNotFoundException(email);
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
accountManager.unlink(rsrc.getUser().getAccountId(),
|
accountManager.unlink(user.getAccountId(),
|
||||||
AuthRequest.forEmail(rsrc.getEmail()));
|
AuthRequest.forEmail(email));
|
||||||
} catch (AccountException e) {
|
} catch (AccountException e) {
|
||||||
throw new ResourceConflictException(e.getMessage());
|
throw new ResourceConflictException(e.getMessage());
|
||||||
}
|
}
|
||||||
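Review bot: `apply(IdentifiedUser user, String email)` looks the external id up by e-mail address alone and never compares its owner with `user` before calling `accountManager.unlink(user.getAccountId(), AuthRequest.forEmail(email))`. Through the REST wrapper both values come from the same `AccountResource.Email`, but a direct caller can pass any pair, so the method depends on `unlink` rejecting an address held by another account, and that is not visible in this hunk. I would make the ownership test explicit at the lookup: `if (extId == null || !extId.getAccountId().equals(user.getAccountId())) { throw new ResourceNotFoundException(email); }`. The method body runs past the end of the hunk.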
|
|||||||
@@ -21,6 +21,7 @@ import com.google.gerrit.extensions.restapi.RestReadView;
|
|||||||
import com.google.gerrit.reviewdb.client.AccountSshKey;
|
import com.google.gerrit.reviewdb.client.AccountSshKey;
|
||||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
import com.google.gwtorm.server.OrmException;
|
import com.google.gwtorm.server.OrmException;
|
||||||
import com.google.inject.Inject;
|
import com.google.inject.Inject;
|
||||||
import com.google.inject.Provider;
|
import com.google.inject.Provider;
|
||||||
@@ -45,10 +46,13 @@ public class GetSshKeys implements RestReadView<AccountResource> {
|
|||||||
&& !self.get().getCapabilities().canAdministrateServer()) {
|
&& !self.get().getCapabilities().canAdministrateServer()) {
|
||||||
throw new AuthException("not allowed to get SSH keys");
|
throw new AuthException("not allowed to get SSH keys");
|
||||||
}
|
}
|
||||||
|
return apply(rsrc.getUser());
|
||||||
|
}
|
||||||
|
|
||||||
|
public List<SshKeyInfo> apply(IdentifiedUser user) throws OrmException {
|
||||||
List<SshKeyInfo> sshKeys = Lists.newArrayList();
|
List<SshKeyInfo> sshKeys = Lists.newArrayList();
|
||||||
for (AccountSshKey sshKey : dbProvider.get().accountSshKeys()
|
for (AccountSshKey sshKey : dbProvider.get().accountSshKeys()
|
||||||
.byAccount(rsrc.getUser().getAccountId()).toList()) {
|
.byAccount(user.getAccountId()).toList()) {
|
||||||
sshKeys.add(new SshKeyInfo(sshKey));
|
sshKeys.add(new SshKeyInfo(sshKey));
|
||||||
}
|
}
|
||||||
return sshKeys;
|
return sshKeys;
|
||||||
|
|||||||
@@ -25,6 +25,7 @@ import com.google.gerrit.extensions.restapi.RestModifyView;
|
|||||||
import com.google.gerrit.reviewdb.client.AccountExternalId;
|
import com.google.gerrit.reviewdb.client.AccountExternalId;
|
||||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
import com.google.gerrit.server.account.PutHttpPassword.Input;
|
import com.google.gerrit.server.account.PutHttpPassword.Input;
|
||||||
import com.google.gwtorm.server.OrmException;
|
import com.google.gwtorm.server.OrmException;
|
||||||
import com.google.inject.Inject;
|
import com.google.inject.Inject;
|
||||||
@@ -94,21 +95,24 @@ public class PutHttpPassword implements RestModifyView<AccountResource, Input> {
|
|||||||
}
|
}
|
||||||
newPassword = input.httpPassword;
|
newPassword = input.httpPassword;
|
||||||
}
|
}
|
||||||
|
return apply(rsrc.getUser(), newPassword);
|
||||||
|
}
|
||||||
|
|
||||||
if (rsrc.getUser().getUserName() == null) {
|
public Response<String> apply(IdentifiedUser user, String newPassword)
|
||||||
|
throws ResourceNotFoundException, ResourceConflictException, OrmException {
|
||||||
|
if (user.getUserName() == null) {
|
||||||
throw new ResourceConflictException("username must be set");
|
throw new ResourceConflictException("username must be set");
|
||||||
}
|
}
|
||||||
|
|
||||||
AccountExternalId id = dbProvider.get().accountExternalIds()
|
AccountExternalId id = dbProvider.get().accountExternalIds()
|
||||||
.get(new AccountExternalId.Key(
|
.get(new AccountExternalId.Key(
|
||||||
SCHEME_USERNAME,
|
SCHEME_USERNAME, user.getUserName()));
|
||||||
rsrc.getUser().getUserName()));
|
|
||||||
if (id == null) {
|
if (id == null) {
|
||||||
throw new ResourceNotFoundException();
|
throw new ResourceNotFoundException();
|
||||||
}
|
}
|
||||||
id.setPassword(newPassword);
|
id.setPassword(newPassword);
|
||||||
dbProvider.get().accountExternalIds().update(Collections.singleton(id));
|
dbProvider.get().accountExternalIds().update(Collections.singleton(id));
|
||||||
accountCache.evict(rsrc.getUser().getAccountId());
|
accountCache.evict(user.getAccountId());
|
||||||
|
|
||||||
return Strings.isNullOrEmpty(newPassword)
|
return Strings.isNullOrEmpty(newPassword)
|
||||||
? Response.<String>none()
|
? Response.<String>none()
|
||||||
|
|||||||
@@ -25,6 +25,7 @@ import com.google.gerrit.reviewdb.client.Account;
|
|||||||
import com.google.gerrit.reviewdb.client.Account.FieldName;
|
import com.google.gerrit.reviewdb.client.Account.FieldName;
|
||||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
import com.google.gerrit.server.account.PutName.Input;
|
import com.google.gerrit.server.account.PutName.Input;
|
||||||
import com.google.gwtorm.server.OrmException;
|
import com.google.gwtorm.server.OrmException;
|
||||||
import com.google.inject.Inject;
|
import com.google.inject.Inject;
|
||||||
@@ -60,7 +61,11 @@ public class PutName implements RestModifyView<AccountResource, Input> {
|
|||||||
&& !self.get().getCapabilities().canAdministrateServer()) {
|
&& !self.get().getCapabilities().canAdministrateServer()) {
|
||||||
throw new AuthException("not allowed to change name");
|
throw new AuthException("not allowed to change name");
|
||||||
}
|
}
|
||||||
|
return apply(rsrc.getUser(), input);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Response<String> apply(IdentifiedUser user, Input input)
|
||||||
|
throws MethodNotAllowedException, ResourceNotFoundException, OrmException {
|
||||||
if (!realm.allowsEdit(FieldName.FULL_NAME)) {
|
if (!realm.allowsEdit(FieldName.FULL_NAME)) {
|
||||||
throw new MethodNotAllowedException("realm does not allow editing name");
|
throw new MethodNotAllowedException("realm does not allow editing name");
|
||||||
}
|
}
|
||||||
@@ -69,7 +74,7 @@ public class PutName implements RestModifyView<AccountResource, Input> {
|
|||||||
input = new Input();
|
input = new Input();
|
||||||
}
|
}
|
||||||
|
|
||||||
Account a = dbProvider.get().accounts().get(rsrc.getUser().getAccountId());
|
Account a = dbProvider.get().accounts().get(user.getAccountId());
|
||||||
if (a == null) {
|
if (a == null) {
|
||||||
throw new ResourceNotFoundException("account not found");
|
throw new ResourceNotFoundException("account not found");
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -21,6 +21,7 @@ import com.google.gerrit.extensions.restapi.RestModifyView;
|
|||||||
import com.google.gerrit.reviewdb.client.Account;
|
import com.google.gerrit.reviewdb.client.Account;
|
||||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||||
import com.google.gerrit.server.CurrentUser;
|
import com.google.gerrit.server.CurrentUser;
|
||||||
|
import com.google.gerrit.server.IdentifiedUser;
|
||||||
import com.google.gerrit.server.account.PutPreferred.Input;
|
import com.google.gerrit.server.account.PutPreferred.Input;
|
||||||
import com.google.gwtorm.server.OrmException;
|
import com.google.gwtorm.server.OrmException;
|
||||||
import com.google.inject.Inject;
|
import com.google.inject.Inject;
|
||||||
@@ -52,15 +53,19 @@ public class PutPreferred implements
|
|||||||
&& !self.get().getCapabilities().canAdministrateServer()) {
|
&& !self.get().getCapabilities().canAdministrateServer()) {
|
||||||
throw new AuthException("not allowed to set preferred email address");
|
throw new AuthException("not allowed to set preferred email address");
|
||||||
}
|
}
|
||||||
|
return apply(rsrc.getUser(), rsrc.getEmail());
|
||||||
|
}
|
||||||
|
|
||||||
Account a = dbProvider.get().accounts().get(rsrc.getUser().getAccountId());
|
public Response<String> apply(IdentifiedUser user, String email)
|
||||||
|
throws ResourceNotFoundException, OrmException {
|
||||||
|
Account a = dbProvider.get().accounts().get(user.getAccountId());
|
||||||
if (a == null) {
|
if (a == null) {
|
||||||
throw new ResourceNotFoundException("account not found");
|
throw new ResourceNotFoundException("account not found");
|
||||||
}
|
}
|
||||||
if (rsrc.getEmail().equals(a.getPreferredEmail())) {
|
if (email.equals(a.getPreferredEmail())) {
|
||||||
return Response.ok("");
|
return Response.ok("");
|
||||||
}
|
}
|
||||||
a.setPreferredEmail(rsrc.getEmail());
|
a.setPreferredEmail(email);
|
||||||
dbProvider.get().accounts().update(Collections.singleton(a));
|
dbProvider.get().accounts().update(Collections.singleton(a));
|
||||||
byIdCache.evict(a.getId());
|
byIdCache.evict(a.getId());
|
||||||
return Response.created("");
|
return Response.created("");
|
||||||
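Review bot: `apply(IdentifiedUser user, String email)` writes whatever string it is given into `a.setPreferredEmail(email)` without checking that the address is registered for `user`. On the REST path the value comes from `rsrc.getEmail()`, which presumably was resolved against the account's own addresses, so a direct caller could make an unconfirmed address the preferred one. I would either document that precondition on the method or enforce it before the account is loaded, e.g. `if (!user.getEmailAddresses().contains(email)) { throw new ResourceNotFoundException(email); }`, which also avoids the NullPointerException that `email.equals(...)` throws for a null argument. The method's closing brace lies outside the hunk.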
|
|||||||