opendev/gerrit
Code Issues Proposed changes

AccessSection.getPermissions: Return defensive copy of list

Browse Source 
If AccessSection directly returns its modifyable list, callers can
modify the list outside of AccessSection. This is bad because this way
it is possible to violate assumptions of the AccessSection class. E.g.
AccessSection makes sure that the permission list cannot contain
duplicate permissions. Having duplicate permissions in the permission
list can lead to severe problems. E.g. duplicate permissions on an
access section of the All-Projects project make the permissions of the
All-Project project unreadable and Gerrit effectively stops working.
This is because ProjectState#getLocalAccessSections() filters out some
permissions on the All-Projects project by getting the list of
permissions from AccessSection and setting the filtered list back on
AccessSection. If the list that was retrieved from AccessSection
contained duplicate permissions, setting back the list failed with
IllegalArgumentException since
AccessSection#setPermissions(List<Permission>) doesn't allow duplicate
permissions.

A similar issue was already fixed by change I5222cd9174 and change
Ief24c6e82f.

Ideally we would return an ImmutableList from
AccessSection.getPermissions() but we cannot use ImmutableList in
classes that are used by the GWT UI.

Change-Id: I61f0baf6deb5c4ba1b609aacaabeb1f149f444d9
Signed-off-by: Edwin Kempin <ekempin@google.com>
This commit is contained in:
Edwin Kempin
2018-07-05 13:16:55 +02:00
parent a6309f75bb
commit f3c75eae24
4 changed files with 40 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
gerrit-gwtui/src/main/java/com/google/gerrit/client/admin/AccessSectionEditor.java
View File

@@ -169,7 +169,7 @@ public class AccessSectionEditor extends Composite
@Override
public void setValue(AccessSection value) {
Collections.sort(value.getPermissions());
sortPermissions(value);
this.value = value;
this.readOnly = !editing || !(projectAccess.isOwnerOf(value) || projectAccess.canUpload());
@@ -204,6 +204,12 @@ public class AccessSectionEditor extends Composite
}
}
private void sortPermissions(AccessSection accessSection) {
List<Permission> permissionList = new ArrayList<>(accessSection.getPermissions());
Collections.sort(permissionList);
accessSection.setPermissions(permissionList);
}
void setEditing(boolean editing) {
this.editing = editing;
}