Disable administrative permissions during X-Gerrit-RunAs

When executing an action on behalf of an administrator, disable the administrateServer capability during the request. This may limit the damage a compromised role account could cause by avoiding any permissions that are not explicitly granted. Change-Id: I263e1d8e1a645617842f11b7712f79f5c009c6ca
2013-06-12 11:21:35 -07:00
parent 8597ecf620
commit f3ffd088ef
6 changed files with 70 additions and 17 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/CurrentUser.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/CurrentUser.java
@@ -50,6 +50,20 @@ public abstract class CurrentUser {
    accessPath = path;
  }

+  /**
+   * Identity of the authenticated user.
+   * <p>
+   * In the normal case where a user authenticates as themselves
+   * {@code getRealUser() == this}.
+   * <p>
+   * If {@code X-Gerrit-RunAs} or {@code suexec} was used this method returns
+   * the identity of the account that has permission to act on behalf of this
+   * user.
+   */
+  public CurrentUser getRealUser() {
+    return this;
+  }
+
  /**
   * Get the set of groups the user is currently a member of.
   * <p>
@@ -76,11 +90,9 @@ public abstract class CurrentUser {

  /** Capabilities available to this user account. */
  public CapabilityControl getCapabilities() {
-    CapabilityControl ctl = capabilities;
-    if (ctl == null) {
-      ctl = capabilityControlFactory.create(this);
-      capabilities = ctl;
+    if (capabilities == null) {
+      capabilities = capabilityControlFactory.create(this);
    }
-    return ctl;
+    return capabilities;
  }
 }