Disable administrative permissions during X-Gerrit-RunAs

When executing an action on behalf of an administrator, disable the administrateServer capability during the request. This may limit the damage a compromised role account could cause by avoiding any permissions that are not explicitly granted. Change-Id: I263e1d8e1a645617842f11b7712f79f5c009c6ca
2013-06-12 11:21:35 -07:00
parent 8597ecf620
commit f3ffd088ef
6 changed files with 70 additions and 17 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
@@ -65,8 +65,12 @@ public class CapabilityControl {
  /** @return true if the user can administer this server. */
  public boolean canAdministrateServer() {
    if (canAdministrateServer == null) {
-      canAdministrateServer = user instanceof PeerDaemonUser
-          || matchAny(capabilities.administrateServer, ALLOWED_RULE);
+      if (user.getRealUser() != user) {
+        canAdministrateServer = false;
+      } else {
+        canAdministrateServer = user instanceof PeerDaemonUser
+            || matchAny(capabilities.administrateServer, ALLOWED_RULE);
+      }
    }
    return canAdministrateServer;
  }