Make read access to refs/meta/config by default exclusive to project owners

When initializing a new site a set of default access rights is
configured on the wild project. These default access right include
read access on refs/* for Anonymous Users and read access on
refs/meta/config for Project Owners. Since the read access on
refs/meta/config for Project Owners was not exclusive, Anonymous users
were able to access the refs/meta/config branch which by default should
only be accessible by the project owners.

Change-Id: I4b42418ed2d2a1e7d8bd1458513cc37830be4e0d
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>

gerrit-server/src/main/java/com/google/gerrit/server/schema/SchemaCreator.java

@@ -252,8 +252,9 @@ public class SchemaCreator {
       all.getPermission(Permission.FORGE_AUTHOR, true) //
           .add(rule(config, registered));
 
-      meta.getPermission(Permission.READ, true) //
+      Permission metaReadPermission = meta.getPermission(Permission.READ, true);
-          .add(rule(config, owners));
+      metaReadPermission.setExclusiveGroup(true);
+      metaReadPermission.add(rule(config, owners));
 
       md.setMessage("Initialized Gerrit Code Review " + Version.getVersion());
       if (!config.commit(md)) {