Merge "Remove CapabilityControl from CurrentUser"
This commit is contained in:
David Pursehouse
Gerrit Code Review
commit
f80e91155b
@ -20,6 +20,7 @@ import static java.util.concurrent.TimeUnit.MINUTES;
|
||||
import static javax.servlet.http.HttpServletResponse.SC_SERVICE_UNAVAILABLE;
|
||||
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.config.GerritServerConfig;
|
||||
import com.google.gerrit.server.git.QueueProvider;
|
||||
import com.google.gerrit.server.git.WorkQueue.CancelableRunnable;
|
||||
@ -69,7 +70,6 @@ public class ProjectQoSFilter implements Filter {
|
||||
private static final Pattern URI_PATTERN = Pattern.compile(FILTER_RE);
|
||||
|
||||
public static class Module extends ServletModule {
|
||||
|
||||
@Override
|
||||
protected void configureServlets() {
|
||||
bind(QueueProvider.class).to(CommandExecutorQueueProvider.class).in(SINGLETON);
|
||||
@ -77,18 +77,20 @@ public class ProjectQoSFilter implements Filter {
|
||||
}
|
||||
}
|
||||
|
||||
private final CapabilityControl.Factory capabilityFactory;
|
||||
private final Provider<CurrentUser> user;
|
||||
private final QueueProvider queue;
|
||||
|
||||
private final ServletContext context;
|
||||
private final long maxWait;
|
||||
|
||||
@Inject
|
||||
ProjectQoSFilter(
|
||||
CapabilityControl.Factory capabilityFactory,
|
||||
Provider<CurrentUser> user,
|
||||
QueueProvider queue,
|
||||
ServletContext context,
|
||||
@GerritServerConfig Config cfg) {
|
||||
this.capabilityFactory = capabilityFactory;
|
||||
this.user = user;
|
||||
this.queue = queue;
|
||||
this.context = context;
|
||||
@ -137,7 +139,8 @@ public class ProjectQoSFilter implements Filter {
|
||||
}
|
||||
|
||||
private ScheduledThreadPoolExecutor getExecutor() {
|
||||
return queue.getQueue(user.get().getCapabilities().getQueueType());
|
||||
QueueProvider.QueueType qt = capabilityFactory.create(user.get()).getQueueType();
|
||||
return queue.getQueue(qt);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -32,7 +32,6 @@ import com.google.gerrit.server.account.AccountCacheImpl;
|
||||
import com.google.gerrit.server.account.AccountVisibility;
|
||||
import com.google.gerrit.server.account.AccountVisibilityProvider;
|
||||
import com.google.gerrit.server.account.CapabilityCollection;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.FakeRealm;
|
||||
import com.google.gerrit.server.account.GroupCacheImpl;
|
||||
import com.google.gerrit.server.account.GroupIncludeCacheImpl;
|
||||
@ -164,7 +163,6 @@ public class BatchProgramModule extends FactoryModule {
|
||||
install(MergeabilityCacheImpl.module());
|
||||
install(TagCache.module());
|
||||
factory(CapabilityCollection.Factory.class);
|
||||
factory(CapabilityControl.Factory.class);
|
||||
factory(ChangeData.Factory.class);
|
||||
factory(ProjectState.Factory.class);
|
||||
|
||||
|
||||
@ -14,20 +14,13 @@
|
||||
|
||||
package com.google.gerrit.server;
|
||||
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.gerrit.server.account.ListGroupMembership;
|
||||
import com.google.gerrit.server.group.SystemGroupBackend;
|
||||
import com.google.inject.Inject;
|
||||
import java.util.Collections;
|
||||
|
||||
/** An anonymous user who has not yet authenticated. */
|
||||
public class AnonymousUser extends CurrentUser {
|
||||
@Inject
|
||||
AnonymousUser(CapabilityControl.Factory capabilityControlFactory) {
|
||||
super(capabilityControlFactory);
|
||||
}
|
||||
|
||||
@Override
|
||||
public GroupMembership getEffectiveGroups() {
|
||||
return new ListGroupMembership(Collections.singleton(SystemGroupBackend.ANONYMOUS_USERS));
|
||||
|
||||
@ -16,7 +16,6 @@ package com.google.gerrit.server;
|
||||
|
||||
import com.google.gerrit.common.Nullable;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.gerrit.server.account.externalids.ExternalId;
|
||||
import com.google.inject.servlet.RequestScoped;
|
||||
@ -40,16 +39,9 @@ public abstract class CurrentUser {
|
||||
private PropertyKey() {}
|
||||
}
|
||||
|
||||
private final CapabilityControl.Factory capabilityControlFactory;
|
||||
private AccessPath accessPath = AccessPath.UNKNOWN;
|
||||
|
||||
private CapabilityControl capabilities;
|
||||
private PropertyKey<ExternalId.Key> lastLoginExternalIdPropertyKey = PropertyKey.create();
|
||||
|
||||
protected CurrentUser(CapabilityControl.Factory capabilityControlFactory) {
|
||||
this.capabilityControlFactory = capabilityControlFactory;
|
||||
}
|
||||
|
||||
/** How this user is accessing the Gerrit Code Review application. */
|
||||
public final AccessPath getAccessPath() {
|
||||
return accessPath;
|
||||
@ -98,14 +90,6 @@ public abstract class CurrentUser {
|
||||
return null;
|
||||
}
|
||||
|
||||
/** Capabilities available to this user account. */
|
||||
public CapabilityControl getCapabilities() {
|
||||
if (capabilities == null) {
|
||||
capabilities = capabilityControlFactory.create(this);
|
||||
}
|
||||
return capabilities;
|
||||
}
|
||||
|
||||
/** Check if user is the IdentifiedUser */
|
||||
public boolean isIdentifiedUser() {
|
||||
return false;
|
||||
|
||||
@ -21,7 +21,6 @@ import com.google.gerrit.common.Nullable;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.server.account.AccountCache;
|
||||
import com.google.gerrit.server.account.AccountState;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupBackend;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.gerrit.server.account.ListGroupMembership;
|
||||
@ -55,7 +54,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
/** Create an IdentifiedUser, ignoring any per-request state. */
|
||||
@Singleton
|
||||
public static class GenericFactory {
|
||||
private final CapabilityControl.Factory capabilityControlFactory;
|
||||
private final AuthConfig authConfig;
|
||||
private final Realm realm;
|
||||
private final String anonymousCowardName;
|
||||
@ -66,7 +64,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
|
||||
@Inject
|
||||
public GenericFactory(
|
||||
@Nullable CapabilityControl.Factory capabilityControlFactory,
|
||||
AuthConfig authConfig,
|
||||
Realm realm,
|
||||
@AnonymousCowardName String anonymousCowardName,
|
||||
@ -74,7 +71,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
@DisableReverseDnsLookup Boolean disableReverseDnsLookup,
|
||||
AccountCache accountCache,
|
||||
GroupBackend groupBackend) {
|
||||
this.capabilityControlFactory = capabilityControlFactory;
|
||||
this.authConfig = authConfig;
|
||||
this.realm = realm;
|
||||
this.anonymousCowardName = anonymousCowardName;
|
||||
@ -86,7 +82,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
|
||||
public IdentifiedUser create(AccountState state) {
|
||||
return new IdentifiedUser(
|
||||
capabilityControlFactory,
|
||||
authConfig,
|
||||
realm,
|
||||
anonymousCowardName,
|
||||
@ -110,7 +105,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
public IdentifiedUser runAs(
|
||||
SocketAddress remotePeer, Account.Id id, @Nullable CurrentUser caller) {
|
||||
return new IdentifiedUser(
|
||||
capabilityControlFactory,
|
||||
authConfig,
|
||||
realm,
|
||||
anonymousCowardName,
|
||||
@ -132,7 +126,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
*/
|
||||
@Singleton
|
||||
public static class RequestFactory {
|
||||
private final CapabilityControl.Factory capabilityControlFactory;
|
||||
private final AuthConfig authConfig;
|
||||
private final Realm realm;
|
||||
private final String anonymousCowardName;
|
||||
@ -144,7 +137,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
|
||||
@Inject
|
||||
RequestFactory(
|
||||
CapabilityControl.Factory capabilityControlFactory,
|
||||
AuthConfig authConfig,
|
||||
Realm realm,
|
||||
@AnonymousCowardName String anonymousCowardName,
|
||||
@ -153,7 +145,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
GroupBackend groupBackend,
|
||||
@DisableReverseDnsLookup Boolean disableReverseDnsLookup,
|
||||
@RemotePeer Provider<SocketAddress> remotePeerProvider) {
|
||||
this.capabilityControlFactory = capabilityControlFactory;
|
||||
this.authConfig = authConfig;
|
||||
this.realm = realm;
|
||||
this.anonymousCowardName = anonymousCowardName;
|
||||
@ -166,7 +157,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
|
||||
public IdentifiedUser create(Account.Id id) {
|
||||
return new IdentifiedUser(
|
||||
capabilityControlFactory,
|
||||
authConfig,
|
||||
realm,
|
||||
anonymousCowardName,
|
||||
@ -181,7 +171,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
|
||||
public IdentifiedUser runAs(Account.Id id, CurrentUser caller) {
|
||||
return new IdentifiedUser(
|
||||
capabilityControlFactory,
|
||||
authConfig,
|
||||
realm,
|
||||
anonymousCowardName,
|
||||
@ -219,7 +208,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
private Map<PropertyKey<Object>, Object> properties;
|
||||
|
||||
private IdentifiedUser(
|
||||
CapabilityControl.Factory capabilityControlFactory,
|
||||
AuthConfig authConfig,
|
||||
Realm realm,
|
||||
String anonymousCowardName,
|
||||
@ -231,7 +219,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
AccountState state,
|
||||
@Nullable CurrentUser realUser) {
|
||||
this(
|
||||
capabilityControlFactory,
|
||||
authConfig,
|
||||
realm,
|
||||
anonymousCowardName,
|
||||
@ -246,7 +233,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
}
|
||||
|
||||
private IdentifiedUser(
|
||||
CapabilityControl.Factory capabilityControlFactory,
|
||||
AuthConfig authConfig,
|
||||
Realm realm,
|
||||
String anonymousCowardName,
|
||||
@ -257,7 +243,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
@Nullable Provider<SocketAddress> remotePeerProvider,
|
||||
Account.Id id,
|
||||
@Nullable CurrentUser realUser) {
|
||||
super(capabilityControlFactory);
|
||||
this.canonicalUrl = canonicalUrl;
|
||||
this.accountCache = accountCache;
|
||||
this.groupBackend = groupBackend;
|
||||
@ -465,7 +450,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
* @return copy of the identified user
|
||||
*/
|
||||
public IdentifiedUser materializedCopy() {
|
||||
CapabilityControl capabilities = getCapabilities();
|
||||
Provider<SocketAddress> remotePeer;
|
||||
try {
|
||||
remotePeer = Providers.of(remotePeerProvider.get());
|
||||
@ -479,13 +463,6 @@ public class IdentifiedUser extends CurrentUser {
|
||||
};
|
||||
}
|
||||
return new IdentifiedUser(
|
||||
new CapabilityControl.Factory() {
|
||||
|
||||
@Override
|
||||
public CapabilityControl create(CurrentUser user) {
|
||||
return capabilities;
|
||||
}
|
||||
},
|
||||
authConfig,
|
||||
realm,
|
||||
anonymousCowardName,
|
||||
|
||||
@ -14,10 +14,7 @@
|
||||
|
||||
package com.google.gerrit.server;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.inject.Inject;
|
||||
|
||||
/**
|
||||
* User identity for plugin code that needs an identity.
|
||||
@ -33,12 +30,6 @@ public class InternalUser extends CurrentUser {
|
||||
InternalUser create();
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
@Inject
|
||||
public InternalUser(CapabilityControl.Factory capabilityControlFactory) {
|
||||
super(capabilityControlFactory);
|
||||
}
|
||||
|
||||
@Override
|
||||
public GroupMembership getEffectiveGroups() {
|
||||
return GroupMembership.EMPTY;
|
||||
|
||||
@ -14,7 +14,6 @@
|
||||
|
||||
package com.google.gerrit.server;
|
||||
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.assistedinject.Assisted;
|
||||
@ -32,9 +31,7 @@ public class PeerDaemonUser extends CurrentUser {
|
||||
private final SocketAddress peer;
|
||||
|
||||
@Inject
|
||||
protected PeerDaemonUser(
|
||||
CapabilityControl.Factory capabilityControlFactory, @Assisted SocketAddress peer) {
|
||||
super(capabilityControlFactory);
|
||||
protected PeerDaemonUser(@Assisted SocketAddress peer) {
|
||||
this.peer = peer;
|
||||
}
|
||||
|
||||
|
||||
@ -14,7 +14,6 @@
|
||||
|
||||
package com.google.gerrit.server;
|
||||
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.assistedinject.Assisted;
|
||||
|
||||
@ -27,9 +26,7 @@ public class PluginUser extends InternalUser {
|
||||
private final String pluginName;
|
||||
|
||||
@Inject
|
||||
protected PluginUser(
|
||||
CapabilityControl.Factory capabilityControlFactory, @Assisted String pluginName) {
|
||||
super(capabilityControlFactory);
|
||||
protected PluginUser(@Assisted String pluginName) {
|
||||
this.pluginName = pluginName;
|
||||
}
|
||||
|
||||
|
||||
@ -18,12 +18,16 @@ import static java.util.stream.Collectors.toSet;
|
||||
|
||||
import com.google.gerrit.common.data.PermissionRule;
|
||||
import com.google.gerrit.common.errors.NoSuchGroupException;
|
||||
import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.reviewdb.client.AccountGroup;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.git.AccountsSection;
|
||||
import com.google.gerrit.server.group.SystemGroupBackend;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
@ -32,6 +36,7 @@ import java.util.Set;
|
||||
/** Access control management for one account's access to other accounts. */
|
||||
public class AccountControl {
|
||||
public static class Factory {
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final ProjectCache projectCache;
|
||||
private final GroupControl.Factory groupControlFactory;
|
||||
private final Provider<CurrentUser> user;
|
||||
@ -40,11 +45,13 @@ public class AccountControl {
|
||||
|
||||
@Inject
|
||||
Factory(
|
||||
final ProjectCache projectCache,
|
||||
final GroupControl.Factory groupControlFactory,
|
||||
final Provider<CurrentUser> user,
|
||||
final IdentifiedUser.GenericFactory userFactory,
|
||||
final AccountVisibility accountVisibility) {
|
||||
PermissionBackend permissionBackend,
|
||||
ProjectCache projectCache,
|
||||
GroupControl.Factory groupControlFactory,
|
||||
Provider<CurrentUser> user,
|
||||
IdentifiedUser.GenericFactory userFactory,
|
||||
AccountVisibility accountVisibility) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.projectCache = projectCache;
|
||||
this.groupControlFactory = groupControlFactory;
|
||||
this.user = user;
|
||||
@ -54,24 +61,34 @@ public class AccountControl {
|
||||
|
||||
public AccountControl get() {
|
||||
return new AccountControl(
|
||||
projectCache, groupControlFactory, user.get(), userFactory, accountVisibility);
|
||||
permissionBackend,
|
||||
projectCache,
|
||||
groupControlFactory,
|
||||
user.get(),
|
||||
userFactory,
|
||||
accountVisibility);
|
||||
}
|
||||
}
|
||||
|
||||
private final AccountsSection accountsSection;
|
||||
private final GroupControl.Factory groupControlFactory;
|
||||
private final PermissionBackend.WithUser perm;
|
||||
private final CurrentUser user;
|
||||
private final IdentifiedUser.GenericFactory userFactory;
|
||||
private final AccountVisibility accountVisibility;
|
||||
|
||||
private Boolean viewAll;
|
||||
|
||||
AccountControl(
|
||||
final ProjectCache projectCache,
|
||||
final GroupControl.Factory groupControlFactory,
|
||||
final CurrentUser user,
|
||||
final IdentifiedUser.GenericFactory userFactory,
|
||||
final AccountVisibility accountVisibility) {
|
||||
PermissionBackend permissionBackend,
|
||||
ProjectCache projectCache,
|
||||
GroupControl.Factory groupControlFactory,
|
||||
CurrentUser user,
|
||||
IdentifiedUser.GenericFactory userFactory,
|
||||
AccountVisibility accountVisibility) {
|
||||
this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
|
||||
this.groupControlFactory = groupControlFactory;
|
||||
this.perm = permissionBackend.user(user);
|
||||
this.user = user;
|
||||
this.userFactory = userFactory;
|
||||
this.accountVisibility = accountVisibility;
|
||||
@ -137,17 +154,16 @@ public class AccountControl {
|
||||
}
|
||||
|
||||
private boolean canSee(OtherUser otherUser) {
|
||||
// Special case: I can always see myself.
|
||||
if (user.isIdentifiedUser() && user.getAccountId().equals(otherUser.getId())) {
|
||||
if (accountVisibility == AccountVisibility.ALL) {
|
||||
return true;
|
||||
}
|
||||
if (user.getCapabilities().canViewAllAccounts()) {
|
||||
} else if (user.isIdentifiedUser() && user.getAccountId().equals(otherUser.getId())) {
|
||||
// I can always see myself.
|
||||
return true;
|
||||
} else if (viewAll()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
switch (accountVisibility) {
|
||||
case ALL:
|
||||
return true;
|
||||
case SAME_GROUP:
|
||||
{
|
||||
Set<AccountGroup.UUID> usersGroups = groupsOf(otherUser.getUser());
|
||||
@ -178,12 +194,25 @@ public class AccountControl {
|
||||
}
|
||||
case NONE:
|
||||
break;
|
||||
case ALL:
|
||||
default:
|
||||
throw new IllegalStateException("Bad AccountVisibility " + accountVisibility);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean viewAll() {
|
||||
if (viewAll == null) {
|
||||
try {
|
||||
perm.check(GlobalPermission.VIEW_ALL_ACCOUNTS);
|
||||
viewAll = true;
|
||||
} catch (AuthException | PermissionBackendException e) {
|
||||
viewAll = false;
|
||||
}
|
||||
}
|
||||
return viewAll;
|
||||
}
|
||||
|
||||
private Set<AccountGroup.UUID> groupsOf(IdentifiedUser user) {
|
||||
return user.getEffectiveGroups()
|
||||
.getKnownGroups()
|
||||
|
||||
@ -30,12 +30,9 @@ import com.google.gerrit.server.git.QueueProvider;
|
||||
import com.google.gerrit.server.group.SystemGroupBackend;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ChangeControl;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.gerrit.server.project.ProjectControl;
|
||||
import com.google.gerrit.server.project.RefControl;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.assistedinject.Assisted;
|
||||
import com.google.inject.Singleton;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
@ -45,41 +42,40 @@ import java.util.Map;
|
||||
|
||||
/** Access control management for server-wide capabilities. */
|
||||
public class CapabilityControl {
|
||||
public interface Factory {
|
||||
CapabilityControl create(CurrentUser user);
|
||||
private static final CurrentUser.PropertyKey<CapabilityControl> SELF =
|
||||
CurrentUser.PropertyKey.create();
|
||||
|
||||
@Singleton
|
||||
public static class Factory {
|
||||
private final ProjectCache projectCache;
|
||||
|
||||
@Inject
|
||||
Factory(ProjectCache projectCache) {
|
||||
this.projectCache = projectCache;
|
||||
}
|
||||
|
||||
public CapabilityControl create(CurrentUser user) {
|
||||
CapabilityControl ctl = user.get(SELF);
|
||||
if (ctl == null) {
|
||||
ctl = new CapabilityControl(projectCache, user);
|
||||
user.put(SELF, ctl);
|
||||
}
|
||||
return ctl;
|
||||
}
|
||||
}
|
||||
|
||||
private final CapabilityCollection capabilities;
|
||||
private final CurrentUser user;
|
||||
private final Map<String, List<PermissionRule>> effective;
|
||||
|
||||
private Boolean canAdministrateServer;
|
||||
private Boolean canEmailReviewers;
|
||||
|
||||
@Inject
|
||||
CapabilityControl(ProjectCache projectCache, @Assisted CurrentUser currentUser) {
|
||||
private CapabilityControl(ProjectCache projectCache, CurrentUser currentUser) {
|
||||
capabilities = projectCache.getAllProjects().getCapabilityCollection();
|
||||
user = currentUser;
|
||||
effective = new HashMap<>();
|
||||
}
|
||||
|
||||
/**
|
||||
* <b>Do not use.</b> Determine if the user can administer this server.
|
||||
*
|
||||
* <p>This method is visible only for the benefit of the following transitional classes:
|
||||
*
|
||||
* <ul>
|
||||
* <li>{@link ProjectControl}
|
||||
* <li>{@link RefControl}
|
||||
* <li>{@link ChangeControl}
|
||||
* <li>{@link GroupControl}
|
||||
* </ul>
|
||||
*
|
||||
* Other callers should not use this method, as it is slated to go away.
|
||||
*
|
||||
* @return true if the user can administer this server.
|
||||
*/
|
||||
public boolean isAdmin_DoNotUse() {
|
||||
private boolean isAdmin() {
|
||||
if (canAdministrateServer == null) {
|
||||
if (user.getRealUser() != user) {
|
||||
canAdministrateServer = false;
|
||||
@ -93,18 +89,9 @@ public class CapabilityControl {
|
||||
}
|
||||
|
||||
/** @return true if the user can email reviewers. */
|
||||
public boolean canEmailReviewers() {
|
||||
if (canEmailReviewers == null) {
|
||||
canEmailReviewers =
|
||||
matchAny(capabilities.emailReviewers, ALLOWED_RULE)
|
||||
|| !matchAny(capabilities.emailReviewers, not(ALLOWED_RULE));
|
||||
}
|
||||
return canEmailReviewers;
|
||||
}
|
||||
|
||||
/** @return true if the user can view all accounts. */
|
||||
public boolean canViewAllAccounts() {
|
||||
return canPerform(GlobalCapability.VIEW_ALL_ACCOUNTS) || isAdmin_DoNotUse();
|
||||
private boolean canEmailReviewers() {
|
||||
return matchAny(capabilities.emailReviewers, ALLOWED_RULE)
|
||||
|| !matchAny(capabilities.emailReviewers, not(ALLOWED_RULE));
|
||||
}
|
||||
|
||||
/** @return which priority queue the user's tasks should be submitted to. */
|
||||
@ -226,7 +213,7 @@ public class CapabilityControl {
|
||||
} else if (perm instanceof PluginPermission) {
|
||||
PluginPermission pluginPermission = (PluginPermission) perm;
|
||||
return canPerform(pluginPermission.permissionName())
|
||||
|| (pluginPermission.fallBackToAdmin() && isAdmin_DoNotUse());
|
||||
|| (pluginPermission.fallBackToAdmin() && isAdmin());
|
||||
}
|
||||
throw new PermissionBackendException(perm + " unsupported");
|
||||
}
|
||||
@ -234,11 +221,9 @@ public class CapabilityControl {
|
||||
private boolean can(GlobalPermission perm) throws PermissionBackendException {
|
||||
switch (perm) {
|
||||
case ADMINISTRATE_SERVER:
|
||||
return isAdmin_DoNotUse();
|
||||
return isAdmin();
|
||||
case EMAIL_REVIEWERS:
|
||||
return canEmailReviewers();
|
||||
case VIEW_ALL_ACCOUNTS:
|
||||
return canViewAllAccounts();
|
||||
|
||||
case FLUSH_CACHES:
|
||||
case KILL_TASK:
|
||||
@ -247,7 +232,7 @@ public class CapabilityControl {
|
||||
case VIEW_QUEUE:
|
||||
return canPerform(perm.permissionName())
|
||||
|| canPerform(GlobalCapability.MAINTAIN_SERVER)
|
||||
|| isAdmin_DoNotUse();
|
||||
|| isAdmin();
|
||||
|
||||
case CREATE_ACCOUNT:
|
||||
case CREATE_GROUP:
|
||||
@ -255,9 +240,10 @@ public class CapabilityControl {
|
||||
case MAINTAIN_SERVER:
|
||||
case MODIFY_ACCOUNT:
|
||||
case STREAM_EVENTS:
|
||||
case VIEW_ALL_ACCOUNTS:
|
||||
case VIEW_CONNECTIONS:
|
||||
case VIEW_PLUGINS:
|
||||
return canPerform(perm.permissionName()) || isAdmin_DoNotUse();
|
||||
return canPerform(perm.permissionName()) || isAdmin();
|
||||
|
||||
case ACCESS_DATABASE:
|
||||
case RUN_AS:
|
||||
|
||||
@ -56,15 +56,18 @@ class GetCapabilities implements RestReadView<AccountResource> {
|
||||
private Set<String> query;
|
||||
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final CapabilityControl.Factory capabilityFactory;
|
||||
private final Provider<CurrentUser> self;
|
||||
private final DynamicMap<CapabilityDefinition> pluginCapabilities;
|
||||
|
||||
@Inject
|
||||
GetCapabilities(
|
||||
PermissionBackend permissionBackend,
|
||||
CapabilityControl.Factory capabilityFactory,
|
||||
Provider<CurrentUser> self,
|
||||
DynamicMap<CapabilityDefinition> pluginCapabilities) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.capabilityFactory = capabilityFactory;
|
||||
this.self = self;
|
||||
this.pluginCapabilities = pluginCapabilities;
|
||||
}
|
||||
@ -81,8 +84,10 @@ class GetCapabilities implements RestReadView<AccountResource> {
|
||||
for (GlobalOrPluginPermission p : perm.test(permissionsToTest())) {
|
||||
have.put(p.permissionName(), true);
|
||||
}
|
||||
addRanges(have, rsrc);
|
||||
addPriority(have, rsrc);
|
||||
|
||||
CapabilityControl cc = capabilityFactory.create(rsrc.getUser());
|
||||
addRanges(have, cc);
|
||||
addPriority(have, cc);
|
||||
|
||||
return OutputFormat.JSON
|
||||
.newGson()
|
||||
@ -112,8 +117,7 @@ class GetCapabilities implements RestReadView<AccountResource> {
|
||||
return query == null || query.contains(name.toLowerCase());
|
||||
}
|
||||
|
||||
private void addRanges(Map<String, Object> have, AccountResource rsrc) {
|
||||
CapabilityControl cc = rsrc.getUser().getCapabilities();
|
||||
private void addRanges(Map<String, Object> have, CapabilityControl cc) {
|
||||
for (String name : GlobalCapability.getRangeNames()) {
|
||||
if (want(name) && cc.hasExplicitRange(name)) {
|
||||
have.put(name, new Range(cc.getRange(name)));
|
||||
@ -121,8 +125,8 @@ class GetCapabilities implements RestReadView<AccountResource> {
|
||||
}
|
||||
}
|
||||
|
||||
private void addPriority(Map<String, Object> have, AccountResource rsrc) {
|
||||
QueueProvider.QueueType queue = rsrc.getUser().getCapabilities().getQueueType();
|
||||
private void addPriority(Map<String, Object> have, CapabilityControl cc) {
|
||||
QueueProvider.QueueType queue = cc.getQueueType();
|
||||
if (queue != QueueProvider.QueueType.INTERACTIVE
|
||||
|| (query != null && query.contains(PRIORITY))) {
|
||||
have.put(PRIORITY, queue);
|
||||
|
||||
@ -17,9 +17,13 @@ package com.google.gerrit.server.account;
|
||||
import com.google.gerrit.common.data.GroupDescription;
|
||||
import com.google.gerrit.common.data.GroupDescriptions;
|
||||
import com.google.gerrit.common.errors.NoSuchGroupException;
|
||||
import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.reviewdb.client.AccountGroup;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
@ -29,30 +33,38 @@ public class GroupControl {
|
||||
|
||||
@Singleton
|
||||
public static class GenericFactory {
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final GroupBackend groupBackend;
|
||||
|
||||
@Inject
|
||||
GenericFactory(GroupBackend gb) {
|
||||
GenericFactory(PermissionBackend permissionBackend, GroupBackend gb) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
groupBackend = gb;
|
||||
}
|
||||
|
||||
public GroupControl controlFor(CurrentUser who, AccountGroup.UUID groupId)
|
||||
throws NoSuchGroupException {
|
||||
final GroupDescription.Basic group = groupBackend.get(groupId);
|
||||
GroupDescription.Basic group = groupBackend.get(groupId);
|
||||
if (group == null) {
|
||||
throw new NoSuchGroupException(groupId);
|
||||
}
|
||||
return new GroupControl(who, group, groupBackend);
|
||||
return new GroupControl(who, group, permissionBackend, groupBackend);
|
||||
}
|
||||
}
|
||||
|
||||
public static class Factory {
|
||||
private final PermissionBackend permissionBackend;
|
||||
private final GroupCache groupCache;
|
||||
private final Provider<CurrentUser> user;
|
||||
private final GroupBackend groupBackend;
|
||||
|
||||
@Inject
|
||||
Factory(GroupCache gc, Provider<CurrentUser> cu, GroupBackend gb) {
|
||||
Factory(
|
||||
PermissionBackend permissionBackend,
|
||||
GroupCache gc,
|
||||
Provider<CurrentUser> cu,
|
||||
GroupBackend gb) {
|
||||
this.permissionBackend = permissionBackend;
|
||||
groupCache = gc;
|
||||
user = cu;
|
||||
groupBackend = gb;
|
||||
@ -79,7 +91,7 @@ public class GroupControl {
|
||||
}
|
||||
|
||||
public GroupControl controlFor(GroupDescription.Basic group) {
|
||||
return new GroupControl(user.get(), group, groupBackend);
|
||||
return new GroupControl(user.get(), group, permissionBackend, groupBackend);
|
||||
}
|
||||
|
||||
public GroupControl validateFor(AccountGroup.Id groupId) throws NoSuchGroupException {
|
||||
@ -102,11 +114,17 @@ public class GroupControl {
|
||||
private final CurrentUser user;
|
||||
private final GroupDescription.Basic group;
|
||||
private Boolean isOwner;
|
||||
private final PermissionBackend.WithUser perm;
|
||||
private final GroupBackend groupBackend;
|
||||
|
||||
GroupControl(CurrentUser who, GroupDescription.Basic gd, GroupBackend gb) {
|
||||
GroupControl(
|
||||
CurrentUser who,
|
||||
GroupDescription.Basic gd,
|
||||
PermissionBackend permissionBackend,
|
||||
GroupBackend gb) {
|
||||
user = who;
|
||||
group = gd;
|
||||
this.perm = permissionBackend.user(user);
|
||||
groupBackend = gb;
|
||||
}
|
||||
|
||||
@ -127,8 +145,8 @@ public class GroupControl {
|
||||
return user.isInternalUser()
|
||||
|| groupBackend.isVisibleToAll(group.getGroupUUID())
|
||||
|| user.getEffectiveGroups().contains(group.getGroupUUID())
|
||||
|| user.getCapabilities().isAdmin_DoNotUse()
|
||||
|| isOwner();
|
||||
|| isOwner()
|
||||
|| canAdministrateServer();
|
||||
}
|
||||
|
||||
public boolean isOwner() {
|
||||
@ -137,13 +155,20 @@ public class GroupControl {
|
||||
isOwner = false;
|
||||
} else if (isOwner == null) {
|
||||
AccountGroup.UUID ownerUUID = accountGroup.getOwnerGroupUUID();
|
||||
isOwner =
|
||||
getUser().getEffectiveGroups().contains(ownerUUID)
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse();
|
||||
isOwner = getUser().getEffectiveGroups().contains(ownerUUID) || canAdministrateServer();
|
||||
}
|
||||
return isOwner;
|
||||
}
|
||||
|
||||
private boolean canAdministrateServer() {
|
||||
try {
|
||||
perm.check(GlobalPermission.ADMINISTRATE_SERVER);
|
||||
return true;
|
||||
} catch (AuthException | PermissionBackendException denied) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
public boolean canAddMember() {
|
||||
return isOwner();
|
||||
}
|
||||
|
||||
@ -85,7 +85,6 @@ import com.google.gerrit.server.account.AccountResolver;
|
||||
import com.google.gerrit.server.account.AccountVisibility;
|
||||
import com.google.gerrit.server.account.AccountVisibilityProvider;
|
||||
import com.google.gerrit.server.account.CapabilityCollection;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.ChangeUserName;
|
||||
import com.google.gerrit.server.account.EmailExpander;
|
||||
import com.google.gerrit.server.account.GroupCacheImpl;
|
||||
@ -245,7 +244,6 @@ public class GerritGlobalModule extends FactoryModule {
|
||||
factory(DeleteReviewerSender.Factory.class);
|
||||
factory(AddKeySender.Factory.class);
|
||||
factory(CapabilityCollection.Factory.class);
|
||||
factory(CapabilityControl.Factory.class);
|
||||
factory(ChangeData.Factory.class);
|
||||
factory(ChangeJson.AssistedFactory.class);
|
||||
factory(CreateChangeSender.Factory.class);
|
||||
|
||||
@ -29,18 +29,20 @@ class ReceiveConfig {
|
||||
final boolean checkReferencedObjectsAreReachable;
|
||||
final boolean allowDrafts;
|
||||
private final int systemMaxBatchChanges;
|
||||
private final CapabilityControl.Factory capabilityFactory;
|
||||
|
||||
@Inject
|
||||
ReceiveConfig(@GerritServerConfig Config config) {
|
||||
ReceiveConfig(@GerritServerConfig Config config, CapabilityControl.Factory capabilityFactory) {
|
||||
checkMagicRefs = config.getBoolean("receive", null, "checkMagicRefs", true);
|
||||
checkReferencedObjectsAreReachable =
|
||||
config.getBoolean("receive", null, "checkReferencedObjectsAreReachable", true);
|
||||
allowDrafts = config.getBoolean("change", null, "allowDrafts", true);
|
||||
systemMaxBatchChanges = config.getInt("receive", "maxBatchChanges", 0);
|
||||
this.capabilityFactory = capabilityFactory;
|
||||
}
|
||||
|
||||
public int getEffectiveMaxBatchChangesLimit(CurrentUser user) {
|
||||
CapabilityControl cap = user.getCapabilities();
|
||||
CapabilityControl cap = capabilityFactory.create(user);
|
||||
if (cap.hasExplicitRange(BATCH_CHANGES_LIMIT)) {
|
||||
return cap.getRange(BATCH_CHANGES_LIMIT).getMax();
|
||||
}
|
||||
|
||||
@ -19,6 +19,7 @@ import com.google.common.collect.ListMultimap;
|
||||
import com.google.gerrit.common.errors.EmailException;
|
||||
import com.google.gerrit.extensions.api.changes.NotifyHandling;
|
||||
import com.google.gerrit.extensions.api.changes.RecipientType;
|
||||
import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.reviewdb.client.AccountGroup;
|
||||
import com.google.gerrit.reviewdb.client.Change;
|
||||
@ -37,6 +38,8 @@ import com.google.gerrit.server.patch.PatchList;
|
||||
import com.google.gerrit.server.patch.PatchListEntry;
|
||||
import com.google.gerrit.server.patch.PatchListNotAvailableException;
|
||||
import com.google.gerrit.server.patch.PatchSetInfoNotAvailableException;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
import com.google.gerrit.server.project.ProjectState;
|
||||
import com.google.gerrit.server.query.change.ChangeData;
|
||||
import com.google.gwtorm.server.OrmException;
|
||||
@ -94,8 +97,12 @@ public abstract class ChangeEmail extends NotificationEmail {
|
||||
super.setFrom(id);
|
||||
|
||||
/** Is the from user in an email squelching group? */
|
||||
final IdentifiedUser user = args.identifiedUserFactory.create(id);
|
||||
emailOnlyAuthors = !user.getCapabilities().canEmailReviewers();
|
||||
try {
|
||||
IdentifiedUser user = args.identifiedUserFactory.create(id);
|
||||
args.permissionBackend.user(user).check(GlobalPermission.EMAIL_REVIEWERS);
|
||||
} catch (AuthException | PermissionBackendException e) {
|
||||
emailOnlyAuthors = true;
|
||||
}
|
||||
}
|
||||
|
||||
public void setPatchSet(PatchSet ps) {
|
||||
|
||||
@ -24,7 +24,6 @@ import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.IdentifiedUser.GenericFactory;
|
||||
import com.google.gerrit.server.StarredChangesUtil;
|
||||
import com.google.gerrit.server.account.AccountCache;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupBackend;
|
||||
import com.google.gerrit.server.account.GroupIncludeCache;
|
||||
import com.google.gerrit.server.config.AllProjectsName;
|
||||
@ -36,6 +35,7 @@ import com.google.gerrit.server.mail.EmailSettings;
|
||||
import com.google.gerrit.server.notedb.ChangeNotes;
|
||||
import com.google.gerrit.server.patch.PatchListCache;
|
||||
import com.google.gerrit.server.patch.PatchSetInfoFactory;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.project.ProjectCache;
|
||||
import com.google.gerrit.server.query.account.InternalAccountQuery;
|
||||
import com.google.gerrit.server.query.change.ChangeData;
|
||||
@ -52,6 +52,7 @@ import org.eclipse.jgit.lib.PersonIdent;
|
||||
public class EmailArguments {
|
||||
final GitRepositoryManager server;
|
||||
final ProjectCache projectCache;
|
||||
final PermissionBackend permissionBackend;
|
||||
final GroupBackend groupBackend;
|
||||
final GroupIncludeCache groupIncludes;
|
||||
final AccountCache accountCache;
|
||||
@ -61,7 +62,6 @@ public class EmailArguments {
|
||||
final EmailSender emailSender;
|
||||
final PatchSetInfoFactory patchSetInfoFactory;
|
||||
final IdentifiedUser.GenericFactory identifiedUserFactory;
|
||||
final CapabilityControl.Factory capabilityControlFactory;
|
||||
final ChangeNotes.Factory changeNotesFactory;
|
||||
final AnonymousUser anonymousUser;
|
||||
final String anonymousCowardName;
|
||||
@ -86,6 +86,7 @@ public class EmailArguments {
|
||||
EmailArguments(
|
||||
GitRepositoryManager server,
|
||||
ProjectCache projectCache,
|
||||
PermissionBackend permissionBackend,
|
||||
GroupBackend groupBackend,
|
||||
GroupIncludeCache groupIncludes,
|
||||
AccountCache accountCache,
|
||||
@ -95,7 +96,6 @@ public class EmailArguments {
|
||||
EmailSender emailSender,
|
||||
PatchSetInfoFactory patchSetInfoFactory,
|
||||
GenericFactory identifiedUserFactory,
|
||||
CapabilityControl.Factory capabilityControlFactory,
|
||||
ChangeNotes.Factory changeNotesFactory,
|
||||
AnonymousUser anonymousUser,
|
||||
@AnonymousCowardName String anonymousCowardName,
|
||||
@ -116,6 +116,7 @@ public class EmailArguments {
|
||||
OutgoingEmailValidator validator) {
|
||||
this.server = server;
|
||||
this.projectCache = projectCache;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.groupBackend = groupBackend;
|
||||
this.groupIncludes = groupIncludes;
|
||||
this.accountCache = accountCache;
|
||||
@ -125,7 +126,6 @@ public class EmailArguments {
|
||||
this.emailSender = emailSender;
|
||||
this.patchSetInfoFactory = patchSetInfoFactory;
|
||||
this.identifiedUserFactory = identifiedUserFactory;
|
||||
this.capabilityControlFactory = capabilityControlFactory;
|
||||
this.changeNotesFactory = changeNotesFactory;
|
||||
this.anonymousUser = anonymousUser;
|
||||
this.anonymousCowardName = anonymousCowardName;
|
||||
|
||||
@ -141,7 +141,7 @@ public class ProjectWatch {
|
||||
|
||||
private void add(Watchers matching, NotifyConfig nc) throws OrmException, QueryParseException {
|
||||
for (GroupReference ref : nc.getGroups()) {
|
||||
CurrentUser user = new SingleGroupUser(args.capabilityControlFactory, ref.getUUID());
|
||||
CurrentUser user = new SingleGroupUser(ref.getUUID());
|
||||
if (filterMatch(user, nc.getFilter())) {
|
||||
deliverToMembers(matching.list(nc.getHeader()), ref.getUUID());
|
||||
}
|
||||
|
||||
@ -247,9 +247,8 @@ public class ChangeControl {
|
||||
return (isOwner() // owner (aka creator) of the change can abandon
|
||||
|| getRefControl().isOwner() // branch owner can abandon
|
||||
|| getProjectControl().isOwner() // project owner can abandon
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse() // site administers are god
|
||||
|| getRefControl().canAbandon() // user can abandon a specific ref
|
||||
)
|
||||
|| getProjectControl().isAdmin())
|
||||
&& !isPatchSetLocked(db);
|
||||
}
|
||||
|
||||
@ -266,13 +265,11 @@ public class ChangeControl {
|
||||
|
||||
switch (status) {
|
||||
case DRAFT:
|
||||
return isOwner()
|
||||
|| getRefControl().canDeleteDrafts()
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse();
|
||||
return isOwner() || getRefControl().canDeleteDrafts() || getProjectControl().isAdmin();
|
||||
case NEW:
|
||||
case ABANDONED:
|
||||
return (isOwner() && getRefControl().canDeleteOwnChanges())
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse();
|
||||
|| getProjectControl().isAdmin();
|
||||
case MERGED:
|
||||
default:
|
||||
return false;
|
||||
@ -410,7 +407,7 @@ public class ChangeControl {
|
||||
if (getRefControl().canRemoveReviewer() // has removal permissions
|
||||
|| getRefControl().isOwner() // branch owner
|
||||
|| getProjectControl().isOwner() // project owner
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse()) {
|
||||
|| getProjectControl().isAdmin()) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
@ -424,9 +421,8 @@ public class ChangeControl {
|
||||
return isOwner() // owner (aka creator) of the change can edit topic
|
||||
|| getRefControl().isOwner() // branch owner can edit topic
|
||||
|| getProjectControl().isOwner() // project owner can edit topic
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse() // site administers are god
|
||||
|| getRefControl().canEditTopicName() // user can edit topic on a specific ref
|
||||
;
|
||||
|| getProjectControl().isAdmin();
|
||||
}
|
||||
return getRefControl().canForceEditTopicName();
|
||||
}
|
||||
@ -437,8 +433,7 @@ public class ChangeControl {
|
||||
return isOwner() // owner (aka creator) of the change can edit desc
|
||||
|| getRefControl().isOwner() // branch owner can edit desc
|
||||
|| getProjectControl().isOwner() // project owner can edit desc
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse() // site administers are god
|
||||
;
|
||||
|| getProjectControl().isAdmin();
|
||||
}
|
||||
return false;
|
||||
}
|
||||
@ -455,8 +450,8 @@ public class ChangeControl {
|
||||
return isOwner() // owner (aka creator) of the change can edit hashtags
|
||||
|| getRefControl().isOwner() // branch owner can edit hashtags
|
||||
|| getProjectControl().isOwner() // project owner can edit hashtags
|
||||
|| getUser().getCapabilities().isAdmin_DoNotUse() // site administers are god
|
||||
|| getRefControl().canEditHashtags(); // user can edit hashtag on a specific ref
|
||||
|| getRefControl().canEditHashtags() // user can edit hashtag on a specific ref
|
||||
|| getProjectControl().isAdmin();
|
||||
}
|
||||
|
||||
private boolean match(String destBranch, String refPattern) {
|
||||
|
||||
@ -21,6 +21,7 @@ import com.google.gerrit.extensions.api.access.GlobalOrPluginPermission;
|
||||
import com.google.gerrit.extensions.restapi.AuthException;
|
||||
import com.google.gerrit.reviewdb.client.Project;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.permissions.FailedPermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackendException;
|
||||
@ -34,10 +35,12 @@ import java.util.Set;
|
||||
@Singleton
|
||||
public class DefaultPermissionBackend extends PermissionBackend {
|
||||
private final ProjectCache projectCache;
|
||||
private final CapabilityControl.Factory capabilityFactory;
|
||||
|
||||
@Inject
|
||||
DefaultPermissionBackend(ProjectCache projectCache) {
|
||||
DefaultPermissionBackend(ProjectCache projectCache, CapabilityControl.Factory capabilityFactory) {
|
||||
this.projectCache = projectCache;
|
||||
this.capabilityFactory = capabilityFactory;
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -47,6 +50,7 @@ public class DefaultPermissionBackend extends PermissionBackend {
|
||||
|
||||
class WithUserImpl extends WithUser {
|
||||
private final CurrentUser user;
|
||||
private CapabilityControl cap;
|
||||
|
||||
WithUserImpl(CurrentUser user) {
|
||||
this.user = checkNotNull(user, "user");
|
||||
@ -86,7 +90,10 @@ public class DefaultPermissionBackend extends PermissionBackend {
|
||||
}
|
||||
|
||||
private boolean can(GlobalOrPluginPermission perm) throws PermissionBackendException {
|
||||
return user.getCapabilities().doCanForDefaultPermissionBackend(perm);
|
||||
if (cap == null) {
|
||||
cap = capabilityFactory.create(user);
|
||||
}
|
||||
return cap.doCanForDefaultPermissionBackend(perm);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -47,6 +47,8 @@ import com.google.gerrit.server.git.VisibleRefFilter;
|
||||
import com.google.gerrit.server.group.SystemGroupBackend;
|
||||
import com.google.gerrit.server.notedb.ChangeNotes;
|
||||
import com.google.gerrit.server.permissions.FailedPermissionBackend;
|
||||
import com.google.gerrit.server.permissions.GlobalPermission;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend.ForChange;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend.ForProject;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend.ForRef;
|
||||
@ -132,6 +134,7 @@ public class ProjectControl {
|
||||
private final Set<AccountGroup.UUID> receiveGroups;
|
||||
|
||||
private final String canonicalWebUrl;
|
||||
private final PermissionBackend.WithUser perm;
|
||||
private final CurrentUser user;
|
||||
private final ProjectState state;
|
||||
private final ChangeControl.Factory changeControlFactory;
|
||||
@ -157,6 +160,7 @@ public class ProjectControl {
|
||||
VisibleRefFilter.Factory refFilter,
|
||||
Provider<InternalChangeQuery> queryProvider,
|
||||
@CanonicalWebUrl @Nullable String canonicalWebUrl,
|
||||
PermissionBackend permissionBackend,
|
||||
@Assisted CurrentUser who,
|
||||
@Assisted ProjectState ps,
|
||||
Metrics metrics) {
|
||||
@ -169,6 +173,7 @@ public class ProjectControl {
|
||||
this.canonicalWebUrl = canonicalWebUrl;
|
||||
this.queryProvider = queryProvider;
|
||||
this.metrics = metrics;
|
||||
this.perm = permissionBackend.user(who);
|
||||
user = who;
|
||||
state = ps;
|
||||
}
|
||||
@ -264,8 +269,16 @@ public class ProjectControl {
|
||||
|
||||
/** Is this user a project owner? */
|
||||
public boolean isOwner() {
|
||||
return (isDeclaredOwner() && !controlForRef("refs/*").isBlocked(Permission.OWNER))
|
||||
|| user.getCapabilities().isAdmin_DoNotUse();
|
||||
return (isDeclaredOwner() && !controlForRef("refs/*").isBlocked(Permission.OWNER)) || isAdmin();
|
||||
}
|
||||
|
||||
boolean isAdmin() {
|
||||
try {
|
||||
perm.check(GlobalPermission.ADMINISTRATE_SERVER);
|
||||
return true;
|
||||
} catch (AuthException | PermissionBackendException e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isDeclaredOwner() {
|
||||
@ -278,7 +291,7 @@ public class ProjectControl {
|
||||
|
||||
/** Does this user have ownership on at least one reference name? */
|
||||
public boolean isOwnerAnyRef() {
|
||||
return canPerformOnAnyRef(Permission.OWNER) || user.getCapabilities().isAdmin_DoNotUse();
|
||||
return canPerformOnAnyRef(Permission.OWNER) || isAdmin();
|
||||
}
|
||||
|
||||
/** @return true if the user can upload to at least one reference */
|
||||
|
||||
@ -201,8 +201,7 @@ public class RefControl {
|
||||
// On the AllProjects project the owner access right cannot be assigned,
|
||||
// this why for the AllProjects project we allow administrators to push
|
||||
// configuration changes if they have push without being project owner.
|
||||
if (!(projectControl.getProjectState().isAllProjects()
|
||||
&& getUser().getCapabilities().isAdmin_DoNotUse())) {
|
||||
if (!(projectControl.getProjectState().isAllProjects() && projectControl.isAdmin())) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
@ -229,8 +228,7 @@ public class RefControl {
|
||||
case UNKNOWN:
|
||||
case WEB_BROWSER:
|
||||
default:
|
||||
return getUser().getCapabilities().isAdmin_DoNotUse()
|
||||
|| (isOwner() && !isForceBlocked(Permission.PUSH));
|
||||
return (isOwner() && !isForceBlocked(Permission.PUSH)) || projectControl.isAdmin();
|
||||
}
|
||||
}
|
||||
|
||||
@ -376,10 +374,10 @@ public class RefControl {
|
||||
case UNKNOWN:
|
||||
case WEB_BROWSER:
|
||||
default:
|
||||
return getUser().getCapabilities().isAdmin_DoNotUse()
|
||||
|| (isOwner() && !isForceBlocked(Permission.PUSH))
|
||||
return (isOwner() && !isForceBlocked(Permission.PUSH))
|
||||
|| canPushWithForce()
|
||||
|| canPerform(Permission.DELETE);
|
||||
|| canPerform(Permission.DELETE)
|
||||
|| projectControl.isAdmin();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -24,6 +24,7 @@ import com.google.gerrit.metrics.Field;
|
||||
import com.google.gerrit.metrics.MetricMaker;
|
||||
import com.google.gerrit.metrics.Timer1;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.index.Index;
|
||||
import com.google.gerrit.server.index.IndexCollection;
|
||||
import com.google.gerrit.server.index.IndexConfig;
|
||||
@ -61,6 +62,7 @@ public abstract class QueryProcessor<T> {
|
||||
|
||||
protected final Provider<CurrentUser> userProvider;
|
||||
|
||||
private final CapabilityControl.Factory capabilityFactory;
|
||||
private final Metrics metrics;
|
||||
private final SchemaDefinitions<T> schemaDef;
|
||||
private final IndexConfig indexConfig;
|
||||
@ -76,6 +78,7 @@ public abstract class QueryProcessor<T> {
|
||||
|
||||
protected QueryProcessor(
|
||||
Provider<CurrentUser> userProvider,
|
||||
CapabilityControl.Factory capabilityFactory,
|
||||
Metrics metrics,
|
||||
SchemaDefinitions<T> schemaDef,
|
||||
IndexConfig indexConfig,
|
||||
@ -83,6 +86,7 @@ public abstract class QueryProcessor<T> {
|
||||
IndexRewriter<T> rewriter,
|
||||
String limitField) {
|
||||
this.userProvider = userProvider;
|
||||
this.capabilityFactory = capabilityFactory;
|
||||
this.metrics = metrics;
|
||||
this.schemaDef = schemaDef;
|
||||
this.indexConfig = indexConfig;
|
||||
@ -231,7 +235,10 @@ public abstract class QueryProcessor<T> {
|
||||
|
||||
private int getPermittedLimit() {
|
||||
if (enforceVisibility) {
|
||||
return userProvider.get().getCapabilities().getRange(GlobalCapability.QUERY_LIMIT).getMax();
|
||||
return capabilityFactory
|
||||
.create(userProvider.get())
|
||||
.getRange(GlobalCapability.QUERY_LIMIT)
|
||||
.getMax();
|
||||
}
|
||||
return Integer.MAX_VALUE;
|
||||
}
|
||||
|
||||
@ -20,6 +20,7 @@ import static com.google.gerrit.server.query.account.AccountQueryBuilder.FIELD_L
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.AccountControl;
|
||||
import com.google.gerrit.server.account.AccountState;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.index.IndexConfig;
|
||||
import com.google.gerrit.server.index.IndexPredicate;
|
||||
import com.google.gerrit.server.index.account.AccountIndexCollection;
|
||||
@ -44,6 +45,7 @@ public class AccountQueryProcessor extends QueryProcessor<AccountState> {
|
||||
@Inject
|
||||
protected AccountQueryProcessor(
|
||||
Provider<CurrentUser> userProvider,
|
||||
CapabilityControl.Factory capabilityFactory,
|
||||
Metrics metrics,
|
||||
IndexConfig indexConfig,
|
||||
AccountIndexCollection indexes,
|
||||
@ -51,6 +53,7 @@ public class AccountQueryProcessor extends QueryProcessor<AccountState> {
|
||||
AccountControl.Factory accountControlFactory) {
|
||||
super(
|
||||
userProvider,
|
||||
capabilityFactory,
|
||||
metrics,
|
||||
AccountSchemaDefinitions.INSTANCE,
|
||||
indexConfig,
|
||||
|
||||
@ -41,7 +41,6 @@ import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.StarredChangesUtil;
|
||||
import com.google.gerrit.server.account.AccountCache;
|
||||
import com.google.gerrit.server.account.AccountResolver;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupBackend;
|
||||
import com.google.gerrit.server.account.GroupBackends;
|
||||
import com.google.gerrit.server.account.VersionedAccountDestinations;
|
||||
@ -196,7 +195,6 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
final AllProjectsName allProjectsName;
|
||||
final AllUsersName allUsersName;
|
||||
final PermissionBackend permissionBackend;
|
||||
final CapabilityControl.Factory capabilityControlFactory;
|
||||
final ChangeControl.GenericFactory changeControlGenericFactory;
|
||||
final ChangeData.Factory changeDataFactory;
|
||||
final ChangeIndex index;
|
||||
@ -236,7 +234,6 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
IdentifiedUser.GenericFactory userFactory,
|
||||
Provider<CurrentUser> self,
|
||||
PermissionBackend permissionBackend,
|
||||
CapabilityControl.Factory capabilityControlFactory,
|
||||
ChangeControl.GenericFactory changeControlGenericFactory,
|
||||
ChangeNotes.Factory notesFactory,
|
||||
ChangeData.Factory changeDataFactory,
|
||||
@ -269,7 +266,6 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
userFactory,
|
||||
self,
|
||||
permissionBackend,
|
||||
capabilityControlFactory,
|
||||
changeControlGenericFactory,
|
||||
notesFactory,
|
||||
changeDataFactory,
|
||||
@ -304,7 +300,6 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
IdentifiedUser.GenericFactory userFactory,
|
||||
Provider<CurrentUser> self,
|
||||
PermissionBackend permissionBackend,
|
||||
CapabilityControl.Factory capabilityControlFactory,
|
||||
ChangeControl.GenericFactory changeControlGenericFactory,
|
||||
ChangeNotes.Factory notesFactory,
|
||||
ChangeData.Factory changeDataFactory,
|
||||
@ -335,7 +330,6 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
this.userFactory = userFactory;
|
||||
this.self = self;
|
||||
this.permissionBackend = permissionBackend;
|
||||
this.capabilityControlFactory = capabilityControlFactory;
|
||||
this.notesFactory = notesFactory;
|
||||
this.changeControlGenericFactory = changeControlGenericFactory;
|
||||
this.changeDataFactory = changeDataFactory;
|
||||
@ -372,7 +366,6 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
userFactory,
|
||||
Providers.of(otherUser),
|
||||
permissionBackend,
|
||||
capabilityControlFactory,
|
||||
changeControlGenericFactory,
|
||||
notesFactory,
|
||||
changeDataFactory,
|
||||
@ -933,7 +926,7 @@ public class ChangeQueryBuilder extends QueryBuilder<ChangeData> {
|
||||
for (GroupReference ref : suggestions) {
|
||||
ids.add(ref.getUUID());
|
||||
}
|
||||
return visibleto(new SingleGroupUser(args.capabilityControlFactory, ids));
|
||||
return visibleto(new SingleGroupUser(ids));
|
||||
}
|
||||
|
||||
throw error("No user or group matches \"" + who + "\".");
|
||||
|
||||
@ -21,6 +21,7 @@ import com.google.gerrit.extensions.common.PluginDefinedInfo;
|
||||
import com.google.gerrit.extensions.registration.DynamicMap;
|
||||
import com.google.gerrit.reviewdb.server.ReviewDb;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.index.IndexConfig;
|
||||
import com.google.gerrit.server.index.IndexPredicate;
|
||||
import com.google.gerrit.server.index.QueryOptions;
|
||||
@ -65,6 +66,7 @@ public class ChangeQueryProcessor extends QueryProcessor<ChangeData>
|
||||
@Inject
|
||||
ChangeQueryProcessor(
|
||||
Provider<CurrentUser> userProvider,
|
||||
CapabilityControl.Factory capabilityFactory,
|
||||
Metrics metrics,
|
||||
IndexConfig indexConfig,
|
||||
ChangeIndexCollection indexes,
|
||||
@ -75,6 +77,7 @@ public class ChangeQueryProcessor extends QueryProcessor<ChangeData>
|
||||
DynamicMap<ChangeAttributeFactory> attributeFactories) {
|
||||
super(
|
||||
userProvider,
|
||||
capabilityFactory,
|
||||
metrics,
|
||||
ChangeSchemaDefinitions.INSTANCE,
|
||||
indexConfig,
|
||||
|
||||
@ -14,25 +14,21 @@
|
||||
|
||||
package com.google.gerrit.server.query.change;
|
||||
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
import com.google.gerrit.reviewdb.client.AccountGroup;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.gerrit.server.account.ListGroupMembership;
|
||||
import java.util.Collections;
|
||||
import java.util.Set;
|
||||
|
||||
public final class SingleGroupUser extends CurrentUser {
|
||||
private final GroupMembership groups;
|
||||
|
||||
public SingleGroupUser(
|
||||
CapabilityControl.Factory capabilityControlFactory, AccountGroup.UUID groupId) {
|
||||
this(capabilityControlFactory, Collections.singleton(groupId));
|
||||
public SingleGroupUser(AccountGroup.UUID groupId) {
|
||||
this(ImmutableSet.of(groupId));
|
||||
}
|
||||
|
||||
public SingleGroupUser(
|
||||
CapabilityControl.Factory capabilityControlFactory, Set<AccountGroup.UUID> groups) {
|
||||
super(capabilityControlFactory);
|
||||
public SingleGroupUser(Set<AccountGroup.UUID> groups) {
|
||||
this.groups = new ListGroupMembership(groups);
|
||||
}
|
||||
|
||||
|
||||
@ -19,6 +19,7 @@ import static com.google.gerrit.server.query.group.GroupQueryBuilder.FIELD_LIMIT
|
||||
|
||||
import com.google.gerrit.reviewdb.client.AccountGroup;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupControl;
|
||||
import com.google.gerrit.server.index.IndexConfig;
|
||||
import com.google.gerrit.server.index.IndexPredicate;
|
||||
@ -44,6 +45,7 @@ public class GroupQueryProcessor extends QueryProcessor<AccountGroup> {
|
||||
@Inject
|
||||
protected GroupQueryProcessor(
|
||||
Provider<CurrentUser> userProvider,
|
||||
CapabilityControl.Factory capabilityFactory,
|
||||
Metrics metrics,
|
||||
IndexConfig indexConfig,
|
||||
GroupIndexCollection indexes,
|
||||
@ -51,6 +53,7 @@ public class GroupQueryProcessor extends QueryProcessor<AccountGroup> {
|
||||
GroupControl.GenericFactory groupControlFactory) {
|
||||
super(
|
||||
userProvider,
|
||||
capabilityFactory,
|
||||
metrics,
|
||||
GroupSchemaDefinitions.INSTANCE,
|
||||
indexConfig,
|
||||
|
||||
@ -20,7 +20,6 @@ import static com.google.inject.Scopes.SINGLETON;
|
||||
import com.google.gerrit.common.TimeUtil;
|
||||
import com.google.gerrit.reviewdb.client.Account;
|
||||
import com.google.gerrit.server.account.AccountCache;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.FakeRealm;
|
||||
import com.google.gerrit.server.account.GroupBackend;
|
||||
import com.google.gerrit.server.account.Realm;
|
||||
@ -36,7 +35,6 @@ import com.google.inject.AbstractModule;
|
||||
import com.google.inject.Guice;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Injector;
|
||||
import com.google.inject.util.Providers;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
@ -93,8 +91,6 @@ public class IdentifiedUserTest {
|
||||
.toInstance("http://localhost:8080/");
|
||||
bind(AccountCache.class).toInstance(accountCache);
|
||||
bind(GroupBackend.class).to(SystemGroupBackend.class).in(SINGLETON);
|
||||
bind(CapabilityControl.Factory.class)
|
||||
.toProvider(Providers.<CapabilityControl.Factory>of(null));
|
||||
bind(Realm.class).toInstance(mockRealm);
|
||||
}
|
||||
};
|
||||
|
||||
@ -27,8 +27,8 @@ public class FakeQueryBuilder extends ChangeQueryBuilder {
|
||||
new FakeQueryBuilder.Definition<>(FakeQueryBuilder.class),
|
||||
new ChangeQueryBuilder.Arguments(
|
||||
null, null, null, null, null, null, null, null, null, null, null, null, null, null,
|
||||
null, null, null, null, null, null, null, null, indexes, null, null, null, null, null,
|
||||
null, null, null, null));
|
||||
null, null, null, null, null, null, null, indexes, null, null, null, null, null, null,
|
||||
null, null, null));
|
||||
}
|
||||
|
||||
@Operator
|
||||
|
||||
@ -35,7 +35,6 @@ import com.google.gerrit.server.GerritPersonIdent;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.InternalUser;
|
||||
import com.google.gerrit.server.account.AccountCache;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.FakeRealm;
|
||||
import com.google.gerrit.server.account.GroupBackend;
|
||||
import com.google.gerrit.server.account.Realm;
|
||||
@ -158,8 +157,6 @@ public abstract class AbstractChangeNotesTest extends GerritBaseTests {
|
||||
bind(NotesMigration.class).toInstance(MIGRATION);
|
||||
bind(GitRepositoryManager.class).toInstance(repoManager);
|
||||
bind(ProjectCache.class).toProvider(Providers.<ProjectCache>of(null));
|
||||
bind(CapabilityControl.Factory.class)
|
||||
.toProvider(Providers.<CapabilityControl.Factory>of(null));
|
||||
bind(Config.class).annotatedWith(GerritServerConfig.class).toInstance(testConfig);
|
||||
bind(String.class)
|
||||
.annotatedWith(AnonymousCowardName.class)
|
||||
@ -199,7 +196,7 @@ public abstract class AbstractChangeNotesTest extends GerritBaseTests {
|
||||
changeOwner = userFactory.create(co.getId());
|
||||
otherUser = userFactory.create(ou.getId());
|
||||
otherUserId = otherUser.getAccountId();
|
||||
internalUser = new InternalUser(null);
|
||||
internalUser = new InternalUser();
|
||||
}
|
||||
|
||||
private void setTimeForTesting() {
|
||||
|
||||
@ -48,7 +48,6 @@ import com.google.gerrit.rules.PrologEnvironment;
|
||||
import com.google.gerrit.rules.RulesCache;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityCollection;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.account.GroupMembership;
|
||||
import com.google.gerrit.server.account.ListGroupMembership;
|
||||
import com.google.gerrit.server.config.AllProjectsName;
|
||||
@ -58,6 +57,7 @@ import com.google.gerrit.server.config.AllUsersNameProvider;
|
||||
import com.google.gerrit.server.config.SitePaths;
|
||||
import com.google.gerrit.server.git.ProjectConfig;
|
||||
import com.google.gerrit.server.index.SingleVersionModule.SingleVersionListener;
|
||||
import com.google.gerrit.server.permissions.PermissionBackend;
|
||||
import com.google.gerrit.server.permissions.ProjectPermission;
|
||||
import com.google.gerrit.server.permissions.RefPermission;
|
||||
import com.google.gerrit.server.query.change.InternalChangeQuery;
|
||||
@ -206,8 +206,8 @@ public class RefControlTest {
|
||||
private ChangeControl.Factory changeControlFactory;
|
||||
private ReviewDb db;
|
||||
|
||||
@Inject private PermissionBackend permissionBackend;
|
||||
@Inject private CapabilityCollection.Factory capabilityCollectionFactory;
|
||||
@Inject private CapabilityControl.Factory capabilityControlFactory;
|
||||
@Inject private SchemaCreator schemaCreator;
|
||||
@Inject private SingleVersionListener singleVersionListener;
|
||||
@Inject private InMemoryDatabase schemaFactory;
|
||||
@ -910,6 +910,7 @@ public class RefControlTest {
|
||||
null, // refFilter
|
||||
queryProvider,
|
||||
canonicalWebUrl,
|
||||
permissionBackend,
|
||||
new MockUser(name, memberOf),
|
||||
newProjectState(local),
|
||||
metrics);
|
||||
@ -925,7 +926,6 @@ public class RefControlTest {
|
||||
private final GroupMembership groups;
|
||||
|
||||
MockUser(String name, AccountGroup.UUID[] groupId) {
|
||||
super(capabilityControlFactory);
|
||||
username = name;
|
||||
ArrayList<AccountGroup.UUID> groupIds = Lists.newArrayList(groupId);
|
||||
groupIds.add(REGISTERED_USERS);
|
||||
|
||||
@ -15,24 +15,27 @@
|
||||
package com.google.gerrit.sshd;
|
||||
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.account.CapabilityControl;
|
||||
import com.google.gerrit.server.git.QueueProvider;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import java.util.concurrent.ScheduledThreadPoolExecutor;
|
||||
|
||||
class CommandExecutorProvider implements Provider<ScheduledThreadPoolExecutor> {
|
||||
|
||||
private final CapabilityControl.Factory capabilityFactory;
|
||||
private final QueueProvider queues;
|
||||
private final CurrentUser user;
|
||||
|
||||
@Inject
|
||||
CommandExecutorProvider(QueueProvider queues, CurrentUser user) {
|
||||
CommandExecutorProvider(
|
||||
CapabilityControl.Factory capabilityFactory, QueueProvider queues, CurrentUser user) {
|
||||
this.capabilityFactory = capabilityFactory;
|
||||
this.queues = queues;
|
||||
this.user = user;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ScheduledThreadPoolExecutor get() {
|
||||
return queues.getQueue(user.getCapabilities().getQueueType());
|
||||
return queues.getQueue(capabilityFactory.create(user).getQueueType());
|
||||
}
|
||||
}
|
||||
|
||||
@ -1 +1 @@
|
||||
Subproject commit 2a4d0bfe10c63c79ca0d47be21756377703e46c0
|
||||
Subproject commit 1085b453039b0fe230c3584e0024a7965cc1e323
|
||||
Loading…
Reference in New Issue
Block a user