Fix Incorrect owner group matching behaviour for creating projects

This change fixes a critical bug that might add a wrong group as an owner of a project being created by ssh commands. Before this fix, when the --owner argument does not match any group, the commands tried to find a group whose name starts with the argument instead of throwing an error to notify the user. This behaviour seemed to be insecure and this fix prevents the commands to create the project and throws an error if the --owner argument is not valid, that is, if there is no exact match for the group name. In total, the ssh commands that are affected by this change are: CreateGroupCommand, CreateProjectCommand, ListGroupsCommand, and SetMembersCommand. Moreover, it makes more sense to use exactSuggestion instead of bestSuggestion for those commands as well. Bug: Issue 3655 Change-Id: Icec00651b4268a2b70799f1cba739db5248b04f5
2015-11-05 14:29:27 -05:00
parent 81de6fcbe0
commit fe1a9138fa
2 changed files with 57 additions and 1 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/args4j/AccountGroupUUIDHandler.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/args4j/AccountGroupUUIDHandler.java
@@ -43,7 +43,7 @@ public class AccountGroupUUIDHandler extends OptionHandler<AccountGroup.UUID> {
  public final int parseArguments(final Parameters params)
      throws CmdLineException {
    final String n = params.getParameter(0);
-    final GroupReference group = GroupBackends.findBestSuggestion(groupBackend, n);
+    GroupReference group = GroupBackends.findExactSuggestion(groupBackend, n);
    if (group == null) {
      throw new CmdLineException(owner, "Group \"" + n + "\" does not exist");
    }