4011 Commits

Author SHA1 Message Date
David Ostrovsky
c055d46280 Close security hole allowing normal user to become admin
Icc105c39e introduced severe security problem, allowing non admin
users that was granted modifyAccount capability to modify SSH keys
of all users, including administrators. But that means such a user
can change the authentication of an existing administrator and then
impersonate the admin to elevate their own account status to that
of an admin.

Rectify it but restricting changing of SSH keys for a user only to
members of administrators group.

Change-Id: If82965391369121b282b969e7072a2bfa3074be9
2014-10-03 09:53:34 +00:00
Khai Do
cf9bce2191 Remove the generateHttpPassword capability
Remove the Generate HTTP Password capability because it exposes a
security vulnerability.  Any user that is granted this capability
can modify an administrator's http password and impersonate the
admin user.  Other reasons for removing this capability are that
the usage of it is inconsistent with the modifyAccount capability
and this capability encourages adding additional capabilities to
restrict permissions, which is not desired.

With this change only administrators are allowed to generate and
delete other users' http passwords.

The motivation behind this change is from comments in changes
Ib1971fad and If8296539.

Change-Id: Id907cc103591eed029fd08af700bb1bb6a618ff8
2014-09-29 15:21:06 -07:00
David Pursehouse
1d613e231d Merge "Fix name of method in WebLinks class that returns file web links" 2014-09-25 01:00:05 +00:00
David Ostrovsky
5bba6faf32 Notedb: Fix wrong patch set id on upload new patch set
ReceiveCommit with notedb enabled site uses erroneously old patch set
id in ChangeUpdate on upload of new patch set. This bug was hidden
because no tests were enabled that targeting Notedb backend during push
operation. Fix this by enabling standard push tests also for Notedb
configuration.

Test Plan: When approval provided during push operation by passing
-l parameter to magic branch, verify that the approval is referencing
the right patch set. That means, pushing a change with %l=Code-Review+1
and uploading a subsequent patch set with %l=Code-Review+2 produces the
following commits on meta branch:

Uploaded patch set 1.

Patch-set: 1
Label: Code-Review=+1

Uploaded patch set 2.

Patch-set: 2
Label: Code-Review=+2

Without this change the last two lines are:

Patch-set: 1
Label: Code-Review=+2

and as result the test: testPushForMasterWithApprovals() was failing
because CRVW+2 was referencing wrong patch set (1 instead of 2).

Change-Id: I231e736a3d5f44555b1c2e4bdb5ef43be035c624
2014-09-24 19:34:50 +00:00
Edwin Kempin
ef6f5f15c2 Fix name of method in WebLinks class that returns file web links
In the early iterations of the file links implementation 'file links'
were called 'patch links'. When the rename to 'file links' was
done this one method in the WebLinks class stayed with the old name.
Do the rename now to have all names consistent.

Change-Id: Id784ae5983dfb5f20d9b8f00403a8458f783c5d2
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
2014-09-24 16:49:29 +02:00
John L. Villalovos
2a53365ce3 ACL: Fix transitions check & a '1' in RefName
In determining which access pattern has precedence, the 1st check is
which pattern is closer via Levenshtein distance.  The 2nd criteria is
if they differ on finite vs inifite.  The 3rd criteria is based on
number of transitions in the pattern, where it is supposed to be the
pattern with the  greatest number of transitions having precedence.  The
check of using the number of transitions had the check reversed.  This
caused the pattern with the fewest number of transitions to have
precedence.

When determining the Levenshtein distance of a glob style pattern the
trailing '*' would be changed to a '1'.  The issue with doing this is
that it could cause a different access pattern to take precedence if a
RefName contained a '1' character as that would cause the Levenshtein
distance to become decreased by one.

Change-Id: Ibdcd483c303d24565ef43001b3831f6463c2ed8f
Signed-off-by: John L. Villalovos <john.l.villalovos@intel.com>
2014-09-24 06:20:40 -07:00
David Ostrovsky
7eb9213476 ChangeApiImpl: It is useless to use provider on singletons
Change-Id: Ic262faf10be101c7b960fc3a7ec73b7eab8a5c84
2014-09-21 13:11:53 +02:00
Dave Borowitz
c8c17ec5fb EmailReviewComments: Throw OutOfScopeException for current user
This matches the behavior of ChangeMergeQueue's RequestContext
implementation, and replaces a lurking NPE with a more descriptive
error.

Change-Id: I35dfd750980df70173a797b5b2147ee88d715b77
2014-09-19 11:35:40 -07:00
Dave Borowitz
ebc0f424a8 ChangeEditUtil: Provide CurrentUser instead of IdentifiedUser
The implementation of Provider<IdentifiedUser> in
ThreadLocalRequestContext throws a ProvisionException in get() before
we can call isIdentifiedUser() on it. This fix should throw the proper
exception when the user is not signed in.

Change-Id: I404564652176897a24c4570734475c5b9f5c2bca
2014-09-18 15:01:22 -07:00
Orgad Shaneh
20984b0500 GetRelated: Discard single commit by its hash instead of change/ps
change/ps is only available for open changes.

Change-Id: I04e96635b01a231918f2adf83fd759376b9be80a
2014-09-18 14:32:05 +03:00
David Pursehouse
c892dd6817 Add support for hashtags in change inserter
Change-Id: Ibf3b1d32c302d738a46cbb475c7e9e8db69faacc
2014-09-18 09:19:06 +09:00
Dave Borowitz
93ca7e03b9 Include submitter in ChangeMessage on submission
Change-Id: I2136577857b3307ddcd91fa0d77265acd6532ea0
2014-09-17 13:20:13 -07:00
Saša Živkov
32018141d2 Merge "Add diff pref whether the diff table header should be auto hidden" 2014-09-17 15:24:55 +00:00
David Pursehouse
a13f8e38be Remove unused import in GetHashtags
Change-Id: Ie2b04a4367ed120504eb14df17b83db8c943ff50
2014-09-17 23:35:41 +09:00
Edwin Kempin
1b6c6d843c Add diff pref whether the diff table header should be auto hidden
Add a new diff preference that allows the user to decide whether the
diff table header with the patch set selection should be automatically
hidden when scrolling down more than half of a page. At the moment
this behaviour cannot be disabled, but some users find it annoying
that the header disappears and that they need to scroll up to be able
to change the patch set selection.

By default the diff table header is automatically hidden as this is
the current behaviour.

Change-Id: I1d65c5058222c924ccaf3276f7d2d83fac7f4d32
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
2014-09-17 16:03:59 +02:00
Sven Selberg
6524774b4f Sort hashtags alphabetically in ChangeNotes
Change-Id: Ifa85623b80ef4f36d4c0dd288e5d3b3fea2d522f
2014-09-17 14:55:30 +02:00
David Pursehouse
b7fa82eeed Move functionality from PostHashtags to HashtagsUtil
So that it can be reused from the change inserter.

Change-Id: I133ef4684f482311a703cd052407988a1450271d
2014-09-17 10:09:57 +09:00
David Pursehouse
f4b48cc997 Add setHashtags method on the change API
Change-Id: I4653857e3266d673f7d04e063da5324f880e5cba
2014-09-16 19:43:09 +09:00
David Pursehouse
9d56774ade Move hashtags input class to the extensions API
Change-Id: Icc9cdb8c7894664b3c134618603334991ddb58fa
2014-09-16 19:33:06 +09:00
David Pursehouse
7d12df7eaf Hashtags: use Collections.emptySet() instead of ImmutableSet.of()
Change-Id: I33f7a46ef6c0535ebb2ee034ea8dd3e01b347f61
2014-09-16 19:31:31 +09:00
David Pursehouse
1fe4ed6457 Allow plugins to perform validation of hashtag changes.
Plugins can validate and reject additions or removals of hashtags
on changes.

Change-Id: I138094a9dec428f0872e7182c40a77cc742cac2a
2014-09-14 16:42:34 +09:00
David Pursehouse
e1f4061606 Remove unused imports in ReviewerSuggestionCache
Change-Id: I49133e0312823d99b72a0f3ebf7aa70ef43d9b90
2014-09-13 08:31:54 +02:00
Edwin Kempin
853db98a5d Merge "Add stream event and hook for hashtag changes" 2014-09-12 16:20:21 +00:00
Edwin Kempin
6b31be27f1 Merge "Hashtags: Refactoring of the REST API" 2014-09-12 15:26:32 +00:00
Edwin Kempin
89664c0c65 Merge "Don't show "null" for version in daemon console log" 2014-09-12 15:26:23 +00:00
Sven Selberg
42d9d297d5 Full text search in memory for review suggestions
This change also makes it possible to configure maximum
displayed reviewers.

On some Gerrit instances the full name is formatted like:
<given name> <surname>
and email like:
<given name>.<surname>@...
This would make it impossible to get reviewer suggestions from
surnames.
Since gwtorm doesn't support sql LIKE there is no straight forward
way of filtering on substring in the DB. Hence this in memory approach.

For performance reasons this implementation differs from the default
implementation in that it does not look at the email_address in
account_external_ids but only at the preferred_email of accounts.
The default implementation does only look for 10 matches and afterwards
filters out the acconts that are not allowed to view the change.

Configuration:
suggest.maxSuggestedReviewers
Maximum number of suggested reviewers (default 10).

suggest.fullTextSearch
Enable full text search (default "false").

suggest.fullTextSearchMaxMatches
Maximum number of matches to be checked for accessability when using
full text search (default 100).

Change-Id: Ia4c3a15263783bc144e66a05854c3915392095b5
2014-09-12 15:11:41 +00:00
David Pursehouse
cb2e4853c9 Add stream event and hook for hashtag changes
The stream event is fired and the hook is executed when hashtags
are added or removed.

Change-Id: Ifa66db4d5ea3d5aecd9bf56830cd50688cc6af29
2014-09-12 16:45:54 +02:00
David Pursehouse
6b15344e38 Hashtags: Refactoring of the REST API
Sending data with a DELETE is not a common standard. Replace the PUT and
DELETE endpoints with a POST method which accepts both adds and removals.

Instead of sending hashtags as a comma-separated list, send as a set and
raise HTTP 400 Bad Request if any hashtag contains a comma.

Return results as an ordered list. Having the results in a deterministic
order makes it easier to test.

Only perform notes db update and indexing if any tags were actually added
or removed.

Examples:

  GET /a/changes/1/hashtags HTTP/1.1

  Response:
  HTTP/1.1 200 OK
  [
    "tag1",
    "tag2"
  ]

  POST /a/changes/1/hashtags HTTP/1.1
  { "add" : "tag3", "remove" : "tag2" }

  Response:
  HTTP/1.1 200 OK
  [
    "tag1",
    "tag3"
  ]

Change-Id: Idde97697ecc6bc1a51404bef67baf645d8909555
2014-09-12 16:45:54 +02:00
Edwin Kempin
ce4b4e434f Merge "Fix SecureStore binding for plugins" 2014-09-12 14:13:06 +00:00
Dariusz Luksza
7f4662fd4a Fix SecureStore binding for plugins
Some plugins like uploadvalidator, will now not load because of missing
binding for SecureStore in CopyConfigModule.

To be able to bind SecureStoreProvider there we need to move it from pgm
module to server. Then because it is using IoUtils and
SiteLibraryLoaderUtil to common module and adjust BUCK configuration to
make it compile Gerrit.

Change-Id: I20d7f56750e5290872b984881cd4dbd1add5988c
Signed-off-by: Dariusz Luksza <dariusz@luksza.org>
2014-09-12 14:12:38 +00:00
Dave Borowitz
cfe696251d Set default value for ChangeNotes.hashtags to avoid NPE
Change-Id: I039077301bf62ca4fa8f882bf2b98331ffdd0d2a
2014-09-12 13:53:08 +00:00
Edwin Kempin
4c51f70302 Merge "Allow to control target of web links" 2014-09-12 12:09:27 +00:00
David Pursehouse
1f26ed1982 Merge "Make Lucene case insensitive when searching for hashtags" 2014-09-12 11:04:58 +00:00
David Pursehouse
2d06b17074 Merge "ConfigSuite: Allow specifying default config for all tests" 2014-09-12 10:39:17 +00:00
Dave Borowitz
cd72cb1d37 Merge topic 'inline-bugfix'
* changes:
  Handle edits in GetRelated
  Store ChangeEdit in RevisionResource
  Add Follow-Up change UiAction to change screen
  Make edit's parent the base of the change
2014-09-12 10:18:11 +00:00
Dave Borowitz
9091ccf6f1 Handle edits in GetRelated
GetRelated collects all patch sets of all open changes, but was not
including the edit itself.

Change-Id: Iff6389a11ea1befd998d6b21616661f14e2665e2
2014-09-12 10:17:34 +00:00
Edwin Kempin
afae7d5936 Merge "Ignore new-change-for-all-not-in-target for root commit" 2014-09-12 10:12:02 +00:00
Dave Borowitz
59039f507d Store ChangeEdit in RevisionResource
This may be looked up as soon as the revision is parsed, so later
code may want to access it without doing the lookup again.

Change-Id: Ic5a065e59df127ea9aa11223ce9b30a262bf6297
2014-09-12 12:11:46 +02:00
David Ostrovsky
ceef9ffcda Add Follow-Up change UiAction to change screen
Change-Id: If4c9ef331a4646c736720f22fa9f921962f7147f
2014-09-12 12:11:46 +02:00
David Ostrovsky
0619f65b17 Make edit's parent the base of the change
Change-Id: I53186d485638e9c761720630149e575a461f2001
2014-09-12 12:11:45 +02:00
Deniz Türkoglu
c391fc8489 Ignore new-change-for-all-not-in-target for root commit
Without this check, we would throw a NPE and never let review
requests to be created without an explicit HEAD creation.

Change-Id: If28689c83c98663e571552146507795c48c8264d
2014-09-12 12:00:19 +02:00
Dave Borowitz
585fe4696b ConfigSuite: Allow specifying default config for all tests
Change-Id: Icce7086b20942e99238144d9a9de01ef5f620a03
2014-09-12 11:27:27 +02:00
Gustaf Lundh
bfc79d408e Make Lucene case insensitive when searching for hashtags
The Hashtags will still be stored as case sensitive. A
future HashtagValidator/HashtagTransformer @Extensionpoint
could allow users to finetune how the hashtags are
stored and accepted.

Change-Id: Ibb6d6343a228fcafb6f482597655281792f85a62
2014-09-12 08:30:16 +00:00
Dariusz Luksza
0f8fcab555 Fix getStringList in GerritConfig wrapper class
When getList from secure store class returns empty list try to get value
from gerrit.config. JGit getStringList will return empty list for not
found value therefore it is safe to ask base config file for this
property.

Change-Id: Iee8b6256a5ab7a1de698c46d2415a5a272f7e0c0
Signed-off-by: Dariusz Luksza <dariusz@luksza.org>
2014-09-12 10:09:16 +02:00
Edwin Kempin
ceeed6b48a Allow to control target of web links
Plugins can now control the target window in which a web link should
be opened.

This is an incompatible change and plugins implementing web links must
be adapted.

Change-Id: I5aec40ce425251b10fcb912131d547982d27cd55
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
2014-09-12 10:08:22 +02:00
Dave Borowitz
d9b8b39088 Allow users with accessDatabase to view metadata refs
Administrators may want to inspect the full ref state of a repository
without having direct git access. Reuse the accessDatabase capability
within VisibleRefFilter for this purpose. Users with this capability
can access basically all data on the server, so we are not giving
them significantly more visibility.

Change-Id: I592557528915ab216acce5fa7e057df8f2fc1640
2014-09-12 09:10:54 +02:00
David Pursehouse
9c1393279f Hashtags: trim input and remove empty strings when deleting hashtags
Change-Id: Icd0412c218aeb6bc70d6136f755dba7686b8a965
2014-09-12 07:30:35 +02:00
Gustaf Lundh
2970f85486 Fix: Do not allow empty Hashtags
Sending a hashtag string to PutHashtags in any of these
formats:

* ","
* ",tag"
* "tag,"
* "tag1,,tag2"

...would create an empty tag which could not be deleted
using the RESTApi.

Change-Id: Ic37a5721de8bfe5846de1a84f6c1c95b96dd9906
2014-09-11 15:32:50 +00:00
David Pursehouse
30565e12aa Merge branch 'stable-2.10'
* stable-2.10:
  Fix broken test compilation

Change-Id: If13a19701b754c1810788ea8ab2339e068d94d0e
2014-09-11 17:18:53 +02:00
David Pursehouse
23e841476e Fix broken test compilation
Change-Id: Id4bd313626142f115357c747a47107025e233e8a
2014-09-11 17:02:17 +02:00