Icc105c39e introduced severe security problem, allowing non admin
users that was granted modifyAccount capability to modify SSH keys
of all users, including administrators. But that means such a user
can change the authentication of an existing administrator and then
impersonate the admin to elevate their own account status to that
of an admin.
Rectify it but restricting changing of SSH keys for a user only to
members of administrators group.
Change-Id: If82965391369121b282b969e7072a2bfa3074be9
Remove the Generate HTTP Password capability because it exposes a
security vulnerability. Any user that is granted this capability
can modify an administrator's http password and impersonate the
admin user. Other reasons for removing this capability are that
the usage of it is inconsistent with the modifyAccount capability
and this capability encourages adding additional capabilities to
restrict permissions, which is not desired.
With this change only administrators are allowed to generate and
delete other users' http passwords.
The motivation behind this change is from comments in changes
Ib1971fad and If8296539.
Change-Id: Id907cc103591eed029fd08af700bb1bb6a618ff8
ReceiveCommit with notedb enabled site uses erroneously old patch set
id in ChangeUpdate on upload of new patch set. This bug was hidden
because no tests were enabled that targeting Notedb backend during push
operation. Fix this by enabling standard push tests also for Notedb
configuration.
Test Plan: When approval provided during push operation by passing
-l parameter to magic branch, verify that the approval is referencing
the right patch set. That means, pushing a change with %l=Code-Review+1
and uploading a subsequent patch set with %l=Code-Review+2 produces the
following commits on meta branch:
Uploaded patch set 1.
Patch-set: 1
Label: Code-Review=+1
Uploaded patch set 2.
Patch-set: 2
Label: Code-Review=+2
Without this change the last two lines are:
Patch-set: 1
Label: Code-Review=+2
and as result the test: testPushForMasterWithApprovals() was failing
because CRVW+2 was referencing wrong patch set (1 instead of 2).
Change-Id: I231e736a3d5f44555b1c2e4bdb5ef43be035c624
In the early iterations of the file links implementation 'file links'
were called 'patch links'. When the rename to 'file links' was
done this one method in the WebLinks class stayed with the old name.
Do the rename now to have all names consistent.
Change-Id: Id784ae5983dfb5f20d9b8f00403a8458f783c5d2
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
In determining which access pattern has precedence, the 1st check is
which pattern is closer via Levenshtein distance. The 2nd criteria is
if they differ on finite vs inifite. The 3rd criteria is based on
number of transitions in the pattern, where it is supposed to be the
pattern with the greatest number of transitions having precedence. The
check of using the number of transitions had the check reversed. This
caused the pattern with the fewest number of transitions to have
precedence.
When determining the Levenshtein distance of a glob style pattern the
trailing '*' would be changed to a '1'. The issue with doing this is
that it could cause a different access pattern to take precedence if a
RefName contained a '1' character as that would cause the Levenshtein
distance to become decreased by one.
Change-Id: Ibdcd483c303d24565ef43001b3831f6463c2ed8f
Signed-off-by: John L. Villalovos <john.l.villalovos@intel.com>
This matches the behavior of ChangeMergeQueue's RequestContext
implementation, and replaces a lurking NPE with a more descriptive
error.
Change-Id: I35dfd750980df70173a797b5b2147ee88d715b77
The implementation of Provider<IdentifiedUser> in
ThreadLocalRequestContext throws a ProvisionException in get() before
we can call isIdentifiedUser() on it. This fix should throw the proper
exception when the user is not signed in.
Change-Id: I404564652176897a24c4570734475c5b9f5c2bca
Add a new diff preference that allows the user to decide whether the
diff table header with the patch set selection should be automatically
hidden when scrolling down more than half of a page. At the moment
this behaviour cannot be disabled, but some users find it annoying
that the header disappears and that they need to scroll up to be able
to change the patch set selection.
By default the diff table header is automatically hidden as this is
the current behaviour.
Change-Id: I1d65c5058222c924ccaf3276f7d2d83fac7f4d32
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
This change also makes it possible to configure maximum
displayed reviewers.
On some Gerrit instances the full name is formatted like:
<given name> <surname>
and email like:
<given name>.<surname>@...
This would make it impossible to get reviewer suggestions from
surnames.
Since gwtorm doesn't support sql LIKE there is no straight forward
way of filtering on substring in the DB. Hence this in memory approach.
For performance reasons this implementation differs from the default
implementation in that it does not look at the email_address in
account_external_ids but only at the preferred_email of accounts.
The default implementation does only look for 10 matches and afterwards
filters out the acconts that are not allowed to view the change.
Configuration:
suggest.maxSuggestedReviewers
Maximum number of suggested reviewers (default 10).
suggest.fullTextSearch
Enable full text search (default "false").
suggest.fullTextSearchMaxMatches
Maximum number of matches to be checked for accessability when using
full text search (default 100).
Change-Id: Ia4c3a15263783bc144e66a05854c3915392095b5
Sending data with a DELETE is not a common standard. Replace the PUT and
DELETE endpoints with a POST method which accepts both adds and removals.
Instead of sending hashtags as a comma-separated list, send as a set and
raise HTTP 400 Bad Request if any hashtag contains a comma.
Return results as an ordered list. Having the results in a deterministic
order makes it easier to test.
Only perform notes db update and indexing if any tags were actually added
or removed.
Examples:
GET /a/changes/1/hashtags HTTP/1.1
Response:
HTTP/1.1 200 OK
[
"tag1",
"tag2"
]
POST /a/changes/1/hashtags HTTP/1.1
{ "add" : "tag3", "remove" : "tag2" }
Response:
HTTP/1.1 200 OK
[
"tag1",
"tag3"
]
Change-Id: Idde97697ecc6bc1a51404bef67baf645d8909555
Some plugins like uploadvalidator, will now not load because of missing
binding for SecureStore in CopyConfigModule.
To be able to bind SecureStoreProvider there we need to move it from pgm
module to server. Then because it is using IoUtils and
SiteLibraryLoaderUtil to common module and adjust BUCK configuration to
make it compile Gerrit.
Change-Id: I20d7f56750e5290872b984881cd4dbd1add5988c
Signed-off-by: Dariusz Luksza <dariusz@luksza.org>
* changes:
Handle edits in GetRelated
Store ChangeEdit in RevisionResource
Add Follow-Up change UiAction to change screen
Make edit's parent the base of the change
This may be looked up as soon as the revision is parsed, so later
code may want to access it without doing the lookup again.
Change-Id: Ic5a065e59df127ea9aa11223ce9b30a262bf6297
Without this check, we would throw a NPE and never let review
requests to be created without an explicit HEAD creation.
Change-Id: If28689c83c98663e571552146507795c48c8264d
The Hashtags will still be stored as case sensitive. A
future HashtagValidator/HashtagTransformer @Extensionpoint
could allow users to finetune how the hashtags are
stored and accepted.
Change-Id: Ibb6d6343a228fcafb6f482597655281792f85a62
When getList from secure store class returns empty list try to get value
from gerrit.config. JGit getStringList will return empty list for not
found value therefore it is safe to ask base config file for this
property.
Change-Id: Iee8b6256a5ab7a1de698c46d2415a5a272f7e0c0
Signed-off-by: Dariusz Luksza <dariusz@luksza.org>
Plugins can now control the target window in which a web link should
be opened.
This is an incompatible change and plugins implementing web links must
be adapted.
Change-Id: I5aec40ce425251b10fcb912131d547982d27cd55
Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
Administrators may want to inspect the full ref state of a repository
without having direct git access. Reuse the accessDatabase capability
within VisibleRefFilter for this purpose. Users with this capability
can access basically all data on the server, so we are not giving
them significantly more visibility.
Change-Id: I592557528915ab216acce5fa7e057df8f2fc1640
Sending a hashtag string to PutHashtags in any of these
formats:
* ","
* ",tag"
* "tag,"
* "tag1,,tag2"
...would create an empty tag which could not be deleted
using the RESTApi.
Change-Id: Ic37a5721de8bfe5846de1a84f6c1c95b96dd9906