Use Provider<CurrentUser> instead of relying on the caller to pass the
IdentifiedUser. Both callers are running in a scope where CurrentUser
can be automatically provided by Guice.
Don't return String on error and null on success, this is an ugly API
for callers to work with. Follow the pattern used throughout the
PermissionBackend and REST API to return void on success and throw
AuthException when denied. Use the AuthException's message to explain
the detailed reason for the denial.
Run the forRef.check(UPDATE) permission first. This avoids a possibly
expensive RevWalk checking connectivity against other existing heads
and tags if the user is permitted to fast-forward the branch anyway.
Change-Id: I32b1899f0f41f33d3a1ad3e4f34e5eb66cec3bd5
0486f45312