use of com.google.gerrit.server.permissions.RefPermission in project gerrit by GerritCodeReview.
the class CheckAccess method apply.
public Response<AccessCheckInfo> apply(ProjectResource rsrc, AccessCheckInput input) throws PermissionBackendException, RestApiException, IOException, ConfigInvalidException {
permissionBackend.user(rsrc.getUser()).check(GlobalPermission.VIEW_ACCESS);
rsrc.getProjectState().checkStatePermitsRead();
if (input == null) {
throw new BadRequestException("input is required");
}
if (Strings.isNullOrEmpty(input.account)) {
throw new BadRequestException("input requires 'account'");
}
try (TraceContext traceContext = TraceContext.open()) {
traceContext.enableAclLogging();
Account.Id match = accountResolver.resolve(input.account).asUnique().account().id();
try {
permissionBackend.absentUser(match).project(rsrc.getNameKey()).check(ProjectPermission.ACCESS);
} catch (AuthException e) {
return Response.ok(createInfo(HttpServletResponse.SC_FORBIDDEN, String.format("user %s cannot see project %s", match, rsrc.getName())));
}
RefPermission refPerm;
if (!Strings.isNullOrEmpty(input.permission)) {
if (Strings.isNullOrEmpty(input.ref)) {
throw new BadRequestException("must set 'ref' when specifying 'permission'");
}
Optional<RefPermission> rp = DefaultPermissionMappings.refPermission(input.permission);
if (!rp.isPresent()) {
throw new BadRequestException(String.format("'%s' is not recognized as ref permission", input.permission));
}
refPerm = rp.get();
} else {
refPerm = RefPermission.READ;
}
String message = null;
if (!Strings.isNullOrEmpty(input.ref)) {
try {
permissionBackend.absentUser(match).ref(BranchNameKey.create(rsrc.getNameKey(), input.ref)).check(refPerm);
} catch (AuthException e) {
return Response.ok(createInfo(HttpServletResponse.SC_FORBIDDEN, String.format("user %s lacks permission %s for %s in project %s", match, input.permission, input.ref, rsrc.getName())));
}
} else {
// as access denied looks the same as no branches to the user.
try (Repository repo = gitRepositoryManager.openRepository(rsrc.getNameKey())) {
if (repo.getRefDatabase().getRefsByPrefix(REFS_HEADS).isEmpty()) {
message = "access is OK, but repository has no branches under refs/heads/";
}
}
}
return Response.ok(createInfo(HttpServletResponse.SC_OK, message));
}
}
Aggregations