com.google.gerrit.server.project.RemoveReviewerControl Maven / Gradle / Ivy
The newest version!
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.server.project;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.Change;
import com.google.gerrit.entities.PatchSetApproval;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.ChangePermission;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.inject.Inject;
import com.google.inject.Singleton;
@Singleton
public class RemoveReviewerControl {
private final PermissionBackend permissionBackend;
private final ChangeData.Factory changeDataFactory;
@Inject
RemoveReviewerControl(PermissionBackend permissionBackend, ChangeData.Factory changeDataFactory) {
this.permissionBackend = permissionBackend;
this.changeDataFactory = changeDataFactory;
}
/**
* Checks if removing the given reviewer and patch set approval is OK.
*
* @throws AuthException if this user is not allowed to remove this approval.
* @throws PermissionBackendException on failure of permission checks.
* @throws ResourceConflictException if the approval cannot be removed because the change is
* merged
*/
public void checkRemoveReviewer(
ChangeNotes notes, CurrentUser currentUser, PatchSetApproval approval)
throws PermissionBackendException, AuthException, ResourceConflictException {
if (notes.getChange().isMerged() && approval.value() != 0) {
throw new ResourceConflictException("cannot remove votes from merged change");
}
checkRemoveReviewer(notes, currentUser, approval.accountId(), approval.value());
}
/**
* Checks if removing the given reviewer is OK. Does not check if removing any approvals the
* reviewer might have given is OK.
*
* @throws AuthException if this user is not allowed to remove this approval.
* @throws PermissionBackendException on failure of permission checks.
*/
public void checkRemoveReviewer(ChangeNotes notes, CurrentUser currentUser, Account.Id reviewer)
throws PermissionBackendException, AuthException {
checkRemoveReviewer(notes, currentUser, reviewer, 0);
}
/** Returns true if the user is allowed to remove this reviewer. */
public boolean testRemoveReviewer(
ChangeNotes notes, CurrentUser currentUser, PatchSetApproval approval)
throws PermissionBackendException {
return testRemoveReviewer(notes, currentUser, approval.accountId(), approval.value());
}
/** Returns true if the user is allowed to remove this reviewer. */
public boolean testRemoveReviewer(
ChangeNotes notes, CurrentUser currentUser, Account.Id reviewer, int value)
throws PermissionBackendException {
return testRemoveReviewer(changeDataFactory.create(notes), currentUser, reviewer, value);
}
/** Returns true if the user is allowed to remove this reviewer. */
public boolean testRemoveReviewer(
ChangeData cd, CurrentUser currentUser, Account.Id reviewer, int value)
throws PermissionBackendException {
if (cd.change().isMerged() && value != 0) {
return false;
}
if (canRemoveReviewerWithoutPermissionCheck(cd.change(), currentUser, reviewer, value)) {
return true;
}
// Users with the remove reviewer permission, the branch owner, project
// owner and site admin can remove anyone
PermissionBackend.WithUser withUser = permissionBackend.user(currentUser);
PermissionBackend.ForProject forProject = withUser.project(cd.project());
return (forProject.ref(cd.change().getDest().branch()).test(RefPermission.WRITE_CONFIG)
|| withUser.test(GlobalPermission.ADMINISTRATE_SERVER))
|| withUser.change(cd).test(ChangePermission.REMOVE_REVIEWER);
}
private void checkRemoveReviewer(
ChangeNotes notes, CurrentUser currentUser, Account.Id reviewer, int value)
throws PermissionBackendException, AuthException {
if (canRemoveReviewerWithoutPermissionCheck(notes.getChange(), currentUser, reviewer, value)) {
return;
}
// Users with the remove reviewer permission, the branch owner, project
// owner and site admin can remove anyone
PermissionBackend.WithUser withUser = permissionBackend.user(currentUser);
PermissionBackend.ForProject forProject = withUser.project(notes.getProjectName());
if (forProject.ref(notes.getChange().getDest().branch()).test(RefPermission.WRITE_CONFIG)
|| withUser.test(GlobalPermission.ADMINISTRATE_SERVER)) {
return;
}
permissionBackend.user(currentUser).change(notes).check(ChangePermission.REMOVE_REVIEWER);
}
public static boolean canRemoveReviewerWithoutPermissionCheck(
Change change, CurrentUser currentUser, Account.Id reviewer, int value) {
if (currentUser.isIdentifiedUser()) {
Account.Id aId = currentUser.getAccountId();
if (aId.equals(reviewer)) {
return true; // A user can always remove themselves.
} else if (aId.equals(change.getOwner()) && 0 <= value) {
return true; // The change owner may remove any zero or positive score.
}
}
return false;
}
}