| commit | e5f0ef3d2a0511600d247787b664d839db3db7f2 | |
|---|---|---|
| author | Edwin Kempin <ekempin@google.com> | Wed Aug 14 08:41:05 2024 +0000 |
| committer | Edwin Kempin <ekempin@google.com> | Mon Aug 19 08:25:26 2024 +0000 |
| tree | 7757abf824797b5da852cd9873532ea163f62d06 | |
| parent | b6955d1057fd9ae0fe5e2c8f1c97455651641404 | |
Allow all users to call the Check Code Owner REST endpoint

So far calling the Check Code Owner REST endpoint required the caller to be an admin (have the 'Administrate Server' capability or the 'Check Code Owner Capability'). Due to this normal users couldn't debug issues with OWNERS files on their own, but had to file tickets to find someone that calls the REST endpoint and explains the result to them. To reduce the ticket load we are offering the Check Code Owner REST endpoint as a self-service now so that every user can invoke it.

Most of the information that is provided by the REST endpoint is not sensitive and can be shown to normal users as they already have access to this information via other REST endpoints (via the code owner suggestion they can find out if a user is a code owner, the inspected code owner config files are already returned via the code owner suggestion REST endpoint, whether an email is resolvable can be checked via the account API, whether a user can see a change can be checked by trying to add the user as a reviewer to the change, whether a user can vote on a change is contained in ChangeInfo when the user is a reviewer).

The returned debug logs however may contain information which should only be shown to admins (e.g. messages that explain why a code owner email is not resolvable reveal information about whether an email exists). This is why with change Ib28802d38 we distinguish between messages that can be shown to all users vs. admins only. Now we are making use of this and return user messages for normal users and admin messages for admins.

The 'user' option of the Check Code Owner REST endpoint checks the code ownership of a user on behalf of another user. This is something that only admins should be able to do, hence we keep this disabled for normal users (e.g. normal users should not be able to check code ownership on behalf of an admin user as this would reveal accounts that the admin user can see, but which are not visible to the calling user).

So far the Check Code Owner REST endpoint only checked the visibility of code owners when a user was specified to check whether that user can see the code owners (the 'user' option). If a user was not specified the code owner visibility was not checked, since the REST endpoint could only be invoked by admins this was not necessary and it was intended that they could see all accounts. Now that also normal users can call the REST endpoint we do check the code owner visibility when the calling user is not an admin.

Bug: Google b/345161989
Change-Id: I3a2d5d9cc6fde0bb1b4dd690008111ce7c311cf5
Signed-off-by: Edwin Kempin <ekempin@google.com>

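
The access rules described in the commit message above, as an added Python model that is not part of the commit or of the plugin's code. The `Account` and `Message` types, the result dictionary and the sample data are constructed for illustration, and reporting a code owner the viewer cannot see as a non-owner is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """A non-admin caller used an admin-only option."""


@dataclass
class Account:
    name: str
    is_admin: bool = False
    visible: set = field(default_factory=set)  # emails this account may see


@dataclass
class Message:
    admin_text: str                  # may reveal why, e.g. that no account exists
    user_text: Optional[str] = None  # None: nothing safe to show to normal users


def check_code_owner(caller, email, owners, messages, accounts, user=None):
    """Return the result the caller is allowed to see for one email."""
    # The 'user' option checks on behalf of another account: admins only.
    if user is not None and not caller.is_admin:
        raise Forbidden("the 'user' option requires an admin caller")
    # Visibility: checked for the given user, else for a non-admin caller.
    viewer = accounts[user] if user is not None else caller
    enforce = user is not None or not caller.is_admin
    can_see = (not enforce) or email in viewer.visible
    # Admins get the admin messages, everyone else the user messages.
    if caller.is_admin:
        logs = [m.admin_text for m in messages]
    else:
        logs = [m.user_text for m in messages if m.user_text is not None]
    # Model assumption: an owner the viewer cannot see counts as a non-owner.
    return {"is_code_owner": can_see and email in owners, "debug_logs": logs}


# Constructed sample data.
ALICE = Account("alice", visible={"owner@example.com"})
ROOT = Account("root", is_admin=True)
ACCOUNTS = {"alice": ALICE, "root": ROOT}
OWNERS = {"owner@example.com", "hidden@example.com"}
MESSAGES = [
    Message("found OWNERS file /OWNERS", "found OWNERS file /OWNERS"),
    Message("cannot resolve x@example.com: no such account",
            "cannot resolve x@example.com"),
]
```
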
This plugin provides support for defining code owners for files in a repository.
If the code-owners plugin is enabled, changes can only be submitted if all touched files are covered by approvals from code owners.
For a detailed description of the plugin functionality please refer to the plugin documentation.
IMPORTANT: Before installing/enabling the plugin follow the instructions from the setup guide.
NOTE: The plugin documentation only renders correctly when the plugin is installed in Gerrit and the documentation is accessed via https:///plugins/code-owners/Documentation/index.html. If you want to read the documentation before installing the plugin, you can find it properly rendered here.
To run the plugin's web tests, run the following from the root of the gerrit repository:

```
bazel test //plugins/code-owners/web:karma_test
```

For testing the plugin with the Gerrit FE Dev Helper, the commands below build the plugin and link the built `code-owners.js` into `polygerrit-ui/app/plugins/`:

```
bazel build //plugins/code-owners/web:code-owners
ln -s bazel-bin/plugins/code-owners/web/code-owners.js polygerrit-ui/app/plugins/
```

Then let the Dev Helper redirect from `.+/plugins/code-owners/static/code-owners.js` to `http://localhost:8081/plugins/code-owners.js`.