Sorry for the long summary, but I could not decide what the best way to describe the issue is, and whether it is a bug or should be treated as a feature request. Hence, feel free to amend the summary.
I'm using Gerrit 2.8.4 in an installation where the "Forge Author Identity" access control is locked down; it is assigned exclusively to an empty group, and that works pretty well in preventing people from pushing for review someone else's patch.
However, this is still possible:
* user A creates patch P1 with ChangeId I0001; this sets A, the author of the patch, as the owner of the new change;
* user B (by setting himself as author of a new patch) can push patch P2 with the same ChangeId; this creates a new patchset in the change already owned by A, and the change is still owned by A.
Now, I would expect at least one of the following (hence my indecision with the subject):
* when user B pushes patch P2, since the owner of change I0001 is different from the author of P2, the "Forge Author Identity" of user B is tested; the rationale is that the author of the first patch was used to initialize the owner field of the change, so we should keep using the author of the patch to test push authorizations for an open change.
* alternatively, a "Forge Owner Identity" access control is provided. This access control provides authorization to push a patch in a change owned by another user, independently of the author and committer of the patch (which are governed through the usual access controls).
Thanks.
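The following is an added illustration, not Gerrit code and not part of the report above: a toy model of the push-authorization decision that replays the two-push scenario (A creates change I0001, then B pushes a second patch set with the same Change-Id) under the behaviour the reporter observes and under each of the two proposed alternatives. The `Change`/`Push` records, the policy labels and the group sets are assumptions of this model; the real Gerrit permission evaluation is more involved.

```python
"""Toy model of the Gerrit push-authorization checks discussed in the report.

Illustrative code written for this page, not Gerrit's implementation. The
policy labels, the Change/Push records and the group sets are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    change_id: str
    owner: str
    patch_sets: list = field(default_factory=list)  # (pusher, author) per patch set


@dataclass
class Push:
    pusher: str     # account performing the push
    author: str     # author identity recorded on the commit
    change_id: str  # Change-Id footer of the commit


# Policies modelled here (labels are assumptions):
#   "current"      observed behaviour: Forge Author Identity is tested only
#                  when the commit author differs from the pusher.
#   "owner_author" first proposal: additionally test the pusher's Forge Author
#                  Identity when the change owner differs from the commit author.
#   "forge_owner"  second proposal: a separate Forge Owner Identity permission
#                  is required to push into a change owned by someone else.
def authorize(push, changes, forge_author=frozenset(), forge_owner=frozenset(),
              policy="current"):
    """Return (allowed, reason). `changes` maps Change-Id -> Change and is
    updated in place when the push is allowed."""
    # The check that is already enforced in the reporter's installation.
    if push.author != push.pusher and push.pusher not in forge_author:
        return False, "Forge Author Identity required: author differs from pusher"

    change = changes.get(push.change_id)
    if change is not None:
        if (policy == "owner_author" and push.author != change.owner
                and push.pusher not in forge_author):
            return False, "Forge Author Identity required: author differs from change owner"
        if (policy == "forge_owner" and change.owner != push.pusher
                and push.pusher not in forge_owner):
            return False, "Forge Owner Identity required: pusher is not the change owner"
    else:
        # First patch set: the commit author becomes the change owner.
        change = Change(push.change_id, owner=push.author)
        changes[push.change_id] = change

    change.patch_sets.append((push.pusher, push.author))
    return True, (f"patch set {len(change.patch_sets)} added to "
                  f"{change.change_id} (owner {change.owner})")


def scenario(policy, forge_owner=frozenset()):
    """Replay the report's scenario under one policy.

    Forge Author Identity is locked down (empty group) as in the report.
    Returns (A_allowed, B_allowed, owner_after, reason_for_B)."""
    changes = {}
    ok_a, _ = authorize(Push("A", "A", "I0001"), changes, policy=policy,
                        forge_owner=forge_owner)
    ok_b, reason = authorize(Push("B", "B", "I0001"), changes, policy=policy,
                             forge_owner=forge_owner)
    return ok_a, ok_b, changes["I0001"].owner, reason


if __name__ == "__main__":
    for policy in ("current", "owner_author", "forge_owner"):
        print(policy, scenario(policy))
    # Granting B the (hypothetical) Forge Owner Identity permission re-enables the push.
    print("forge_owner with B granted", scenario("forge_owner", forge_owner={"B"}))
```

Under `"current"` B's push succeeds and the change stays owned by A, which is exactly the gap the report describes; under either proposed policy the same push is refused unless the corresponding permission has been granted to B.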