My favorites | Sign in
Project Home Downloads Wiki Issues Source
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 1588: Security with draft patch sets over anonymous HTTP
2 people starred this issue and may be notified of changes. Back to list
Status:  WontFix
Owner:  ----
Closed:  Sep 2012


Sign in to add a comment
 
Reported by hughdave...@gmail.com, Sep 27, 2012
************************************************************
***** NOTE: THIS BUG TRACKER IS FOR GERRIT CODE REVIEW *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, INTERNAL *****
***** ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC.    *****
***** THOSE ISSUE BELONG IN DIFFERENT ISSUE TRACKERS!  *****
************************************************************

Affected Version:

What steps will reproduce the problem?
1. Create a draft patchset, available at refs/changes/yz/wxyz on project foo.git
2. git ls-remote http://gerrit.fqdn/p/foo.git | grep refs/changes/yz/wxyz
3. git fetch http://gerrit.fqdn/p/foo.git refs/changes/yz/wxyz

What is the expected output? What do you see instead?
Expected that the git over HTTP access should align with the
web page that anonymous users are shown.

Please provide any additional information below.
Currently, if an anonymous user passes the
allRefsAreVisible() method on the ProjectControl
class then they can see everything. This method
only takes into account the READ permission and
not draft status.
 
If that function fails, then a VisibleRefFilter class
is instantiated to filter out what the user can see.
This filter calls that same method, but as it returned
false before, it will do the same now. It then finds
all the visible changes for that project (taking into
account the draft status).

This means that to enforce drafts when the anonymous
user has READ permissions on the entire project, the
allRefsAreVisible() method needs to take into account
the actual patch status of the ref.

I have a partial solution to this, with a few issues
but am happy to submit it to whereever you want it
to get feedback.
Sep 27, 2012
#1 sop@google.com
If you grant a user Read on refs/*... they can read any reference, including the entire refs/changes/ namespace. Since drafts are stored there, they can also read a draft. Hiding a draft in the web UI is a "feature" in the sense that we are hiding something they maybe aren't interested in, but at the Git level the admin said the user can read it so they can.

If you want to hide draft refs from a user, don't grant them read on the entire space. Instead grant them Read only on refs/heads/*, so that the branch filtering will apply.
Status: WontFix
Sep 27, 2012
#2 hughdave...@gmail.com
Ah, I'm sure I tried that, but now that I did that works fine. Sorry for inconvenience :D
Sign in to add a comment

Powered by Google Project Hosting