Issue 2173: Submit access control not working for Project Owners
Status: New
Owner: ----
Reported by romain.c...@gmail.com, Oct 8, 2013

Affected Version: 2.7

What steps will reproduce the problem?
1. In all projects, grant 'Submit' rights to refs/heads/* to 'Project owners'
2. Create a project inheriting from all projects and grant ownership rights to an LDAP group on (e.g.) refs/heads/subsystem/*
3. Try to submit a patch while being part of that LDAP group.

What is the expected output? What do you see instead?

I expected the 'Submit' right to be granted to any patches submitted to branches starting with refs/heads/subsystem/*. All other rights (Abandon, Remove Reviewer for example) are properly inherited. However, this does not happen.

The weirdest thing is that if I explicitly (in the child project) grant submit rights to the SAME LDAP group as the owner right, it works.

So, to summarize:

All-Projects:
    - On refs/heads/*, ALLOW Submit to Project Owners

SubProject:
    - On refs/heads/subsystem/*:
        - ALLOW Owner to ldap/mygroup does not allow Submit to people in ldap/mygroup
        - ALLOW Submit to ldap/mygroup <- adding this makes it work

Please provide any additional information below.

I don't know if I am misunderstanding something and since I am new to Gerrit, please let me know if that is the case.

Thanks.