
Commit 77d2a55

committed
Disallow the discovery of other user's membership
GitHub may not allow users to discover other people's group membership and may instead throw an error permanently. A group resolution that fails permanently causes disruption because of GitHub API throttling. To avoid breaking the Gerrit UI, do not throw any exception; simply return an empty membership, which is rendered gracefully. Change-Id: I41059be5cdbb86b0772f60aae0207571e4bf9b30
1 parent ba777ed commit 77d2a55


1 file changed

+13
-1
lines changed

1 file changed

+13
-1
lines changed

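--- a/github-plugin/src/main/java/com/googlesource/gerrit/plugins/github/group/GitHubGroupBackend.java
+++ b/github-plugin/src/main/java/com/googlesource/gerrit/plugins/github/group/GitHubGroupBackend.java
@@ -30,6 +30,7 @@
 import com.google.gerrit.server.account.GroupMembership;
 import com.google.gerrit.server.project.ProjectState;
 import com.google.inject.Inject;
+import com.google.inject.Provider;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Set;
@@ -41,12 +42,16 @@ public class GitHubGroupBackend implements GroupBackend {
 private static final Logger log = LoggerFactory.getLogger(GitHubGroupBackend.class);
 private final GitHubGroupMembership.Factory ghMembershipProvider;
 private final GitHubGroupsCache ghOrganisationCache;
+private final Provider<CurrentUser> currentUserProvider;
 
 @Inject
 GitHubGroupBackend(
-GitHubGroupMembership.Factory ghMembershipProvider, GitHubGroupsCache ghOrganisationCache) {
+GitHubGroupMembership.Factory ghMembershipProvider,
+GitHubGroupsCache ghOrganisationCache,
+Provider<CurrentUser> currentUserProvider) {
 this.ghMembershipProvider = ghMembershipProvider;
 this.ghOrganisationCache = ghOrganisationCache;
+this.currentUserProvider = currentUserProvider;
 }
 
 @Override
@@ -112,6 +117,13 @@ public Set<GroupReference> listByPrefix(String orgNamePrefix) {
 
 @Override
 public GroupMembership membershipsOf(CurrentUser user) {
+CurrentUser currentUser = currentUserProvider.get();
+if (!currentUser.isIdentifiedUser()
+|| !currentUser.asIdentifiedUser().getAccountId().equals(user.getAccountId())) {
+// Do not allow to perform group discovery of other users
+return GroupMembership.EMPTY;
+}
+
 String username = user.getUserName().orElse(null);
 if (Strings.isNullOrEmpty(username)) {
 return GroupMembership.EMPTY;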
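Review bot: In `membershipsOf`, the new guard calls `user.getAccountId()` directly on the argument, while the caller side is first checked with `isIdentifiedUser()` and unwrapped with `asIdentifiedUser()`; if `user` is not an identified user, that call may throw instead of returning the empty membership, which would defeat the stated aim of never throwing here. Adding `|| !user.isIdentifiedUser()` ahead of the account comparison keeps the deny path exception-free. `currentUserProvider.get()` presumably also needs a request scope, so calls made from background work (callers are not visible in this hunk) should be confirmed to reach the `EMPTY` return rather than a provisioning error. Because the refusal is silent, a line such as `log.debug("Refusing GitHub group discovery for a user other than the caller");` on that branch would let an operator tell a refused cross-user lookup from a genuinely empty membership. The method body continues past the end of the hunk.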
