Project list permission

47 views
Skip to first unread message

Marcelo Ávila de Oliveira

unread,
Jun 20, 2016, 2:48:31 PM6/20/16
to Repo and Gerrit Discussion
Hello everyone,

Which Gerrit access control grants/denies permisson to "see" a project in Projects > List menu?

Thanks.

--
Marcelo Ávila de Oliveira

Gaurav Negi

unread,
Jun 20, 2016, 3:47:49 PM6/20/16
to Marcelo Ávila de Oliveira, Repo and Gerrit Discussion
Try out read permission for refs/* of that project.



Sent from my iPhone
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Marcelo Ávila de Oliveira

unread,
Jun 20, 2016, 3:54:40 PM6/20/16
to Gaurav Negi, Repo and Gerrit Discussion
I've tried... the refs/* has no effect in Project > List menu but...

I found that READ in refs/meta/dashboards/* do the job. This is kinda unexpected, isn't it? But this is the way it works...

--
Marcelo Ávila de Oliveira

Marcelo Ávila de Oliveira

unread,
Jun 24, 2016, 3:04:35 PM6/24/16
to Gaurav Negi, Repo and Gerrit Discussion
This is really annoying because we need to grant READ permission on refs/meta/dashboards/* to Registered Users in all-projects (because we have generic dashboards defined in all-projects) but if we do that every project (name and description) are exposed to everyone (including who doen't have READ permission on refs/*). :-(

I will need to redefine the dashboards in different places...

--
Marcelo Ávila de Oliveira

Jonathan Nieder

unread,
Jun 24, 2016, 3:18:54 PM6/24/16
to Marcelo Ávila de Oliveira, Gaurav Negi, Repo and Gerrit Discussion
You can use DENY on refs/* to stop people from viewing a particular project.

Marcelo Ávila de Oliveira

unread,
Jun 24, 2016, 3:47:15 PM6/24/16
to Jonathan Nieder, Gaurav Negi, Repo and Gerrit Discussion
Unfortunately no... this is exactly the issue. If you grant READ on ref/meta/dashboards/* people can see the project in Projects > List (or gerrit ls-projects) even if they don't have READ on refs/*.

--
Marcelo Ávila de Oliveira

Björn Pedersen

unread,
Jun 27, 2016, 4:59:48 AM6/27/16
to Repo and Gerrit Discussion
Hi,

I checked in the code how ProjectControl.isVisible() seems to work:

A project is considered visible if any ref is visible.

If you then check Demystifying access controls, then an explicit Read on refs/meta/dashboard in a parent has a higher priority then a deny on refs/*.
So this explains your observed  behaviour. 


Björn

Marcelo Ávila de Oliveira

unread,
Jun 27, 2016, 7:47:34 AM6/27/16
to Björn Pedersen, Repo and Gerrit Discussion
2016-06-27 5:59 GMT-03:00 'Björn Pedersen' via Repo and Gerrit Discussion <repo-d...@googlegroups.com>:
Hi,

I checked in the code how ProjectControl.isVisible() seems to work:

A project is considered visible if any ref is visible.

Ok... maybe it should have a more specifc way to configure this.
 
If you then check Demystifying access controls, then an explicit Read on refs/meta/dashboard in a parent has a higher priority then a deny on refs/*.

Very useful document.
 
So this explains your observed behaviour.

Yes it does...

Thanks a lot. 
Reply all
Reply to author
Forward
0 new messages