Check the committer rather than the Gerrit owner.

Guarding based on the Gerrit owner can be circumvented by an arbitrary
user uploading a different patch with a Change-Id that is non-unique,
with the other copy being owned by a Googler.

Change-Id: I5414b679e361d4c38d70bf9c4516c122f668fc49
Dan Albert
2015-01-12 16:23:53 -08:00
parent 8d50e16aa9
commit b4060330aa
3 changed files with 67 additions and 16 deletions

@@ -24,6 +24,11 @@ class GerritError(RuntimeError):
super(GerritError, self).__init__('Error {}: {}'.format(code, url))
def get_commit(change_id, revision):
return json.loads(
call('/changes/{}/revisions/{}/commit'.format(change_id, revision)))
def call(endpoint, method='GET'):
if method != 'GET':
raise NotImplementedError('Currently only HTTP GET is supported.')
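
Review bot: get_commit() keys its lookup on change_id, yet the commit message itself says a Change-Id can be non-unique, so the '/changes/{}/revisions/{}/commit' request in the new function should be given an identifier that names exactly one change. Otherwise the committer check can fail on an ambiguous id or read the commit from the wrong copy. A docstring stating which id form callers must pass, and that the result is the parsed commit info, would make that contract explicit. change_id and revision are also formatted into the path unescaped; quoting them before the format() call would keep a value containing '/' or '?' from changing the endpoint that call() requests.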