jenkins: use uploader for validation
In order to determine if a user is authorized for CI, we look them up in
Gerrit groups. We should use the uploader for this and not the owner,
because otherwise anyone with a Gerrit account could forge a patch-set
that was created by an authorized committer and get Jenkins to do the
testing (when it should not have been).
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I4fc8415dee35004ebb68b2aea040be27bf521168
diff --git a/jenkins/userid-validation b/jenkins/userid-validation
index 3f3989c..35b2e81 100755
--- a/jenkins/userid-validation
+++ b/jenkins/userid-validation
@@ -20,7 +20,7 @@
echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"
-COMMITTER_USERNAME=$("${GERRIT_SSH_CMD[@]}" query "${GERRIT_CHANGE_NUMBER}" --format json | jq -r '.owner.username | select (. != null )')
+COMMITTER_USERNAME=$("${GERRIT_SSH_CMD[@]}" query "${GERRIT_CHANGE_NUMBER}" --current-patch-set --format json | jq -r '.currentPatchSet.uploader.username | select (. != null )')
echo "USERNAME: $COMMITTER_USERNAME"
if [ "${COMMITTER_USERNAME}" = "" ]; then
echo "Unable to determine github user for ${COMMITTER_EMAIL}."