FROM group_roles gr, projects p
WHERE
gr.role=#{role}
- and (gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
- and
- (gr.resource_id is null or gr.resource_id = p.root_id or gr.resource_id = p.id) and
- <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
+ and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
+ and (gr.resource_id = p.root_id or gr.resource_id = p.id) and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
UNION
SELECT p.kee
FROM user_roles ur, projects p
WHERE
ur.role=#{role}
- and ur.user_id=#{userId}
- and (ur.resource_id is null or ur.resource_id = p.root_id or ur.resource_id = p.id) and
+ and ur.user_id=#{userId} and
<foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
</select>
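Review bot: The second SELECT of the UNION (`FROM user_roles ur, projects p`) is left with no predicate tying `ur.resource_id` to `p` once the `ur.resource_id is null or ur.resource_id = p.root_id or ur.resource_id = p.id` line is dropped, so the comma join becomes a cross product filtered only by role, user and key. As written, a user who holds the role on any single resource would get every requested `p.kee` back as authorized, which is broader than the group branch above it allows. Keep the resource join when removing the global (`is null`) case, mirroring the group branch: `and ur.user_id=#{userId} and (ur.resource_id = p.root_id or ur.resource_id = p.id) and`. A test case with a `user_roles` row on an unrelated resource that expects an empty result would pin this; the statement itself opens above the visible lines, so its first SELECT line is not shown here.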
assertThat(componentIds).isEmpty();
}
- @Test
- public void user_should_have_global_authorization() {
- // is not in an authorized group
- setupData("user_should_have_global_permission");
-
- AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
- Set<String> componentIds = authorization.keepAuthorizedComponentKeys(
- Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
- USER, "project_admin");
-
- assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
-
- // user does not have the role "profile_admin"
- componentIds = authorization.keepAuthorizedComponentKeys(
- Sets.<String>newHashSet(PROJECT, PACKAGE, FILE),
- USER, "profile_admin");
- assertThat(componentIds).isEmpty();
- }
-
@Test
public void group_should_be_authorized() {
// user is in an authorized group
assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
- // user is in group that doesn't have user right
- componentIds = authorization.keepAuthorizedComponentKeys(
- Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
- 200, "user");
-
- assertThat(componentIds).containsOnly(EMPTY_PROJECT);
-
// group does not have the role "admin"
componentIds = authorization.keepAuthorizedComponentKeys(
Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
<!-- user 100 has no direct grant access, but is in the group 200 that has the role "user"
on the project 300 -->
- <!-- user 200 has no grant access either, but is in the group 300 that has no role on project 300 -->
<user_roles id="1" user_id="100" resource_id="999" role="user"/>
- <user_roles id="2" user_id="200" resource_id="999" role="user"/>
-
<groups_users user_id="100" group_id="200"/>
- <groups_users user_id="200" group_id="300"/>
-
<group_roles id="1" group_id="200" resource_id="300" role="user"/>
<group_roles id="2" group_id="200" resource_id="400" role="user"/>
- <group_roles id="3" group_id="300" resource_id="400" role="user"/>
<projects id="301" kee="pj-w-snapshot:package" root_id="300" />
<projects id="302" kee="pj-w-snapshot:file" root_id="300" />
+++ /dev/null
-<dataset>
-
- <!-- user 100 has the role "project_admin" on all resources -->
- <user_roles id="1" user_id="100" resource_id="[null]" role="project_admin"/>
-
- <projects id="301" kee="pj-w-snapshot:package" root_id="300" />
- <projects id="302" kee="pj-w-snapshot:file" root_id="300" />
- <projects id="303" kee="pj-w-snapshot:other" root_id="300" />
- <projects id="300" kee="pj-w-snapshot" />
- <projects id="400" kee="pj-wo-snapshot" />
-
-</dataset>