*/
package org.sonar.server.user.ws;
+import java.util.List;
+import javax.annotation.Nullable;
import org.sonar.api.server.ws.Request;
import org.sonar.api.server.ws.Response;
import org.sonar.api.server.ws.WebService.NewAction;
import org.sonar.api.server.ws.WebService.Param;
import org.sonar.api.utils.Paging;
import org.sonar.api.utils.text.JsonWriter;
+import org.sonar.core.permission.GlobalPermissions;
import org.sonar.core.persistence.DbSession;
import org.sonar.core.user.GroupMembershipDto;
import org.sonar.core.user.GroupMembershipQuery;
import org.sonar.core.user.UserDto;
import org.sonar.server.db.DbClient;
-
-import javax.annotation.Nullable;
-
-import java.util.List;
+import org.sonar.server.user.UserSession;
public class GroupsAction implements UsersWsAction {
private static final String PARAM_SELECTED = "selected";
private static final String SELECTION_ALL = "all";
- private static final String SELECTION_SELECTED = "selected";
+ private static final String SELECTION_SELECTED = PARAM_SELECTED;
private static final String SELECTION_DESELECTED = "deselected";
+ private static final String FIELD_SELECTED = PARAM_SELECTED;
+ private static final String FIELD_DESCRIPTION = "description";
+ private static final String FIELD_NAME = "name";
+
private final DbClient dbClient;
+ private final UserSession userSession;
- public GroupsAction(DbClient dbClient) {
+ public GroupsAction(DbClient dbClient, UserSession userSession) {
this.dbClient = dbClient;
+ this.userSession = userSession;
}
@Override
@Override
public void handle(Request request, Response response) throws Exception {
+ userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
+
String login = request.mandatoryParam(PARAM_LOGIN);
int pageSize = request.mandatoryParamAsInt(Param.PAGE_SIZE);
int page = request.mandatoryParamAsInt(Param.PAGE);
json.name("groups").beginArray();
for (GroupMembershipDto group : groups) {
json.beginObject()
- .prop("name", group.getName())
- .prop("description", group.getDescription())
- .prop("selected", group.getUserId() != null)
+ .prop(FIELD_NAME, group.getName())
+ .prop(FIELD_DESCRIPTION, group.getDescription())
+ .prop(FIELD_SELECTED, group.getUserId() != null)
.endObject();
}
json.endArray();
import org.sonar.api.server.ws.WebService.Param;
import org.sonar.api.utils.Paging;
import org.sonar.api.utils.text.JsonWriter;
+import org.sonar.core.permission.GlobalPermissions;
import org.sonar.core.persistence.DbSession;
import org.sonar.core.persistence.MyBatis;
import org.sonar.core.user.GroupMembershipQuery;
import org.sonar.core.user.UserMembershipDto;
import org.sonar.core.user.UserMembershipQuery;
import org.sonar.server.db.DbClient;
+import org.sonar.server.user.UserSession;
public class UsersAction implements UserGroupsWsAction {
private static final String PARAM_SELECTED = "selected";
private static final String SELECTION_ALL = "all";
- private static final String SELECTION_SELECTED = "selected";
+ private static final String SELECTION_SELECTED = PARAM_SELECTED;
private static final String SELECTION_DESELECTED = "deselected";
+ private static final String FIELD_SELECTED = PARAM_SELECTED;
+ private static final String FIELD_NAME = "name";
+ private static final String FIELD_LOGIN = "login";
+
private final DbClient dbClient;
+ private final UserSession userSession;
- public UsersAction(DbClient dbClient) {
+ public UsersAction(DbClient dbClient, UserSession userSession) {
this.dbClient = dbClient;
+ this.userSession = userSession;
}
@Override
@Override
public void handle(Request request, Response response) throws Exception {
+ userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
+
Long groupId = request.mandatoryParamAsLong(PARAM_ID);
int pageSize = request.mandatoryParamAsInt(Param.PAGE_SIZE);
int page = request.mandatoryParamAsInt(Param.PAGE);
json.name("users").beginArray();
for (UserMembershipDto user : users) {
json.beginObject()
- .prop("login", user.getLogin())
- .prop("name", user.getName())
- .prop("selected", user.getGroupId() != null)
+ .prop(FIELD_LOGIN, user.getLogin())
+ .prop(FIELD_NAME, user.getName())
+ .prop(FIELD_SELECTED, user.getGroupId() != null)
.endObject();
}
json.endArray();
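Review bot: The guard added at the top of `handle` makes `api/usergroups/users` (this hunk) and `api/users/groups` (the GroupsAction hunk above) administrator-only, yet neither hunk touches the action's WS description, so API consumers learn of the new requirement only from a 403 at call time. The `define` method that registers the action is outside the hunk; its description should gain a sentence along the lines of `Requires the 'Administer System' permission.`, and the check itself deserves a why-comment such as `// Authorize before any parameter parsing or DB access so nothing leaks to unauthorized callers.` Running `checkLoggedIn().checkGlobalPermission(...)` before the `mandatoryParam*` calls is the right order, since otherwise parameter-validation errors would be observable to callers who are not allowed to use the endpoint; that ordering should be kept if the method is refactored. `handle` continues past the lines shown in this hunk.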
import org.junit.After;
import org.junit.Before;
import org.junit.ClassRule;
+import org.junit.Rule;
import org.junit.Test;
-import org.sonar.api.server.ws.WebService;
import org.sonar.api.server.ws.WebService.Param;
import org.sonar.api.utils.System2;
+import org.sonar.core.permission.GlobalPermissions;
import org.sonar.core.persistence.DbSession;
import org.sonar.core.persistence.DbTester;
import org.sonar.core.user.GroupDto;
import org.sonar.core.user.UserDto;
import org.sonar.core.user.UserGroupDto;
import org.sonar.server.db.DbClient;
+import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
+import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.user.db.GroupDao;
import org.sonar.server.user.db.UserDao;
import org.sonar.server.user.db.UserGroupDao;
@ClassRule
public static final DbTester dbTester = new DbTester();
-
- WebService.Controller controller;
+ @Rule
+ public UserSessionRule userSession = UserSessionRule.standalone();
WsTester tester;
-
DbClient dbClient;
-
DbSession session;
@Before
session = dbClient.openSession(false);
session.commit();
- tester = new WsTester(new UsersWs(new GroupsAction(dbClient)));
- controller = tester.controller("api/users");
-
+ tester = new WsTester(new UsersWs(new GroupsAction(dbClient, userSession)));
+ userSession.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
}
@After
.setParam("login", "john").execute();
}
+ @Test(expected = ForbiddenException.class)
+ public void fail_on_missing_permission() throws Exception {
+ userSession.login("not-admin");
+ tester.newGetRequest("api/users", "groups")
+ .setParam("login", "john").execute();
+ }
+
@Test
public void empty_groups() throws Exception {
createUser();
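Review bot: `fail_on_missing_permission` covers only the second half of the new guard — a logged-in user without SYSTEM_ADMIN — while the anonymous path that `checkLoggedIn()` rejects is not exercised, here or in the UsersActionTest hunk below. A companion test that issues the same request with no logged-in user (assuming `UserSessionRule` can represent an anonymous session; please verify) and expects the exception `checkLoggedIn()` raises would pin both outcomes of the authorization check. The test also depends on `userSession.login("not-admin")` discarding the SYSTEM_ADMIN permission granted in `@Before`; the expected ForbiddenException proves that at runtime, but a comment such as `// login() starts a fresh session: the admin permission set in @Before is not carried over` would make the intent explicit to the next reader.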
package org.sonar.server.usergroups.ws;
-import org.sonar.server.ws.WsTester.TestRequest;
-
import org.junit.After;
import org.junit.Before;
import org.junit.ClassRule;
+import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.sonar.api.utils.System2;
+import org.sonar.core.permission.GlobalPermissions;
import org.sonar.core.persistence.DbSession;
import org.sonar.core.persistence.DbTester;
import org.sonar.core.user.GroupDto;
import org.sonar.core.user.UserDto;
import org.sonar.core.user.UserGroupDto;
import org.sonar.server.db.DbClient;
+import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
+import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.user.db.GroupDao;
import org.sonar.server.user.db.UserDao;
import org.sonar.server.user.db.UserGroupDao;
import org.sonar.server.ws.WsTester;
+import org.sonar.server.ws.WsTester.TestRequest;
import org.sonar.test.DbTests;
@Category(DbTests.class)
@ClassRule
public static final DbTester dbTester = new DbTester();
+ @Rule
+ public UserSessionRule userSession = UserSessionRule.standalone();
WsTester wsTester;
DbClient dbClient;
session = dbClient.openSession(false);
session.commit();
- wsTester = new WsTester(new UserGroupsWs(new UsersAction(dbClient)));
+ wsTester = new WsTester(new UserGroupsWs(new UsersAction(dbClient, userSession)));
+ userSession.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
}
.setParam("login", "john").execute();
}
+ @Test(expected = ForbiddenException.class)
+ public void fail_on_missing_permission() throws Exception {
+ userSession.login("not-admin");
+ newUsersRequest()
+ .setParam("id", "42")
+ .setParam("login", "john").execute();
+ }
+
private TestRequest newUsersRequest() {
return wsTester.newGetRequest("api/usergroups", "users");
}