SONAR-5819 Check sourceviewer permission on /api/sources/lines WS

author Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>

Wed, 3 Dec 2014 14:43:17 +0000 (15:43 +0100)

committer Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>

Wed, 3 Dec 2014 14:51:43 +0000 (15:51 +0100)
author Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Wed, 3 Dec 2014 14:43:17 +0000 (15:43 +0100)
committer Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Wed, 3 Dec 2014 14:51:43 +0000 (15:51 +0100)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/source/ws/LinesAction.java b/server/sonar-server/src/main/java/org/sonar/server/source/ws/LinesAction.java

index 3d7808019769449affe2ad1f79038e6d9bf1bbe2..9f0451682b209bf2c39559526529779d3ae25b06 100644 (file)
--- a/server/sonar-server/src/main/java/org/sonar/server/source/ws/LinesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/source/ws/LinesAction.java
@@ -27,10 +27,14 @@ import org.sonar.api.server.ws.Response;
  import org.sonar.api.server.ws.WebService;
  import org.sonar.api.utils.DateUtils;
  import org.sonar.api.utils.text.JsonWriter;
+import org.sonar.api.web.UserRole;
+import org.sonar.core.component.ComponentDto;
+import org.sonar.server.component.ComponentService;
  import org.sonar.server.exceptions.NotFoundException;
  import org.sonar.server.source.HtmlSourceDecorator;
  import org.sonar.server.source.index.SourceLineDoc;
  import org.sonar.server.source.index.SourceLineIndex;
+import org.sonar.server.user.UserSession;
  
  import java.util.Date;
  import java.util.List;
@@ -39,10 +43,12 @@ public class LinesAction implements RequestHandler {
  
    private final SourceLineIndex sourceLineIndex;
    private final HtmlSourceDecorator htmlSourceDecorator;
+  private final ComponentService componentService;
  
-  public LinesAction(SourceLineIndex sourceLineIndex, HtmlSourceDecorator htmlSourceDecorator) {
+  public LinesAction(SourceLineIndex sourceLineIndex, HtmlSourceDecorator htmlSourceDecorator, ComponentService componentService) {
      this.sourceLineIndex = sourceLineIndex;
      this.htmlSourceDecorator = htmlSourceDecorator;
+    this.componentService = componentService;
    }
  
    void define(WebService.NewController controller) {
@@ -82,6 +88,9 @@ public class LinesAction implements RequestHandler {
    @Override
    public void handle(Request request, Response response) {
      String fileUuid = request.mandatoryParam("uuid");
+    ComponentDto component = componentService.getByUuid(fileUuid);
+    UserSession.get().checkComponentPermission(UserRole.CODEVIEWER, component.key());
+
      int from = Math.max(request.mandatoryParamAsInt("from"), 1);
      int to = (Integer) ObjectUtils.defaultIfNull(request.paramAsInt("to"), Integer.MAX_VALUE);
  
diff --git a/server/sonar-server/src/test/java/org/sonar/server/source/ws/LinesActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/source/ws/LinesActionTest.java

index 9059a316e18bcb3f5429f87c34fcf2eddc2eeab9..2039584edec9846a900c73ca0c9a5b41f9a7102c 100644 (file)
--- a/server/sonar-server/src/test/java/org/sonar/server/source/ws/LinesActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/source/ws/LinesActionTest.java
@@ -31,12 +31,17 @@ import org.mockito.Mock;
  import org.mockito.invocation.InvocationOnMock;
  import org.mockito.runners.MockitoJUnitRunner;
  import org.mockito.stubbing.Answer;
+import org.sonar.api.web.UserRole;
+import org.sonar.core.component.ComponentDto;
+import org.sonar.server.component.ComponentService;
+import org.sonar.server.exceptions.ForbiddenException;
  import org.sonar.server.exceptions.NotFoundException;
  import org.sonar.server.search.BaseNormalizer;
  import org.sonar.server.source.HtmlSourceDecorator;
  import org.sonar.server.source.index.SourceLineDoc;
  import org.sonar.server.source.index.SourceLineIndex;
  import org.sonar.server.source.index.SourceLineIndexDefinition;
+import org.sonar.server.user.MockUserSession;
  import org.sonar.server.ws.WsTester;
  
  import java.util.Date;
@@ -60,6 +65,9 @@ public class LinesActionTest {
    @Mock
    HtmlSourceDecorator htmlSourceDecorator;
  
+  @Mock
+  ComponentService componentService;
+
    WsTester tester;
  
    @Before
@@ -69,7 +77,7 @@ public class LinesActionTest {
          mock(ShowAction.class),
          mock(RawAction.class),
          mock(ScmAction.class),
-        new LinesAction(sourceLineIndex, htmlSourceDecorator),
+        new LinesAction(sourceLineIndex, htmlSourceDecorator, componentService),
          mock(HashAction.class)
        )
      );
@@ -142,6 +150,10 @@ public class LinesActionTest {
        line3
      ));
  
+    String componentKey = "componentKey";
+    when(componentService.getByUuid(componentUuid)).thenReturn(new ComponentDto().setKey(componentKey));
+    MockUserSession.set().setLogin("login").addComponentPermission(UserRole.CODEVIEWER, "polop", componentKey);
+
      WsTester.TestRequest request = tester.newGetRequest("api/sources", "lines").setParam("uuid", componentUuid);
      // Using non-strict match b/c of dates
      request.execute().assertJson(getClass(), "show_source.json", false);
@@ -149,11 +161,15 @@ public class LinesActionTest {
  
    @Test
    public void fail_to_show_source_if_no_source_found() throws Exception {
-    String componentKey = "src/Foo.java";
+    String componentUuid = "abcd";
      when(sourceLineIndex.getLines(anyString(), anyInt(), anyInt())).thenReturn(Lists.<SourceLineDoc>newArrayList());
  
+    String componentKey = "componentKey";
+    when(componentService.getByUuid(componentUuid)).thenReturn(new ComponentDto().setKey(componentKey));
+    MockUserSession.set().setLogin("login").addComponentPermission(UserRole.CODEVIEWER, "polop", componentKey);
+
      try {
-      WsTester.TestRequest request = tester.newGetRequest("api/sources", "lines").setParam("uuid", componentKey);
+      WsTester.TestRequest request = tester.newGetRequest("api/sources", "lines").setParam("uuid", componentUuid);
        request.execute();
        fail();
      } catch (Exception e) {
@@ -163,7 +179,7 @@ public class LinesActionTest {
  
    @Test
    public void show_source_with_from_and_to_params() throws Exception {
-    String fileKey = "src/Foo.java";
+    String fileUuid = "efgh";
      Map<String, Object> fieldMap = Maps.newHashMap();
      fieldMap.put(SourceLineIndexDefinition.FIELD_PROJECT_UUID, "abcd");
      fieldMap.put(SourceLineIndexDefinition.FIELD_FILE_UUID, "efgh");
@@ -179,14 +195,32 @@ public class LinesActionTest {
      fieldMap.put(SourceLineIndexDefinition.FIELD_OVERALL_COVERED_CONDITIONS, null);
      fieldMap.put(SourceLineIndexDefinition.FIELD_DUPLICATIONS, null);
      fieldMap.put(BaseNormalizer.UPDATED_AT_FIELD, new Date());
-    when(sourceLineIndex.getLines(fileKey, 3, 3)).thenReturn(newArrayList(
+
+    String componentKey = "componentKey";
+    when(componentService.getByUuid(fileUuid)).thenReturn(new ComponentDto().setKey(componentKey));
+    MockUserSession.set().setLogin("login").addComponentPermission(UserRole.CODEVIEWER, "polop", componentKey);
+
+    when(sourceLineIndex.getLines(fileUuid, 3, 3)).thenReturn(newArrayList(
        new SourceLineDoc(fieldMap)
      ));
      WsTester.TestRequest request = tester
        .newGetRequest("api/sources", "lines")
-      .setParam("uuid", fileKey)
+      .setParam("uuid", fileUuid)
        .setParam("from", "3")
        .setParam("to", "3");
      request.execute().assertJson(getClass(), "show_source_with_params_from_and_to.json");
    }
+
+  @Test(expected = ForbiddenException.class)
+  public void should_check_permission() throws Exception {
+    String fileUuid = "efgh";
+
+    String componentKey = "componentKey";
+    when(componentService.getByUuid(fileUuid)).thenReturn(new ComponentDto().setKey(componentKey));
+    MockUserSession.set().setLogin("login");
+
+    tester.newGetRequest("api/sources", "lines")
+      .setParam("uuid", fileUuid)
+      .execute();
+  }
  }
diff --git a/server/sonar-server/src/test/java/org/sonar/server/source/ws/SourcesWsTest.java b/server/sonar-server/src/test/java/org/sonar/server/source/ws/SourcesWsTest.java

index b562d89d504a49a7afae501fbfcb8ec9a6277609..20aed4eee31136633cbc66e7c1185e9ac955c326 100644 (file)
--- a/server/sonar-server/src/test/java/org/sonar/server/source/ws/SourcesWsTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/source/ws/SourcesWsTest.java
@@ -23,6 +23,7 @@ package org.sonar.server.source.ws;
  import org.junit.Test;
  import org.sonar.api.server.ws.WebService;
  import org.sonar.core.source.db.FileSourceDao;
+import org.sonar.server.component.ComponentService;
  import org.sonar.server.db.DbClient;
  import org.sonar.server.source.HtmlSourceDecorator;
  import org.sonar.server.source.SourceService;
@@ -37,7 +38,7 @@ public class SourcesWsTest {
    ShowAction showAction = new ShowAction(mock(SourceService.class), mock(DbClient.class));
    RawAction rawAction = new RawAction(mock(DbClient.class), mock(SourceService.class));
    ScmAction scmAction = new ScmAction(mock(SourceService.class), new ScmWriter());
-  LinesAction linesAction = new LinesAction(mock(SourceLineIndex.class), mock(HtmlSourceDecorator.class));
+  LinesAction linesAction = new LinesAction(mock(SourceLineIndex.class), mock(HtmlSourceDecorator.class), mock(ComponentService.class));
    HashAction hashAction = new HashAction(mock(DbClient.class), mock(FileSourceDao.class));
    WsTester tester = new WsTester(new SourcesWs(showAction, rawAction, scmAction, linesAction, hashAction));
author	Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
	Wed, 3 Dec 2014 14:43:17 +0000 (15:43 +0100)
committer	Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
	Wed, 3 Dec 2014 14:51:43 +0000 (15:51 +0100)
server/sonar-server/src/main/java/org/sonar/server/source/ws/LinesAction.java		patch \| blob \| history
server/sonar-server/src/test/java/org/sonar/server/source/ws/LinesActionTest.java		patch \| blob \| history
server/sonar-server/src/test/java/org/sonar/server/source/ws/SourcesWsTest.java		patch \| blob \| history