SONAR-1330 Check edit permission via group
authorJulien Lancelot <julien.lancelot@sonarsource.com>
Wed, 27 Sep 2017 12:14:05 +0000 (14:14 +0200)
committerStas Vilchik <stas.vilchik@sonarsource.com>
Mon, 2 Oct 2017 15:18:15 +0000 (17:18 +0200)
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java

index 7e092cb5231df645c70338b9636873bb0109566c..8e9a37d367b614ae8ebb9fde5efead695937922e 100644 (file)
@@ -90,7 +90,7 @@ public class AddGroupAction implements QProfileWsAction {
     try (DbSession dbSession = dbClient.openSession(false)) {
       OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
       QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
-      wsSupport.checkCanEdit(dbSession, profile);
+      wsSupport.checkCanEdit(dbSession, organization, profile);
       GroupDto user = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));
       addGroup(dbSession, profile, user);
     }
index eb29e55d7834c14cad73c48a5a6889b4d8c8416f..a58cd4c4f19fdbe885ecc18554397627492afc7f 100644 (file)
@@ -90,7 +90,7 @@ public class AddUserAction implements QProfileWsAction {
     try (DbSession dbSession = dbClient.openSession(false)) {
       OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
       QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
-      wsSupport.checkCanEdit(dbSession, profile);
+      wsSupport.checkCanEdit(dbSession, organization, profile);
       UserDto user = wsSupport.getUser(dbSession, organization, request.mandatoryParam(PARAM_LOGIN));
       addUser(dbSession, profile, user);
     }
index 38c11723d0959442f00efe30f90a24a8e4727a77..6fb6e0702d8218c4815f69836abed6c1abb8daa5 100644 (file)
@@ -124,18 +124,19 @@ public class QProfileWsSupport {
     userSession.checkPermission(OrganizationPermission.ADMINISTER_QUALITY_PROFILES, organization);
   }
 
-  public void checkCanEdit(DbSession dbSession, QProfileDto profile) {
+  public void checkCanEdit(DbSession dbSession, OrganizationDto organization, QProfileDto profile) {
     checkNotBuiltInt(profile);
-    OrganizationDto organization = getOrganization(dbSession, profile);
     userSession.checkLoggedIn();
     if (userSession.hasPermission(OrganizationPermission.ADMINISTER_QUALITY_PROFILES, organization)) {
       return;
     }
     UserDto user = dbClient.userDao().selectByLogin(dbSession, userSession.getLogin());
     checkState(user != null, "User from session does not exist");
-    if (dbClient.qProfileEditUsersDao().exists(dbSession, profile, user)) {
+    if (dbClient.qProfileEditUsersDao().exists(dbSession, profile, user)
+      || dbClient.qProfileEditGroupsDao().selectQProfileUuidsByOrganizationAndGroups(dbSession, organization, userSession.getGroups()).contains(profile.getKee())) {
       return;
     }
+
     throw insufficientPrivilegesException();
   }
 
index 9c94c4f3289e48b5569d18b6e5c0e549d4283525..83fb547bbf8e8fcf6c6a65501494a615b938b4bb 100644 (file)
@@ -86,7 +86,7 @@ public class RemoveGroupAction implements QProfileWsAction {
     try (DbSession dbSession = dbClient.openSession(false)) {
       OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
       QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
-      wsSupport.checkCanEdit(dbSession, profile);
+      wsSupport.checkCanEdit(dbSession, organization, profile);
       GroupDto group = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));
       removeGroup(dbSession, profile, group);
     }
index e299c3fd7b083fd6b3860b3e1a704f3780a0d871..d2b8c6cc89ef36cdde2b3f299baab333dc9b072e 100644 (file)
@@ -86,7 +86,7 @@ public class RemoveUserAction implements QProfileWsAction {
     try (DbSession dbSession = dbClient.openSession(false)) {
       OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
       QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
-      wsSupport.checkCanEdit(dbSession, profile);
+      wsSupport.checkCanEdit(dbSession, organization, profile);
       UserDto user = wsSupport.getUser(dbSession, organization, request.mandatoryParam(PARAM_LOGIN));
       removeUser(dbSession, profile, user);
     }
index dffbefe4e3ebb3c56d028ee1c0556c78d1b8e2e8..b0cc85b5a6c240ef5082f3500d78dc3266fa2b1b 100644 (file)
@@ -110,7 +110,7 @@ public class SearchGroupsAction implements QProfileWsAction {
     try (DbSession dbSession = dbClient.openSession(false)) {
       OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, wsRequest.getOrganization());
       QProfileDto profile = wsSupport.getProfile(dbSession, organization, wsRequest.getQualityProfile(), wsRequest.getLanguage());
-      wsSupport.checkCanEdit(dbSession, profile);
+      wsSupport.checkCanEdit(dbSession, organization, profile);
 
       SearchGroupsQuery query = builder()
         .setOrganization(organization)
index 44945638c0f40d46b74ff2b78936664199914964..1dcc251448167edf305ff7c80fd796c688c4564e 100644 (file)
@@ -114,7 +114,7 @@ public class SearchUsersAction implements QProfileWsAction {
     try (DbSession dbSession = dbClient.openSession(false)) {
       OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, wsRequest.getOrganization());
       QProfileDto profile = wsSupport.getProfile(dbSession, organization, wsRequest.getQualityProfile(), wsRequest.getLanguage());
-      wsSupport.checkCanEdit(dbSession, profile);
+      wsSupport.checkCanEdit(dbSession, organization, profile);
 
       SearchUsersQuery query = builder()
         .setOrganization(organization)
index 8b3d1051c0d8a4e99b660a13af1e6e445ce560ea..e7e738802b05cee42c4f6c406cb80330c35cf4e0 100644 (file)
@@ -129,7 +129,7 @@ public class AddGroupActionTest {
   }
 
   @Test
-  public void qp_editors_can_add_group() {
+  public void can_add_group_with_user_edit_permission() {
     OrganizationDto organization = db.organizations().insert();
     QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
     GroupDto group = db.users().insertGroup(organization);
@@ -147,6 +147,25 @@ public class AddGroupActionTest {
     assertThat(db.getDbClient().qProfileEditGroupsDao().exists(db.getSession(), profile, group)).isTrue();
   }
 
+  @Test
+  public void can_add_group_with_group_edit_permission() {
+    OrganizationDto organization = db.organizations().insert();
+    QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
+    GroupDto group = db.users().insertGroup(organization);
+    UserDto userAllowedToEditProfile = db.users().insertUser();
+    db.qualityProfiles().addGroupPermission(profile, group);
+    userSession.logIn(userAllowedToEditProfile).setGroups(group);
+
+    ws.newRequest()
+      .setParam(PARAM_QUALITY_PROFILE, profile.getName())
+      .setParam(PARAM_LANGUAGE, XOO)
+      .setParam(PARAM_GROUP, group.getName())
+      .setParam(PARAM_ORGANIZATION, organization.getKey())
+      .execute();
+
+    assertThat(db.getDbClient().qProfileEditGroupsDao().exists(db.getSession(), profile, group)).isTrue();
+  }
+
   @Test
   public void uses_default_organization_when_no_organization() {
     OrganizationDto organization = db.getDefaultOrganization();
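Review bot: `can_add_group_with_group_edit_permission` covers only the positive path of the new `||` branch in `QProfileWsSupport.checkCanEdit`; unless one already exists elsewhere in this class (the rest of the test class is outside the hunk), a matching negative test — a logged-in user whose groups hold no edit permission on the profile, asserting the insufficient-privileges exception — is what actually pins the group check against a regression that grants access to everyone. The test also uses the same `group` both as the grantee of the edit permission and as the value of `PARAM_GROUP`; inserting a second group and passing that as `PARAM_GROUP` would make it unambiguous that access came from the caller's membership rather than from the group named in the request.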