SONAR-13489 Fix permission issue with hotspot assign action
authorJacek <jacek.poreda@sonarsource.com>
Wed, 24 Jun 2020 12:50:47 +0000 (14:50 +0200)
committersonartech <sonartech@sonarsource.com>
Thu, 25 Jun 2020 20:04:46 +0000 (20:04 +0000)
server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/AssignAction.java
server/sonar-webserver-webapi/src/test/java/org/sonar/server/hotspot/ws/AssignActionTest.java

index fc90f0c2fce8887090cff69c058915f046f81eff..29d2ba6aec8119b87b4903ac62f97fda92cb0035 100644 (file)
@@ -74,7 +74,7 @@ public class AssignAction implements HotspotsWsAction {
       .setExampleValue(Uuids.UUID_EXAMPLE_01);
 
     action.createParam(PARAM_ASSIGNEE)
-      .setDescription("Login of the assignee")
+      .setDescription("Login of the assignee with 'Browse' project permission")
       .setRequired(true)
       .setExampleValue("admin");
 
@@ -129,11 +129,12 @@ public class AssignAction implements HotspotsWsAction {
     return checkFound(dbClient.userDao().selectActiveUserByLogin(dbSession, assignee), "Unknown user: %s", assignee);
   }
 
-  private void checkAssigneeProjectPermission(DbSession dbSession, UserDto assignee, String projectUuid) {
-    ComponentDto componentDto = checkFoundWithOptional(dbClient.componentDao().selectByUuid(dbSession, projectUuid),
+  private void checkAssigneeProjectPermission(DbSession dbSession, UserDto assignee, String issueProjectUuid) {
+    ComponentDto componentDto = checkFoundWithOptional(dbClient.componentDao().selectByUuid(dbSession, issueProjectUuid),
       "Could not find project for issue");
-    if (componentDto.isPrivate() && !hasProjectPermission(dbSession, assignee.getUuid(), projectUuid)) {
-      throw new IllegalArgumentException(String.format("Provided user with login '%s' does not have access to project", assignee.getLogin()));
+    String mainProjectUuid = componentDto.getMainBranchProjectUuid() == null ? componentDto.uuid() : componentDto.getMainBranchProjectUuid();
+    if (componentDto.isPrivate() && !hasProjectPermission(dbSession, assignee.getUuid(), mainProjectUuid)) {
+      throw new IllegalArgumentException(String.format("Provided user with login '%s' does not have 'Browse' permission to project", assignee.getLogin()));
     }
   }
 
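Review bot: The new check resolves the permission against the main branch project (mainProjectUuid on the line after the lookup) but still reads `componentDto.isPrivate()` from the branch row, so it relies on branch components carrying the same private flag as their main project; if that invariant ever breaks, the guard would pass for a branch whose row is public while the project is private. Since the method is an authorization guard with no documentation, add a Javadoc stating the contract, e.g. `/** Fails with IllegalArgumentException unless the assignee holds 'Browse' on the project owning the hotspot; permissions are stored on the main branch project, so a branch issue is resolved to it first. */`, and a line comment on the mainProjectUuid assignment such as `// permissions are granted on the main branch project, not on branch components`. Whether `hasProjectPermission` checks the USER ('Browse') role is defined outside the hunk and cannot be confirmed here.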
index cb9973b5bdabcf51c6762f0e1e0156d2b897c451..f5798c2d9511d7cc8340d0e2cd5131972b6aac5b 100644 (file)
@@ -140,7 +140,24 @@ public class AssignActionTest {
     ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
     IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
 
-    insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.USER);
+    insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
+    UserDto assignee = insertUserWithProjectUserPermission(randomAlphanumeric(15), project);
+
+    when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
+
+    executeRequest(hotspot, assignee.getLogin(), null);
+
+    verifyFieldSetters(assignee, null);
+  }
+
+  @Test
+  public void assign_hotspot_to_someone_for_private_project_branch() {
+    ComponentDto project = dbTester.components().insertPrivateProject();
+    ComponentDto branch = dbTester.components().insertProjectBranch(project);
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(branch));
+    IssueDto hotspot = dbTester.issues().insertHotspot(branch, file);
+
+    insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
     UserDto assignee = insertUserWithProjectUserPermission(randomAlphanumeric(15), project);
 
     when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
@@ -156,14 +173,31 @@ public class AssignActionTest {
     ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
     IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
 
-    insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.USER);
+    insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
+    UserDto assignee = insertUser(randomAlphanumeric(15));
+
+    when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
+
+    assertThatThrownBy(() -> executeRequest(hotspot, assignee.getLogin(), null))
+      .isInstanceOf(IllegalArgumentException.class)
+      .hasMessage("Provided user with login '%s' does not have 'Browse' permission to project", assignee.getLogin());
+  }
+
+  @Test
+  public void fail_if_assignee_does_not_have_access_for_private_project_branch() {
+    ComponentDto project = dbTester.components().insertPrivateProject();
+    ComponentDto branch = dbTester.components().insertProjectBranch(project);
+    ComponentDto file = dbTester.components().insertComponent(newFileDto(branch));
+    IssueDto hotspot = dbTester.issues().insertHotspot(branch, file);
+
+    insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
     UserDto assignee = insertUser(randomAlphanumeric(15));
 
     when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
 
     assertThatThrownBy(() -> executeRequest(hotspot, assignee.getLogin(), null))
       .isInstanceOf(IllegalArgumentException.class)
-      .hasMessage("Provided user with login '%s' does not have access to project", assignee.getLogin());
+      .hasMessage("Provided user with login '%s' does not have 'Browse' permission to project", assignee.getLogin());
   }
 
   @Test
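Review bot: Both failure tests in this hunk assert only the thrown message and never verify that the rejected request produced no assignment, even though `issueFieldsSetter.assign` is stubbed right above each call; adding `verify(issueFieldsSetter, never()).assign(any(), any(), any());` after each `assertThatThrownBy` pins that the denial short-circuits before the field setter runs. The branch variant duplicates the project variant except for the setup lines, so a shared helper or a parameterised test would keep the two in sync the next time the message changes. The first test's method starts before this hunk; the second starts and ends within it.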
@@ -173,7 +207,7 @@ public class AssignActionTest {
     ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
     IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
 
-    UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.USER);
+    UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
 
     when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(me), any(IssueChangeContext.class))).thenReturn(true);
 
@@ -298,7 +332,7 @@ public class AssignActionTest {
     ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
     IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
 
-    UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.CODEVIEWER);
+    UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.CODEVIEWER);
 
     when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(me), any(IssueChangeContext.class))).thenReturn(true);
 
@@ -439,12 +473,11 @@ public class AssignActionTest {
     return insertUserWithProjectPermission(login, project, UserRole.USER);
   }
 
-  private UserDto insertAndLoginAsUserWithProjectUserPermission(String login, IssueDto issue, ComponentDto project, String permission) {
+  private UserDto insertAndLoginAsUserWithProjectUserPermission(String login, ComponentDto project, String permission) {
     UserDto user = insertUserWithProjectUserPermission(login, project);
     userSessionRule.logIn(user)
       .addProjectPermission(permission,
-        dbClient.componentDao().selectByUuid(dbTester.getSession(), issue.getProjectUuid()).get(),
-        dbClient.componentDao().selectByUuid(dbTester.getSession(), issue.getComponentUuid()).get());
+        dbClient.componentDao().selectByUuid(dbTester.getSession(), project.uuid()).get());
     return user;
   }