SONAR-19577 allow 'project admin' to use api/ce/task
authorPierre <pierre.guillot@sonarsource.com>
Wed, 14 Jun 2023 08:51:30 +0000 (10:51 +0200)
committersonartech <sonartech@sonarsource.com>
Thu, 15 Jun 2023 20:03:02 +0000 (20:03 +0000)
server/sonar-webserver-webapi/src/it/java/org/sonar/server/ce/ws/TaskActionIT.java
server/sonar-webserver-webapi/src/main/java/org/sonar/server/ce/ws/TaskAction.java

index 42a6b28c5f425f31c568363a3853093fc6d9f1ce..33960fbc82fff9263957ee7bfddacb3f52d51850 100644 (file)
@@ -344,6 +344,14 @@ public class TaskActionIT {
     call(task.getUuid());
   }
 
+  @Test
+  public void get_project_queue_task_with_project_admin_permission() {
+    userSession.logIn().addProjectPermission(ADMIN, privateProject);
+    CeActivityDto task = createAndPersistArchivedTask(privateProject);
+
+    call(task.getUuid());
+  }
+
   @Test
   public void getting_project_queue_task_throws_ForbiddenException_if_no_admin_nor_scan_permissions() {
     UserDto user = db.users().insertUser();
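Review bot: The added test `get_project_queue_task_with_project_admin_permission` exercises only the allowed path, so nothing in this hunk shows that `ADMIN` granted on a different project is still refused. I would add a sibling test that gives the user `addProjectPermission(ADMIN, ...)` on a second project, calls the endpoint for a task of `privateProject`, and expects the ForbiddenException that the following test (whose body continues outside the hunk) expects. The name also says "queue task" while the body persists an archived task through `createAndPersistArchivedTask`; if the class has a queue-side helper, covering both would match the name. A short comment such as `// no exception means access was granted` would make the assertion-free body easier to read.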
index a6e20362242e0ebccebfcca9a79ef5de14aadbdd..7024dd95a637ac6f6070e7d21b1bfceedc32dade 100644 (file)
@@ -69,15 +69,19 @@ public class TaskAction implements CeWsAction {
   public void define(WebService.NewController controller) {
     WebService.NewAction action = controller.createAction(ACTION)
       .setDescription("Give Compute Engine task details such as type, status, duration and associated component.<br/>" +
-        "Requires 'Administer System' or 'Execute Analysis' permission.<br/>" +
+        "Requires one of the following permissions: " +
+        "<ul>" +
+        "<li>'Administer' at global or project level</li>" +
+        "<li>'Execute Analysis' at global or project level</li>" +
+        "</ul>" +
         "Since 6.1, field \"logs\" is deprecated and its value is always false.")
       .setResponseExample(getClass().getResource("task-example.json"))
       .setSince("5.2")
       .setChangelog(
         new Change("6.6", "fields \"branch\" and \"branchType\" added"),
         new Change("10.1", "Warnings field will be now always be filled (it is not necessary to mention it explicitly in 'additionalFields'). "
-          + "'additionalFields' value `warning' is deprecated.")
-      )
+          + "'additionalFields' value `warning' is deprecated."),
+        new Change("10.1", "'Project Administrator' is added to the list of allowed permissions to access this endpoint"))
       .setHandler(this);
 
     action
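Review bot: The new description in `define` lists four permissions as if any of them were always enough, but `checkPermission` in this same commit still calls `userSession.checkIsSystemAdministrator()` when the task has no component. A caller holding only 'Execute Analysis' or a project-level 'Administer' would be refused for such a task, which the text does not say. I would add one sentence after the list, for example `"Tasks that are not linked to a component require 'Administer System'.<br/>" +`. The `action` statement continues outside the hunk.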
@@ -126,17 +130,22 @@ public class TaskAction implements CeWsAction {
 
   private void checkPermission(Optional<ComponentDto> component) {
     if (component.isPresent()) {
-      if (!userSession.hasPermission(GlobalPermission.ADMINISTER) &&
-        !userSession.hasPermission(GlobalPermission.SCAN) &&
-        !userSession.hasComponentPermission(UserRole.SCAN, component.get())) {
-        throw insufficientPrivilegesException();
-      }
-
+      checkComponentPermission(component.get());
     } else {
       userSession.checkIsSystemAdministrator();
     }
   }
 
+  private void checkComponentPermission(ComponentDto component) {
+    if (userSession.hasPermission(GlobalPermission.ADMINISTER) ||
+      userSession.hasPermission(GlobalPermission.SCAN) ||
+      userSession.hasComponentPermission(UserRole.ADMIN, component) ||
+      userSession.hasComponentPermission(UserRole.SCAN, component)) {
+      return;
+    }
+    throw insufficientPrivilegesException();
+  }
+
   private static void maskErrorStacktrace(CeActivityDto ceActivityDto, Set<AdditionalField> additionalFields) {
     if (!additionalFields.contains(AdditionalField.STACKTRACE)) {
       ceActivityDto.setErrorStacktrace(null);
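Review bot: `checkComponentPermission` is now the single place that decides who may read a task, but it carries no comment saying that any one of the four grants is sufficient or why project `ADMIN` was added. I would add a short Javadoc that lists the accepted permissions and points to the description in `define`, so the two lists are kept in sync. `maskErrorStacktrace`, whose body continues past the hunk, clears the stacktrace only when `AdditionalField.STACKTRACE` was not requested, so a project administrator who requests it presumably receives it. It is worth confirming that this is intended and pinning it with a test.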