SONAR-8716 fallback on organization permission in api/ce/submit
authorSimon Brandhof <simon.brandhof@sonarsource.com>
Tue, 7 Feb 2017 15:11:28 +0000 (16:11 +0100)
committerSimon Brandhof <simon.brandhof@sonarsource.com>
Wed, 8 Feb 2017 16:18:43 +0000 (17:18 +0100)
For "legacy" reasons, the permission "scan" is available on both
project and organization scopes. If the user who submits the analysis
report does not have the project permission, then they must have
the organization permission instead.

server/sonar-server/src/main/java/org/sonar/server/computation/queue/ReportSubmitter.java
server/sonar-server/src/test/java/org/sonar/server/computation/queue/ReportSubmitterTest.java

index e2bb3fbafb17fe42f9f0fe3f1fb89c1468d93165..6289d8155e6b3641d67d6bde36126621bcdc76be 100644 (file)
@@ -76,11 +76,23 @@ public class ReportSubmitter {
       Optional<ComponentDto> opt = dbClient.componentDao().selectByKey(dbSession, effectiveProjectKey);
       ensureOrganizationIsConsistent(opt, organizationDto);
       ComponentDto project = opt.or(() -> createProject(dbSession, organizationDto.getUuid(), projectKey, projectBranch, projectName));
-      userSession.checkComponentPermission(SCAN_EXECUTION, project);
+      checkScanPermission(project);
       return submitReport(dbSession, reportInput, project);
     }
   }
 
+  private void checkScanPermission(ComponentDto project) {
+    // this is a specific and inconsistent behavior. For legacy reasons, "technical users"
+    // defined on an organization should be able to analyze a project even if
+    // they don't have the direct permission on the project.
+    // That means that dropping the permission on the project does not have any effects
+    // if user has still the permission on the organization
+    if (!userSession.hasComponentPermission(SCAN_EXECUTION, project) &&
+      !userSession.hasOrganizationPermission(project.getOrganizationUuid(), SCAN_EXECUTION)) {
+      throw insufficientPrivilegesException();
+    }
+  }
+
   private OrganizationDto getOrganizationDtoOrFail(DbSession dbSession, String organizationKey) {
     return dbClient.organizationDao().selectByKey(dbSession, organizationKey)
       .orElseThrow(() -> new NotFoundException(format("Organization with key '%s' does not exist", organizationKey)));
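Review bot: checkScanPermission is invoked only after `opt.or(() -> createProject(...))` on the line above it, so a caller who holds neither the project nor the organization scan permission can still trigger project creation before the ForbiddenException is raised; if createProject does not enforce its own permission and the session is committed inside it, the rejected submission would leave a new project behind. Consider evaluating `userSession.hasOrganizationPermission(organizationDto.getUuid(), SCAN_EXECUTION)` before the `or(...)` branch runs when the project does not exist yet, or confirm that createProject guards this itself. The inline comment explaining the scope widening could also be promoted to a Javadoc on the method, e.g. `/** Accepts the scan permission either on the project or, for legacy reasons, on its organization. */`, so that the non-obvious fallback is visible wherever the method is referenced. The enclosing submit method starts outside this hunk.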
index 7cf54341b874bdb699f57e4da6845fdd4f28a05f..67b69e8032f10143fe8a17ca176f9080c7e15ae8 100644 (file)
@@ -31,7 +31,6 @@ import org.sonar.api.utils.System2;
 import org.sonar.ce.queue.CeQueue;
 import org.sonar.ce.queue.CeQueueImpl;
 import org.sonar.ce.queue.CeTaskSubmit;
-import org.sonar.core.permission.GlobalPermissions;
 import org.sonar.db.DbSession;
 import org.sonar.db.DbTester;
 import org.sonar.db.ce.CeTaskTypes;
@@ -203,14 +202,14 @@ public class ReportSubmitterTest {
   }
 
   @Test
-  public void submit_a_report_on_existing_project_with_scan_permission_on_organization() {
-    userSession.setGlobalPermissions(SCAN_EXECUTION);
-
-    ComponentDto project = db.components().insertProject(db.getDefaultOrganization());
+  public void user_with_scan_permission_on_organization_is_allowed_to_submit_a_report_on_existing_project() {
+    OrganizationDto org = db.organizations().insert();
+    ComponentDto project = db.components().insertProject(org);
+    userSession.addOrganizationPermission(org, SCAN_EXECUTION);
 
     mockSuccessfulPrepareSubmitCall();
 
-    underTest.submit(defaultOrganizationKey, project.getKey(), null, project.name(), IOUtils.toInputStream("{binary}"));
+    underTest.submit(org.getKey(), project.getKey(), null, project.name(), IOUtils.toInputStream("{binary}"));
 
     verify(queue).submit(any(CeTaskSubmit.class));
   }
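Review bot: The renamed test covers only the positive path of the new organization fallback; nothing in this file section verifies that scan permission granted on a different organization does not unlock a project in this organization, which is the isolation property the fallback in ReportSubmitter.checkScanPermission now depends on. A negative test next to this one would pin that boundary using the same helpers already used here, as sketched below.
```java
@Test
public void scan_permission_on_another_organization_does_not_allow_to_submit_a_report() {
  OrganizationDto org = db.organizations().insert();
  OrganizationDto otherOrg = db.organizations().insert();
  ComponentDto project = db.components().insertProject(org);
  userSession.addOrganizationPermission(otherOrg, SCAN_EXECUTION);

  thrown.expect(ForbiddenException.class);

  underTest.submit(org.getKey(), project.getKey(), null, project.name(), IOUtils.toInputStream("{binary}"));
}
```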
@@ -229,9 +228,8 @@ public class ReportSubmitterTest {
 
   @Test
   public void fail_with_forbidden_exception_when_no_scan_permission() {
-    userSession.setGlobalPermissions(GlobalPermissions.QUALITY_GATE_ADMIN);
-
     thrown.expect(ForbiddenException.class);
+
     underTest.submit(defaultOrganizationKey, PROJECT_KEY, null, PROJECT_NAME, IOUtils.toInputStream("{binary}"));
   }