FROM group_roles gr, projects p
WHERE
gr.role=#{role}
- and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
- and (gr.resource_id = p.root_id or gr.resource_id = p.id) and
- <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
+ and (gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
+ and
+ (gr.resource_id is null or gr.resource_id = p.root_id or gr.resource_id = p.id) and
+ <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
UNION
SELECT p.kee
FROM user_roles ur, projects p
WHERE
ur.role=#{role}
- and ur.user_id=#{userId} and
+ and ur.user_id=#{userId}
+ and (ur.resource_id is null or ur.resource_id = p.root_id or ur.resource_id = p.id) and
<foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
</select>
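Review bot: The rewritten group branch (L7) drops the `gr.group_id is null` disjunct that the old L4 had, so any group_roles row keyed on a null group_id — presumably the "anyone" group, if this schema uses that convention — no longer grants access through this query; the global-permission clause added on L9 does not depend on that removal, so either restore it as `and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))` or mark the narrowing as intended in a comment. On L9 and L18 a grant with a null resource_id now matches every row of the comma-joined projects table, which is only safe because the `<foreach>` on L10/L19 restricts p.kee to the requested keys; a line such as `<!-- resource_id null = global grant: matches every requested component key -->` above each branch would make that dependency explicit. The SELECT list that this FROM belongs to starts above the hunk.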
assertThat(componentIds).isEmpty();
}
+ @Test
+ public void user_should_have_global_authorization() {
+ // is not in an authorized group
+ setupData("user_should_have_global_permission");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ Set<String> componentIds = authorization.keepAuthorizedComponentKeys(
+ Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+ USER, "project_admin");
+
+ assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
+
+ // user does not have the role "profile_admin"
+ componentIds = authorization.keepAuthorizedComponentKeys(
+ Sets.<String>newHashSet(PROJECT, PACKAGE, FILE),
+ USER, "profile_admin");
+ assertThat(componentIds).isEmpty();
+ }
+
@Test
public void group_should_be_authorized() {
// user is in an authorized group
assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
+ // user is in group that doesn't have user right
+ componentIds = authorization.keepAuthorizedComponentKeys(
+ Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+ 200, "user");
+
+ assertThat(componentIds).containsOnly(EMPTY_PROJECT);
+
// group does not have the role "admin"
componentIds = authorization.keepAuthorizedComponentKeys(
Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
<!-- user 100 has no direct grant access, but is in the group 200 that has the role "user"
on the project 300 -->
+ <!-- user 200 has no grant access either, but is in the group 300 that has no role on project 300 -->
<user_roles id="1" user_id="100" resource_id="999" role="user"/>
+ <user_roles id="2" user_id="200" resource_id="999" role="user"/>
+
<groups_users user_id="100" group_id="200"/>
+ <groups_users user_id="200" group_id="300"/>
+
<group_roles id="1" group_id="200" resource_id="300" role="user"/>
<group_roles id="2" group_id="200" resource_id="400" role="user"/>
+ <group_roles id="3" group_id="300" resource_id="400" role="user"/>
<projects id="301" kee="pj-w-snapshot:package" root_id="300" />
<projects id="302" kee="pj-w-snapshot:file" root_id="300" />
--- /dev/null
+<dataset>
+
+ <!-- user 100 has the role "project_admin" on all resources -->
+ <user_roles id="1" user_id="100" resource_id="[null]" role="project_admin"/>
+
+ <projects id="301" kee="pj-w-snapshot:package" root_id="300" />
+ <projects id="302" kee="pj-w-snapshot:file" root_id="300" />
+ <projects id="303" kee="pj-w-snapshot:other" root_id="300" />
+ <projects id="300" kee="pj-w-snapshot" />
+ <projects id="400" kee="pj-wo-snapshot" />
+
+</dataset>
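Review bot: This fixture exercises only the user_roles branch of the new query: it contains a single user and no group_roles row with a null resource_id, so the test that loads it cannot show that the global grant on L74 is scoped by user_id rather than matching every caller, nor that the new `gr.resource_id is null` path in the group branch behaves the same way. Consider adding a second user with no grants and a group-held global role, e.g. `<groups_users user_id="200" group_id="300"/>` and `<group_roles id="1" group_id="300" resource_id="[null]" role="project_admin"/>` (constructed ids), and asserting both that the group member gets every requested key and that a user outside the group gets an empty set. A short comment next to L74 explaining that `[null]` here stands for a global grant, presumably the DbUnit null placeholder, would help readers who do not know the convention.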