SONAR-6611 ws custom_measures/update check permissions before fetching logged user
authorTeryk Bellahsene <teryk.bellahsene@sonarsource.com>
Thu, 25 Jun 2015 10:27:19 +0000 (12:27 +0200)
committerTeryk Bellahsene <teryk.bellahsene@sonarsource.com>
Thu, 25 Jun 2015 10:27:19 +0000 (12:27 +0200)
server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java

index c11392989aba228232c994846133a038c3e7270c..a5edb38b2f065c162a5aaeec2291186ea4a80dcc 100644 (file)
@@ -97,9 +97,9 @@ public class UpdateAction implements CustomMeasuresWsAction {
       CustomMeasureDto customMeasure = dbClient.customMeasureDao().selectById(dbSession, id);
       MetricDto metric = dbClient.metricDao().selectById(dbSession, customMeasure.getMetricId());
       ComponentDto component = dbClient.componentDao().selectByUuid(dbSession, customMeasure.getComponentUuid());
+      checkPermissions(component);
       User user = userIndex.getByLogin(userSession.getLogin());
 
-      checkPermissions(component);
 
       setValue(customMeasure, value, metric);
       setDescription(customMeasure, description);
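Review bot: The permission check still runs after three lookups keyed on the request's `id`, so a caller who is not logged in reaches `customMeasureDao().selectById`, `metricDao().selectById` and `componentDao().selectByUuid` before being rejected. If those lookups fail differently for an unknown id (a NotFoundException, or a null dereference at `customMeasure.getMetricId()`; neither is visible here), an anonymous caller could tell existing ids from missing ones by the error returned. The component is needed for the project-level check, but the logged-in part does not depend on it. Consider `userSession.checkLoggedIn();` as the first statement, before the `selectById` call, unless checkPermissions already splits that way. The body of checkPermissions and the start of this method are outside the hunk.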
index 188dd68ea11356b598cc3d77f9963afbb30596b3..57031a6fa0d4157b0c23814a74df6111260d2d0f 100644 (file)
@@ -44,6 +44,7 @@ import org.sonar.server.es.EsTester;
 import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.exceptions.ServerException;
+import org.sonar.server.exceptions.UnauthorizedException;
 import org.sonar.server.measure.custom.persistence.CustomMeasureDao;
 import org.sonar.server.metric.persistence.MetricDao;
 import org.sonar.server.metric.ws.MetricTesting;
@@ -279,6 +280,31 @@ public class UpdateActionTest {
       .execute();
   }
 
+  @Test
+  public void fail_if_not_logged_in() throws Exception {
+    userSessionRule.anonymous();
+    expectedException.expect(UnauthorizedException.class);
+    MetricDto metric = MetricTesting.newMetricDto().setEnabled(true).setValueType(ValueType.STRING.name());
+    dbClient.metricDao().insert(dbSession, metric);
+    ComponentDto component = ComponentTesting.newProjectDto("project-uuid");
+    dbClient.componentDao().insert(dbSession, component);
+    CustomMeasureDto customMeasure = newCustomMeasureDto()
+      .setMetricId(metric.getId())
+      .setComponentId(component.getId())
+      .setComponentUuid(component.uuid())
+      .setCreatedAt(system.now())
+      .setDescription("custom-measure-description")
+      .setTextValue("text-measure-value");
+    dbClient.customMeasureDao().insert(dbSession, customMeasure);
+    dbSession.commit();
+
+    ws.newPostRequest(CustomMeasuresWs.ENDPOINT, UpdateAction.ACTION)
+      .setParam(PARAM_ID, String.valueOf(customMeasure.getId()))
+      .setParam(PARAM_DESCRIPTION, "new-custom-measure-description")
+      .setParam(PARAM_VALUE, "1984")
+      .execute();
+  }
+
   @Test
   public void fail_if_custom_measure_id_is_missing_in_request() throws Exception {
     expectedException.expect(IllegalArgumentException.class);
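Review bot: `expectedException.expect(UnauthorizedException.class)` is armed at the top of fail_if_not_logged_in, before the metric, component and custom-measure inserts, so that exception from any statement in the method would satisfy the rule, not only one from the request. Moving it to just above `ws.newPostRequest(...)` ties the assertion to the endpoint call. A short comment such as `// SONAR-6611: anonymous callers must be rejected before the user lookup` would also record which ordering this test guards. The next test in the file, which continues past the hunk, also arms the rule first, so this may be a deliberate file convention.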