SONAR-10323 Fix WS not checking SCAN global permission
authorEric Hartmann <hartmann.eric@gmail.com>
Thu, 22 Feb 2018 10:36:20 +0000 (11:36 +0100)
committerEric Hartmann <hartmann.eric@gmail.Com>
Thu, 22 Feb 2018 15:07:25 +0000 (16:07 +0100)
server/sonar-server/src/main/java/org/sonar/server/branch/ws/ListAction.java
server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java

index ca822de18f8e512d52ba7879d6aba305368e8739..4583eb92be9efb734637c7827abb9e05f5d080ba 100644 (file)
@@ -39,6 +39,7 @@ import org.sonar.db.component.BranchType;
 import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.SnapshotDto;
 import org.sonar.db.measure.LiveMeasureDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.issue.index.BranchStatistics;
 import org.sonar.server.issue.index.IssueIndex;
@@ -163,7 +164,8 @@ public class ListAction implements BranchWsAction {
 
   private void checkPermission(ComponentDto component) {
     if (!userSession.hasComponentPermission(UserRole.USER, component) &&
-      !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+      !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+      !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
       throw insufficientPrivilegesException();
     }
   }
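Review bot: The three-way rule in `checkPermission` (USER on the component, SCAN_EXECUTION on the component, or `OrganizationPermission.SCAN` on its organization) is written out by hand here and again in the ValuesAction hunk of this commit, so the two endpoints can drift apart the next time the rule changes. Consider one shared helper that both actions call, with the rule documented on it, e.g. `// Allowed: USER or SCAN_EXECUTION on the component, or SCAN on the component's organization`. The commit's file list shows only the two main sources, so no test for the new branch is visible. A positive case (user holding only the organization-level SCAN) and a negative case (SCAN held on a different organization than the component's) would pin the behaviour.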
index 273e8a8a568965b427df9c3d459b05aabefa1514..4a947af76aedc3c2856c9f2d6733c50d468d0afd 100644 (file)
@@ -39,6 +39,7 @@ import org.sonar.api.server.ws.WebService;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.component.ComponentDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.user.UserSession;
 import org.sonarqube.ws.Settings;
@@ -154,8 +155,10 @@ public class ValuesAction implements SettingsWsAction {
       return Optional.empty();
     }
     ComponentDto component = componentFinder.getByKeyAndOptionalBranch(dbSession, componentKey, valuesRequest.getBranch());
-    if (!userSession.hasComponentPermission(USER, component) && !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
-      throw insufficientPrivilegesException();
+    if (!userSession.hasComponentPermission(USER, component) &&
+        !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+        !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
+        throw insufficientPrivilegesException();
     }
     return Optional.of(component);
   }
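Review bot: The `throw insufficientPrivilegesException();` line inside the rewritten `if` is indented eight spaces, two more than the line it replaces, and should sit at six to match the rest of the method. The enclosing method starts above the hunk, so what callers do with the returned component is not visible here. If secured setting values are filtered later by a separate permission test, that test probably needs the same `OrganizationPermission.SCAN` branch; otherwise a user admitted by this gate would see a different result from one holding project-level scan permission.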