import org.sonar.api.server.ws.Response;
import org.sonar.api.server.ws.WebService.NewAction;
import org.sonar.api.server.ws.WebService.NewController;
-import org.sonar.core.permission.GlobalPermissions;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.user.UserDto;
import org.sonar.server.user.UserSession;
import static java.lang.String.format;
+import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
import static org.sonar.server.usergroups.ws.GroupWsSupport.PARAM_GROUP_ID;
import static org.sonar.server.usergroups.ws.GroupWsSupport.PARAM_GROUP_NAME;
import static org.sonar.server.usergroups.ws.GroupWsSupport.PARAM_LOGIN;
@Override
public void handle(Request request, Response response) throws Exception {
- userSession.checkLoggedIn().checkPermission(GlobalPermissions.SYSTEM_ADMIN);
+ userSession.checkLoggedIn();
try (DbSession dbSession = dbClient.openSession(false)) {
GroupId group = support.findGroup(dbSession, request);
+ userSession.checkOrganizationPermission(group.getOrganizationUuid(), SYSTEM_ADMIN);
String login = request.mandatoryParam(PARAM_LOGIN);
UserDto user = getUser(dbSession, login);
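Review bot: The organization-scoped check `userSession.checkOrganizationPermission(group.getOrganizationUuid(), SYSTEM_ADMIN)` now runs after `support.findGroup(dbSession, request)`, so the group lookup is driven by any logged-in user rather than only by an administrator, and its outcome is observable before authorization happens. If `findGroup` signals an unknown group differently from a known one (the test expecting `NotFoundException` for id `42` suggests it does, while an existing group in a foreign organization now yields `ForbiddenException`), the endpoint becomes an existence oracle for group ids and names across organizations. The ordering is forced by needing the group's organization before the permission can be checked, so at minimum document it, e.g. `// The group must be resolved before its organization can be authorized; findGroup's not-found is observable by any logged-in user.`, and consider checking the supplied `PARAM_ORGANIZATION_KEY` against the session before the lookup, or returning the same error for unknown and forbidden groups to non-administrators. The body of `handle` continues past the hunk.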
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserMembershipDto;
import org.sonar.db.user.UserMembershipQuery;
+import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.organization.TestDefaultOrganizationProvider;
import org.sonar.server.tester.UserSessionRule;
public void does_nothing_if_user_is_not_in_group() throws Exception {
GroupDto group = db.users().insertGroup(db.getDefaultOrganization(), "admins");
UserDto user = db.users().insertUser("my-admin");
+ loginAsAdminOnDefaultOrganization();
- loginAsAdmin();
newRequest()
.setParam("id", group.getId().toString())
.setParam("login", user.getLogin())
GroupDto users = db.users().insertGroup(db.getDefaultOrganization(), "users");
UserDto user = db.users().insertUser("my-admin");
db.users().insertMember(users, user);
+ loginAsAdminOnDefaultOrganization();
- loginAsAdmin();
newRequest()
.setParam("id", users.getId().toString())
.setParam("login", user.getLogin())
GroupDto group = db.users().insertGroup(db.getDefaultOrganization(), "group_name");
UserDto user = db.users().insertUser("user_login");
db.users().insertMember(group, user);
+ loginAsAdminOnDefaultOrganization();
- loginAsAdmin();
newRequest()
.setParam(PARAM_GROUP_NAME, group.getName())
.setParam(PARAM_LOGIN, user.getLogin())
UserDto user = db.users().insertUser("user_login");
db.users().insertMember(group, user);
- loginAsAdmin();
+ loginAsAdmin(org);
+
newRequest()
.setParam(PARAM_ORGANIZATION_KEY, org.getKey())
.setParam(PARAM_GROUP_NAME, group.getName())
UserDto user = db.users().insertUser("user");
db.users().insertMember(users, user);
db.users().insertMember(admins, user);
+ loginAsAdminOnDefaultOrganization();
- loginAsAdmin();
newRequest()
.setParam("id", admins.getId().toString())
.setParam("login", user.getLogin())
expectedException.expect(NotFoundException.class);
- loginAsAdmin();
+ loginAsAdminOnDefaultOrganization();
newRequest()
.setParam("id", "42")
.setParam("login", user.getLogin())
expectedException.expect(NotFoundException.class);
- loginAsAdmin();
+ loginAsAdminOnDefaultOrganization();
newRequest()
.setParam("id", group.getId().toString())
.setParam("login", "my-admin")
GroupDto adminGroup = db.users().insertAdminGroup();
UserDto user1 = db.users().insertRootByGroupPermission("user1", adminGroup);
UserDto user2 = db.users().insertRootByGroupPermission("user2", adminGroup);
- loginAsAdmin();
+ loginAsAdminOnDefaultOrganization();
executeRequest(adminGroup, user1);
verifyUserNotInGroup(user1, adminGroup);
UserDto adminUserBySingleGroup = db.users().insertUser("adminUserBySingleGroup");
GroupDto adminGroup2 = db.users().insertAdminGroup();
db.users().insertMembers(adminGroup2, adminUserByUserPermission, adminUserByTwoGroups, adminUserBySingleGroup);
- loginAsAdmin();
+ loginAsAdminOnDefaultOrganization();
executeRequest(adminGroup2, adminUserByUserPermission);
verifyUserNotInGroup(adminUserByUserPermission, adminGroup2);
verifyRootFlagUpdated(adminUserBySingleGroup, false);
}
+ @Test
+ public void throw_ForbiddenException_if_not_administrator_of_organization() throws Exception {
+ OrganizationDto org = db.organizations().insert();
+ GroupDto group = db.users().insertGroup(org, "a-group");
+ UserDto user = db.users().insertUser();
+ db.users().insertMember(group, user);
+ loginAsAdminOnDefaultOrganization();
+
+ expectedException.expect(ForbiddenException.class);
+ expectedException.expectMessage("Insufficient privileges");
+
+ newRequest()
+ .setParam("id", group.getId().toString())
+ .setParam("login", user.getLogin())
+ .execute();
+ }
+
private void executeRequest(GroupDto group, UserDto user) throws Exception {
newRequest()
.setParam("id", group.getId().toString())
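Review bot: The new `throw_ForbiddenException_if_not_administrator_of_organization` test only exercises the `id` lookup path; the `PARAM_ORGANIZATION_KEY` + `PARAM_GROUP_NAME` path that the `loginAsAdmin(org)` test uses gets no negative case, so a regression that skips the organization check when the group is resolved by key and name would go unnoticed. Add a sibling test that logs in via `loginAsAdminOnDefaultOrganization()`, sets `PARAM_ORGANIZATION_KEY` to `org.getKey()` and `PARAM_GROUP_NAME` to `group.getName()`, and expects `ForbiddenException` with the same `"Insufficient privileges"` message. Since `ExpectedException` stops the test at the throw, a check that the membership survived the rejected call would need a `try`/`catch` around `execute()` followed by the file's `verifyUnchanged(user)` helper, assuming that helper asserts on membership — confirm before relying on it.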
return ws.newPostRequest("api/user_groups", "remove_user");
}
- private void loginAsAdmin() {
- userSession.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
+ private void loginAsAdminOnDefaultOrganization() {
+ loginAsAdmin(db.getDefaultOrganization());
+ }
+
+ private void loginAsAdmin(OrganizationDto org) {
+ userSession.login("admin").addOrganizationPermission(org.getUuid(), GlobalPermissions.SYSTEM_ADMIN);
}
private void verifyUnchanged(UserDto user) {