SONAR-5819 Add check for codeviewer permission on /api/sources/show
authorJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Wed, 3 Dec 2014 15:57:35 +0000 (16:57 +0100)
committerJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Wed, 3 Dec 2014 15:57:35 +0000 (16:57 +0100)
server/sonar-server/src/main/java/org/sonar/server/source/ws/ShowAction.java
server/sonar-server/src/test/java/org/sonar/server/source/ws/ShowActionTest.java

index 962f6dfab02fd5036177547d34ba4cc1e853422d..7145d6f70c4784a1def64d46f0f08934327bddfa 100644 (file)
@@ -26,11 +26,13 @@ import org.sonar.api.server.ws.RequestHandler;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.utils.text.JsonWriter;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.db.DbClient;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.source.SourceService;
+import org.sonar.server.user.UserSession;
 
 import java.util.List;
 
@@ -77,6 +79,8 @@ public class ShowAction implements RequestHandler {
   @Override
   public void handle(Request request, Response response) {
     String fileKey = request.mandatoryParam("key");
+    UserSession.get().checkComponentPermission(UserRole.CODEVIEWER, fileKey);
+
     int from = Math.max(request.mandatoryParamAsInt("from"), 1);
     int to = (Integer) ObjectUtils.defaultIfNull(request.paramAsInt("to"), Integer.MAX_VALUE);
 
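Review bot: The added check authorizes on `fileKey` before any lookup, so a caller without CODEVIEWER receives a ForbiddenException whether or not the key exists, and the NotFoundException path later in the method is only reachable after the check passes; that ordering is the safer one and deserves a line stating it is intentional, e.g. `// Authorize before any lookup so unauthorized callers learn nothing about whether the key exists`. This assumes checkComponentPermission does not itself resolve the component and raise NotFound first; if it does, the comment should say that instead. If the action's `define` description lists preconditions, the required CODEVIEWER permission should be mentioned there too. handle() continues past the hunk.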
index 379c0c2b668ddc930bd33450e265bc024377f0b1..5c9df69e4ec8a29712b6e674e7f4e2387e0c6599 100644 (file)
@@ -24,12 +24,15 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.component.ComponentTesting;
 import org.sonar.server.component.db.ComponentDao;
 import org.sonar.server.db.DbClient;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.source.SourceService;
+import org.sonar.server.user.MockUserSession;
 import org.sonar.server.ws.WsTester;
 
 import static com.google.common.collect.Lists.newArrayList;
@@ -70,6 +73,7 @@ public class ShowActionTest {
   @Test
   public void show_source() throws Exception {
     String fileKey = "src/Foo.java";
+    MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
     when(componentDao.getByKey(session, fileKey)).thenReturn(file);
     when(sourceService.getLinesAsHtml(eq(file.uuid()), anyInt(), anyInt())).thenReturn(newArrayList(
       "/*",
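Review bot: The project key `"polop"` is repeated verbatim in this hunk and in the two following ones (show_source_with_from_and_to_params, show_source_accept_from_less_than_one); a class constant `private static final String PROJECT_KEY = "polop";` next to the existing fixtures would keep the three set-ups in sync and make clear that the value is the project the permission is granted on. It is not visible here how the `file` fixture is built, so whether "polop" matches its project key should be confirmed rather than assumed.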
@@ -87,6 +91,7 @@ public class ShowActionTest {
   @Test
   public void show_source_with_from_and_to_params() throws Exception {
     String fileKey = "src/Foo.java";
+    MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
     when(componentDao.getByKey(session, fileKey)).thenReturn(file);
     when(sourceService.getLinesAsHtml(file.uuid(), 3, 5)).thenReturn(newArrayList(
       " */",
@@ -104,6 +109,7 @@ public class ShowActionTest {
   @Test
   public void show_source_accept_from_less_than_one() throws Exception {
     String fileKey = "src/Foo.java";
+    MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
     when(componentDao.getByKey(session, fileKey)).thenReturn(file);
     when(sourceService.getLinesAsHtml(file.uuid(), 1, 5)).thenReturn(newArrayList(
       " */",
@@ -119,4 +125,10 @@ public class ShowActionTest {
     verify(sourceService).getLinesAsHtml(file.uuid(), 1, 5);
   }
 
+  @Test(expected = ForbiddenException.class)
+  public void require_code_viewer() throws Exception {
+    String fileKey = "src/Foo.java";
+    MockUserSession.set();
+    tester.newGetRequest("api/sources", "show").setParam("key", fileKey).execute();
+  }
 }
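Review bot: require_code_viewer exercises only a session with no permissions at all, so it would still pass if the action checked for any role rather than specifically CODEVIEWER; a second test granting a different role before the same request, e.g. `MockUserSession.set().addComponentPermission(UserRole.USER, "polop", fileKey);`, would pin the role, and one granting CODEVIEWER on another component key would pin that the check is keyed on the requested component. Since componentDao.getByKey is not stubbed in this test, it passes only because the exception is thrown before the lookup, which is the ordering under test but is worth stating: `// no DAO stubbing on purpose: the permission check must fail before any lookup`.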