@Override
public void define(WebService.NewController controller) {
WebService.NewAction action = controller.createAction("search")
- .setDescription("Get a list of active users. Requires Administer System permission.")
+ .setDescription("Get a list of active users. Administer System permission is required to show the 'groups' field.")
.setSince("3.6")
.setHandler(this)
.setResponseExample(getClass().getResource("example-search.json"));
@Override
public void handle(Request request, Response response) throws Exception {
- userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
-
SearchOptions options = new SearchOptions()
.setPage(request.mandatoryParamAsInt(Param.PAGE), request.mandatoryParamAsInt(Param.PAGE_SIZE));
List<String> fields = request.paramAsStrings(Param.FIELDS);
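Review bot: Removing the whole `userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN)` chain in `handle` drops the login requirement together with the admin requirement, so a caller with no session now receives logins, names, emails and SCM accounts; the updated tests confirm this by asserting `email` in the output before any login. If only the admin requirement was meant to go, keep `userSession.checkLoggedIn();` as the first statement. If anonymous access is intended, the new description in `define` should say so explicitly, because it currently mentions only the 'groups' restriction. It is also worth confirming that instances configured to require authentication still reject this call at another layer, which is not visible here. The body of `handle` continues outside the hunk.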
}
private void writeGroupsIfNeeded(JsonWriter json, Collection<String> groups, @Nullable List<String> fields) {
- if (fieldIsWanted(FIELD_GROUPS, fields)) {
+ if (fieldIsWanted(FIELD_GROUPS, fields) && userSession.hasGlobalPermission(GlobalPermissions.SYSTEM_ADMIN)) {
json.name(FIELD_GROUPS).beginArray();
for (String groupName : groups) {
json.value(groupName);
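Review bot: The condition in `writeGroupsIfNeeded` is now the only thing keeping group membership away from unprivileged callers, and nothing in the code says so. I would add a comment above the `if`, for example `// Group membership is only disclosed to system administrators; for other callers the field is omitted silently, even when explicitly requested.` If this method is called once per user, as the signature suggests, the `userSession.hasGlobalPermission(GlobalPermissions.SYSTEM_ADMIN)` result could be computed once by the caller and passed in, which also keeps the authorization decision in one place. The caller and the rest of this method are outside the hunk.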
import org.sonar.core.user.UserGroupDto;
import org.sonar.server.db.DbClient;
import org.sonar.server.es.EsTester;
-import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.user.db.GroupDao;
import org.sonar.server.user.db.UserDao;
@Test
public void search_empty() throws Exception {
- loginAsAdmin();
tester.newGetRequest("api/users", "search").execute().assertJson(getClass(), "empty.json");
}
public void search_without_parameters() throws Exception {
injectUsers(5);
- loginAsAdmin();
tester.newGetRequest("api/users", "search").execute().assertJson(getClass(), "five_users.json");
}
public void search_with_query() throws Exception {
injectUsers(5);
- loginAsAdmin();
tester.newGetRequest("api/users", "search").setParam("q", "user-1").execute().assertJson(getClass(), "user_one.json");
}
public void search_with_paging() throws Exception {
injectUsers(10);
- loginAsAdmin();
tester.newGetRequest("api/users", "search").setParam(Param.PAGE_SIZE, "5").execute().assertJson(getClass(), "page_one.json");
tester.newGetRequest("api/users", "search").setParam(Param.PAGE_SIZE, "5").setParam(Param.PAGE, "2").execute().assertJson(getClass(), "page_two.json");
}
public void search_with_fields() throws Exception {
injectUsers(1);
- loginAsAdmin();
-
assertThat(tester.newGetRequest("api/users", "search").execute().outputAsString())
.contains("login")
.contains("name")
.contains("email")
.contains("scmAccounts")
- .contains("groups");
+ .doesNotContain("groups");
assertThat(tester.newGetRequest("api/users", "search").setParam(Param.FIELDS, "").execute().outputAsString())
.contains("login")
.contains("name")
.contains("email")
.contains("scmAccounts")
- .contains("groups");
+ .doesNotContain("groups");
assertThat(tester.newGetRequest("api/users", "search").setParam(Param.FIELDS, "login").execute().outputAsString())
.contains("login")
.contains("scmAccounts")
.doesNotContain("groups");
+ assertThat(tester.newGetRequest("api/users", "search").setParam(Param.FIELDS, "groups").execute().outputAsString())
+ .doesNotContain("login")
+ .doesNotContain("name")
+ .doesNotContain("email")
+ .doesNotContain("scmAccounts")
+ .doesNotContain("groups");
+
+ loginAsAdmin();
+
+ assertThat(tester.newGetRequest("api/users", "search").execute().outputAsString())
+ .contains("login")
+ .contains("name")
+ .contains("email")
+ .contains("scmAccounts")
+ .contains("groups");
+
assertThat(tester.newGetRequest("api/users", "search").setParam(Param.FIELDS, "groups").execute().outputAsString())
.doesNotContain("login")
.doesNotContain("name")
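Review bot: The non-admin assertions in `search_with_fields` run with no session at all, so the authenticated-but-unprivileged case that the removed `fail_on_missing_permission` exercised through `userSession.login("not-admin")` is no longer covered. Between the anonymous assertions and `loginAsAdmin()`, I would add a `userSession.login("not-admin");` step followed by the same `.doesNotContain("groups")` assertion on both the default request and the `groups`-only request. That pins the behaviour the permission check in `writeGroupsIfNeeded` is meant to guarantee for ordinary logged-in users. The test method continues beyond the lines shown.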
tester.newGetRequest("api/users", "search").execute().assertJson(getClass(), "user_with_groups.json");
}
- @Test(expected = ForbiddenException.class)
- public void fail_on_missing_permission() throws Exception {
- userSession.login("not-admin");
- tester.newGetRequest("api/users", "search").execute();
- }
-
private List<UserDto> injectUsers(int numberOfUsers) throws Exception {
List<UserDto> userDtos = Lists.newArrayList();
long createdAt = System.currentTimeMillis();