--- /dev/null
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+
+<mapper namespace="org.sonar.core.user.AuthorizationMapper">
+
+ <select id="keepAuthorizedComponentIdsForUser" parameterType="map" resultType="int">
+ SELECT s.project_id
+ FROM group_roles gr, snapshots s
+ WHERE
+ gr.role=#{role}
+ and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
+ and gr.resource_id = s.root_project_id
+ and s.project_id in <foreach item="componentId" index="index" collection="componentIds" open="(" separator="," close=")">#{componentId}</foreach>
+ and s.islast = ${_true}
+ UNION DISTINCT
+ SELECT s.project_id
+ FROM user_roles ur, snapshots s
+ WHERE
+ ur.role=#{role}
+ and ur.user_id=#{userId}
+ and s.project_id in <foreach item="componentId" index="index" collection="componentIds" open="(" separator="," close=")">#{componentId}</foreach>
+ and s.islast = ${_true}
+ </select>
+
+ <select id="keepAuthorizedComponentIdsForAnonymous" parameterType="map" resultType="int">
+ SELECT s.project_id
+ FROM group_roles gr, snapshots s
+ WHERE
+ gr.role=#{role}
+ and gr.group_id is null
+ and gr.resource_id = s.root_project_id
+ and s.project_id in <foreach item="componentId" index="index" collection="componentIds" open="(" separator="," close=")">#{componentId}</foreach>
+ </select>
+
+</mapper>
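Review bot: The second SELECT of `keepAuthorizedComponentIdsForUser` lists `user_roles ur` and `snapshots s` with no condition tying them together, so a user who holds `#{role}` on any single resource is reported as authorized for every requested component that has a latest snapshot. The group branch scopes the grant with `gr.resource_id = s.root_project_id`; the user branch needs the equivalent, `and ur.resource_id = s.root_project_id` (assuming `user_roles` has a `resource_id` column like `group_roles`). Separately, `keepAuthorizedComponentIdsForAnonymous` omits `and s.islast = ${_true}`, so it is filtered differently from the user query. The `<foreach>` also renders `in ()` when `componentIds` is empty, which most databases reject, so the DAO (not visible in this diff) should return early on an empty set.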
--- /dev/null
+/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2008-2012 SonarSource
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.core.user;
+
+import com.google.common.collect.Sets;
+import org.junit.Test;
+import org.sonar.core.persistence.AbstractDaoTestCase;
+
+import java.util.Set;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+public class AuthorizationDaoTest extends AbstractDaoTestCase {
+
+ private static final int USER = 100;
+ private static final int PROJECT = 300, PACKAGE = 301, FILE = 302, FILE_IN_OTHER_PROJECT = 999;
+
+ @Test
+ public void user_should_be_authorized() {
+ // but user is not in an authorized group
+ setupData("user_should_be_authorized");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ Set<Integer> componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ USER, "user");
+
+ assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE);
+
+ // user does not have the role "admin"
+ componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE),
+ USER, "admin");
+ assertThat(componentIds).isEmpty();
+ }
+
+ @Test
+ public void group_should_be_authorized() {
+ // user is in an authorized group
+ setupData("group_should_be_authorized");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ Set<Integer> componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ USER, "user");
+
+ assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE);
+
+ // group does not have the role "admin"
+ componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ USER, "admin");
+ assertThat(componentIds).isEmpty();
+ }
+
+ @Test
+ public void group_should_have_global_authorization() {
+ // user is in a group that has authorized access to all projects
+ setupData("group_should_have_global_authorization");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ Set<Integer> componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ USER, "user");
+
+ assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE);
+
+ // group does not have the role "admin"
+ componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ USER, "admin");
+ assertThat(componentIds).isEmpty();
+ }
+
+ @Test
+ public void anonymous_should_be_authorized() {
+ setupData("anonymous_should_be_authorized");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ Set<Integer> componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ null, "user");
+
+ assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE);
+
+ // group does not have the role "admin"
+ componentIds = authorization.keepAuthorizedComponentIds(
+ Sets.<Integer>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+ null, "admin");
+ assertThat(componentIds).isEmpty();
+ }
+}
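Review bot: None of these tests pins the cross-project case for direct user grants, where USER holds "user" on one project and asks for components of another that has its own latest snapshot. The `FILE_IN_OTHER_PROJECT` exclusion in `user_should_be_authorized` only proves this if the dataset contains such a snapshot row for id 999, and the fixture files are not part of this diff. I would add a test whose dataset grants USER the role on the other project only and asserts `assertThat(componentIds).isEmpty()` for `PROJECT, PACKAGE, FILE`, plus one that passes an empty set of ids. Two smaller points: the "admin" check in `user_should_be_authorized` leaves out `FILE_IN_OTHER_PROJECT` unlike the other three tests, and the comment in `anonymous_should_be_authorized` should read `// anonymous does not have the role "admin"`.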