SONAR-8262 verify authorization on organization
authorSimon Brandhof <simon.brandhof@sonarsource.com>
Fri, 14 Oct 2016 08:02:00 +0000 (10:02 +0200)
committerSimon Brandhof <simon.brandhof@sonarsource.com>
Sun, 16 Oct 2016 17:10:46 +0000 (19:10 +0200)
server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveGroupAction.java
server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
server/sonar-server/src/test/java/org/sonar/server/permission/ws/RemoveGroupActionTest.java

index 89e52894966a58412324dac6bd8954ba6b8795ce..cee272fe693764232dd9c4168be6fc4b4ec48457 100644 (file)
@@ -79,7 +79,7 @@ public class RemoveGroupAction implements PermissionsWsAction {
       GroupIdOrAnyone group = support.findGroup(dbSession, request);
       Optional<ProjectId> projectId = support.findProject(dbSession, request);
 
-      checkProjectAdmin(userSession, projectId);
+      checkProjectAdmin(userSession, group.getOrganizationUuid(), projectId);
 
       PermissionChange change = new GroupPermissionChange(
         PermissionChange.Operation.REMOVE,
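Review bot: The organization passed to `checkProjectAdmin` comes from the group, while `projectId` is resolved separately from the request, and nothing in this hunk shows that the project belongs to that same organization. If `checkProjectAdmin` (defined outside this page) does not compare the two, an administrator of one organization could be authorized to change permissions on a project owned by another. The same pairing appears in the RemoveUserAction hunk, where the organization is looked up from `PARAM_ORGANIZATION_KEY`. I would confirm the helper enforces this, or reject the request before the call when the project's organization differs from `group.getOrganizationUuid()`, and document it with `// project must belong to the group's organization`. The enclosing method starts and ends outside the hunk.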
index e931111f633025aacc954b786d0c33ccdce5f060..fedd1eab4541add160bb19aa021df7c5c53a3807 100644 (file)
@@ -82,7 +82,7 @@ public class RemoveUserAction implements PermissionsWsAction {
       Optional<ProjectId> projectId = support.findProject(dbSession, request);
       OrganizationDto org = support.findOrganization(dbSession, request.param(PARAM_ORGANIZATION_KEY));
 
-      checkProjectAdmin(userSession, projectId);
+      checkProjectAdmin(userSession, org.getUuid(), projectId);
 
       PermissionChange change = new UserPermissionChange(
         PermissionChange.Operation.REMOVE,
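Review bot: This call site changes who may remove a user permission, but the commit's file list has no test for RemoveUserAction; only RemoveGroupActionTest is touched. A test that logs in as administrator of an organization other than the one named by `PARAM_ORGANIZATION_KEY` and expects `ForbiddenException` would pin the new rule. Such a test may exist elsewhere or in a later commit, which cannot be seen from this page. The enclosing method extends beyond the hunk.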
index 14f5b84d03875bd6c0a361cde041d8406bb50e47..a0d30f01d856dd4e0c38d39b03d3c846882770d0 100644 (file)
@@ -23,6 +23,7 @@ import org.junit.Before;
 import org.junit.Test;
 import org.sonar.api.web.UserRole;
 import org.sonar.db.component.ComponentDto;
+import org.sonar.db.organization.OrganizationDto;
 import org.sonar.db.user.GroupDto;
 import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.exceptions.ForbiddenException;
@@ -316,7 +317,11 @@ public class RemoveGroupActionTest extends BasePermissionWsTest<RemoveGroupActio
   }
 
   private void loginAsAdmin() {
-    userSession.login().setGlobalPermissions(SYSTEM_ADMIN);
+    loginAsOrganizationAdmin(db.getDefaultOrganization());
+  }
+
+  private void loginAsOrganizationAdmin(OrganizationDto org) {
+    userSession.login().addOrganizationPermission(org.getUuid(), SYSTEM_ADMIN);
   }
 
 }
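Review bot: `loginAsOrganizationAdmin` is only called with `db.getDefaultOrganization()` in this hunk, so as far as the visible lines show, the tests still cover only the allowed path of the new organization check. I would add a case where the session holds `SYSTEM_ADMIN` on one organization and the group being changed belongs to another, expecting `ForbiddenException`, which the test already imports. `loginAsAdmin` also deserves a comment, because its meaning has narrowed: `// administrator of the default organization only, not a global SYSTEM_ADMIN`. The rest of the test class is outside the hunk, so a negative case may already exist there.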