SONAR-6382 updating plugin is restricted to system admins

author Sébastien Lesaint <sebastien.lesaint@sonarsource.com>

Thu, 23 Apr 2015 09:05:38 +0000 (11:05 +0200)

committer Sébastien Lesaint <sebastien.lesaint@sonarsource.com>

Thu, 23 Apr 2015 14:16:49 +0000 (16:16 +0200)
author Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Thu, 23 Apr 2015 09:05:38 +0000 (11:05 +0200)
committer Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
Thu, 23 Apr 2015 14:16:49 +0000 (16:16 +0200)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java b/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java

index c013dac195101b841bf6a0cd4109fb77e8633db9..888d9bead36a9ecbeb0481bf5b17408c1c5ba7c8 100644 (file)
--- a/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java
@@ -24,8 +24,10 @@ import com.google.common.collect.Iterables;
  import org.sonar.api.server.ws.Request;
  import org.sonar.api.server.ws.Response;
  import org.sonar.api.server.ws.WebService;
+import org.sonar.core.permission.GlobalPermissions;
  import org.sonar.server.plugins.PluginDownloader;
  import org.sonar.server.plugins.UpdateCenterMatrixFactory;
+import org.sonar.server.user.UserSession;
  import org.sonar.updatecenter.common.PluginUpdate;
  
  import javax.annotation.Nonnull;
@@ -53,7 +55,9 @@ public class UpdatePluginsWsAction implements PluginsWsAction {
    public void define(WebService.NewController controller) {
      WebService.NewAction action = controller.createAction("update")
        .setPost(true)
-      .setDescription("Updates a plugin specified by its key to the latest version compatible with the SonarQube instance")
+      .setDescription("Updates a plugin specified by its key to the latest version compatible with the SonarQube instance." +
+          "<br/>" +
+          "Requires user to be authenticated with Administer System permissions")
        .setHandler(this);
  
      action.createParam(PARAM_KEY)
@@ -63,6 +67,7 @@ public class UpdatePluginsWsAction implements PluginsWsAction {
  
    @Override
    public void handle(Request request, Response response) throws Exception {
+    UserSession.get().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
      String key = request.mandatoryParam(PARAM_KEY);
      PluginUpdate pluginUpdate = findPluginUpdateByKey(key);
      pluginDownloader.download(key, pluginUpdate.getRelease().getVersion());
diff --git a/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java

index ee2aa106e99edd51380385f201802c1a775de109..021cacb08c6b12b6c2cb5f22f897a55658698629 100644 (file)
--- a/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java
@@ -26,11 +26,15 @@ import org.junit.Test;
  import org.junit.rules.ExpectedException;
  import org.sonar.api.server.ws.Request;
  import org.sonar.api.server.ws.WebService;
+import org.sonar.core.permission.GlobalPermissions;
+import org.sonar.server.exceptions.ForbiddenException;
  import org.sonar.server.plugins.PluginDownloader;
  import org.sonar.server.plugins.UpdateCenterMatrixFactory;
+import org.sonar.server.user.MockUserSession;
  import org.sonar.server.ws.WsTester;
  import org.sonar.updatecenter.common.Plugin;
  import org.sonar.updatecenter.common.PluginUpdate;
+import org.sonar.updatecenter.common.PluginUpdate.Status;
  import org.sonar.updatecenter.common.Release;
  import org.sonar.updatecenter.common.UpdateCenter;
  import org.sonar.updatecenter.common.Version;
@@ -64,6 +68,19 @@ public class UpdatePluginsWsActionTest {
    @Before
    public void setUp() throws Exception {
      when(updateCenterFactory.getUpdateCenter(anyBoolean())).thenReturn(updateCenter);
+
+    MockUserSession.set().setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
+  }
+
+  @Test
+  public void user_must_have_system_admin_permission() throws Exception {
+    expectedException.expect(ForbiddenException.class);
+    expectedException.expectMessage("Insufficient privileges");
+
+    // no permission on user
+    MockUserSession.set().setGlobalPermissions();
+
+    underTest.handle(validRequest, response);
    }
  
    @Test
@@ -109,7 +126,7 @@ public class UpdatePluginsWsActionTest {
    public void if_plugin_has_an_update_download_is_triggered_with_latest_version_from_updatecenter() throws Exception {
      Version version = Version.create("1.0");
      when(updateCenter.findPluginUpdates()).thenReturn(ImmutableList.of(
-      PluginUpdate.createWithStatus(new Release(new Plugin(PLUGIN_KEY), version), PluginUpdate.Status.COMPATIBLE)
+      PluginUpdate.createWithStatus(new Release(new Plugin(PLUGIN_KEY), version), Status.COMPATIBLE)
        ));
  
      underTest.handle(validRequest, response);
author	Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
	Thu, 23 Apr 2015 09:05:38 +0000 (11:05 +0200)
committer	Sébastien Lesaint <sebastien.lesaint@sonarsource.com>
	Thu, 23 Apr 2015 14:16:49 +0000 (16:16 +0200)
server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java		patch \| blob \| history
server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java		patch \| blob \| history