SONAR-6525 Fix security bypass on plugin-contributed pages

author Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>

Tue, 5 May 2015 09:35:56 +0000 (11:35 +0200)

committer Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>

Tue, 5 May 2015 09:47:19 +0000 (11:47 +0200)
author Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Tue, 5 May 2015 09:35:56 +0000 (11:35 +0200)
committer Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Tue, 5 May 2015 09:47:19 +0000 (11:47 +0200)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java b/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java

index de4cc75d909837a3792d7fbeed1725f65c8651c2..3beb0bbbbeb464eca82f53bcee5cc7497af43e60 100644 (file)
--- a/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java
@@ -285,9 +285,7 @@ public class ViewProxy<V extends View> implements Comparable<ViewProxy> {
    public boolean isUserAuthorized(ComponentDto component) {
      boolean authorized = userRoles.length == 0;
      for (String userRole : getUserRoles()) {
-      authorized |= (UserRole.VIEWER.equals(userRole)
-        || UserRole.USER.equals(userRole)
-        || UserSession.get().hasProjectPermissionByUuid(userRole, component.uuid()));
+      authorized |= UserSession.get().hasProjectPermissionByUuid(userRole, component.uuid());
      }
      return authorized;
    }
diff --git a/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java b/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java

index ab93684bfc0eaf265907418ded6722e25fa1f5cf..60a335023aa0469ce34e21692d2fd2a45bcdca4d 100644 (file)
--- a/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java
@@ -348,40 +348,6 @@ public class ViewProxyTest {
      MockUserSession.set().addProjectUuidPermissions("pilip", "abcd");
      assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isFalse();
    }
-
-  @Test
-  public void is_authorized_on_component_viewer_bypass() {
-
-    @NavigationSection(NavigationSection.RESOURCE)
-    @UserRole(UserRole.VIEWER)
-    class MyView extends FakeView {
-      MyView() {
-        super("fake");
-      }
-    }
-
-    ViewProxy proxy = new ViewProxy<View>(new MyView());
-
-    MockUserSession.set();
-    assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isTrue();
-  }
-
-  @Test
-  public void is_authorized_on_component_user_bypass() {
-
-    @NavigationSection(NavigationSection.RESOURCE)
-    @UserRole(UserRole.USER)
-    class MyView extends FakeView {
-      MyView() {
-        super("fake");
-      }
-    }
-
-    ViewProxy proxy = new ViewProxy<View>(new MyView());
-
-    MockUserSession.set();
-    assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isTrue();
-  }
  }
  
  class FakeView implements View {
@@ -392,10 +358,12 @@ class FakeView implements View {
      this.id = id;
    }
  
+  @Override
    public String getId() {
      return id;
    }
  
+  @Override
    public String getTitle() {
      return id;
    }
@@ -407,10 +375,12 @@ class FakeView implements View {
    @WidgetProperty(key = "third_prop", type = WidgetPropertyType.INTEGER)
  })
  class EditableWidget implements Widget {
+  @Override
    public String getId() {
      return "w1";
    }
  
+  @Override
    public String getTitle() {
      return "W1";
    }
@@ -418,10 +388,12 @@ class EditableWidget implements Widget {
  
  @WidgetProperties(@WidgetProperty(key = "message", defaultValue = "", type = WidgetPropertyType.TEXT))
  class TextWidget implements Widget {
+  @Override
    public String getId() {
      return "text";
    }
  
+  @Override
    public String getTitle() {
      return "TEXT";
    }
@@ -429,10 +401,12 @@ class TextWidget implements Widget {
  
  @WidgetScope("GLOBAL")
  class GlobalWidget implements Widget {
+  @Override
    public String getId() {
      return "global";
    }
  
+  @Override
    public String getTitle() {
      return "Global";
    }
@@ -440,10 +414,12 @@ class GlobalWidget implements Widget {
  
  @WidgetScope("INVALID")
  class WidgetWithInvalidScope implements Widget {
+  @Override
    public String getId() {
      return "invalidScope";
    }
  
+  @Override
    public String getTitle() {
      return "InvalidScope";
    }
@@ -454,10 +430,12 @@ class WidgetWithInvalidScope implements Widget {
    @WidgetProperty(key = "bar")
  })
  class WidgetWithOptionalProperties implements Widget {
+  @Override
    public String getId() {
      return "w2";
    }
  
+  @Override
    public String getTitle() {
      return "W2";
    }
author	Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
	Tue, 5 May 2015 09:35:56 +0000 (11:35 +0200)
committer	Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
	Tue, 5 May 2015 09:47:19 +0000 (11:47 +0200)
server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java		patch \| blob \| history
server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java		patch \| blob \| history