SONAR-7628 WS api/qualitygates/project_status requires admin or browse permission 955/head
authorTeryk Bellahsene <teryk.bellahsene@sonarsource.com>
Wed, 11 May 2016 14:11:00 +0000 (16:11 +0200)
committerTeryk Bellahsene <teryk.bellahsene@sonarsource.com>
Thu, 12 May 2016 12:34:53 +0000 (14:34 +0200)
server/sonar-server/src/main/java/org/sonar/server/measure/ws/ComponentTreeDataLoader.java
server/sonar-server/src/main/java/org/sonar/server/qualitygate/ws/ProjectStatusAction.java
server/sonar-server/src/test/java/org/sonar/server/qualitygate/ws/ProjectStatusActionTest.java

index aa82944b8b64191dd9d185e3cd48f5975e863b69..3878a6491ac5f22c3f1aabcd21ce9f61e0c38834 100644 (file)
@@ -351,8 +351,7 @@ public class ComponentTreeDataLoader {
 
   private void checkPermissions(ComponentDto baseComponent) {
     String projectUuid = firstNonNull(baseComponent.projectUuid(), baseComponent.uuid());
-    if (!userSession.hasPermission(GlobalPermissions.SYSTEM_ADMIN) &&
-      !userSession.hasComponentUuidPermission(UserRole.ADMIN, projectUuid) &&
+    if (!userSession.hasComponentUuidPermission(UserRole.ADMIN, projectUuid) &&
       !userSession.hasComponentUuidPermission(UserRole.USER, projectUuid)) {
       throw insufficientPrivilegesException();
     }
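Review bot: The rewritten condition drops the explicit `GlobalPermissions.SYSTEM_ADMIN` clause, so a system administrator holding no project-level role is admitted only if `hasComponentUuidPermission` itself falls back to the global permission of the same name; nothing in the hunk states that, and the same implicit reliance appears in `ProjectStatusAction.checkPermission` in the later hunk of this commit. If that fallback is the intended mechanism, make it visible where it is relied on, e.g. `// a global 'admin' (SYSTEM_ADMIN) grant is honoured by hasComponentUuidPermission, so no separate system-admin check is needed`; if it is not, the removed `hasPermission(GlobalPermissions.SYSTEM_ADMIN)` clause has to stay. `checkPermissions` closes outside the hunk.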
index 0278ac0857c5eaa4a9f42ed9a1c38c006b5348d4..0201259bef8c591a9d4f73194d3ba36694ecfef0 100644 (file)
@@ -32,6 +32,7 @@ import org.sonar.api.measures.CoreMetrics;
 import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.util.Uuids;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
@@ -47,8 +48,6 @@ import org.sonarqube.ws.WsQualityGates.ProjectStatusWsResponse;
 import org.sonarqube.ws.client.qualitygate.ProjectStatusWsRequest;
 
 import static com.google.common.base.Strings.isNullOrEmpty;
-import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
-import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
 import static org.sonar.server.user.AbstractUserSession.insufficientPrivilegesException;
 import static org.sonar.server.ws.WsUtils.checkFound;
 import static org.sonar.server.ws.WsUtils.checkRequest;
@@ -86,7 +85,12 @@ public class ProjectStatusAction implements QGateWsAction {
         MSG_ONE_PARAMETER_ONLY + "<br />" +
         "The different statuses returned are: %s. The %s status is returned when there is no quality gate associated with the analysis.<br />" +
         "Returns an HTTP code 404 if the analysis associated with the task is not found or does not exist.<br />" +
-        "Requires 'Administer System' or 'Execute Analysis' permission.", QG_STATUSES_ONE_LINE, ProjectStatusWsResponse.Status.NONE))
+        "Requires one of the following permissions:" +
+        "<ul>" +
+        "<li>'Administer System'</li>" +
+        "<li>'Administer' rights on the specified project</li>" +
+        "<li>'Browse' on the specified project</li>" +
+        "</ul>", QG_STATUSES_ONE_LINE, ProjectStatusWsResponse.Status.NONE))
       .setResponseExample(getClass().getResource("project_status-example.json"))
       .setSince("5.3")
       .setHandler(this);
@@ -193,8 +197,8 @@ public class ProjectStatusAction implements QGateWsAction {
   }
 
   private void checkPermission(String projectUuid) {
-    if (!userSession.hasPermission(SYSTEM_ADMIN)
-      && !userSession.hasComponentUuidPermission(SCAN_EXECUTION, projectUuid)) {
+    if (!userSession.hasComponentUuidPermission(UserRole.ADMIN, projectUuid) &&
+      !userSession.hasComponentUuidPermission(UserRole.USER, projectUuid)) {
       throw insufficientPrivilegesException();
     }
   }
index 8df4871a69239ccc8d440b1904aad98107d6e8ba..438423722b32cef4de7703455b38441261ed6ec0 100644 (file)
@@ -28,6 +28,7 @@ import org.junit.Test;
 import org.junit.rules.ExpectedException;
 import org.sonar.api.measures.CoreMetrics;
 import org.sonar.api.utils.System2;
+import org.sonar.api.web.UserRole;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.DbTester;
@@ -47,7 +48,6 @@ import org.sonarqube.ws.WsQualityGates.ProjectStatusWsResponse.Status;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.sonar.core.permission.GlobalPermissions.PROVISIONING;
-import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
 import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
 import static org.sonar.db.component.ComponentTesting.newProjectDto;
 import static org.sonar.db.component.SnapshotTesting.newSnapshotForProject;
@@ -82,7 +82,7 @@ public class ProjectStatusActionTest {
 
   @Test
   public void json_example() throws IOException {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+    userSession.setGlobalPermissions(SYSTEM_ADMIN);
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project)
@@ -111,7 +111,7 @@ public class ProjectStatusActionTest {
 
   @Test
   public void return_status_by_project_id() throws IOException {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+    userSession.setGlobalPermissions(SYSTEM_ADMIN);
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project)
@@ -140,7 +140,7 @@ public class ProjectStatusActionTest {
 
   @Test
   public void return_status_by_project_key() throws IOException {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+    userSession.setGlobalPermissions(SYSTEM_ADMIN);
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid").setKey("project-key"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project)
@@ -169,7 +169,7 @@ public class ProjectStatusActionTest {
 
   @Test
   public void return_undefined_status_if_measure_is_not_found() {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+    userSession.setGlobalPermissions(SYSTEM_ADMIN);
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project));
@@ -183,7 +183,7 @@ public class ProjectStatusActionTest {
 
   @Test
   public void return_undefined_status_if_snapshot_is_not_found() {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+    userSession.setGlobalPermissions(SYSTEM_ADMIN);
     componentDb.insertComponent(newProjectDto("project-uuid"));
 
     ProjectStatusWsResponse result = callByProjectUuid("project-uuid");
@@ -193,8 +193,8 @@ public class ProjectStatusActionTest {
   }
 
   @Test
-  public void not_fail_with_system_admin_permission() {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+  public void not_fail_with_project_admin_permission() {
+    userSession.addProjectUuidPermissions(UserRole.ADMIN, "project-uuid");
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project));
@@ -204,8 +204,8 @@ public class ProjectStatusActionTest {
   }
 
   @Test
-  public void not_fail_with_global_scan_permission() {
-    userSession.login("john").setGlobalPermissions(SCAN_EXECUTION);
+  public void not_fail_with_browse_permission() {
+    userSession.addProjectUuidPermissions(UserRole.USER, "project-uuid");
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project));
@@ -214,20 +214,9 @@ public class ProjectStatusActionTest {
     call(snapshot.getId().toString());
   }
 
-  @Test
-  public void not_fail_with_project_scan_permission() {
-    ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
-    SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project));
-    dbSession.commit();
-
-    userSession.login("john").addProjectUuidPermissions(SCAN_EXECUTION, project.uuid());
-
-    call(snapshot.getId().toString());
-  }
-
   @Test
   public void fail_if_no_snapshot_id_found() {
-    userSession.login("john").setGlobalPermissions(SYSTEM_ADMIN);
+    userSession.setGlobalPermissions(SYSTEM_ADMIN);
 
     expectedException.expect(NotFoundException.class);
     expectedException.expectMessage("Analysis with id 'task-uuid' is not found");
@@ -237,7 +226,7 @@ public class ProjectStatusActionTest {
 
   @Test
   public void fail_if_insufficient_privileges() {
-    userSession.login("john").setGlobalPermissions(PROVISIONING);
+    userSession.setGlobalPermissions(PROVISIONING);
 
     ComponentDto project = componentDb.insertComponent(newProjectDto("project-uuid"));
     SnapshotDto snapshot = dbClient.snapshotDao().insert(dbSession, newSnapshotForProject(project));
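Review bot: The only negative test, `fail_if_insufficient_privileges`, grants `PROVISIONING`, a permission that never admitted callers to this action; the permission the commit actually withdraws, `SCAN_EXECUTION` (global and per-project), has no test asserting it is now refused, so a regression that re-admits scanner-only users would pass the suite. Add a case mirroring the deleted `not_fail_with_project_scan_permission` but with the same failure expectation this test sets up, e.g. `userSession.addProjectUuidPermissions(SCAN_EXECUTION, "project-uuid");` before the call, which also means restoring the `SCAN_EXECUTION` static import this commit removes from the test file. The body of `fail_if_insufficient_privileges` continues past the hunk.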