From: Jacek
Date: Wed, 24 Jun 2020 12:50:47 +0000 (+0200)
Subject: SONAR-13489 Fix permission issue with hotspot assign action
X-Git-Tag: 8.4.0.35506~69
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=88131a33e07fe611f32883079614d1e768f60076;p=sonarqube.git
SONAR-13489 Fix permission issue with hotspot assign action
---
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/AssignAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/AssignAction.java
index fc90f0c2fce..29d2ba6aec8 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/AssignAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/hotspot/ws/AssignAction.java
@@ -74,7 +74,7 @@ public class AssignAction implements HotspotsWsAction {
 .setExampleValue(Uuids.UUID_EXAMPLE_01);
 action.createParam(PARAM_ASSIGNEE)
- .setDescription("Login of the assignee")
+ .setDescription("Login of the assignee with 'Browse' project permission")
 .setRequired(true)
 .setExampleValue("admin");
@@ -129,11 +129,12 @@ public class AssignAction implements HotspotsWsAction {
 return checkFound(dbClient.userDao().selectActiveUserByLogin(dbSession, assignee), "Unknown user: %s", assignee);
 }
- private void checkAssigneeProjectPermission(DbSession dbSession, UserDto assignee, String projectUuid) {
- ComponentDto componentDto = checkFoundWithOptional(dbClient.componentDao().selectByUuid(dbSession, projectUuid),
+ private void checkAssigneeProjectPermission(DbSession dbSession, UserDto assignee, String issueProjectUuid) {
+ ComponentDto componentDto = checkFoundWithOptional(dbClient.componentDao().selectByUuid(dbSession, issueProjectUuid),
 "Could not find project for issue");
- if (componentDto.isPrivate() && !hasProjectPermission(dbSession, assignee.getUuid(), projectUuid)) {
- throw new IllegalArgumentException(String.format("Provided user with login '%s' does not have access to project", assignee.getLogin()));
+ String mainProjectUuid = componentDto.getMainBranchProjectUuid() == null ? componentDto.uuid() : componentDto.getMainBranchProjectUuid();
+ if (componentDto.isPrivate() && !hasProjectPermission(dbSession, assignee.getUuid(), mainProjectUuid)) {
+ throw new IllegalArgumentException(String.format("Provided user with login '%s' does not have 'Browse' permission to project", assignee.getLogin()));
 }
 }
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/hotspot/ws/AssignActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/hotspot/ws/AssignActionTest.java
index cb9973b5bda..f5798c2d951 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/hotspot/ws/AssignActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/hotspot/ws/AssignActionTest.java
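Review bot: The new `mainProjectUuid` line in `checkAssigneeProjectPermission` calls `getMainBranchProjectUuid()` twice, and the guard on the next line still evaluates `isPrivate()` on the branch component while the permission itself is now checked against the main project; if a branch row's private flag is not guaranteed to mirror its main project's, a branch of a private project could skip the assignee check altogether, so that invariant is worth confirming or the visibility should be read from the main project component as well. A minimal tidy-up for the first point is `String mainBranchProjectUuid = componentDto.getMainBranchProjectUuid();` followed by `String mainProjectUuid = mainBranchProjectUuid == null ? componentDto.uuid() : mainBranchProjectUuid;`. A short Javadoc on the method saying that for a branch component the assignee's 'Browse' permission is resolved against the main project would also help, since that is the substance of this fix and is not visible from the signature.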
@@ -140,7 +140,24 @@ public class AssignActionTest {
 ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
 IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
- insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.USER);
+ insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
+ UserDto assignee = insertUserWithProjectUserPermission(randomAlphanumeric(15), project);
+
+ when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
+
+ executeRequest(hotspot, assignee.getLogin(), null);
+
+ verifyFieldSetters(assignee, null);
+ }
+
+ @Test
+ public void assign_hotspot_to_someone_for_private_project_branch() {
+ ComponentDto project = dbTester.components().insertPrivateProject();
+ ComponentDto branch = dbTester.components().insertProjectBranch(project);
+ ComponentDto file = dbTester.components().insertComponent(newFileDto(branch));
+ IssueDto hotspot = dbTester.issues().insertHotspot(branch, file);
+
+ insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
 UserDto assignee = insertUserWithProjectUserPermission(randomAlphanumeric(15), project);
 when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
@@ -156,14 +173,31 @@ public class AssignActionTest {
 ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
 IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
- insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.USER);
+ insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
+ UserDto assignee = insertUser(randomAlphanumeric(15));
+
+ when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
+
+ assertThatThrownBy(() -> executeRequest(hotspot, assignee.getLogin(), null))
+ .isInstanceOf(IllegalArgumentException.class)
+ .hasMessage("Provided user with login '%s' does not have 'Browse' permission to project", assignee.getLogin());
+ }
+
+ @Test
+ public void fail_if_assignee_does_not_have_access_for_private_project_branch() {
+ ComponentDto project = dbTester.components().insertPrivateProject();
+ ComponentDto branch = dbTester.components().insertProjectBranch(project);
+ ComponentDto file = dbTester.components().insertComponent(newFileDto(branch));
+ IssueDto hotspot = dbTester.issues().insertHotspot(branch, file);
+
+ insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
 UserDto assignee = insertUser(randomAlphanumeric(15));
 when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(assignee), any(IssueChangeContext.class))).thenReturn(true);
 assertThatThrownBy(() -> executeRequest(hotspot, assignee.getLogin(), null))
 .isInstanceOf(IllegalArgumentException.class)
- .hasMessage("Provided user with login '%s' does not have access to project", assignee.getLogin());
+ .hasMessage("Provided user with login '%s' does not have 'Browse' permission to project", assignee.getLogin());
 }
 @Test
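Review bot: In `fail_if_assignee_does_not_have_access_for_private_project_branch` (and the failure test just above it in this hunk) the `when(issueFieldsSetter.assign(...)).thenReturn(true)` stub is dead setup, because the request is expected to throw before any assignment is attempted, and nothing asserts that the hotspot was in fact left untouched. For a permission-denial test the stronger check is that no mutation happened: drop the stub and add `verify(issueFieldsSetter, never()).assign(any(), any(), any());` after the `assertThatThrownBy` chain. The `@Test` on the hunk's last line belongs to a method that continues outside the hunk.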
@@ -173,7 +207,7 @@ public class AssignActionTest {
 ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
 IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
- UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.USER);
+ UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.USER);
 when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(me), any(IssueChangeContext.class))).thenReturn(true);
@@ -298,7 +332,7 @@ public class AssignActionTest {
 ComponentDto file = dbTester.components().insertComponent(newFileDto(project));
 IssueDto hotspot = dbTester.issues().insertHotspot(project, file);
- UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), hotspot, project, UserRole.CODEVIEWER);
+ UserDto me = insertAndLoginAsUserWithProjectUserPermission(randomAlphanumeric(10), project, UserRole.CODEVIEWER);
 when(issueFieldsSetter.assign(eq(hotspot.toDefaultIssue()), userMatcher(me), any(IssueChangeContext.class))).thenReturn(true);
@@ -439,12 +473,11 @@ public class AssignActionTest {
 return insertUserWithProjectPermission(login, project, UserRole.USER);
 }
- private UserDto insertAndLoginAsUserWithProjectUserPermission(String login, IssueDto issue, ComponentDto project, String permission) {
+ private UserDto insertAndLoginAsUserWithProjectUserPermission(String login, ComponentDto project, String permission) {
 UserDto user = insertUserWithProjectUserPermission(login, project);
 userSessionRule.logIn(user)
 .addProjectPermission(permission,
- dbClient.componentDao().selectByUuid(dbTester.getSession(), issue.getProjectUuid()).get(),
- dbClient.componentDao().selectByUuid(dbTester.getSession(), issue.getComponentUuid()).get());
+ dbClient.componentDao().selectByUuid(dbTester.getSession(), project.uuid()).get());
 return user;
 }
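Review bot: In the rewritten `insertAndLoginAsUserWithProjectUserPermission` (last hunk on this line) the session permission is now granted only on the component returned by `selectByUuid(..., project.uuid())`, whereas the old helper also granted it on the issue's file component; the branch tests added elsewhere in this diff therefore depend on the logged-in user's own permission check (outside this diff) resolving a branch hotspot to its main project, which is worth stating in a one-line comment on the helper so the coupling is explicit. Stylistically, the unchecked `.get()` on the `Optional` would read better as `.orElseThrow()` (Java 10+), which fails the test with the same effect but states the intent.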