From: Jean-Baptiste Lievremont
Date: Wed, 3 Dec 2014 15:57:35 +0000 (+0100)
Subject: SONAR-5819 Add check for codeviewer permission on /api/sources/show
X-Git-Tag: 5.0-RC1~81
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=c1388e9acd68a7ea0544eaab7ece033c8715ef6c;p=sonarqube.git
SONAR-5819 Add check for codeviewer permission on /api/sources/show
---
diff --git a/server/sonar-server/src/main/java/org/sonar/server/source/ws/ShowAction.java b/server/sonar-server/src/main/java/org/sonar/server/source/ws/ShowAction.java
index 962f6dfab02..7145d6f70c4 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/source/ws/ShowAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/source/ws/ShowAction.java
@@ -26,11 +26,13 @@ import org.sonar.api.server.ws.RequestHandler;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.utils.text.JsonWriter;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.db.DbClient;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.source.SourceService;
+import org.sonar.server.user.UserSession;
 import java.util.List;
@@ -77,6 +79,8 @@ public class ShowAction implements RequestHandler {
 @Override
 public void handle(Request request, Response response) {
 String fileKey = request.mandatoryParam("key");
+ UserSession.get().checkComponentPermission(UserRole.CODEVIEWER, fileKey);
+
 int from = Math.max(request.mandatoryParamAsInt("from"), 1);
 int to = (Integer) ObjectUtils.defaultIfNull(request.paramAsInt("to"), Integer.MAX_VALUE);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/source/ws/ShowActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/source/ws/ShowActionTest.java
index 379c0c2b668..5c9df69e4ec 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/source/ws/ShowActionTest.java
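Review bot: The new `checkComponentPermission` call in `handle` runs before the component lookup, so what a caller without access sees for a key that does not exist now depends on how `UserSession` treats unknown keys, which is not visible in this hunk. If unknown keys are rejected there, the ordering keeps forbidden and missing files indistinguishable and deserves a short comment such as `// check permission before the lookup so callers without access cannot tell existing keys from missing ones`; if they are not, the `NotFoundException` path still reveals which keys exist and should be covered by a test. The requirement is also worth stating in the action's description so API users know `UserRole.CODEVIEWER` is needed on the file. The body of `handle` continues outside the hunk.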
+++ b/server/sonar-server/src/test/java/org/sonar/server/source/ws/ShowActionTest.java
@@ -24,12 +24,15 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.component.ComponentTesting;
 import org.sonar.server.component.db.ComponentDao;
 import org.sonar.server.db.DbClient;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.source.SourceService;
+import org.sonar.server.user.MockUserSession;
 import org.sonar.server.ws.WsTester;
 import static com.google.common.collect.Lists.newArrayList;
@@ -70,6 +73,7 @@ public class ShowActionTest {
 @Test
 public void show_source() throws Exception {
 String fileKey = "src/Foo.java";
+ MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
 when(componentDao.getByKey(session, fileKey)).thenReturn(file);
 when(sourceService.getLinesAsHtml(eq(file.uuid()), anyInt(), anyInt())).thenReturn(newArrayList(
 "/*",
@@ -87,6 +91,7 @@ public class ShowActionTest {
 @Test
 public void show_source_with_from_and_to_params() throws Exception {
 String fileKey = "src/Foo.java";
+ MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
 when(componentDao.getByKey(session, fileKey)).thenReturn(file);
 when(sourceService.getLinesAsHtml(file.uuid(), 3, 5)).thenReturn(newArrayList(
 " */",
@@ -104,6 +109,7 @@ public class ShowActionTest {
 @Test
 public void show_source_accept_from_less_than_one() throws Exception {
 String fileKey = "src/Foo.java";
+ MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
 when(componentDao.getByKey(session, fileKey)).thenReturn(file);
 when(sourceService.getLinesAsHtml(file.uuid(), 1, 5)).thenReturn(newArrayList(
 " */",
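Review bot: The line `MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);` is pasted unchanged into `show_source`, `show_source_with_from_and_to_params` and `show_source_accept_from_less_than_one`, and nothing visible in these hunks resets the session between tests. Because `MockUserSession.set()` is a static call it presumably installs shared state, so a `@Before` method that calls a bare `MockUserSession.set()` would make every test start without permissions, and a small helper such as `grantCodeViewer(fileKey)` would keep the grant in one place. The literal `"polop"` is unexplained; a named constant would show that it is an arbitrary project key. All three test bodies continue outside their hunks.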
@@ -119,4 +125,10 @@ public class ShowActionTest {
 verify(sourceService).getLinesAsHtml(file.uuid(), 1, 5);
 }
+ @Test(expected = ForbiddenException.class)
+ public void require_code_viewer() throws Exception {
+ String fileKey = "src/Foo.java";
+ MockUserSession.set();
+ tester.newGetRequest("api/sources", "show").setParam("key", fileKey).execute();
+ }
 }
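Review bot: `require_code_viewer` only asserts that a `ForbiddenException` escapes the test method, so it would still pass if the handler looked up the component or read source lines before the check fired. Catching the exception explicitly and then asserting that the `componentDao` and `sourceService` mocks were never touched pins the property that matters here: the denial happens before any data access. The version below needs static imports for `fail` and Mockito's `verifyZeroInteractions`, which are not among the imports visible in this diff.

```java
@Test
public void require_code_viewer() throws Exception {
  String fileKey = "src/Foo.java";
  MockUserSession.set();
  try {
    tester.newGetRequest("api/sources", "show").setParam("key", fileKey).execute();
    fail("expected ForbiddenException");
  } catch (ForbiddenException e) {
    // the denial must come before any component lookup or source read
    verifyZeroInteractions(componentDao, sourceService);
  }
}
```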