From: Sébastien Lesaint Date: Thu, 23 Apr 2015 09:05:38 +0000 (+0200) Subject: SONAR-6382 updating plugin is restricted to system admins X-Git-Tag: 5.2-RC1~2134 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fpull%2F251%2Fhead;p=sonarqube.git SONAR-6382 updating plugin is restricted to system admins
---
diff --git a/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java b/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java
index c013dac1951..888d9bead36 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/plugins/ws/UpdatePluginsWsAction.java
@@ -24,8 +24,10 @@ import com.google.common.collect.Iterables;
 import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
+import org.sonar.core.permission.GlobalPermissions;
 import org.sonar.server.plugins.PluginDownloader;
 import org.sonar.server.plugins.UpdateCenterMatrixFactory;
+import org.sonar.server.user.UserSession;
 import org.sonar.updatecenter.common.PluginUpdate;
 import javax.annotation.Nonnull;
@@ -53,7 +55,9 @@ public class UpdatePluginsWsAction implements PluginsWsAction { public void define(WebService.NewController controller) { WebService.NewAction action = controller.createAction("update") .setPost(true) - .setDescription("Updates a plugin specified by its key to the latest version compatible with the SonarQube instance") + .setDescription("Updates a plugin specified by its key to the latest version compatible with the SonarQube instance." + "
" + + "Requires user to be authenticated with Administer System permissions") .setHandler(this); action.createParam(PARAM_KEY)
@@ -63,6 +67,7 @@ public class UpdatePluginsWsAction implements PluginsWsAction {
 @Override
 public void handle(Request request, Response response) throws Exception {
+ UserSession.get().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
 String key = request.mandatoryParam(PARAM_KEY);
 PluginUpdate pluginUpdate = findPluginUpdateByKey(key);
 pluginDownloader.download(key, pluginUpdate.getRelease().getVersion());
diff --git a/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java
index ee2aa106e99..021cacb08c6 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/plugins/ws/UpdatePluginsWsActionTest.java
@@ -26,11 +26,15 @@ import org.junit.Test;
 import org.junit.rules.ExpectedException;
 import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.WebService;
+import org.sonar.core.permission.GlobalPermissions;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.plugins.PluginDownloader;
 import org.sonar.server.plugins.UpdateCenterMatrixFactory;
+import org.sonar.server.user.MockUserSession;
 import org.sonar.server.ws.WsTester;
 import org.sonar.updatecenter.common.Plugin;
 import org.sonar.updatecenter.common.PluginUpdate;
+import org.sonar.updatecenter.common.PluginUpdate.Status;
 import org.sonar.updatecenter.common.Release;
 import org.sonar.updatecenter.common.UpdateCenter;
 import org.sonar.updatecenter.common.Version;
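Review bot: The `checkGlobalPermission` call added at the top of `handle()` carries no comment saying that it must stay the first statement, ahead of `request.mandatoryParam(PARAM_KEY)` and `findPluginUpdateByKey(key)`. With the check first, a caller without the permission is rejected before the key is read or looked up and before `pluginDownloader.download` can run; a later refactoring that moves it down would weaken that silently. I would add `// Authorize first: no parameter parsing, lookup or download may happen for a non-admin caller` above the call. The other plugin web-service actions are not part of this diff; if any of them also installs or removes plugins, it presumably needs the same check. The body of `handle()` continues past the end of the hunk.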
@@ -64,6 +68,19 @@ public class UpdatePluginsWsActionTest {
 @Before
 public void setUp() throws Exception {
 when(updateCenterFactory.getUpdateCenter(anyBoolean())).thenReturn(updateCenter);
+
+ MockUserSession.set().setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
+ }
+
+ @Test
+ public void user_must_have_system_admin_permission() throws Exception {
+ expectedException.expect(ForbiddenException.class);
+ expectedException.expectMessage("Insufficient privileges");
+
+ // no permission on user
+ MockUserSession.set().setGlobalPermissions();
+
+ underTest.handle(validRequest, response);
 }
 @Test
@@ -109,7 +126,7 @@ public class UpdatePluginsWsActionTest {
 public void if_plugin_has_an_update_download_is_triggered_with_latest_version_from_updatecenter() throws Exception {
 Version version = Version.create("1.0");
 when(updateCenter.findPluginUpdates()).thenReturn(ImmutableList.of(
- PluginUpdate.createWithStatus(new Release(new Plugin(PLUGIN_KEY), version), PluginUpdate.Status.COMPATIBLE)
+ PluginUpdate.createWithStatus(new Release(new Plugin(PLUGIN_KEY), version), Status.COMPATIBLE)
 ));
 underTest.handle(validRequest, response);
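Review bot: `user_must_have_system_admin_permission` only expects a `ForbiddenException`, so as far as this hunk shows it would still pass if the permission check in `handle()` were moved below the download call. Because the `ExpectedException` rule ends the test at the throwing call, proving that nothing was downloaded needs the exception caught in the test body, e.g. `try { underTest.handle(validRequest, response); fail(); } catch (ForbiddenException e) { verifyZeroInteractions(pluginDownloader); }`; the mock's field name is not visible here, `pluginDownloader` is assumed from the production class. `setUp()` now grants SYSTEM_ADMIN through the static `MockUserSession.set()` and no reset is visible in the hunk, so confirm the session is cleared after each test and cannot leak into other test classes. The test class continues outside the hunk.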