From 1cbe9227baf6241fd77d818d658dd6d17fa2ae7d Mon Sep 17 00:00:00 2001
From: Eric Hartmann <hartmann.eric@gmail.com>
Date: Thu, 22 Feb 2018 11:36:20 +0100
Subject: [PATCH] SONAR-10323 Fix WS not checking SCAN global permission

---
 .../java/org/sonar/server/projectbranch/ws/ListAction.java   | 4 +++-
 .../main/java/org/sonar/server/setting/ws/ValuesAction.java  | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
index 53a3199b341..cc1023cbfc7 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
@@ -39,6 +39,7 @@ import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.SnapshotDto;
 import org.sonar.db.measure.MeasureDto;
 import org.sonar.db.metric.MetricDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.issue.index.BranchStatistics;
 import org.sonar.server.issue.index.IssueIndex;
@@ -164,7 +165,8 @@ public class ListAction implements BranchWsAction {
 
   private void checkPermission(ComponentDto component) {
     if (!userSession.hasComponentPermission(UserRole.USER, component) &&
-      !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+      !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+      !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
       throw insufficientPrivilegesException();
     }
   }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
index 2225743c0a4..863ddd27410 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
@@ -38,6 +38,7 @@ import org.sonar.api.server.ws.WebService;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.component.ComponentDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.user.UserSession;
 import org.sonarqube.ws.Settings;
@@ -152,7 +153,9 @@ public class ValuesAction implements SettingsWsAction {
       return Optional.empty();
     }
     ComponentDto component = componentFinder.getByKeyAndOptionalBranch(dbSession, componentKey, valuesRequest.getBranch());
-    if (!userSession.hasComponentPermission(USER, component) && !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+    if (!userSession.hasComponentPermission(USER, component) &&
+      !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+      !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
       throw insufficientPrivilegesException();
     }
     return Optional.of(component);
-- 
2.39.5