From 36d465d7caf7b048c7706a6a27295133e5608c42 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Lievremont
Date: Wed, 3 Dec 2014 16:43:54 +0100
Subject: [PATCH] SONAR-5819 Add check for codeviewer permission on /api/sources/raw
---
 .../java/org/sonar/server/source/ws/RawAction.java | 3 +++
 .../java/org/sonar/server/source/ws/RawActionTest.java | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/source/ws/RawAction.java b/server/sonar-server/src/main/java/org/sonar/server/source/ws/RawAction.java
index b6fbb24a965..b2d6802ed8e 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/source/ws/RawAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/source/ws/RawAction.java
@@ -27,10 +27,12 @@ import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.RequestHandler;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.db.DbClient;
 import org.sonar.server.source.SourceService;
+import org.sonar.server.user.UserSession;
 import java.io.IOException;
 import java.util.List;
@@ -62,6 +64,7 @@ public class RawAction implements RequestHandler {
 @Override
 public void handle(Request request, Response response) {
 String fileKey = request.mandatoryParam("key");
+ UserSession.get().checkComponentPermission(UserRole.CODEVIEWER, fileKey);
 DbSession session = dbClient.openSession(false);
 try {
 ComponentDto componentDto = dbClient.componentDao().getByKey(session, fileKey);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/source/ws/RawActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/source/ws/RawActionTest.java
index 9eb4d918baa..a306752ce50 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/source/ws/RawActionTest.java
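Review bot: The new `UserSession.get().checkComponentPermission(UserRole.CODEVIEWER, fileKey)` line in `handle` carries no comment, yet its position is the security-relevant decision: it runs on the raw request key before `dbClient.openSession(false)` and before the component lookup, so a caller without the role opens no session and reads nothing. I would state that with `// Authorize on the request key before any DB access: nothing is opened or read for a caller without CODEVIEWER on the component.` The accompanying test that expects ForbiddenException for key `any` suggests the check also fails closed for unknown keys, which is worth confirming and noting, since it keeps the endpoint from revealing which keys exist. Separately, `UserSession.get()` is a static accessor; if RawAction's other collaborators such as `dbClient` are constructor-injected, injecting the session the same way would keep the handler's tests free of global MockUserSession state. The body of `handle` continues past the end of the hunk.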
+++ b/server/sonar-server/src/test/java/org/sonar/server/source/ws/RawActionTest.java
@@ -25,12 +25,15 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.component.ComponentTesting;
 import org.sonar.server.component.db.ComponentDao;
 import org.sonar.server.db.DbClient;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.source.SourceService;
+import org.sonar.server.user.MockUserSession;
 import org.sonar.server.ws.WsTester;
 import static com.google.common.collect.Lists.newArrayList;
@@ -69,6 +72,7 @@ public class RawActionTest {
 @Test
 public void get_txt() throws Exception {
 String fileKey = "src/Foo.java";
+ MockUserSession.set().addComponentPermission(UserRole.CODEVIEWER, "polop", fileKey);
 when(componentDao.getByKey(session, fileKey)).thenReturn(file);
 when(sourceService.getLinesAsTxt(file.uuid(), null, null)).thenReturn(newArrayList(
@@ -80,4 +84,10 @@ public class RawActionTest {
 String result = request.execute().outputAsString();
 assertThat(result).isEqualTo("public class HelloWorld {\n}\n");
 }
+
+ @Test(expected = ForbiddenException.class)
+ public void requires_code_viewer_permission() throws Exception {
+ MockUserSession.set();
+ tester.newGetRequest("api/sources", "raw").setParam("key", "any").execute();
+ }
 }
-- 
2.39.5
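Review bot: `requires_code_viewer_permission` only shows that an empty `MockUserSession.set()` is rejected; it does not show that the check demands CODEVIEWER specifically rather than any permission on the component, which is the property SONAR-5819 is about. A tighter negative case keeps a session but grants a different role on the same file, e.g. `MockUserSession.set().addComponentPermission(UserRole.USER, "polop", "src/Foo.java");` followed by `tester.newGetRequest("api/sources", "raw").setParam("key", "src/Foo.java").execute();`, still under `@Test(expected = ForbiddenException.class)`. Keeping the existing empty-session case alongside it covers both anonymous and under-privileged callers. The `get_txt` hunk earlier in this file has the same gap in the other direction: it proves the grant works but not that it is the CODEVIEWER grant that matters, so the two tests together are what pin the role.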