From 39db83f50fc00ad01b2ed898bf6a8b39b51f4c9c Mon Sep 17 00:00:00 2001
From: Benoit <43733395+benoit-sns@users.noreply.github.com>
Date: Mon, 29 Oct 2018 10:43:07 +0000
Subject: [PATCH] SONAR-11220 Nb tokens is returned only for logged user or System Administrators (#885)
---
 .../sonar/server/user/ws/SearchAction.java | 4 ++-
 .../server/user/ws/SearchActionTest.java | 36 +++++++++++++++----
 2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java b/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java
index bfb1d3ad9e0..d4af058fba3 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java
@@ -92,6 +92,7 @@ public class SearchAction implements UsersWsAction {
 WebService.NewAction action = controller.createAction("search")
 .setDescription("Get a list of active users.
" +
 "Administer System permission is required to show the 'groups' field.
" +
+ "Field 'tokensCount' is only accessible to System Administrator and logged in user.
" +
 "When accessed anonymously, only logins and names are returned.")
 .setSince("3.6")
 .setChangelog(
@@ -152,7 +153,7 @@ public class SearchAction implements UsersWsAction {
 setIfNeeded(FIELD_ACTIVE, fields, user.isActive(), userBuilder::setActive);
 setIfNeeded(FIELD_LOCAL, fields, user.isLocal(), userBuilder::setLocal);
 setIfNeeded(FIELD_EXTERNAL_PROVIDER, fields, user.getExternalIdentityProvider(), userBuilder::setExternalProvider);
- setIfNeeded(FIELD_TOKENS_COUNT, fields, tokensCount, userBuilder::setTokensCount);
+ setIfNeeded(isNeeded(FIELD_TOKENS_COUNT, fields) && user.getLogin().equals(userSession.getLogin()), tokensCount, userBuilder::setTokensCount);
 setIfNeeded(isNeeded(FIELD_SCM_ACCOUNTS, fields) && !user.getScmAccountsAsList().isEmpty(), user.getScmAccountsAsList(), scm -> userBuilder.setScmAccounts(ScmAccounts.newBuilder().addAllScmAccounts(scm)));
 }
@@ -161,6 +162,7 @@ public class SearchAction implements UsersWsAction {
 setIfNeeded(isNeeded(FIELD_GROUPS, fields) && !groups.isEmpty(), groups, g -> userBuilder.setGroups(Groups.newBuilder().addAllGroups(g)));
 setIfNeeded(FIELD_EXTERNAL_IDENTITY, fields, user.getExternalLogin(), userBuilder::setExternalIdentity);
+ setIfNeeded(FIELD_TOKENS_COUNT, fields, tokensCount, userBuilder::setTokensCount);
 }
 return userBuilder.build();
 }
diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java
index 6def2160c4c..3d4db8c9073 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java
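Review bot: The added description sentence, "only accessible to System Administrator and logged in user", can be read as any authenticated user seeing every account's token count, while the next hunk returns it only when `user.getLogin().equals(userSession.getLogin())`. This text is the published contract for a field that reveals how many tokens an account holds, so I would word it as `"Field 'tokensCount' is only returned to System Administrators, and to a logged-in user for their own account."`. The `.setChangelog(` call continues outside the hunk, so I cannot tell whether the narrower visibility is recorded there; it probably should be, since clients that read the field for other users will now find it missing.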
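Review bot: The access rule for `tokensCount` is now split across two `setIfNeeded` calls and hidden in a boolean argument: the self-check in this hunk and the unconditional call added in the next hunk (@@ -161,6 +162,7), whose protection depends on an enclosing `if` that starts outside both hunks. A later edit that moves either line out of its block would silently widen who can see token counts. I would name the predicate, e.g. `boolean isOwnEntry = user.getLogin().equals(userSession.getLogin());`, and put a comment on both calls such as `// tokensCount: own entry only here; system administrators get it in the block below`. As written, an administrator's own entry appears to pass through both calls, which is harmless but redundant.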
@@ -133,19 +133,43 @@ public class SearchActionTest {
 }
 @Test
- public void return_tokens_count() {
+ public void return_tokens_count_for_logged_user() {
 UserDto user = db.users().insertUser();
 db.users().insertToken(user);
 db.users().insertToken(user);
 userIndexer.indexOnStartup(null);
+ userSession.logIn();
+ assertThat(ws.newRequest()
+ .executeProtobuf(SearchWsResponse.class).getUsersList())
+ .extracting(User::getLogin, User::hasTokensCount)
+ .containsExactlyInAnyOrder(tuple(user.getLogin(), false));
- SearchWsResponse response = ws.newRequest()
- .executeProtobuf(SearchWsResponse.class);
+ userSession.logIn(user);
+ assertThat(ws.newRequest()
+ .executeProtobuf(SearchWsResponse.class).getUsersList())
+ .extracting(User::getLogin, User::getTokensCount)
+ .containsExactlyInAnyOrder(tuple(user.getLogin(), 2));
+ }
- assertThat(response.getUsersList())
- .extracting(User::getLogin, User::getTokensCount)
- .containsExactlyInAnyOrder(tuple(user.getLogin(), 2));
+ @Test
+ public void return_tokens_count_when_system_administer() {
+ UserDto user = db.users().insertUser();
+ db.users().insertToken(user);
+ db.users().insertToken(user);
+ userIndexer.indexOnStartup(null);
+
+ userSession.logIn().setSystemAdministrator();
+ assertThat(ws.newRequest()
+ .executeProtobuf(SearchWsResponse.class).getUsersList())
+ .extracting(User::getLogin, User::getTokensCount)
+ .containsExactlyInAnyOrder(tuple(user.getLogin(), 2));
+
+ userSession.logIn();
+ assertThat(ws.newRequest()
+ .executeProtobuf(SearchWsResponse.class).getUsersList())
+ .extracting(User::getLogin, User::hasTokensCount)
+ .containsExactlyInAnyOrder(tuple(user.getLogin(), false));
 }
 @Test
--
2.39.5
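Review bot: Neither new test exercises a response that mixes the caller's own entry with someone else's, so a regression that returned `tokensCount` for every row once the caller matched one login would still pass. Both tests insert a single user and only switch sessions between requests. I would add a second user with a token to `return_tokens_count_for_logged_user` and assert on `User::hasTokensCount` per row, as below. An anonymous request is not covered in this hunk either, though it may be tested elsewhere in the file.

```java
// … unchanged: insert `user` with two tokens …
UserDto other = db.users().insertUser();
db.users().insertToken(other);
userIndexer.indexOnStartup(null);

userSession.logIn(user);
assertThat(ws.newRequest()
  .executeProtobuf(SearchWsResponse.class).getUsersList())
  .extracting(User::getLogin, User::hasTokensCount)
  .containsExactlyInAnyOrder(tuple(user.getLogin(), true), tuple(other.getLogin(), false));
```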