From 43ba0f5b85c0c885bdf0b73111c4a41501353c9d Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Tue, 29 Sep 2015 20:39:56 +0200
Subject: [PATCH] SONAR-6833 requires project admin permission when componentId is set

---
 .../server/computation/ws/ActivityWsAction.java | 9 +++++++--
 .../org/sonar/server/computation/ws/CeWsModule.java | 2 +-
 .../ws/{CeQueueWsAction.java => QueueWsAction.java} | 13 +++++++++----
 .../server/computation/ws/ActivityWsActionTest.java | 2 +-
 .../server/computation/ws/QueueWsActionTest.java | 12 ++++++++++--
 5 files changed, 28 insertions(+), 10 deletions(-)
 rename server/sonar-server/src/main/java/org/sonar/server/computation/ws/{CeQueueWsAction.java => QueueWsAction.java} (82%)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/computation/ws/ActivityWsAction.java b/server/sonar-server/src/main/java/org/sonar/server/computation/ws/ActivityWsAction.java
index dc0b9985784..fa161d85c6f 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/computation/ws/ActivityWsAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/computation/ws/ActivityWsAction.java
@@ -29,12 +29,14 @@ import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.utils.DateUtils;
 import org.sonar.api.web.UserRole;
+import org.sonar.core.permission.GlobalPermissions;
 import org.sonar.core.util.Uuids;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.ce.CeActivityDto;
 import org.sonar.db.ce.CeActivityQuery;
 import org.sonar.db.ce.CeTaskTypes;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.user.UserSession;
 import org.sonar.server.ws.WsUtils;
 import org.sonarqube.ws.Common;
@@ -125,8 +127,11 @@ public class ActivityWsAction implements CeWsAction {
 if (componentUuid == null) {
 userSession.checkGlobalPermission(UserRole.ADMIN);
 } else {
-userSession.checkProjectUuidPermission(UserRole.USER, componentUuid);
-query.setComponentUuid(componentUuid);
+if (userSession.hasGlobalPermission(GlobalPermissions.SYSTEM_ADMIN) || userSession.hasComponentUuidPermission(UserRole.ADMIN, componentUuid)) {
+query.setComponentUuid(componentUuid);
+} else {
+throw new ForbiddenException("Requires administration permission");
+}
 }
 return query;
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeWsModule.java b/server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeWsModule.java
index 7c604823128..adc9e28533f 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeWsModule.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeWsModule.java
@@ -28,7 +28,7 @@ public class CeWsModule extends Module {
 ActivityWsAction.class,
 CancelWsAction.class,
 CancelAllWsAction.class,
-CeQueueWsAction.class,
+QueueWsAction.class,
 CeWs.class,
 IsQueueEmptyWs.class,
 LogsWsAction.class,
diff --git a/server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeQueueWsAction.java b/server/sonar-server/src/main/java/org/sonar/server/computation/ws/QueueWsAction.java
similarity index 82%
rename from server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeQueueWsAction.java
rename to server/sonar-server/src/main/java/org/sonar/server/computation/ws/QueueWsAction.java
index 1a0cc711022..efb96a839ba 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/computation/ws/CeQueueWsAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/computation/ws/QueueWsAction.java
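Review bot: The authorization check added here, `if (userSession.hasGlobalPermission(GlobalPermissions.SYSTEM_ADMIN) || userSession.hasComponentUuidPermission(UserRole.ADMIN, componentUuid))` followed by `throw new ForbiddenException("Requires administration permission");`, is repeated verbatim in this commit's QueueWsAction hunk (`@@ -69,8 +71,11 @@`), so the two endpoints will drift apart the next time the rule changes; a single shared check-or-throw helper called from both actions would keep them in lockstep. Within this method the admin permission is now spelled two ways, `UserRole.ADMIN` on the unchanged `checkGlobalPermission` line and `GlobalPermissions.SYSTEM_ADMIN` on the new line; if these are the same permission, as they appear to be, using one constant for both makes that obvious. Because the endpoint now refuses callers who could read the project's history before (browse permission used to be enough), the parameter description in the action's `define` method, outside this hunk, should state that filtering by componentId requires administration permission on the component, so the stricter requirement is visible in the WS documentation too. The enclosing method starts before this hunk.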
@@ -24,14 +24,16 @@ import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.web.UserRole;
+import org.sonar.core.permission.GlobalPermissions;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.ce.CeQueueDto;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.user.UserSession;
 import org.sonar.server.ws.WsUtils;
 import org.sonarqube.ws.WsCe;
 
-public class CeQueueWsAction implements CeWsAction {
+public class QueueWsAction implements CeWsAction {
 
 public static final String PARAM_COMPONENT_UUID = "componentId";
 
@@ -39,7 +41,7 @@ public class CeQueueWsAction implements CeWsAction {
 private final DbClient dbClient;
 private final TaskFormatter formatter;
 
-public CeQueueWsAction(UserSession userSession, DbClient dbClient, TaskFormatter formatter) {
+public QueueWsAction(UserSession userSession, DbClient dbClient, TaskFormatter formatter) {
 this.userSession = userSession;
 this.dbClient = dbClient;
 this.formatter = formatter;
@@ -69,8 +71,11 @@ public class CeQueueWsAction implements CeWsAction {
 dtos = dbClient.ceQueueDao().selectAllInAscOrder(dbSession);
 } else {
 // filter by component
-userSession.checkProjectUuidPermission(UserRole.USER, componentUuid);
-dtos = dbClient.ceQueueDao().selectByComponentUuid(dbSession, componentUuid);
+if (userSession.hasGlobalPermission(GlobalPermissions.SYSTEM_ADMIN) || userSession.hasComponentUuidPermission(UserRole.ADMIN, componentUuid)) {
+dtos = dbClient.ceQueueDao().selectByComponentUuid(dbSession, componentUuid);
+} else {
+throw new ForbiddenException("Requires administration permission");
+}
 }
 
 WsCe.QueueResponse.Builder wsResponseBuilder = WsCe.QueueResponse.newBuilder();
diff --git a/server/sonar-server/src/test/java/org/sonar/server/computation/ws/ActivityWsActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/computation/ws/ActivityWsActionTest.java
index 4b63f72bdeb..2c5d42acb6b 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/computation/ws/ActivityWsActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/computation/ws/ActivityWsActionTest.java
@@ -158,7 +158,7 @@ public class ActivityWsActionTest {
 
 @Test
 public void get_project_activity() {
-userSession.addProjectUuidPermissions(UserRole.USER, "PROJECT_1");
+userSession.addProjectUuidPermissions(UserRole.ADMIN, "PROJECT_1");
 insert("T1", "PROJECT_1", CeActivityDto.Status.SUCCESS);
 insert("T2", "PROJECT_2", CeActivityDto.Status.FAILED);
 
diff --git a/server/sonar-server/src/test/java/org/sonar/server/computation/ws/QueueWsActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/computation/ws/QueueWsActionTest.java
index 7ae3f6c8256..888d9d9937e 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/computation/ws/QueueWsActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/computation/ws/QueueWsActionTest.java
@@ -32,6 +32,7 @@ import org.sonar.db.ce.CeQueueDto;
 import org.sonar.db.ce.CeTaskTypes;
 import org.sonar.server.computation.log.CeLogging;
 import org.sonar.server.computation.log.LogFileRef;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.plugins.MimeTypes;
 import org.sonar.server.tester.UserSessionRule;
 import org.sonar.server.ws.TestResponse;
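Review bot: ActivityWsActionTest only has its positive case upgraded to `UserRole.ADMIN`; nothing in this commit asserts that a caller holding only `UserRole.USER` on `PROJECT_1` now gets a `ForbiddenException` from ActivityWsAction when componentId is set, which is exactly the behaviour SONAR-6833 introduces. Reusing the removed line `userSession.addProjectUuidPermissions(UserRole.USER, "PROJECT_1");` in a second test that passes `componentId` and is annotated `@Test(expected = ForbiddenException.class)` would pin the new rule and catch a regression to the previous browse-level check. The test method get_project_activity continues past this hunk.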
@@ -53,7 +54,7 @@ public class QueueWsActionTest {
 
 CeLogging ceLogging = mock(CeLogging.class);
 TaskFormatter formatter = new TaskFormatter(dbTester.getDbClient(), ceLogging);
-CeQueueWsAction underTest = new CeQueueWsAction(userSession, dbTester.getDbClient(), formatter);
+QueueWsAction underTest = new QueueWsAction(userSession, dbTester.getDbClient(), formatter);
 WsActionTester tester = new WsActionTester(underTest);
 
 @Before
@@ -84,7 +85,7 @@ public class QueueWsActionTest {
 
 @Test
 public void get_queue_of_project() {
-userSession.addProjectUuidPermissions(UserRole.USER, "PROJECT_1");
+userSession.addComponentUuidPermission(UserRole.ADMIN, "PROJECT_1", "PROJECT_1");
 insert("T1", "PROJECT_1", CeQueueDto.Status.PENDING);
 insert("T2", "PROJECT_2", CeQueueDto.Status.PENDING);
 insert("T3", "PROJECT_2", CeQueueDto.Status.IN_PROGRESS);
@@ -100,6 +101,13 @@ public class QueueWsActionTest {
 assertThat(queueResponse.getTasks(0).getId()).isEqualTo("T1");
 }
 
+@Test(expected = ForbiddenException.class)
+public void requires_admin_permission() {
+tester.newRequest()
+.setMediaType(MimeTypes.PROTOBUF)
+.execute();
+}
+
 private CeQueueDto insert(String taskUuid, String componentUuid, CeQueueDto.Status status) {
 CeQueueDto queueDto = new CeQueueDto();
 queueDto.setTaskType(CeTaskTypes.REPORT);
-- 
2.39.5
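Review bot: The new `requires_admin_permission` test sends no `componentId`, so it exercises the pre-existing `checkGlobalPermission(UserRole.ADMIN)` branch rather than the component-scoped check this commit adds; the case the commit title describes — componentId set, caller holding only browse permission on that project — is still untested in QueueWsActionTest. A second test that grants `UserRole.USER` on `PROJECT_1`, passes `PARAM_COMPONENT_UUID`, and expects `ForbiddenException` would cover it (sketch below; the method name is mine). The other half of the new condition, a global system admin with no project permission still being able to list that project's queue, is also worth a positive test so a later tightening of the check cannot silently drop it.
```java
@Test(expected = ForbiddenException.class)
public void fail_when_only_browse_permission_on_component() {
  userSession.addProjectUuidPermissions(UserRole.USER, "PROJECT_1");
  tester.newRequest()
    .setParam(QueueWsAction.PARAM_COMPONENT_UUID, "PROJECT_1")
    .setMediaType(MimeTypes.PROTOBUF)
    .execute();
}
```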