From 5a173d506f93986ff8b35956252babe53e3cf343 Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Thu, 2 Feb 2017 15:55:36 +0100
Subject: [PATCH] SONAR-8716 fix check of permissions in api/updatecenter/upload
---
 .../server/updatecenter/ws/UploadAction.java | 3 +-
 .../updatecenter/ws/UploadActionTest.java | 33 +++++++++----------
 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/updatecenter/ws/UploadAction.java b/server/sonar-server/src/main/java/org/sonar/server/updatecenter/ws/UploadAction.java
index da4cce1c24a..a924fdce00b 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/updatecenter/ws/UploadAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/updatecenter/ws/UploadAction.java
@@ -26,7 +26,6 @@ import java.nio.file.Files;
 import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
-import org.sonar.core.permission.GlobalPermissions;
 import org.sonar.server.platform.ServerFileSystem;
 import org.sonar.server.user.UserSession;
@@ -63,7 +62,7 @@ public class UploadAction implements UpdateCenterWsAction {
 @Override
 public void handle(Request request, Response response) throws Exception {
- userSession.checkPermission(GlobalPermissions.SYSTEM_ADMIN);
+ userSession.checkIsRoot();
 Part part = request.mandatoryParamAsPart(PARAM_FILE);
 String fileName = part.getFileName();
diff --git a/server/sonar-server/src/test/java/org/sonar/server/updatecenter/ws/UploadActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/updatecenter/ws/UploadActionTest.java
index bc3087da595..356bfc8789e 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/updatecenter/ws/UploadActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/updatecenter/ws/UploadActionTest.java
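Review bot: In UploadAction.java (`@@ -63,7 +62,7`), the new `userSession.checkIsRoot()` call in `handle` has no comment saying why root is required instead of the system-administration permission, and the commit leaves the rest of the class untouched, so any permission wording in the action's web-service description (not visible in this hunk) may now be stale and should be checked. Since an uploaded jar is presumably loaded by the server as a plugin, this check is the gate in front of installing server-side code; a one-line comment such as `// Uploading a plugin installs code on the server: restrict to root, not just system administrators` above the call would record that. `handle` continues past the end of the hunk, so it is not visible how the client-supplied `fileName` becomes a destination path; confirm it is reduced to a base name before being resolved against the target directory.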
@@ -38,13 +38,11 @@ import static java.nio.file.Files.newInputStream;
 import static org.assertj.core.api.Java6Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
-import static org.sonar.core.permission.GlobalPermissions.PROVISIONING;
-import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN;
 import static org.sonar.test.ExceptionCauseMatcher.hasType;
 public class UploadActionTest {
- static final String PLUGIN_NAME = "plugin.jar";
+ private static final String PLUGIN_NAME = "plugin.jar";
 @Rule
 public TemporaryFolder folder = new TemporaryFolder();
@@ -55,11 +53,10 @@ public class UploadActionTest {
 @Rule
 public UserSessionRule userSession = UserSessionRule.standalone();
- ServerFileSystem fileSystem = mock(ServerFileSystem.class);
- File pluginDirectory;
-
- File plugin = new File(getClass().getResource("UploadActionTest/plugin.jar").getFile());
- WsActionTester wsTester;
+ private ServerFileSystem fileSystem = mock(ServerFileSystem.class);
+ private File pluginDirectory;
+ private File plugin = new File(getClass().getResource("UploadActionTest/plugin.jar").getFile());
+ private WsActionTester wsTester;
 @Before
 public void setUp() throws Exception {
@@ -70,7 +67,7 @@ public class UploadActionTest {
 @Test
 public void upload_plugin() throws Exception {
- setSystemAdminUser();
+ logInAsRoot();
 TestResponse response = call(newInputStream(plugin.toPath()), PLUGIN_NAME);
@@ -80,7 +77,7 @@ public class UploadActionTest {
 @Test
 public void erase_existing_plugin_if_already_exists() throws Exception {
- setSystemAdminUser();
+ logInAsRoot();
 File plugin1 = new File(getClass().getResource("UploadActionTest/plugin.jar").getFile());
 call(newInputStream(plugin1.toPath()), PLUGIN_NAME);
@@ -95,7 +92,7 @@ public class UploadActionTest {
 @Test
 public void fail_when_plugin_extension_is_not_jar() throws Exception {
- setSystemAdminUser();
+ logInAsRoot();
 expectedException.expect(IllegalArgumentException.class);
 expectedException.expectMessage("Only jar file is allowed");
@@ -104,7 +101,7 @@ public class UploadActionTest {
 @Test
 public void fail_when_no_files_param() throws Exception {
- setSystemAdminUser();
+ logInAsRoot();
 expectedException.expect(IllegalArgumentException.class);
 expectedException.expectMessage("The 'file' parameter is missing");
@@ -113,7 +110,7 @@ public class UploadActionTest {
 @Test
 public void input_stream_should_be_closed() throws Exception {
- setSystemAdminUser();
+ logInAsRoot();
 InputStream inputStream = newInputStream(plugin.toPath());
 call(inputStream, PLUGIN_NAME);
@@ -124,10 +121,12 @@ public class UploadActionTest {
 }
 @Test
- public void fail_if_not_system_admin() throws Exception {
- userSession.logIn().setGlobalPermissions(PROVISIONING);
+ public void throw_ForbiddenException_if_not_root() throws Exception {
+ userSession.logIn();
 expectedException.expect(ForbiddenException.class);
+ expectedException.expectMessage("Insufficient privileges");
+
 call(newInputStream(plugin.toPath()), PLUGIN_NAME);
 }
@@ -137,8 +136,8 @@ public class UploadActionTest {
 .execute();
 }
- private void setSystemAdminUser() {
- userSession.logIn().setGlobalPermissions(SYSTEM_ADMIN);
+ private void logInAsRoot() {
+ userSession.logIn().setRoot();
 }
 private void assertPluginIsUploaded(String pluginName) {
-- 
2.39.5
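Review bot: In the `@@ -124,10 +121,12` hunk, `throw_ForbiddenException_if_not_root` logs in a user with no permissions at all, so nothing tests the case this commit changes: a user who holds the system-administration permission but is not root. I would add a second test that sets up `userSession.logIn().setGlobalPermissions(SYSTEM_ADMIN)` without `setRoot()` and expects the same `ForbiddenException`; this needs the static import of `SYSTEM_ADMIN` that the first hunk of this file removes. A caller who is not logged in at all is not covered either.

```java
@Test
public void throw_ForbiddenException_if_system_admin_but_not_root() throws Exception {
  // holds the permission the previous check accepted, but is not root
  userSession.logIn().setGlobalPermissions(SYSTEM_ADMIN);

  expectedException.expect(ForbiddenException.class);
  expectedException.expectMessage("Insufficient privileges");

  call(newInputStream(plugin.toPath()), PLUGIN_NAME);
}
```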