From 6cb71a1d42e1c8388278219e38010efedad850d6 Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Wed, 18 Dec 2013 10:24:49 +0100
Subject: [PATCH] SONAR-4535 Access to profiles from a project should be reserved to profile admin or admin
---
 .../WEB-INF/app/controllers/profiles_controller.rb | 7 +------
 .../WEB-INF/app/controllers/project_controller.rb | 8 ++++----
 .../src/main/webapp/WEB-INF/app/models/api/utils.rb | 10 ++++++++++
 .../webapp/WEB-INF/app/views/project/profile.html.erb | 2 +-
 4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/profiles_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/profiles_controller.rb
index 84208d29d49..84386facf7f 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/profiles_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/profiles_controller.rb
@@ -284,12 +284,7 @@ class ProfilesController < ApplicationController
 verify_post_request
 require_parameters 'id', 'project'
- # Used for Selenium test as it send a project key instead of a project id
- begin
- project_id = Integer(params[:project])
- rescue
- project_id = Project.first(:conditions => {:kee => params[:project].to_s}).id
- end
+ project_id = Api::Utils.project_id(params[:project])
 profile_id = params[:id].to_i
 call_backend do
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb
index 41d5f709cf4..f811ba69214 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb
@@ -78,11 +78,11 @@ class ProjectController < ApplicationController
 # GET /project/profile?id=
 def profile
 require_parameters :id
- project_id = params[:id]
- @project = get_current_project(project_id)
- @snapshot = @project.last_snapshot
+ @project_id = Api::Utils.project_id(params[:id])
+ access_denied unless (is_admin?(@project_id) || has_role?(:profileadmin))
+
 call_backend do
- @project_quality_profiles = Internal.quality_profiles.profiles(@project.id.to_i).to_a
+ @project_quality_profiles = Internal.quality_profiles.profiles(@project_id.to_i).to_a
 @all_quality_profiles = Internal.quality_profiles.allProfiles().to_a
 end
 end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/api/utils.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/api/utils.rb
index 61d82157769..2515fb19c79 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/models/api/utils.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/models/api/utils.rb
@@ -227,4 +227,14 @@ class Api::Utils
 url
 end
 end
+
+ # Return the project id from an id or a key
+ # Mostly used for Selenium test as it send a project key instead of a project id
+ def self.project_id(project_id_or_key)
+ begin
+ project_id = Integer(project_id_or_key)
+ rescue
+ project_id = Project.first(:conditions => {:kee => project_id_or_key.to_s}).id
+ end
+ end
 end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/project/profile.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/project/profile.html.erb
index 22c3316efa4..ce0a01c912a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/project/profile.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/project/profile.html.erb
@@ -17,7 +17,7 @@
 <%= h language.getName() -%>
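Review bot: The authorization check `access_denied unless (is_admin?(@project_id) || has_role?(:profileadmin))` is reached only after `Api::Utils.project_id(params[:id])` has resolved the key, and that helper (added in utils.rb on this same patch) calls `.id` on the result of `Project.first`, so a request with an unknown project key raises NoMethodError before the guard and fails with a server error rather than the denial this change intends. If the helper is made to return nil for an unknown key, guard on it here as well: `access_denied unless @project_id && (is_admin?(@project_id) || has_role?(:profileadmin))`. Two style points: the outer parentheses around the `unless` condition are unnecessary, and `@project_id.to_i` in the `profiles(...)` call is redundant once the helper always yields an Integer. Since `@project` and `@snapshot` are no longer assigned, confirm the view does not still read them; the profile.html.erb hunk on this page is truncated, so I cannot verify that here.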
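Review bot: `Project.first(...).id` in the new `self.project_id` raises NoMethodError when no project has the given key, so both callers on this patch (profiles_controller.rb and project_controller.rb) get an unhandled exception instead of a value they can turn into an access-denied or not-found response. The bare `rescue` also catches far more than the ArgumentError/TypeError that `Integer()` raises, the `project_id =` locals are never read (the method returns its last expression), and the `begin`/`end` wrapper is unnecessary inside a method body. I would narrow the rescue, drop the dead assignments and return nil for an unknown key, with the comment stating that contract (the existing comment also reads "it send" for "it sends"):
```ruby
  # Returns the project id for a numeric id or a project key (nil when no project
  # matches the key). Mostly used by Selenium tests, which send a key instead of an id.
  def self.project_id(project_id_or_key)
    Integer(project_id_or_key)
  rescue ArgumentError, TypeError
    project = Project.first(:conditions => {:kee => project_id_or_key.to_s})
    project && project.id
  end
```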
- +