From 7fc0669b944f8d07538352bab71e6cd00e6c7bc3 Mon Sep 17 00:00:00 2001 From: Teryk Bellahsene Date: Tue, 15 Nov 2016 12:02:50 +0100 Subject: [PATCH] SONAR-8345 WS api/user_groups/search requires System Administer permission --- .../server/usergroups/ws/SearchAction.java | 9 ++++++--- .../usergroups/ws/SearchActionTest.java | 20 ++++++++++--------- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/server/sonar-server/src/main/java/org/sonar/server/usergroups/ws/SearchAction.java b/server/sonar-server/src/main/java/org/sonar/server/usergroups/ws/SearchAction.java index 1bc40570c2f..27e9a01832f 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/usergroups/ws/SearchAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/usergroups/ws/SearchAction.java @@ -39,6 +39,7 @@ import org.sonar.server.es.SearchOptions; import org.sonar.server.user.UserSession; import static org.apache.commons.lang.StringUtils.defaultIfBlank; +import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN; import static org.sonar.server.es.SearchOptions.MAX_LIMIT; import static org.sonar.server.usergroups.ws.GroupWsSupport.PARAM_ORGANIZATION_KEY; @@ -64,7 +65,10 @@ public class SearchAction implements UserGroupsWsAction { public void define(NewController context) { WebService.NewAction action = context.createAction("search") .setDescription("Search for user groups.
" + - "Requires to be logged in.") + "Requires the following permission:" + + "") .setHandler(this) .setResponseExample(getClass().getResource("example-search.json")) .setSince("5.2") @@ -81,8 +85,6 @@ public class SearchAction implements UserGroupsWsAction { @Override public void handle(Request request, Response response) throws Exception { - userSession.checkLoggedIn(); - int page = request.mandatoryParamAsInt(Param.PAGE); int pageSize = request.mandatoryParamAsInt(Param.PAGE_SIZE); SearchOptions options = new SearchOptions() @@ -93,6 +95,7 @@ public class SearchAction implements UserGroupsWsAction { try (DbSession dbSession = dbClient.openSession(false)) { OrganizationDto organization = groupWsSupport.findOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION_KEY)); + userSession.checkLoggedIn().checkOrganizationPermission(organization.getUuid(), SYSTEM_ADMIN); int limit = dbClient.groupDao().countByQuery(dbSession, organization.getUuid(), query); List groups = dbClient.groupDao().selectByQuery(dbSession, organization.getUuid(), query, options.getOffset(), pageSize); diff --git a/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/SearchActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/SearchActionTest.java index 24eefd399a8..e50e676aee7 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/SearchActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/SearchActionTest.java @@ -36,6 +36,7 @@ import org.sonar.server.ws.WsTester; import static org.apache.commons.lang.StringUtils.capitalize; import static org.assertj.core.api.Assertions.assertThat; +import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN; import static org.sonar.db.user.GroupTesting.newGroupDto; public class SearchActionTest { 
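Review bot: In `handle` (hunks `@@ -81,8 +85,6 @@` and `@@ -93,6 +95,7 @@`) the only access check now runs after `request.mandatoryParamAsInt(...)`, `dbClient.openSession(false)` and `groupWsSupport.findOrganizationByKey(...)`, so an anonymous caller reaches the database and the organization lookup before being rejected. If that lookup answers differently for an unknown key than for a known one (likely, but its body is not in this diff), an unauthenticated request can learn which organization keys exist. Keeping `userSession.checkLoggedIn();` as the first statement of `handle` and leaving only `userSession.checkOrganizationPermission(organization.getUuid(), SYSTEM_ADMIN);` after the lookup would close that gap without changing the new permission requirement. The body of `handle` continues outside both hunks.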
@@ -58,7 +59,7 @@ public class SearchActionTest { @Test public void search_empty() throws Exception { - loginAsSimpleUser(); + loginAsDefaultOrgAdmin(); newRequest().execute().assertJson(getClass(), "empty.json"); } @@ -70,7 +71,7 @@ public class SearchActionTest { insertGroup(db.getDefaultOrganization(), "customer2", 0); insertGroup(db.getDefaultOrganization(), "customer3", 0); - loginAsSimpleUser(); + loginAsDefaultOrgAdmin(); newRequest().execute().assertJson(getClass(), "five_groups.json"); } @@ -82,7 +83,7 @@ public class SearchActionTest { insertGroup(db.getDefaultOrganization(), "customer2", 4); insertGroup(db.getDefaultOrganization(), "customer3", 0); - loginAsSimpleUser(); + loginAsDefaultOrgAdmin(); newRequest().execute().assertJson(getClass(), "with_members.json"); } @@ -94,7 +95,7 @@ public class SearchActionTest { insertGroup(db.getDefaultOrganization(), "customer%_%/2", 0); insertGroup(db.getDefaultOrganization(), "customer%_%/3", 0); - loginAsSimpleUser(); + loginAsDefaultOrgAdmin(); newRequest().setParam(Param.TEXT_QUERY, "tomer%_%/").execute().assertJson(getClass(), "customers.json"); } @@ -106,7 +107,7 @@ public class SearchActionTest { insertGroup(db.getDefaultOrganization(), "customer2", 0); insertGroup(db.getDefaultOrganization(), "customer3", 0); - loginAsSimpleUser(); + loginAsDefaultOrgAdmin(); newRequest() .setParam(Param.PAGE_SIZE, "3").execute().assertJson(getClass(), "page_1.json"); newRequest() @@ -119,7 +120,7 @@ public class SearchActionTest { public void search_with_fields() throws Exception { insertGroup(db.getDefaultOrganization(), "sonar-users", 0); - loginAsSimpleUser(); + loginAsDefaultOrgAdmin(); assertThat(newRequest().execute().outputAsString()) .contains("id") .contains("name") 
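Review bot: No test in these hunks pins the new restriction: each one only swaps `loginAsSimpleUser()` for `loginAsDefaultOrgAdmin()`, so only the allowed path is exercised. A case that calls `userSession.login("user")` without any organization permission and asserts that `newRequest().execute()` is refused would keep the check from being dropped unnoticed, and the same applies to an anonymous request. The file may already carry such cases outside the hunks shown here.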
@@ -157,8 +158,9 @@ public class SearchActionTest { GroupDto group = db.users().insertGroup(org, "users"); // the group in default org is not returned db.users().insertGroup(db.getDefaultOrganization(), "users"); + loginAsDefaultOrgAdmin(); + userSession.addOrganizationPermission(org.getUuid(), SYSTEM_ADMIN); - loginAsSimpleUser(); newRequest() .setParam("organization", org.getKey()) .execute() @@ -188,8 +190,8 @@ public class SearchActionTest { } } - private void loginAsSimpleUser() { - userSession.login("user"); + private void loginAsDefaultOrgAdmin() { + userSession.login("user").addOrganizationPermission(db.getDefaultOrganization().getUuid(), SYSTEM_ADMIN); } private GroupWsSupport newGroupWsSupport() { -- 2.39.5
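Review bot: In the organization-scoped test (`@@ -157,8 +158,9 @@`) the user holds `SYSTEM_ADMIN` on both the default organization and `org`, so the test would still pass if the handler checked the permission against the wrong organization. Replacing the two added lines with `userSession.login("user").addOrganizationPermission(org.getUuid(), SYSTEM_ADMIN);` would show that the check is bound to the requested organization. A companion case in which the user administers only the default organization and requests `org` should be refused. The test method starts outside the hunk.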