From 843fce55ff4d7c2a8eebdc478ce8fa9cb02a6cea Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Wed, 27 Sep 2017 14:14:05 +0200
Subject: [PATCH] SONAR-1330 Check edit permission via group

---
 .../qualityprofile/ws/AddGroupAction.java | 2 +-
 .../qualityprofile/ws/AddUserAction.java | 2 +-
 .../qualityprofile/ws/QProfileWsSupport.java | 7 ++++---
 .../qualityprofile/ws/RemoveGroupAction.java | 2 +-
 .../qualityprofile/ws/RemoveUserAction.java | 2 +-
 .../qualityprofile/ws/SearchGroupsAction.java | 2 +-
 .../qualityprofile/ws/SearchUsersAction.java | 2 +-
 .../qualityprofile/ws/AddGroupActionTest.java | 21 ++++++++++++++++++-
 8 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
index 7e092cb5231..8e9a37d367b 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
@@ -90,7 +90,7 @@ public class AddGroupAction implements QProfileWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
 QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
 GroupDto user = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));
 addGroup(dbSession, profile, user);
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
index eb29e55d783..a58cd4c4f19 100644
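Review bot: The `GroupDto` returned by `getGroup` is bound to a variable named `user` (`GroupDto user = wsSupport.getGroup(...)`), which reads as a copy-paste remnant from AddUserAction and contradicts the RemoveGroupAction hunk in this same patch, which names the identical value `group`; rename it to `GroupDto group = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));` and `addGroup(dbSession, profile, group);`. Separately, `checkCanEdit` now receives the organization resolved from the request's `PARAM_ORGANIZATION` rather than the profile's own organization, so the authorization decision relies on `getProfile` scoping its lookup to that organization; the call shape suggests it does, but that cannot be confirmed from this hunk. The enclosing handler method starts and ends outside the hunk.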
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
@@ -90,7 +90,7 @@ public class AddUserAction implements QProfileWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
 QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
 UserDto user = wsSupport.getUser(dbSession, organization, request.mandatoryParam(PARAM_LOGIN));
 addUser(dbSession, profile, user);
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
index 38c11723d09..6fb6e0702d8 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
@@ -124,18 +124,19 @@ public class QProfileWsSupport {
 userSession.checkPermission(OrganizationPermission.ADMINISTER_QUALITY_PROFILES, organization);
 }

- public void checkCanEdit(DbSession dbSession, QProfileDto profile) {
+ public void checkCanEdit(DbSession dbSession, OrganizationDto organization, QProfileDto profile) {
 checkNotBuiltInt(profile);
- OrganizationDto organization = getOrganization(dbSession, profile);
 userSession.checkLoggedIn();
 if (userSession.hasPermission(OrganizationPermission.ADMINISTER_QUALITY_PROFILES, organization)) {
 return;
 }

 UserDto user = dbClient.userDao().selectByLogin(dbSession, userSession.getLogin());
 checkState(user != null, "User from session does not exist");
- if (dbClient.qProfileEditUsersDao().exists(dbSession, profile, user)) {
+ if (dbClient.qProfileEditUsersDao().exists(dbSession, profile, user)
+ || dbClient.qProfileEditGroupsDao().selectQProfileUuidsByOrganizationAndGroups(dbSession, organization, userSession.getGroups()).contains(profile.getKee())) {
 return;
 }
+
 throw insufficientPrivilegesException();
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
index 9c94c4f3289..83fb547bbf8 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
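Review bot: Dropping `OrganizationDto organization = getOrganization(dbSession, profile);` removes the only line in `checkCanEdit` that tied the permission decision to the organization the profile actually belongs to; `organization` is now a caller-supplied argument, and `hasPermission(ADMINISTER_QUALITY_PROFILES, organization)` will grant edit on `profile` to anyone administering whichever organization the caller passed, so a future caller that resolves the two from different inputs silently becomes a cross-organization authorization bypass. A guard that the profile's organization matches the given `organization` (a one-line `checkArgument` against the profile's organization identifier, if `QProfileDto` exposes it) would make the method safe by construction; failing that, the new contract needs stating in Javadoc, e.g. `/** Fails with insufficient privileges unless the current user administers quality profiles in {@code organization}, or is granted edit rights on {@code profile} directly or through one of the session's groups. {@code organization} MUST be the organization owning {@code profile}; callers resolve both from the same request. */`. On the group branch, the new condition fetches every profile UUID editable by the user's groups and then calls `contains`, whereas the user branch is an `exists` lookup; if the groups DAO offers an existence query over a group collection, it would be cheaper and clearer, but no such method is visible here. Whether `selectQProfileUuidsByOrganizationAndGroups` tolerates an empty `userSession.getGroups()` also cannot be checked from this hunk and is worth confirming.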
@@ -86,7 +86,7 @@ public class RemoveGroupAction implements QProfileWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
 QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
 GroupDto group = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));
 removeGroup(dbSession, profile, group);
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
index e299c3fd7b0..d2b8c6cc89e 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
@@ -86,7 +86,7 @@ public class RemoveUserAction implements QProfileWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
 QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
 UserDto user = wsSupport.getUser(dbSession, organization, request.mandatoryParam(PARAM_LOGIN));
 removeUser(dbSession, profile, user);
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
index dffbefe4e3e..b0cc85b5a6c 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
@@ -110,7 +110,7 @@ public class SearchGroupsAction implements QProfileWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, wsRequest.getOrganization());
 QProfileDto profile = wsSupport.getProfile(dbSession, organization, wsRequest.getQualityProfile(), wsRequest.getLanguage());
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);

 SearchGroupsQuery query = builder()
 .setOrganization(organization)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
index 44945638c0f..1dcc2514481 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
@@ -114,7 +114,7 @@ public class SearchUsersAction implements QProfileWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, wsRequest.getOrganization());
 QProfileDto profile = wsSupport.getProfile(dbSession, organization, wsRequest.getQualityProfile(), wsRequest.getLanguage());
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);

 SearchUsersQuery query = builder()
 .setOrganization(organization)
diff --git a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java
index 8b3d1051c0d..e7e738802b0 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java
@@ -129,7 +129,7 @@ public class AddGroupActionTest {
 }

 @Test
- public void qp_editors_can_add_group() {
+ public void can_add_group_with_user_edit_permission() {
 OrganizationDto organization = db.organizations().insert();
 QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
 GroupDto group = db.users().insertGroup(organization);
@@ -147,6 +147,25 @@ public class AddGroupActionTest {
 assertThat(db.getDbClient().qProfileEditGroupsDao().exists(db.getSession(), profile, group)).isTrue();
 }

+ @Test
+ public void can_add_group_with_group_edit_permission() {
+ OrganizationDto organization = db.organizations().insert();
+ QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
+ GroupDto group = db.users().insertGroup(organization);
+ UserDto userAllowedToEditProfile = db.users().insertUser();
+ db.qualityProfiles().addGroupPermission(profile, group);
+ userSession.logIn(userAllowedToEditProfile).setGroups(group);
+
+ ws.newRequest()
+ .setParam(PARAM_QUALITY_PROFILE, profile.getName())
+ .setParam(PARAM_LANGUAGE, XOO)
+ .setParam(PARAM_GROUP, group.getName())
+ .setParam(PARAM_ORGANIZATION, organization.getKey())
+ .execute();
+
+ assertThat(db.getDbClient().qProfileEditGroupsDao().exists(db.getSession(), profile, group)).isTrue();
+ }
+
 @Test
 public void uses_default_organization_when_no_organization() {
 OrganizationDto organization = db.getDefaultOrganization();
-- 
2.39.5
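Review bot: In `can_add_group_with_group_edit_permission` the group granted edit rights by `db.qualityProfiles().addGroupPermission(profile, group)` is the same `group` the request then adds, so if that helper writes the same qProfileEditGroups row the final `exists(db.getSession(), profile, group)` assertion is already true before `execute()` runs and only the absence of an exception is actually being tested. Use a distinct group for the authorization side so the assertion observes the request's effect: `GroupDto editorGroup = db.users().insertGroup(organization);`, `db.qualityProfiles().addGroupPermission(profile, editorGroup);` and `userSession.logIn(userAllowedToEditProfile).setGroups(editorGroup);`, keeping `group` as the one added. The patch also adds no negative case for the new branch; a sibling test where the logged-in user's groups carry no edit permission on the profile should assert that the request is rejected with the insufficient-privileges error, since that is the path that guards against unauthorized edits. The hunk's last method, `uses_default_organization_when_no_organization`, continues outside the hunk.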