From 8653f27ae8b0af739bc92b6b5b21357cfbd942eb Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Lievremont
Date: Wed, 15 Apr 2015 09:34:04 +0200
Subject: [PATCH] SONAR-6307 Add permission check on change_parent action
---
 .../qualityprofile/ws/QProfileChangeParentAction.java | 4 ++++
 .../ws/QProfileChangeParentActionMediumTest.java | 10 ++++++++++
 2 files changed, 14 insertions(+)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentAction.java
index 2401854a00a..59f28d38c88 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentAction.java
@@ -25,10 +25,12 @@ import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService.NewAction;
 import org.sonar.api.server.ws.WebService.NewController;
+import org.sonar.core.permission.GlobalPermissions;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.server.db.DbClient;
 import org.sonar.server.qualityprofile.QProfileFactory;
 import org.sonar.server.qualityprofile.RuleActivator;
+import org.sonar.server.user.UserSession;
 import static org.apache.commons.lang.StringUtils.isEmpty;
@@ -75,6 +77,8 @@ public class QProfileChangeParentAction implements BaseQProfileWsAction {
 @Override
 public void handle(Request request, Response response) throws Exception {
+ UserSession.get().checkLoggedIn().checkGlobalPermission(GlobalPermissions.QUALITY_PROFILE_ADMIN);
+
 DbSession session = dbClient.openSession(false);
 try {
 String profileKey = QProfileIdentificationParamUtils.getProfileKeyFromParameters(request, profileFactory, session);
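Review bot: The new check in `handle` guards only this web-service entry point, so if the parent change performed further down (the method body continues outside the hunk) can be reached through any other caller, that path remains unauthorized; it is worth confirming that the underlying service enforces `QUALITY_PROFILE_ADMIN` as well, or documenting that every caller must. Placing the check before `dbClient.openSession(false)` is correct, since a rejected request then never opens a session that would need closing. I would add a why-comment above the call, such as `// Authorize first: changing a profile's parent requires global quality-profile administration`, and state the required permission in the action's description, which is defined outside this hunk.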
diff --git a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentActionMediumTest.java b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentActionMediumTest.java
index 6db542c2ffe..433a343967b 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentActionMediumTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/QProfileChangeParentActionMediumTest.java
@@ -32,6 +32,7 @@ import org.sonar.core.qualityprofile.db.ActiveRuleDto;
 import org.sonar.core.qualityprofile.db.QualityProfileDto;
 import org.sonar.core.rule.RuleDto;
 import org.sonar.server.db.DbClient;
+import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.qualityprofile.QProfileName;
 import org.sonar.server.qualityprofile.QProfileTesting;
 import org.sonar.server.qualityprofile.RuleActivator;
@@ -254,6 +255,15 @@ public class QProfileChangeParentActionMediumTest {
 .execute();
 }
+ @Test(expected = ForbiddenException.class)
+ public void fail_if_missing_permission() throws Exception {
+ MockUserSession.set().setLogin("anakin");
+ wsTester.newGetRequest(QProfilesWs.API_ENDPOINT, "change_parent")
+ .setParam(QProfileIdentificationParamUtils.PARAM_PROFILE_KEY, "polop")
+ .setParam("parentKey", "pulup")
+ .execute();
+ }
+
 private QualityProfileDto createProfile(String lang, String name) {
 QualityProfileDto profile = QProfileTesting.newDto(new QProfileName(lang, name), "p" + lang + "-" + name.toLowerCase());
 db.qualityProfileDao().insert(session, profile);
-- 2.39.5
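Review bot: `fail_if_missing_permission` covers only an authenticated user who lacks the permission; the anonymous path through `checkLoggedIn()` is not exercised, so a regression that dropped that call would still pass this test. A second case with no login set, expecting whatever exception `checkLoggedIn()` raises (presumably an unauthorized error rather than `ForbiddenException`), would pin both halves of the guard. The request uses profile keys (`polop`, `pulup`) that this test method never creates, so it also shows the check runs before any profile lookup. A short comment such as `// keys need not exist: the permission check must reject before any lookup` would stop that intent from being "fixed" later.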