From 95cde188b5fe83d2beada2970ad0b0f1452945e9 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Lievremont
Date: Mon, 12 May 2014 11:11:00 +0200
Subject: [PATCH] SONAR-1884 Fix filter on project permissions for user/group
---
.../sonar/core/user/AuthorizationMapper.xml | 10 ++++---
.../sonar/core/user/AuthorizationDaoTest.java | 26 +++++++++++++++++++
.../group_should_be_authorized.xml | 6 +++++
.../user_should_have_global_permission.xml | 12 +++++++++
4 files changed, 50 insertions(+), 4 deletions(-)
create mode 100644 sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/user_should_have_global_permission.xml
diff --git a/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml b/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
index 79c15536960..f14637152b8 100644
--- a/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
+++ b/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
@@ -8,15 +8,17 @@ FROM group_roles gr, projects p WHERE gr.role=#{role} - and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId})) - and (gr.resource_id = p.root_id or gr.resource_id = p.id) and - p.kee=#{element} + and (gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId})) + and + (gr.resource_id is null or gr.resource_id = p.root_id or gr.resource_id = p.id) and + p.kee=#{element} UNION SELECT p.kee FROM user_roles ur, projects p WHERE ur.role=#{role} - and ur.user_id=#{userId} and + and ur.user_id=#{userId} + and (ur.resource_id is null or ur.resource_id = p.root_id or ur.resource_id = p.id) and p.kee=#{element}
diff --git a/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java b/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
index a20f0b08ff8..9b8b6e8a8e6 100644
--- a/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
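Review bot: In the AuthorizationMapper.xml hunk, the group branch drops `gr.group_id is null or` and both branches gain `resource_id is null or`, yet the mapper documents neither meaning of NULL. If a NULL `group_id` row encodes a grant to every user (an "anyone" group, which the schema visible here does not confirm), this filter stops honouring those grants, and no test in this patch covers that case. The new `resource_id is null` disjunct lets a row with no resource satisfy the role check for every project key, so any role name used at both global and project scope is now granted on all projects by its global row. I would add a comment above the query, for example `<!-- resource_id NULL = global grant, matches every project; rows with group_id NULL are deliberately not matched here -->`, and one negative test per NULL case so the intended scope of this access filter is pinned.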
+++ b/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
@@ -53,6 +53,25 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase { assertThat(componentIds).isEmpty(); } + @Test + public void user_should_have_global_authorization() { + // is not in an authorized group + setupData("user_should_have_global_permission"); + + AuthorizationDao authorization = new AuthorizationDao(getMyBatis()); + Set componentIds = authorization.keepAuthorizedComponentKeys( + Sets.newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT), + USER, "project_admin"); + + assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT); + + // user does not have the role "profile_admin" + componentIds = authorization.keepAuthorizedComponentKeys( + Sets.newHashSet(PROJECT, PACKAGE, FILE), + USER, "profile_admin"); + assertThat(componentIds).isEmpty(); + } + @Test public void group_should_be_authorized() { // user is in an authorized group
@@ -65,6 +84,13 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase { assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT); + // user is in group that doesn't have user right + componentIds = authorization.keepAuthorizedComponentKeys( + Sets.newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT), + 200, "user"); + + assertThat(componentIds).containsOnly(EMPTY_PROJECT); + // group does not have the role "admin" componentIds = authorization.keepAuthorizedComponentKeys( Sets.newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/group_should_be_authorized.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/group_should_be_authorized.xml
index 3631f49e9ee..d0b191eaf28 100644
--- a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/group_should_be_authorized.xml
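Review bot: In `user_should_have_global_authorization` the expected set omits `FILE_IN_OTHER_PROJECT`, although the `resource_id is null` predicate added by this commit would accept any key present in `projects` once the role matches. The exclusion therefore presumably depends on what the fixture contains rather than on the permission check, and the test does not show whether a global grant is meant to span projects. The opening comment `// is not in an authorized group` does not describe the scenario either; something like `// user holds a global (resource_id NULL) role and belongs to no authorized group` would, assuming that is what the fixture sets up. A short comment on the first assertion stating why the other project's file is filtered out would make the intended scope of a global grant reviewable.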
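Review bot: The call added in the second hunk passes the bare literal `200` as the user id, while the other calls on this page use the `USER` constant. A named constant declared next to `USER`, e.g. `USER_IN_OTHER_GROUP`, would tie the value to its fixture row. The comment says the group "doesn't have user right" yet the assertion still expects `EMPTY_PROJECT`, so the reason that one key passes the filter deserves a line such as `// EMPTY_PROJECT is the only project this user's group is granted "user" on` (assumed, since the fixture rows are not readable on this page). `group_should_be_authorized` starts and ends outside the hunk.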
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/group_should_be_authorized.xml
@@ -2,10 +2,16 @@ + + + + + +
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/user_should_have_global_permission.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/user_should_have_global_permission.xml
new file mode 100644
index 00000000000..2c2b97bc038
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/user_should_have_global_permission.xml
@@ -0,0 +1,12 @@ + + + + + + + + + + + +
--
2.39.5