From 9d33d9fa1a229413e5c131bcb0bfcae72a8fc87b Mon Sep 17 00:00:00 2001
From: Eric Hartmann
Date: Thu, 22 Feb 2018 11:36:20 +0100
Subject: [PATCH] SONAR-10323 Fix WS not checking SCAN global permission
---
 .../main/java/org/sonar/server/branch/ws/ListAction.java | 4 +++-
 .../java/org/sonar/server/setting/ws/ValuesAction.java | 7 +++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/branch/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/branch/ws/ListAction.java
index ca822de18f8..4583eb92be9 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/branch/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/branch/ws/ListAction.java
@@ -39,6 +39,7 @@ import org.sonar.db.component.BranchType;
 import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.SnapshotDto;
 import org.sonar.db.measure.LiveMeasureDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.issue.index.BranchStatistics;
 import org.sonar.server.issue.index.IssueIndex;
@@ -163,7 +164,8 @@ public class ListAction implements BranchWsAction {
 private void checkPermission(ComponentDto component) {
 if (!userSession.hasComponentPermission(UserRole.USER, component) &&
- !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+ !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+ !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
 throw insufficientPrivilegesException();
 }
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
index 273e8a8a568..4a947af76ae 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
@@ -39,6 +39,7 @@ import org.sonar.api.server.ws.WebService;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.component.ComponentDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.user.UserSession;
 import org.sonarqube.ws.Settings;
@@ -154,8 +155,10 @@ public class ValuesAction implements SettingsWsAction {
 return Optional.empty();
 }
 ComponentDto component = componentFinder.getByKeyAndOptionalBranch(dbSession, componentKey, valuesRequest.getBranch());
- if (!userSession.hasComponentPermission(USER, component) && !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
- throw insufficientPrivilegesException();
+ if (!userSession.hasComponentPermission(USER, component) &&
+ !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+ !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
+ throw insufficientPrivilegesException();
 }
 return Optional.of(component);
 }
-- 
2.39.5
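Review bot: The condition added in the second ValuesAction.java hunk is a line-for-line copy of the one in `ListAction.checkPermission`, so the rule "browse, project-level scan, or organization-level SCAN" now lives in two places, and the commit subject suggests these endpoints had already fallen out of step with that rule once. Moving the predicate behind one helper that both actions call, so each site reads `checkPermission(component);`, would keep them from drifting again. The diffstat lists only the two main sources; a test per endpoint for a caller holding only `OrganizationPermission.SCAN` on the component's organization (allowed) and for a caller holding none of the three permissions (rejected with the insufficient-privileges exception) would pin the fix. The method enclosing this hunk starts outside it, so whether protected setting values are filtered for scan-only callers cannot be confirmed from here and is worth checking now that organization-wide scanners can reach this endpoint.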