From b63b8f6cc0b75e4b504ba6a098fc1b059e7069f1 Mon Sep 17 00:00:00 2001
From: Lukasz Jarocki
Date: Fri, 26 May 2023 15:56:26 +0200
Subject: [PATCH] SONAR-18856 permissions system now correctly validates subportfolios
---
 .../main/java/org/sonar/db/entity/EntityDto.java | 2 +-
 .../org/sonar/server/user/AbstractUserSession.java | 2 +-
 .../org/sonar/server/setting/ws/SetActionIT.java | 14 ++++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/entity/EntityDto.java b/server/sonar-db-dao/src/main/java/org/sonar/db/entity/EntityDto.java
index 03e0b564dc3..ab4db5a449a 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/entity/EntityDto.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/entity/EntityDto.java
@@ -36,7 +36,7 @@ public class EntityDto {
 protected String authUuid;
 public String getAuthUuid() {
- if (qualifier.equals("SVW")) {
+ if ("SVW".equals(qualifier)) {
 return authUuid;
 }
 return uuid;
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java
index 44ee9a5e252..62276076f39 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java
@@ -103,7 +103,7 @@ public abstract class AbstractUserSession implements UserSession {
 @Override
 public final boolean hasEntityPermission(String permission, EntityDto entity) {
- return hasProjectUuidPermission(permission, entity.getUuid());
+ return hasProjectUuidPermission(permission, entity.getAuthUuid());
 }
 @Override
diff --git a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
index 8003484b19c..24510b7afc2 100644
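Review bot: `getAuthUuid()` is now the value authorization is decided on, yet for an `SVW` entity it returns `authUuid` unchecked, so an entity whose `authUuid` was never populated hands `null` to the permission check. How `hasProjectUuidPermission` treats a null uuid is not visible here. If a missing value is never legitimate for a subportfolio, making that explicit keeps the check fail-closed, e.g. `return Objects.requireNonNull(authUuid, "authUuid is not set for subportfolio " + uuid);` (needs a `java.util.Objects` import). A Javadoc on the method saying that permission checks must use this accessor rather than `getUuid()` would also help. The class body continues outside the hunk.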
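Review bot: The switch to `entity.getAuthUuid()` covers only this overload. Any other check in this class that takes an `EntityDto` or a raw entity uuid (none are visible in the hunk) would still be evaluated against `getUuid()` and stay inconsistent for subportfolios. It is worth auditing the sibling methods, and adding a one-line comment here so the call is not later simplified back: `// Authorize on getAuthUuid(): for subportfolios (qualifier SVW) it differs from getUuid().` The class continues outside the hunk.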
--- a/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
+++ b/server/sonar-webserver-webapi/src/it/java/org/sonar/server/setting/ws/SetActionIT.java
@@ -153,6 +153,20 @@ public class SetActionIT {
 assertThat(settingsChangeNotifier.wasCalled).isFalse();
 }
+ @Test
+ public void persist_new_subportfolio_setting() {
+ propertyDb.insertProperty(newGlobalPropertyDto("my.key", "my global value"), null, null, null, null);
+ ComponentDto portfolio = db.components().insertPrivatePortfolio();
+ ComponentDto subportfolio = db.components().insertSubportfolio(portfolio);
+ logInAsProjectAdministrator(portfolio);
+
+ callForProjectSettingByKey("my.key", "my project value", subportfolio.getKey());
+
+ assertGlobalSetting("my.key", "my global value");
+ assertComponentSetting("my.key", "my project value", subportfolio.uuid());
+ assertThat(settingsChangeNotifier.wasCalled).isFalse();
+ }
+
 @Test
 public void persist_project_property_with_project_admin_permission() {
 ComponentDto project = db.components().insertPrivateProject().getMainBranchComponent();
--
2.39.5
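Review bot: `persist_new_subportfolio_setting` pins only the allow path, where an administrator of the parent portfolio may write a subportfolio setting. For a change to how permissions are resolved, the deny path is what guards against a regression: a user who administers a different portfolio must still be rejected on this subportfolio. A companion test along the lines below would cover that. It assumes the action reports the refusal as `ForbiddenException`, which should be confirmed against the other negative tests in this class.

```java
// … unchanged: persist_new_subportfolio_setting …

@Test
public void fail_to_set_subportfolio_setting_when_admin_of_another_portfolio() {
  ComponentDto portfolio = db.components().insertPrivatePortfolio();
  ComponentDto subportfolio = db.components().insertSubportfolio(portfolio);
  ComponentDto otherPortfolio = db.components().insertPrivatePortfolio();
  logInAsProjectAdministrator(otherPortfolio);

  assertThatThrownBy(() -> callForProjectSettingByKey("my.key", "my project value", subportfolio.getKey()))
    .isInstanceOf(ForbiddenException.class);
}
```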