From cc1be45db85751a50b98c1d36002582a7b886b5b Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Lievremont
Date: Wed, 7 May 2014 11:53:56 +0200
Subject: [PATCH] SONAR-1884 Check project permissions when viewing projects associated to a quality profile

---
 .../qualityprofile/QProfileProjectLookup.java | 29 +++++++++++++++----
 .../QProfileProjectLookupTest.java | 21 ++++++++++++--
 2 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java b/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java
index dab7aa21172..e286088d260 100644
--- a/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java
+++ b/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java
@@ -22,25 +22,31 @@ package org.sonar.server.qualityprofile;
 import com.google.common.collect.Lists;
 import org.apache.ibatis.session.SqlSession;
+import org.elasticsearch.common.collect.Maps;
 import org.sonar.api.ServerComponent;
 import org.sonar.api.component.Component;
-import org.sonar.core.component.ComponentDto;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.persistence.MyBatis;
 import org.sonar.core.qualityprofile.db.QualityProfileDao;
 import org.sonar.core.qualityprofile.db.QualityProfileDto;
+import org.sonar.core.user.AuthorizationDao;
+import org.sonar.server.user.UserSession;
 import javax.annotation.CheckForNull;
 import java.util.List;
+import java.util.Map;
 public class QProfileProjectLookup implements ServerComponent {
 private final MyBatis myBatis;
 private final QualityProfileDao qualityProfileDao;
+ private final AuthorizationDao authorizationDao;
- public QProfileProjectLookup(MyBatis myBatis, QualityProfileDao qualityProfileDao) {
+ public QProfileProjectLookup(MyBatis myBatis, QualityProfileDao qualityProfileDao, AuthorizationDao authorizationDao) {
 this.myBatis = myBatis;
 this.qualityProfileDao = qualityProfileDao;
+ this.authorizationDao = authorizationDao;
 }
 public List projects(int profileId) {
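Review bot: The new `Maps` import on the main side is `org.elasticsearch.common.collect.Maps`, the copy of Guava shaded into the Elasticsearch jar, while the same import block already uses `com.google.common.collect.Lists`; a server component should not depend on another library's repackaged internals, which can move or vanish on an Elasticsearch upgrade. Replace it with `import com.google.common.collect.Maps;` (or drop it and use `new HashMap<String, Component>()` from `java.util`). The test file's hunk has the same problem with `org.elasticsearch.common.collect.Sets`, where the Guava `Sets` would do. `List` and `Map` appear without type arguments in this rendering of the patch; if that is the actual source rather than an extraction artifact, `List<Component>` and `Map<String, Component>` should be spelled out.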
@@ -48,9 +54,22 @@ public class QProfileProjectLookup implements ServerComponent {
 try {
 QualityProfileDto qualityProfile = qualityProfileDao.selectById(profileId, session);
 QProfileValidations.checkProfileIsNotNull(qualityProfile);
- List componentDtos = qualityProfileDao.selectProjects(
- qualityProfile.getName(), QProfileOperations.PROFILE_PROPERTY_PREFIX + qualityProfile.getLanguage(), session);
- return Lists.newArrayList(componentDtos);
+ Map componentsByKeys = Maps.newHashMap();
+ for (Component component: qualityProfileDao.selectProjects(
+ qualityProfile.getName(), QProfileOperations.PROFILE_PROPERTY_PREFIX + qualityProfile.getLanguage(), session
+ )) {
+ componentsByKeys.put(component.key(), component);
+ }
+
+ UserSession userSession = UserSession.get();
+ List result = Lists.newArrayList();
+ for (String key: authorizationDao.keepAuthorizedComponentKeys(
+ componentsByKeys.keySet(), userSession.userId(), UserRole.USER
+ )) {
+ result.add(componentsByKeys.get(key));
+ }
+
+ return result;
 } finally {
 MyBatis.closeQuietly(session);
 }
diff --git a/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java b/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java
index e2c85adfb17..f618d00c389 100644
--- a/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java
+++ b/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java
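Review bot: The result list is now built by iterating the set returned by `keepAuthorizedComponentKeys`, so the ordering the DAO produced in `selectProjects` is replaced by hash-set iteration order and callers see a different, non-deterministic project order than before the patch. Filtering the DAO list in place against the authorized keys keeps the order, removes the intermediate map, and performs the same single permission check; the rewrite below does that (the stub in the test returns a `HashSet`, so a `Set<String>` return type is assumed here and `java.util.Set` would join the imports). `userSession.userId()` is also passed through unchanged; whether `keepAuthorizedComponentKeys` treats a null id for an anonymous session as "no permissions" or as the Anyone group is not visible in this hunk and deserves its own test, since a wrong default there would list projects to unauthenticated users. `projects` starts before this hunk, where the session is opened.
```java
      QProfileValidations.checkProfileIsNotNull(qualityProfile);
      List<Component> components = qualityProfileDao.selectProjects(
        qualityProfile.getName(), QProfileOperations.PROFILE_PROPERTY_PREFIX + qualityProfile.getLanguage(), session);
      // One DAO round-trip for the permission check on all candidate keys.
      Set<String> keys = Sets.newHashSet();
      for (Component component : components) {
        keys.add(component.key());
      }
      Set<String> authorizedKeys = authorizationDao.keepAuthorizedComponentKeys(keys, UserSession.get().userId(), UserRole.USER);
      // Filter the original list so the DAO ordering is preserved.
      List<Component> result = Lists.newArrayList();
      for (Component component : components) {
        if (authorizedKeys.contains(component.key())) {
          result.add(component);
        }
      }
      return result;
      // … unchanged: finally / closeQuietly …
```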
@@ -20,22 +20,28 @@ package org.sonar.server.qualityprofile;
+import org.elasticsearch.common.collect.Sets;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.component.ComponentDto;
 import org.sonar.core.persistence.DbSession;
 import org.sonar.core.persistence.MyBatis;
 import org.sonar.core.properties.PropertiesDao;
 import org.sonar.core.qualityprofile.db.QualityProfileDao;
 import org.sonar.core.qualityprofile.db.QualityProfileDto;
+import org.sonar.core.user.AuthorizationDao;
 import org.sonar.server.exceptions.NotFoundException;
+import org.sonar.server.user.MockUserSession;
 import static com.google.common.collect.Lists.newArrayList;
 import static org.fest.assertions.Assertions.assertThat;
 import static org.fest.assertions.Fail.fail;
+import static org.mockito.Matchers.anySet;
+import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -54,19 +60,30 @@ public class QProfileProjectLookupTest {
 @Mock
 PropertiesDao propertiesDao;
+ @Mock
+ AuthorizationDao authorizationDao;
+
 QProfileProjectLookup lookup;
 @Before
 public void setUp() throws Exception {
 when(myBatis.openSession(false)).thenReturn(session);
- lookup = new QProfileProjectLookup(myBatis, qualityProfileDao);
+ lookup = new QProfileProjectLookup(myBatis, qualityProfileDao, authorizationDao);
 }
 @Test
 public void search_projects() throws Exception {
+ int userId = 42;
+ MockUserSession.set().setUserId(userId);
 QualityProfileDto qualityProfile = new QualityProfileDto().setId(1).setName("My profile").setLanguage("java");
 when(qualityProfileDao.selectById(1, session)).thenReturn(qualityProfile);
- when(qualityProfileDao.selectProjects("My profile", "sonar.profile.java", session)).thenReturn(newArrayList(new ComponentDto().setId(1L).setKey("org.codehaus.sonar:sonar").setName("SonarQube")));
+ String key1 = "org.codehaus.sonar:sonar1";
+ String key2 = "org.codehaus.sonar:sonar2";
+ when(qualityProfileDao.selectProjects("My profile", "sonar.profile.java", session)).thenReturn(newArrayList(
+ new ComponentDto().setId(1L).setKey(key1).setName("SonarQube One"),
+ new ComponentDto().setId(1L).setKey(key2).setName("SonarQube Two")));
+
+ when(authorizationDao.keepAuthorizedComponentKeys(anySet(), eq(userId), eq(UserRole.USER))).thenReturn(Sets.newHashSet(key1));
 assertThat(lookup.projects(1)).hasSize(1);
 }
-- 
2.39.5
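Review bot: `search_projects` stubs the permission check with `anySet()` and then asserts only `hasSize(1)`, so it still passes if the lookup hands an empty or wrong key set to `keepAuthorizedComponentKeys`, or if the wrong project survives the filter; the authorization call is exactly the contract this test exists to pin. Add `verify(authorizationDao).keepAuthorizedComponentKeys(eq(Sets.newHashSet(key1, key2)), eq(userId), eq(UserRole.USER));` (`verify` is already imported) and assert that the remaining element carries `key1`, e.g. `assertThat(lookup.projects(1).get(0).key()).isEqualTo(key1);` adjusted to the list's element type; a second case where the DAO returns an empty set and `projects(1)` is empty would cover the deny path. Both fixtures use `setId(1L)`; giving the second `2L` avoids a misleading duplicate id. `MockUserSession.set()` is never cleared here — if it is backed by a thread-local, as the name suggests, an `@After` that resets it keeps the user id from leaking into other tests in the same JVM. `QProfileProjectLookupTest` continues past the end of this hunk.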