From d8edefbdfc628e02203bd7e8c7e7966a0f8080be Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Wed, 27 Apr 2016 16:46:26 +0200
Subject: [PATCH] Fix query to keep authorized users for a project and a role

The query were returning every users that have the permission from a group, without taking into account given users
---
.../resources/org/sonar/db/user/AuthorizationMapper.xml | 4 +---
.../test/java/org/sonar/db/user/AuthorizationDaoTest.java | 7 +++++++
2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/sonar-db/src/main/resources/org/sonar/db/user/AuthorizationMapper.xml b/sonar-db/src/main/resources/org/sonar/db/user/AuthorizationMapper.xml
index 8ddb1e09b2c..12bef99c2fd 100644
--- a/sonar-db/src/main/resources/org/sonar/db/user/AuthorizationMapper.xml
+++ b/sonar-db/src/main/resources/org/sonar/db/user/AuthorizationMapper.xml
@@ -214,12 +214,10 @@ WHERE gr.resource_id=#{componentId} AND gr.role=#{role} - AND (gr.group_id IS NULL OR gr.group_id IN ( - select gu.group_id from groups_users gu where gu.user_id in + AND gu.user_id in #{id} - )) UNION SELECT ur.user_id FROM user_roles ur
diff --git a/sonar-db/src/test/java/org/sonar/db/user/AuthorizationDaoTest.java b/sonar-db/src/test/java/org/sonar/db/user/AuthorizationDaoTest.java
index ed1a5747d14..53c43c9be32 100644
--- a/sonar-db/src/test/java/org/sonar/db/user/AuthorizationDaoTest.java
+++ b/sonar-db/src/test/java/org/sonar/db/user/AuthorizationDaoTest.java
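Review bot: In the AuthorizationMapper.xml hunk, the new `AND gu.user_id in (…)` predicate drops the `gr.group_id IS NULL` branch of the old condition, and nothing visible says whether that is intended. If a NULL `group_id` in `group_roles` stands for a grant not tied to a concrete group, users who hold the role only through such a row would now be filtered out; that fails closed, but it is a behaviour change in an authorization filter. The `gu` alias comes from a join above the hunk, so the FROM clause should be re-read alongside this change. I would add a comment above the predicate, e.g. `<!-- keep only the requested user ids for group-derived grants; rows with a NULL group_id are not matched here -->`, and a fixture row with a NULL `group_id` to pin the behaviour.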
@@ -290,6 +290,10 @@ public class AuthorizationDaoTest {
 // Only 100 and 101 has 'user' role on project
 newHashSet(100L, 101L, 102L), "user", PROJECT_ID)).containsOnly(100L, 101L);
 
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ // Only 100 and 101 has 'user' role on project
+ newHashSet(100L), "user", PROJECT_ID)).containsOnly(100L);
+
 // user does not have the role "admin"
 assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
 newHashSet(100L), "admin", PROJECT_ID)).isEmpty();
@@ -305,6 +309,9 @@ public class AuthorizationDaoTest {
 // Only 100 and 101 has 'user' role on project
 newHashSet(100L, 101L, 102L), "user", PROJECT_ID)).containsOnly(100L, 101L);
 
+ assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
+ newHashSet(100L), "user", PROJECT_ID)).containsOnly(100L);
+
 // user does not have the role "admin"
 assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(),
 newHashSet(100L), "admin", PROJECT_ID)).isEmpty();
-- 
2.39.5
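Review bot: The assertion added in the first hunk carries a copied comment, `// Only 100 and 101 has 'user' role on project`, which does not explain a call that passes only user 100; something like `// 101 also has the role but was not requested, so it must not be returned` would name the regression being pinned. This hunk and the one at -305 both check only the allow side for a single requested user. Since this filter decides who is authorized, I would also pin the deny side with `assertThat(authorization.keepAuthorizedUsersForRoleAndProject(dbTester.getSession(), newHashSet(102L), "user", PROJECT_ID)).isEmpty();`, going by the existing assertions, which suggest 102 lacks the role. The test methods start and end outside both hunks, so the fixtures they load are not visible here.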