From e8ba558f37941df3be94fbeb9a779d93fcd99eb3 Mon Sep 17 00:00:00 2001
From: Fabrice Bellingard
Date: Fri, 29 Apr 2011 15:36:35 +0200
Subject: [PATCH] SONAR-2327, SONAR-2382 Add security checks
---
 .../app/controllers/api/reviews_controller.rb | 2 +-
 .../app/controllers/reviews_controller.rb | 16 ++++++++++++----
 .../WEB-INF/app/views/reviews/index.html.erb | 6 ++++++
 .../webapp/WEB-INF/lib/need_authorization.rb | 13 +++++++++++++
 4 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb
index 17923826915..ad85564b11b 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb
@@ -23,7 +23,7 @@ require 'json'
 class Api::ReviewsController < Api::ApiController
 def index
- reviews=Review.search(params)
+ reviews=select_authorized(:user, Review.search(params), :project)
 respond_to do |format|
 format.json { render :json => jsonp(Review.reviews_to_json(reviews)) }
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
index ac563f86f08..60cb1f9cc8a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
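Review bot: The API `index` now silently drops the reviews the caller is not allowed to see, so an API consumer cannot distinguish a short or empty result from "nothing matched", whereas the web controller in this same commit surfaces the exclusion to the user. The filter also runs on the result of `Review.search(params)`, so any limit or paging the search applies (not visible here) is computed before authorization and a page can come back short even though further authorized reviews exist; if the search does paginate, the project restriction belongs in the query rather than on its output. At minimum the contract deserves a comment on the new line: `# authorization is applied after the search, so the result is a filtered subset of the matching reviews`. The body of `index` continues past the end of the hunk.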
@@ -35,8 +35,12 @@ class ReviewsController < ApplicationController
 # Used for the permalink, e.g. http://localhost:9000/reviews/view/1
 def view
- @review=Review.find(params[:id], :include => ['resource', 'project'])
- render 'reviews/_review', :locals => {:review => @review}
+ @review=Review.find(params[:id], :include => ['project'])
+ if has_role?(:user, @review.project)
+ render 'reviews/_review', :locals => {:review => @review}
+ else
+ render :text => "Cannot access this review : access denied."
+ end
 end
@@ -47,7 +51,7 @@ class ReviewsController < ApplicationController
 #
 def show
- @review=Review.find(params[:id], :include => ['resource', 'project'])
+ @review=Review.find(params[:id], :include => ['project'])
 render :partial => 'reviews/show'
 end
@@ -322,7 +326,11 @@ class ReviewsController < ApplicationController
 end
 end
- @reviews = Review.search(options)
+ found_reviews = Review.search(options)
+ @reviews = select_authorized(:user, found_reviews, :project)
+ if found_reviews.size != @reviews.size
+ @security_exclusions = true
+ end
 end
 def is_number?(s)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb
index d77813855a7..01e838d9cd2 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb
@@ -137,6 +137,12 @@ <% end %> + + <% if @security_exclusions %> +
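Review bot: The access-denied branch added to `view` renders its message with the default 200 status, so browsers, proxies and any caller scripting the permalink see a refusal as a successful page and may cache or index it. Returning the proper status keeps the message text and makes the refusal machine-readable: `render :text => "Cannot access this review : access denied.", :status => 403`. An unknown `params[:id]` still raises from `Review.find` before the check is reached, which is unchanged by this commit.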
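Review bot: `show` loads a review by `params[:id]` exactly as `view` does, but the second hunk only trims the `:include` list and adds no `has_role?(:user, @review.project)` check before rendering the partial, so a direct request to this action would still return a review the permalink now refuses, unless a filter outside the hunk covers it. Guarding it the same way keeps the two entry points consistent: wrap the render in `if has_role?(:user, @review.project)` with the same denial branch as `view`. If the partial is only ever requested from an already-authorized page, a one-line comment stating that assumption would save the next reader from asking the same question.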
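Review bot: In the third hunk `@security_exclusions` is only ever set inside an `if`, so on the other path it stays undefined; `@security_exclusions = found_reviews.size != @reviews.size` expresses the same thing in one line and leaves the flag explicitly false, which the view's truthiness test treats identically. As with the API controller in this commit, `select_authorized` filters the output of `Review.search(options)`, so if that search paginates, both the page size and the "some results are not displayed" notice describe the pre-authorization page rather than the full set the user is allowed to see. The enclosing method begins before this hunk.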
+

Due to security settings, some results are not being displayed.

+ <% end %> + diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb b/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb index bde096664fa..f5cf8dcc89f 100644 --- a/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb +++ b/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb @@ -177,6 +177,19 @@ module NeedAuthorization result end + def select_authorized(role, objects, resource_method=nil) + if resource_method + booleans=has_role?(role, objects.map{|obj| obj.send(resource_method)}) + else + booleans=has_role?(role, objects) + end + result=[] + objects.each_with_index do |obj, index| + result<