From ed1a03a47232447cc27821afcb2c2cb8794b4f86 Mon Sep 17 00:00:00 2001
From: =?utf8?q?S=C3=A9bastien=20Lesaint?=
Date: Tue, 7 Feb 2017 18:18:03 +0100
Subject: [PATCH] SONAR-8754 api/organizations/create require root for guarded org
---
 .../server/organization/ws/DeleteAction.java | 6 +++-
 .../organization/ws/DeleteActionTest.java | 29 ++++++++++++++++---
 .../db/organization/OrganizationDbTester.java | 11 +++++--
 3 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/organization/ws/DeleteAction.java b/server/sonar-server/src/main/java/org/sonar/server/organization/ws/DeleteAction.java
index 5f55af3c5f3..f25940ff6fb 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/organization/ws/DeleteAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/organization/ws/DeleteAction.java
@@ -82,7 +82,11 @@ public class DeleteAction implements OrganizationsAction {
 "Organization with key '%s' not found", key);
- userSession.checkOrganizationPermission(organizationDto.getUuid(), SYSTEM_ADMIN);
+ if (organizationDto.isGuarded()) {
+ userSession.checkIsRoot();
+ } else {
+ userSession.checkOrganizationPermission(organizationDto.getUuid(), SYSTEM_ADMIN);
+ }
 deleteProjects(dbSession, organizationDto.getUuid());
 deletePermissions(dbSession, organizationDto.getUuid());
diff --git a/server/sonar-server/src/test/java/org/sonar/server/organization/ws/DeleteActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/organization/ws/DeleteActionTest.java
index 5b49ab11772..3fcf6e43329 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/organization/ws/DeleteActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/organization/ws/DeleteActionTest.java
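Review bot: The new branch encodes a policy decision — a guarded organization can only be deleted by root, and holding System Administer on that organization is deliberately not enough — but nothing in the hunk says why, so a later maintainer could collapse it back into the single permission check it replaces. A one-line comment above the `if` would pin the intent, e.g. `// guarded organizations are root-only: org-level SYSTEM_ADMIN must not be able to delete them`. The subject line names api/organizations/create while the code patched here is DeleteAction, so the commit message should name the delete endpoint. The enclosing handler method starts and ends outside the hunk.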
@@ -126,7 +126,7 @@ public class DeleteActionTest {
 }
 @Test
- public void request_fails_with_ForbiddenException_when_user_has_no_System_Administer_permission() {
+ public void request_fails_with_ForbiddenException_when_user_has_no_System_Administer_permission_for_non_guarded_organization() {
 OrganizationDto organization = dbTester.organizations().insert();
 userSession.logIn();
@@ -137,7 +137,7 @@ public class DeleteActionTest {
 }
 @Test
- public void request_fails_with_ForbiddenException_when_user_does_not_have_System_Administer_permission_on_specified_organization() {
+ public void request_fails_with_ForbiddenException_when_user_does_not_have_System_Administer_permission_on_specified_non_guarded_organization() {
 OrganizationDto organization = dbTester.organizations().insert();
 userSession.logIn().addOrganizationPermission(dbTester.getDefaultOrganization().getUuid(), SYSTEM_ADMIN);
@@ -148,7 +148,7 @@ public class DeleteActionTest {
 }
 @Test
- public void request_deletes_specified_organization_if_exists_and_user_has_Admin_permission_on_it() {
+ public void request_deletes_specified_non_guarded_organization_if_exists_and_user_has_Admin_permission_on_it() {
 OrganizationDto organization = dbTester.organizations().insert();
 userSession.logIn().addOrganizationPermission(organization.getUuid(), SYSTEM_ADMIN);
@@ -158,7 +158,18 @@ public class DeleteActionTest {
 }
 @Test
- public void request_deletes_specified_organization_if_exists_and_user_is_root() {
+ public void request_fails_with_ForbiddenException_when_user_has_System_Administer_permission_on_specified_guarded_organization() {
+ OrganizationDto organization = dbTester.organizations().insert(dto -> dto.setGuarded(true));
+ userSession.logIn().addOrganizationPermission(organization.getUuid(), SYSTEM_ADMIN);
+
+ expectedException.expect(ForbiddenException.class);
+ expectedException.expectMessage("Insufficient privileges");
+
+ sendRequest(organization);
+ }
+
+ @Test
+ public void request_deletes_specified_non_guarded_organization_if_exists_and_user_is_root() {
 OrganizationDto organization = dbTester.organizations().insert();
 userSession.logIn().setRoot();
@@ -167,6 +178,16 @@ public class DeleteActionTest {
 verifyOrganizationDoesNotExist(organization);
 }
+ @Test
+ public void request_deletes_specified_guarded_organization_if_exists_and_user_is_root() {
+ OrganizationDto organization = dbTester.organizations().insert(dto -> dto.setGuarded(true));
+ userSession.logIn().setRoot();
+
+ sendRequest(organization);
+
+ verifyOrganizationDoesNotExist(organization);
+ }
+
 @Test
 public void request_also_deletes_components_of_specified_organization() {
 userSession.logIn().setRoot();
diff --git a/sonar-db/src/test/java/org/sonar/db/organization/OrganizationDbTester.java b/sonar-db/src/test/java/org/sonar/db/organization/OrganizationDbTester.java
index ee67f83555b..b6de3ebc321 100644
--- a/sonar-db/src/test/java/org/sonar/db/organization/OrganizationDbTester.java
+++ b/sonar-db/src/test/java/org/sonar/db/organization/OrganizationDbTester.java
@@ -19,6 +19,7 @@
 */
 package org.sonar.db.organization;
+import java.util.function.Consumer;
 import javax.annotation.Nullable;
 import org.sonar.db.DbSession;
 import org.sonar.db.DbTester;
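Review bot: The guarded-organization coverage added in the first hunk here only pins the two extremes — an org-level System Administer is refused and root succeeds — while the non-guarded path keeps a test for a merely logged-in user with no permission at all; the equivalent case for a guarded organization is missing. Since the guarded branch now goes through `userSession.checkIsRoot()` instead of `checkOrganizationPermission`, it is not obvious from the hunk whether an anonymous or unprivileged caller gets the same ForbiddenException with "Insufficient privileges" or a different failure, and a test would settle that, e.g. `OrganizationDto organization = dbTester.organizations().insert(dto -> dto.setGuarded(true)); userSession.logIn(); expectedException.expect(ForbiddenException.class);` followed by `sendRequest(organization);`. The `expectedException` rule stops the test at the throw, so neither failure test checks that the organization still exists afterwards; if that matters, a try/catch around `sendRequest` with a follow-up existence check would cover it.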
@@ -40,12 +41,18 @@ public class OrganizationDbTester {
 return insert(OrganizationTesting.newOrganizationDto());
 }
+ public OrganizationDto insert(Consumer populator) {
+ OrganizationDto dto = OrganizationTesting.newOrganizationDto();
+ populator.accept(dto);
+ return insert(dto);
+ }
+
 public OrganizationDto insertForKey(String key) {
- return insert(OrganizationTesting.newOrganizationDto().setKey(key));
+ return insert(dto -> dto.setKey(key));
 }
 public OrganizationDto insertForUuid(String organizationUuid) {
- return insert(OrganizationTesting.newOrganizationDto().setUuid(organizationUuid));
+ return insert(dto -> dto.setUuid(organizationUuid));
 }
 /**
-- 
2.39.5
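Review bot: `insert(Consumer populator)` appears here with a raw `Consumer`; if that is not an artifact of how this page was rendered (a `<OrganizationDto>` type argument is exactly what HTML extraction tends to swallow), it would not compile against the lambdas `dto -> dto.setKey(key)` and `dto -> dto.setUuid(organizationUuid)` below, because the raw `accept(Object)` leaves `dto` typed as Object. The signature should read `public OrganizationDto insert(Consumer<OrganizationDto> populator) {`. The new overload also deserves a short Javadoc stating that the populator is applied to a fresh `OrganizationTesting.newOrganizationDto()` before it is handed to the existing `insert(OrganizationDto)` the body delegates to, so callers can override any default field. With the two overloads side by side, `insert(null)` becomes ambiguous; no caller in the hunk does that, but it is worth knowing before more call sites appear.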