From f5c7d375c226b0f17cd31042275dd7d74621d3ae Mon Sep 17 00:00:00 2001
From: Eric Hartmann
Date: Thu, 15 Feb 2018 17:31:55 +0100
Subject: [PATCH] SONAR-10323 Fix permission on api/project_branches/list
---
 .../server/projectbranch/ws/ListAction.java | 13 ++++++++++--
 .../sonar/server/setting/ws/ValuesAction.java | 8 ++++++--
 .../projectbranch/ws/ListActionTest.java | 20 +++++++++++++++++++
 3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
index cc575a3868a..53a3199b341 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
@@ -52,12 +52,14 @@ import static java.util.Collections.singletonList;
 import static org.sonar.api.measures.CoreMetrics.ALERT_STATUS_KEY;
 import static org.sonar.api.resources.Qualifiers.PROJECT;
 import static org.sonar.api.utils.DateUtils.formatDateTime;
+import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
 import static org.sonar.core.util.Protobuf.setNullable;
 import static org.sonar.core.util.stream.MoreCollectors.toList;
 import static org.sonar.core.util.stream.MoreCollectors.uniqueIndex;
 import static org.sonar.db.component.BranchType.LONG;
 import static org.sonar.db.component.BranchType.SHORT;
 import static org.sonar.server.projectbranch.ws.BranchesWs.addProjectParam;
+import static org.sonar.server.user.AbstractUserSession.insufficientPrivilegesException;
 import static org.sonarqube.ws.client.projectbranches.ProjectBranchesParameters.ACTION_LIST;
 import static org.sonarqube.ws.client.projectbranches.ProjectBranchesParameters.PARAM_PROJECT;
@@ -80,7 +82,7 @@ public class ListAction implements BranchWsAction {
 WebService.NewAction action = context.createAction(ACTION_LIST)
 .setSince("6.6")
 .setDescription("List the branches of a project.
" +
- "Requires 'Administer' rights on the specified project.")
+ "Requires 'Browse' or 'Execute analysis' rights on the specified project.")
 .setResponseExample(Resources.getResource(getClass(), "list-example.json"))
 .setHandler(this);
@@ -93,7 +95,7 @@ public class ListAction implements BranchWsAction {
 try (DbSession dbSession = dbClient.openSession(false)) {
 ComponentDto project = componentFinder.getByKey(dbSession, projectKey);
- userSession.checkComponentPermission(UserRole.USER, project);
+ checkPermission(project);
 checkArgument(project.isEnabled() && PROJECT.equals(project.qualifier()), "Invalid project key");
 Collection branches = dbClient.branchDao().selectByComponent(dbSession, project);
@@ -159,4 +161,11 @@ public class ListAction implements BranchWsAction {
 }
 builder.setStatus(statusBuilder);
 }
+
+ private void checkPermission(ComponentDto component) {
+ if (!userSession.hasComponentPermission(UserRole.USER, component) &&
+ !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+ throw insufficientPrivilegesException();
+ }
+ }
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
index f6776aaa46b..2225743c0a4 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
@@ -51,6 +51,8 @@ import static org.sonar.api.CoreProperties.SERVER_ID;
 import static org.sonar.api.CoreProperties.SERVER_STARTTIME;
 import static org.sonar.api.PropertyType.PROPERTY_SET;
 import static org.sonar.api.web.UserRole.USER;
+import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
+import static org.sonar.server.user.AbstractUserSession.insufficientPrivilegesException;
 import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001;
 import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001;
 import static org.sonar.server.ws.WsUtils.writeProtobuf;
@@ -87,7 +89,7 @@ public class ValuesAction implements SettingsWsAction {
 WebService.NewAction action = context.createAction(ACTION_VALUES)
 .setDescription("List settings values.
" + "If no value has been set for a setting, then the default value is returned.
" + - "Requires 'Browse' permission when a component is specified
", + "Requires 'Browse' or 'Execute Analysis' permission when a component is specified
", "To access licensed settings, authentication is required
" + "To access secured settings, one of the following permissions is required: " + "