
SONAR-8716 fix check of permissions in api/ce/activity_status

tags/6.3-RC1
Simon Brandhof 7 years ago
parent
commit
8ef9a43d2d

+ 2
- 6
server/sonar-server/src/main/java/org/sonar/server/ce/ws/ActivityStatusAction.java View File

@@ -25,7 +25,6 @@ import org.sonar.api.server.ws.Request;
import org.sonar.api.server.ws.Response;
import org.sonar.api.server.ws.WebService;
import org.sonar.api.web.UserRole;
import org.sonar.core.permission.GlobalPermissions;
import org.sonar.core.util.Uuids;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
@@ -80,8 +79,7 @@ public class ActivityStatusAction implements CeWsAction {
}

private ActivityStatusWsResponse doHandle(ActivityStatusWsRequest request) {
DbSession dbSession = dbClient.openSession(false);
try {
try (DbSession dbSession = dbClient.openSession(false)) {
Optional<ComponentDto> component = searchComponent(dbSession, request);
String componentUuid = component.isPresent() ? component.get().uuid() : null;
checkPermissions(component);
@@ -92,8 +90,6 @@ public class ActivityStatusAction implements CeWsAction {
.setPending(pendingCount)
.setFailing(failingCount)
.build();
} finally {
dbClient.closeSession(dbSession);
}
}

@@ -109,7 +105,7 @@ public class ActivityStatusAction implements CeWsAction {
if (component.isPresent()) {
userSession.checkComponentPermission(UserRole.ADMIN, component.get());
} else {
userSession.checkPermission(GlobalPermissions.SYSTEM_ADMIN);
userSession.checkIsRoot();
}
}
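Review bot: In doHandle, `checkPermissions(component)` is reached only after `searchComponent(dbSession, request)` has resolved the requested key, so a caller with no permission at all appears to get a different outcome for an unknown key (a not-found error, judging by the NotFoundException import and the unknown-key test in the test file) than for an existing one (ForbiddenException); that difference reveals which project keys exist before any authorization is applied. Requiring an authenticated session before the lookup, or mapping the not-found case onto the same forbidden outcome for callers who lack the permission, would close that gap, but doHandle and searchComponent both start outside this hunk so the change cannot be placed here. The new `checkIsRoot()` branch in `checkPermissions` would also benefit from a comment saying why the no-component case is stricter than project admin, e.g. `// No component given: the counts presumably span all projects, so only root may read them`.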


+ 27
- 12
server/sonar-server/src/test/java/org/sonar/server/ce/ws/ActivityStatusActionTest.java View File

@@ -23,13 +23,11 @@ package org.sonar.server.ce.ws;
import com.google.common.base.Throwables;
import java.io.IOException;
import javax.annotation.Nullable;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.sonar.api.utils.System2;
import org.sonar.api.web.UserRole;
import org.sonar.core.permission.GlobalPermissions;
import org.sonar.core.util.Uuids;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
@@ -40,6 +38,7 @@ import org.sonar.db.component.ComponentDbTester;
import org.sonar.db.component.ComponentDto;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.server.component.ComponentFinder;
import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.ws.TestRequest;
@@ -59,19 +58,14 @@ public class ActivityStatusActionTest {
@Rule
public ExpectedException expectedException = ExpectedException.none();
@Rule
public UserSessionRule userSession = UserSessionRule.standalone();
public UserSessionRule userSession = UserSessionRule.standalone().login().setRoot();
@Rule
public DbTester db = DbTester.create(System2.INSTANCE);
ComponentDbTester componentDb = new ComponentDbTester(db);
DbClient dbClient = db.getDbClient();
DbSession dbSession = db.getSession();

WsActionTester ws = new WsActionTester(new ActivityStatusAction(userSession, dbClient, new ComponentFinder(dbClient)));

@Before
public void setUp() {
userSession.setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
}
private ComponentDbTester componentDb = new ComponentDbTester(db);
private DbClient dbClient = db.getDbClient();
private DbSession dbSession = db.getSession();
private WsActionTester ws = new WsActionTester(new ActivityStatusAction(userSession, dbClient, new ComponentFinder(dbClient)));

@Test
public void json_example() {
@@ -147,6 +141,27 @@ public class ActivityStatusActionTest {
callByComponentKey("unknown-key");
}

@Test
public void throw_ForbiddenException_if_not_root() {
userSession.login();

expectedException.expect(ForbiddenException.class);
expectedException.expectMessage("Insufficient privileges");

call();
}

@Test
public void throw_ForbiddenException_if_not_administrator_of_requested_project() {
userSession.login();
ComponentDto project = db.components().insertProject();

expectedException.expect(ForbiddenException.class);
expectedException.expectMessage("Insufficient privileges");

callByComponentKey(project.key());
}

private void insertInQueue(CeQueueDto.Status status, @Nullable String componentUuid) {
dbClient.ceQueueDao().insert(dbSession, newCeQueueDto(Uuids.createFast())
.setStatus(status)
