authorFabrice Bellingard <bellingard@gmail.com>2011-04-29 15:36:35 +0200
committerFabrice Bellingard <bellingard@gmail.com>2011-04-29 16:34:46 +0200
commite8ba558f37941df3be94fbeb9a779d93fcd99eb3 (patch)
tree41b6047463db7e4ffeb3994ec1780ba5c786990d
parentf0354f9fd3c376636338f471bcbd0db1f7813ad8 (diff)
downloadsonarqube-e8ba558f37941df3be94fbeb9a779d93fcd99eb3.tar.gz
sonarqube-e8ba558f37941df3be94fbeb9a779d93fcd99eb3.zip
SONAR-2327, SONAR-2382 Add security checks
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb16
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb6
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb13
4 files changed, 32 insertions, 5 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb
index 17923826915..ad85564b11b 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/reviews_controller.rb
@@ -23,7 +23,7 @@ require 'json'
class Api::ReviewsController < Api::ApiController
def index
- reviews=Review.search(params)
+ reviews=select_authorized(:user, Review.search(params), :project)
respond_to do |format|
format.json { render :json => jsonp(Review.reviews_to_json(reviews)) }
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
index ac563f86f08..60cb1f9cc8a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
@@ -35,8 +35,12 @@ class ReviewsController < ApplicationController
# Used for the permalink, e.g. http://localhost:9000/reviews/view/1
def view
- @review=Review.find(params[:id], :include => ['resource', 'project'])
- render 'reviews/_review', :locals => {:review => @review}
+ @review=Review.find(params[:id], :include => ['project'])
+ if has_role?(:user, @review.project)
+ render 'reviews/_review', :locals => {:review => @review}
+ else
+ render :text => "<b>Cannot access this review</b> : access denied."
+ end
end
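Review bot: The denial branch at the `render :text => "<b>Cannot access this review</b> : access denied."` line answers with Rails' default 200 status, so clients, proxies and caches cannot distinguish a refusal from a successful permalink render; pass the status explicitly, `render :text => "<b>Cannot access this review</b> : access denied.", :status => 403`. Note also that `Review.find` on the line above still raises for an unknown id, so a missing review and a forbidden one yield different responses, which lets a caller learn whether an id exists; whether that matters depends on how review ids are exposed elsewhere, which this page does not show.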
@@ -47,7 +51,7 @@ class ReviewsController < ApplicationController
#
def show
- @review=Review.find(params[:id], :include => ['resource', 'project'])
+ @review=Review.find(params[:id], :include => ['project'])
render :partial => 'reviews/show'
end
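Review bot: `show` loads the review from `params[:id]` and renders the partial without the `has_role?(:user, @review.project)` guard that this commit adds to `view`, so a direct request to this action can still render a review the user is not authorized to see; only the eager-loading list was changed here. The whole method is visible in the hunk. Mirroring the guard keeps the two actions consistent: `return render(:text => "<b>Cannot access this review</b> : access denied.", :status => 403) unless has_role?(:user, @review.project)` placed before the `render :partial => 'reviews/show'` line.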
@@ -322,7 +326,11 @@ class ReviewsController < ApplicationController
end
end
- @reviews = Review.search(options)
+ found_reviews = Review.search(options)
+ @reviews = select_authorized(:user, found_reviews, :project)
+ if found_reviews.size != @reviews.size
+ @security_exclusions = true
+ end
end
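Review bot: The four-line `if` that sets `@security_exclusions` at the end of the hunk is a boolean assignment in disguise; `@security_exclusions = found_reviews.size != @reviews.size` says the same in one line and leaves the flag `false` rather than `nil` when nothing was dropped. Because filtering now happens after `Review.search(options)` returns, any page size or total count computed inside `search` would be established before unauthorized reviews are removed, so a page could come back shorter than requested; worth confirming against the `search` implementation, which is not on this page. The enclosing method starts before the hunk.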
def is_number?(s)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb
index d77813855a7..01e838d9cd2 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/reviews/index.html.erb
@@ -137,6 +137,12 @@
<%
end
%>
+
+ <% if @security_exclusions %>
+ <br/>
+ <p class="notes">Due to security settings, some results are not being displayed.</p>
+ <% end %>
+
</div>
<div id="review-loading" style="display: none"><%= image_tag 'loading.gif' -%></div>
diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb b/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb
index bde096664fa..f5cf8dcc89f 100644
--- a/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/lib/need_authorization.rb
@@ -177,6 +177,19 @@ module NeedAuthorization
result
end
+ def select_authorized(role, objects, resource_method=nil)
+ if resource_method
+ booleans=has_role?(role, objects.map{|obj| obj.send(resource_method)})
+ else
+ booleans=has_role?(role, objects)
+ end
+ result=[]
+ objects.each_with_index do |obj, index|
+ result<<obj if booleans[index]==true
+ end
+ result
+ end
+
#
# Filter method to enforce a login admin requirement.
#
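Review bot: `select_authorized` is a new public helper in a module whose neighbouring methods carry `#` comment headers (see the lines right after it), but it has none, and its body re-implements a filter with `each_with_index` and manual accumulation. A header such as `# Returns the subset of objects on which the current user has role, checking obj.send(resource_method) instead of obj when resource_method is given; only an explicit true from has_role? keeps an object, so nil or false results are excluded (fail closed).` states the contract, and the body can become a `zip`/`select` pipeline as below. This assumes `has_role?` returns an array of results aligned with its array argument, which the hunk relies on but whose definition lies outside it. `resource_method` is dispatched through `send`, which is acceptable while callers pass a literal symbol as both controllers in this commit do, but it must never be taken from request parameters.
```ruby
def select_authorized(role, objects, resource_method=nil)
  resources = resource_method ? objects.map { |obj| obj.send(resource_method) } : objects
  booleans = has_role?(role, resources)
  # keep only objects whose check came back exactly true (fail closed on nil/false)
  objects.zip(booleans).select { |_obj, allowed| allowed == true }.map { |obj, _allowed| obj }
end
```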