authorJulien Lancelot <julien.lancelot@sonarsource.com>2017-09-27 14:14:05 +0200
committerStas Vilchik <stas.vilchik@sonarsource.com>2017-10-02 17:18:15 +0200
commit843fce55ff4d7c2a8eebdc478ce8fa9cb02a6cea (patch)
tree29a78cb9d9495c0ab8c2758cec0d47332fb58f79
parent6a3ae4ac87b1e12a9bcd496c57bb6e2918cc345e (diff)
SONAR-1330 Check edit permission via group
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java2
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java2
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java7
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java2
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java2
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java2
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java2
-rw-r--r--server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java21
8 files changed, 30 insertions, 10 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
index 7e092cb5231..8e9a37d367b 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddGroupAction.java
@@ -90,7 +90,7 @@ public class AddGroupAction implements QProfileWsAction {
try (DbSession dbSession = dbClient.openSession(false)) {
OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
GroupDto user = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));
addGroup(dbSession, profile, user);
}
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
index eb29e55d783..a58cd4c4f19 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/AddUserAction.java
@@ -90,7 +90,7 @@ public class AddUserAction implements QProfileWsAction {
try (DbSession dbSession = dbClient.openSession(false)) {
OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
UserDto user = wsSupport.getUser(dbSession, organization, request.mandatoryParam(PARAM_LOGIN));
addUser(dbSession, profile, user);
}
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
index 38c11723d09..6fb6e0702d8 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/QProfileWsSupport.java
@@ -124,18 +124,19 @@ public class QProfileWsSupport {
userSession.checkPermission(OrganizationPermission.ADMINISTER_QUALITY_PROFILES, organization);
}
- public void checkCanEdit(DbSession dbSession, QProfileDto profile) {
+ public void checkCanEdit(DbSession dbSession, OrganizationDto organization, QProfileDto profile) {
checkNotBuiltInt(profile);
- OrganizationDto organization = getOrganization(dbSession, profile);
userSession.checkLoggedIn();
if (userSession.hasPermission(OrganizationPermission.ADMINISTER_QUALITY_PROFILES, organization)) {
return;
}
UserDto user = dbClient.userDao().selectByLogin(dbSession, userSession.getLogin());
checkState(user != null, "User from session does not exist");
- if (dbClient.qProfileEditUsersDao().exists(dbSession, profile, user)) {
+ if (dbClient.qProfileEditUsersDao().exists(dbSession, profile, user)
+ || dbClient.qProfileEditGroupsDao().selectQProfileUuidsByOrganizationAndGroups(dbSession, organization, userSession.getGroups()).contains(profile.getKee())) {
return;
}
+
throw insufficientPrivilegesException();
}
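Review bot: `checkCanEdit` now runs both the ADMINISTER_QUALITY_PROFILES check and the new group lookup against a caller-supplied `organization`, where the removed line derived it from the profile, and nothing in the method verifies that the two belong together. The six call sites in this commit load the profile through `getProfile(dbSession, organization, …)`, so they look consistent, but the method is public and a later caller passing a mismatched pair would have the admin check evaluated for the wrong organization. I would add a precondition next to `checkNotBuiltInt(profile)`, for example `checkArgument(organization.getUuid().equals(profile.getOrganizationUuid()), "Profile does not belong to organization");` (accessor names to be confirmed against the DTOs; the `checkState` already used here would also do). The same requirement should be stated in a Javadoc line on the method.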
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
index 9c94c4f3289..83fb547bbf8 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveGroupAction.java
@@ -86,7 +86,7 @@ public class RemoveGroupAction implements QProfileWsAction {
try (DbSession dbSession = dbClient.openSession(false)) {
OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
GroupDto group = wsSupport.getGroup(dbSession, organization, request.mandatoryParam(PARAM_GROUP));
removeGroup(dbSession, profile, group);
}
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
index e299c3fd7b0..d2b8c6cc89e 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/RemoveUserAction.java
@@ -86,7 +86,7 @@ public class RemoveUserAction implements QProfileWsAction {
try (DbSession dbSession = dbClient.openSession(false)) {
OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, request.param(PARAM_ORGANIZATION));
QProfileDto profile = wsSupport.getProfile(dbSession, organization, request.mandatoryParam(PARAM_QUALITY_PROFILE), request.mandatoryParam(PARAM_LANGUAGE));
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
UserDto user = wsSupport.getUser(dbSession, organization, request.mandatoryParam(PARAM_LOGIN));
removeUser(dbSession, profile, user);
}
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
index dffbefe4e3e..b0cc85b5a6c 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchGroupsAction.java
@@ -110,7 +110,7 @@ public class SearchGroupsAction implements QProfileWsAction {
try (DbSession dbSession = dbClient.openSession(false)) {
OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, wsRequest.getOrganization());
QProfileDto profile = wsSupport.getProfile(dbSession, organization, wsRequest.getQualityProfile(), wsRequest.getLanguage());
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
SearchGroupsQuery query = builder()
.setOrganization(organization)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
index 44945638c0f..1dcc2514481 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/qualityprofile/ws/SearchUsersAction.java
@@ -114,7 +114,7 @@ public class SearchUsersAction implements QProfileWsAction {
try (DbSession dbSession = dbClient.openSession(false)) {
OrganizationDto organization = wsSupport.getOrganizationByKey(dbSession, wsRequest.getOrganization());
QProfileDto profile = wsSupport.getProfile(dbSession, organization, wsRequest.getQualityProfile(), wsRequest.getLanguage());
- wsSupport.checkCanEdit(dbSession, profile);
+ wsSupport.checkCanEdit(dbSession, organization, profile);
SearchUsersQuery query = builder()
.setOrganization(organization)
diff --git a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java
index 8b3d1051c0d..e7e738802b0 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/AddGroupActionTest.java
@@ -129,7 +129,7 @@ public class AddGroupActionTest {
}
@Test
- public void qp_editors_can_add_group() {
+ public void can_add_group_with_user_edit_permission() {
OrganizationDto organization = db.organizations().insert();
QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
GroupDto group = db.users().insertGroup(organization);
@@ -148,6 +148,25 @@ public class AddGroupActionTest {
}
@Test
+ public void can_add_group_with_group_edit_permission() {
+ OrganizationDto organization = db.organizations().insert();
+ QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
+ GroupDto group = db.users().insertGroup(organization);
+ UserDto userAllowedToEditProfile = db.users().insertUser();
+ db.qualityProfiles().addGroupPermission(profile, group);
+ userSession.logIn(userAllowedToEditProfile).setGroups(group);
+
+ ws.newRequest()
+ .setParam(PARAM_QUALITY_PROFILE, profile.getName())
+ .setParam(PARAM_LANGUAGE, XOO)
+ .setParam(PARAM_GROUP, group.getName())
+ .setParam(PARAM_ORGANIZATION, organization.getKey())
+ .execute();
+
+ assertThat(db.getDbClient().qProfileEditGroupsDao().exists(db.getSession(), profile, group)).isTrue();
+ }
+
+ @Test
public void uses_default_organization_when_no_organization() {
OrganizationDto organization = db.getDefaultOrganization();
QProfileDto profile = db.qualityProfiles().insert(organization, p -> p.setLanguage(XOO));
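Review bot: In `can_add_group_with_group_edit_permission` the group that grants the edit right is the same `group` the request adds, so the final `exists(db.getSession(), profile, group)` assertion presumably already holds after `addGroupPermission(profile, group)` and would pass even if the action wrote nothing. Insert a second group for the `PARAM_GROUP` value and assert on that one, e.g. `GroupDto groupToAdd = db.users().insertGroup(organization);`. The commit also adds no negative case: a test where the user's group holds edit permission only on a different profile, expecting the request to be rejected, would pin the `contains(profile.getKee())` filter in `checkCanEdit`. According to the diffstat only AddGroupActionTest is touched, so the other five actions get no group-path coverage here.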