authorJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>2015-05-05 11:35:56 +0200
committerJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>2015-05-05 11:47:19 +0200
commit9b235dda465394be414f0e7e52094b930ccad175 (patch)
tree849e729410adb9ad7706292aa7e7eac51d1aeb3a
parent3445f73e4cb2f908a512354468367a2b1311f27f (diff)
SONAR-6525 Fix security bypass on plugin-contributed pages
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java4
-rw-r--r--server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java46
2 files changed, 13 insertions, 37 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java b/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java
index de4cc75d909..3beb0bbbbeb 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/ui/ViewProxy.java
@@ -285,9 +285,7 @@ public class ViewProxy<V extends View> implements Comparable<ViewProxy> {
public boolean isUserAuthorized(ComponentDto component) {
boolean authorized = userRoles.length == 0;
for (String userRole : getUserRoles()) {
- authorized |= (UserRole.VIEWER.equals(userRole)
- || UserRole.USER.equals(userRole)
- || UserSession.get().hasProjectPermissionByUuid(userRole, component.uuid()));
+ authorized |= UserSession.get().hasProjectPermissionByUuid(userRole, component.uuid());
}
return authorized;
}
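Review bot: `isUserAuthorized` still carries no Javadoc for the contract that matters now that the role shortcut is gone: a view that declares no `@UserRole` is open to every user (`boolean authorized = userRoles.length == 0;`), and a view declaring several roles admits a user who holds the project permission for any one of them, since each `hasProjectPermissionByUuid` result is OR-ed into `authorized`. A comment such as `/** A view with no declared user roles is visible to everyone; otherwise the user must hold the project permission for at least one declared role. */` above the method would make that explicit for the next reader. The loop also keeps calling `UserSession.get().hasProjectPermissionByUuid(userRole, component.uuid())` after `authorized` is already true; `if (authorized) { return true; }` as the first statement of the loop body avoids the redundant lookups without changing the result. The initialisation reads the `userRoles` field while the loop iterates `getUserRoles()`; if those two can ever differ, the "no roles" default and the loop disagree about which list is authoritative, so that is worth confirming.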
diff --git a/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java b/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java
index ab93684bfc0..60a335023aa 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/ui/ViewProxyTest.java
@@ -348,40 +348,6 @@ public class ViewProxyTest {
MockUserSession.set().addProjectUuidPermissions("pilip", "abcd");
assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isFalse();
}
-
- @Test
- public void is_authorized_on_component_viewer_bypass() {
-
- @NavigationSection(NavigationSection.RESOURCE)
- @UserRole(UserRole.VIEWER)
- class MyView extends FakeView {
- MyView() {
- super("fake");
- }
- }
-
- ViewProxy proxy = new ViewProxy<View>(new MyView());
-
- MockUserSession.set();
- assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isTrue();
- }
-
- @Test
- public void is_authorized_on_component_user_bypass() {
-
- @NavigationSection(NavigationSection.RESOURCE)
- @UserRole(UserRole.USER)
- class MyView extends FakeView {
- MyView() {
- super("fake");
- }
- }
-
- ViewProxy proxy = new ViewProxy<View>(new MyView());
-
- MockUserSession.set();
- assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isTrue();
- }
}
class FakeView implements View {
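Review bot: The two bypass tests are deleted without a replacement asserting the corrected behaviour, so nothing in this file now checks that a view annotated `@UserRole(UserRole.VIEWER)` or `@UserRole(UserRole.USER)` is rejected when the session lacks that project permission, and a reintroduction of the shortcut in `ViewProxy.isUserAuthorized` would pass the suite. The test visible at the top of the hunk covers a mismatched permission (`"pilip"`), but its view's declared role is outside the hunk, so I cannot tell whether it exercises `VIEWER`. Suggest keeping one of the deleted tests with the assertion inverted, plus the positive case where the session is granted `UserRole.VIEWER` on the project, as sketched below.
```java
  @Test
  public void is_not_authorized_on_component_without_viewer_permission() {

    @NavigationSection(NavigationSection.RESOURCE)
    @UserRole(UserRole.VIEWER)
    class MyView extends FakeView {
      MyView() {
        super("fake");
      }
    }

    ViewProxy proxy = new ViewProxy<View>(new MyView());

    // no permission on the project: the VIEWER role must no longer be a bypass
    MockUserSession.set();
    assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isFalse();

    // the real project permission still grants access
    MockUserSession.set().addProjectUuidPermissions(UserRole.VIEWER, "abcd");
    assertThat(proxy.isUserAuthorized(newProjectDto("abcd"))).isTrue();
  }
```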
@@ -392,10 +358,12 @@ class FakeView implements View {
this.id = id;
}
+ @Override
public String getId() {
return id;
}
+ @Override
public String getTitle() {
return id;
}
@@ -407,10 +375,12 @@ class FakeView implements View {
@WidgetProperty(key = "third_prop", type = WidgetPropertyType.INTEGER)
})
class EditableWidget implements Widget {
+ @Override
public String getId() {
return "w1";
}
+ @Override
public String getTitle() {
return "W1";
}
@@ -418,10 +388,12 @@ class EditableWidget implements Widget {
@WidgetProperties(@WidgetProperty(key = "message", defaultValue = "", type = WidgetPropertyType.TEXT))
class TextWidget implements Widget {
+ @Override
public String getId() {
return "text";
}
+ @Override
public String getTitle() {
return "TEXT";
}
@@ -429,10 +401,12 @@ class TextWidget implements Widget {
@WidgetScope("GLOBAL")
class GlobalWidget implements Widget {
+ @Override
public String getId() {
return "global";
}
+ @Override
public String getTitle() {
return "Global";
}
@@ -440,10 +414,12 @@ class GlobalWidget implements Widget {
@WidgetScope("INVALID")
class WidgetWithInvalidScope implements Widget {
+ @Override
public String getId() {
return "invalidScope";
}
+ @Override
public String getTitle() {
return "InvalidScope";
}
@@ -454,10 +430,12 @@ class WidgetWithInvalidScope implements Widget {
@WidgetProperty(key = "bar")
})
class WidgetWithOptionalProperties implements Widget {
+ @Override
public String getId() {
return "w2";
}
+ @Override
public String getTitle() {
return "W2";
}