authorJulien Lancelot <julien.lancelot@sonarsource.com>2014-08-13 10:13:02 +0200
committerJulien Lancelot <julien.lancelot@sonarsource.com>2014-08-13 10:13:02 +0200
commit0e6b081d5a4aa28732b9e9ebd359be752f35c4f9 (patch)
tree3cb6dd8bf914c990e2d29a146442db6834fa26fb
parent550dcbf9da08a3a77f4ab8e846525df952b5b3a1 (diff)
downloadsonarqube-0e6b081d5a4aa28732b9e9ebd359be752f35c4f9.tar.gz
sonarqube-0e6b081d5a4aa28732b9e9ebd359be752f35c4f9.zip
SONAR-5036 When coming from a view, a user should not be able to drilldown in a project he doesn't have access to
-rw-r--r--server/sonar-web/src/main/webapp/WEB-INF/app/controllers/drilldown_controller.rb4
-rw-r--r--server/sonar-web/src/main/webapp/WEB-INF/app/models/drilldown.rb17
-rw-r--r--server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb16
-rw-r--r--server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb10
4 files changed, 30 insertions, 17 deletions
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/drilldown_controller.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/drilldown_controller.rb
index 96be43d8789..43574f0858f 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/drilldown_controller.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/controllers/drilldown_controller.rb
@@ -54,7 +54,7 @@ class DrilldownController < ApplicationController
end
# load data
- @drilldown = Drilldown.new(@resource, @metric, selected_rids, options)
+ @drilldown = Drilldown.new(@resource, @metric, selected_rids, self, options)
@highlighted_resource=@drilldown.highlighted_resource
if @highlighted_resource.nil? && @drilldown.columns.empty?
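Review bot: Inserting `controller` as a positional parameter in front of `options` (lines 26-27 and 33-34) means a caller not updated in this commit that still passes `(resource, metric, rids, options)` silently binds its options hash to `controller` and only fails later, inside DrilldownColumn, with a NoMethodError on `select_authorized`; the two call sites in this controller are updated, but I cannot see whether other callers exist. A check in `Drilldown#initialize`, `raise ArgumentError, 'controller must respond to select_authorized' unless controller.respond_to?(:select_authorized)`, would make such a mismatch fail at construction instead of deep in the column loading. Passing the whole controller also hands the model more than it uses (only `select_authorized` is called), so a narrower collaborator such as a lambda wrapping `select_authorized` would keep the model free of the controller dependency. The enclosing action continues outside the hunk.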
@@ -110,7 +110,7 @@ class DrilldownController < ApplicationController
end
# load data
- @drilldown = Drilldown.new(@resource, @metric, @selected_rids, options)
+ @drilldown = Drilldown.new(@resource, @metric, @selected_rids, self, options)
@highlighted_resource=@drilldown.highlighted_resource
if @highlighted_resource.nil? && @drilldown.columns.empty?
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/models/drilldown.rb b/server/sonar-web/src/main/webapp/WEB-INF/app/models/drilldown.rb
index 7edd5070449..012d8eacceb 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/models/drilldown.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/models/drilldown.rb
@@ -19,10 +19,11 @@
#
class Drilldown
- attr_reader :resource, :metric, :selected_resource_ids
+ attr_reader :resource, :metric, :selected_resource_ids, :controller
attr_reader :snapshot, :columns, :highlighted_resource, :highlighted_snapshot
- def initialize(resource, metric, selected_resource_ids, options={})
+ def initialize(resource, metric, selected_resource_ids, controller, options={})
+ @controller=controller
@resource=resource
@selected_resource_ids=selected_resource_ids||[]
@metric=metric
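Review bot: The new `controller` parameter on line 48 is undocumented, and nothing in this class says what the stored object must provide or why a model holds a controller at all. A comment above `initialize` such as `# controller: the calling ApplicationController; DrilldownColumn uses its select_authorized(:user, ids) to hide projects the current user may not see` would make the dependency explicit to the next reader. `initialize` continues past the end of the hunk.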
@@ -140,7 +141,14 @@ class DrilldownColumn
@resource_per_sid={}
sids=@measures.map { |m| m.snapshot_id }.compact.uniq
unless sids.empty?
- Snapshot.all(:include => :project, :conditions => {'snapshots.id' => sids}).each do |snapshot|
+ snapshots = Snapshot.all(:include => :project, :conditions => {'snapshots.id' => sids})
+
+ # User should only see projects he's authorized to see.
+ authorized_project_ids = snapshots.map{|s| s.project.copy_resource_id || s.resource_id_for_authorization}.compact
+ authorized_project_ids = @drilldown.controller.select_authorized(:user, authorized_project_ids) unless authorized_project_ids.empty?
+ authorized_snapshots = snapshots.select{|s| authorized_project_ids.include?(s.project.copy_resource_id || s.resource_id_for_authorization)}
+
+ authorized_snapshots.each do |snapshot|
@resource_per_sid[snapshot.id]=snapshot.project
if @drilldown.selected_resource_ids.include?(snapshot.project_id)
@selected_snapshot=snapshot
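Review bot: The filter on lines 61-63 removes unauthorized snapshots from `@resource_per_sid` only; `@measures` (line 55) still holds the measures of those snapshots, so their values remain reachable through the `measures` reader and every consumer has to know that `resource(measure)` returning nil means "not authorized" and skip the row itself. Dropping those measures here, after the `each` loop, `@measures = @measures.select { |m| @resource_per_sid.key?(m.snapshot_id) }`, keeps the authorization decision in one place — unless measures without a snapshot id are meant to stay, in which case keep `m.snapshot_id.nil? ||` in the condition. The `unless authorized_project_ids.empty?` guard on line 62 fails closed (an empty list selects no snapshot), which is the right default; if `select_authorized` can ever return nil, `include?` on line 63 would raise rather than leak, so a `|| []` there would be a cheap safeguard. The enclosing method of DrilldownColumn starts and ends outside the hunk.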
@@ -149,6 +157,7 @@ class DrilldownColumn
end
end
+ # The resource can be null if it's linked to a copy (on a View or a Developer)
def resource(measure)
@resource_per_sid[measure.snapshot_id]
end
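Review bot: The comment added on line 72 gives one reason for a nil return but not the one this commit introduces: after the filtering in the constructor, `resource` also returns nil for every measure whose project the current user is not authorized to see, which is exactly the case the views now test with `if resource`. Suggest `# Returns nil when the snapshot was not loaded for this user: the project is not authorized (see select_authorized in the constructor) or, as before, the measure belongs to a copy on a View or Developer.` so the nil contract is stated where callers rely on it. That the copy case still yields nil after this change is taken from the original comment and not visible in the hunk.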
@@ -164,4 +173,4 @@ class DrilldownColumn
def switch?
selected_snapshot && selected_snapshot.resource && selected_snapshot.resource.copy_resource
end
-end \ No newline at end of file
+end
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb
index 7c588467e66..03f26531bd7 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/issues.html.erb
@@ -139,12 +139,13 @@
<%
column.measures.each_with_index do |measure, row_index|
resource=column.resource(measure)
- clazz = cycle('even', 'odd', :name => "col_#{index}")
- selected = column.selected_snapshot && column.selected_snapshot.project_id==resource.id
- if selected
- clazz += ' selected'
- paths << [h(resource.name), @selected_rids-[resource.id]]
- end
+ if resource
+ clazz = cycle('even', 'odd', :name => "col_#{index}")
+ selected = column.selected_snapshot && column.selected_snapshot.project_id==resource.id
+ if selected
+ clazz += ' selected'
+ paths << [h(resource.name), @selected_rids-[resource.id]]
+ end
%>
<tr class="<%= clazz -%>" id="row_<%= index -%>_<%= row_index -%>">
<td nowrap>
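Review bot: The authorization outcome is re-derived in the view: `if resource` on line 96 relies on `column.resource(measure)` returning nil for filtered snapshots, `row_index` on line 104 keeps counting the skipped measures so the `row_<index>_<row_index>` ids get gaps, and `clazz`/`selected` are now only assigned inside the branch. The same guard is added to measures.html.erb in its first hunk. If DrilldownColumn exposed only the measures it can resolve, the original loop could stay unchanged; failing that, filtering at the loop head, `column.measures.select { |m| column.resource(m) }.each_with_index do |measure, row_index|`, keeps the guard in one place and the indexes contiguous. The loop's closing `end` is in the following hunk.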
@@ -169,7 +170,8 @@
<%= @period ? format_variation(measure, :period => @period, :style => 'light') : measure.formatted_value -%>
</td>
</tr>
- <% end %>
+ <% end
+ end %>
</table>
</div>
</td>
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
index 453e9e8ba65..142eb95bb77 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
@@ -68,9 +68,10 @@
<table class="spaced">
<% column.measures.each_with_index do |measure, row_index|
resource=column.resource(measure)
- selected = column.selected_snapshot && column.selected_snapshot.project_id==resource.id
- clazz = cycle("even", "odd", :name => "col_#{index}")
- clazz = clazz + ' selected' if selected
+ if resource
+ selected = column.selected_snapshot && column.selected_snapshot.project_id==resource.id
+ clazz = cycle("even", "odd", :name => "col_#{index}")
+ clazz = clazz + ' selected' if selected
%>
<tr class="<%= clazz -%>" id="row_<%= index -%>_<%= row_index -%>">
<td nowrap>
@@ -94,7 +95,8 @@
<%= format_measure(measure, :skip_span_id => true, :period => @period) -%>
</td>
</tr>
- <% end %>
+ <% end
+ end %>
</table>
</div>
</td>