SONAR-10945 Prevent access qgates and rules to none members of paid organization

* Add membership check for paid organization in api/qualitygates ws
* Add membership check for paid organization in api/rules ws
* Move membership check in UserSession
* Use UserSession#checkMemebership in QGates and Rules ws

3 files changed, 33 insertions, 0 deletions

diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/user/BaseUserSession.java b/server/sonar-server-common/src/main/java/org/sonar/server/user/BaseUserSession.java
index 913f285ded4..51c591cd62f 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/user/BaseUserSession.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/user/BaseUserSession.java
@@ -69,6 +69,13 @@ public abstract class BaseUserSession implements UserSession {
   protected abstract boolean hasProjectUuidPermission(String permission, String projectUuid);
 
   @Override
+  public final boolean hasMembership(OrganizationDto organization) {
+    return isRoot() || hasMembershipImpl(organization);
+  }
+
+  protected abstract boolean hasMembershipImpl(OrganizationDto organization);
+
+  @Override
   public final List<ComponentDto> keepAuthorizedComponents(String permission, Collection<ComponentDto> components) {
     if (isRoot()) {
       return new ArrayList<>(components);
diff --git a/server/sonar-server-common/src/main/java/org/sonar/server/user/UserSession.java b/server/sonar-server-common/src/main/java/org/sonar/server/user/UserSession.java
index 4eca7b6b46c..645254afcf3 100644
--- a/server/sonar-server-common/src/main/java/org/sonar/server/user/UserSession.java
+++ b/server/sonar-server-common/src/main/java/org/sonar/server/user/UserSession.java
@@ -173,4 +173,20 @@ public interface UserSession {
    */
   UserSession checkIsSystemAdministrator();
 
+  /**
+   * Returns {@code true} if the user is member of the organization, otherwise {@code false}.
+   *
+   * If the organization does not exist, then returns {@code false}.
+   *
+   * Always returns {@code true} if {@link #isRoot()} is {@code true}, even if
+   * organization does not exist.
+   */
+  boolean hasMembership(OrganizationDto organization);
+
+  /**
+   * Ensures that {@link #hasMembership(OrganizationDto)} is {@code true},
+   * otherwise throws a {@link org.sonar.server.exceptions.ForbiddenException}.
+   */
+  UserSession checkMembership(OrganizationDto organization);
+
 }
diff --git a/server/sonar-server-common/src/test/java/org/sonar/server/user/LightUserSessionRule.java b/server/sonar-server-common/src/test/java/org/sonar/server/user/LightUserSessionRule.java
index 0c39a08164e..640dcb9aa91 100644
--- a/server/sonar-server-common/src/test/java/org/sonar/server/user/LightUserSessionRule.java
+++ b/server/sonar-server-common/src/test/java/org/sonar/server/user/LightUserSessionRule.java
@@ -146,6 +146,11 @@ public class LightUserSessionRule extends BaseUserSession implements TestRule {
   }
 
   @Override
+  protected boolean hasMembershipImpl(OrganizationDto organization) {
+    throw new UnsupportedOperationException("hasMembershipImpl not implemented");
+  }
+
+  @Override
   protected Optional<String> componentUuidToProjectUuid(String componentUuid) {
     return Optional.ofNullable(projectUuidByComponentUuid.get(componentUuid));
   }
@@ -233,4 +238,9 @@ public class LightUserSessionRule extends BaseUserSession implements TestRule {
   public UserSession checkIsSystemAdministrator() {
     throw new UnsupportedOperationException("checkIsSystemAdministrator not implemented");
   }
+
+  @Override
+  public UserSession checkMembership(OrganizationDto organization) {
+    throw new UnsupportedOperationException("checkMembership not implemented");
+  }
 }