author | Teryk Bellahsene <teryk.bellahsene@sonarsource.com> | 2015-06-25 12:27:19 +0200 |
---|---|---|
committer | Teryk Bellahsene <teryk.bellahsene@sonarsource.com> | 2015-06-25 12:27:19 +0200 |
commit | 9c9d68f82fee5d020e4f9e990c8995bb1808e8ab (patch) | |
tree | fe69f254ea7fbebc2342bcd1ba0844a70022e84b /server/sonar-server | |
parent | 8f7068c61bbeab118d2b5f197963371ca3a92a2b (diff) | |
SONAR-6611 ws custom_measures/update check permissions before fetching logged user
Diffstat (limited to 'server/sonar-server')
2 files changed, 27 insertions, 1 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java b/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
index c11392989ab..a5edb38b2f0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
@@ -97,9 +97,9 @@ public class UpdateAction implements CustomMeasuresWsAction {
 CustomMeasureDto customMeasure = dbClient.customMeasureDao().selectById(dbSession, id);
 MetricDto metric = dbClient.metricDao().selectById(dbSession, customMeasure.getMetricId());
 ComponentDto component = dbClient.componentDao().selectByUuid(dbSession, customMeasure.getComponentUuid());
+ checkPermissions(component);
 User user = userIndex.getByLogin(userSession.getLogin());
- checkPermissions(component);
 setValue(customMeasure, value, metric);
 setDescription(customMeasure, description);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java
index 188dd68ea11..57031a6fa0d 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java
@@ -44,6 +44,7 @@ import org.sonar.server.es.EsTester;
 import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.exceptions.ServerException;
+import org.sonar.server.exceptions.UnauthorizedException;
 import org.sonar.server.measure.custom.persistence.CustomMeasureDao;
 import org.sonar.server.metric.persistence.MetricDao;
 import org.sonar.server.metric.ws.MetricTesting;
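Review bot: In UpdateAction.java the permission check still runs only after three database reads keyed by the request's `id`, so a caller who is anonymous or lacks rights may be able to tell an existing custom measure from a missing one by which exception comes back (inferred: the not-found behaviour of `selectById` and the body of `checkPermissions` are outside the hunk). The component is needed for a project-level check, so the lookups cannot all move, but a data-free authentication check such as `userSession.checkLoggedIn();` could sit before the first `selectById`. Nothing in the code says why the two reordered lines must stay in this order; a comment like `// must precede userIndex.getByLogin: an anonymous session has no login` would keep a later refactor from swapping them back. The enclosing method starts and ends outside the hunk.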
@@ -280,6 +281,31 @@ public class UpdateActionTest {
 }
 @Test
+ public void fail_if_not_logged_in() throws Exception {
+ userSessionRule.anonymous();
+ expectedException.expect(UnauthorizedException.class);
+ MetricDto metric = MetricTesting.newMetricDto().setEnabled(true).setValueType(ValueType.STRING.name());
+ dbClient.metricDao().insert(dbSession, metric);
+ ComponentDto component = ComponentTesting.newProjectDto("project-uuid");
+ dbClient.componentDao().insert(dbSession, component);
+ CustomMeasureDto customMeasure = newCustomMeasureDto()
+ .setMetricId(metric.getId())
+ .setComponentId(component.getId())
+ .setComponentUuid(component.uuid())
+ .setCreatedAt(system.now())
+ .setDescription("custom-measure-description")
+ .setTextValue("text-measure-value");
+ dbClient.customMeasureDao().insert(dbSession, customMeasure);
+ dbSession.commit();
+
+ ws.newPostRequest(CustomMeasuresWs.ENDPOINT, UpdateAction.ACTION)
+ .setParam(PARAM_ID, String.valueOf(customMeasure.getId()))
+ .setParam(PARAM_DESCRIPTION, "new-custom-measure-description")
+ .setParam(PARAM_VALUE, "1984")
+ .execute();
+ }
+
+ @Test
 public void fail_if_custom_measure_id_is_missing_in_request() throws Exception {
 expectedException.expect(IllegalArgumentException.class); |
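Review bot: `fail_if_not_logged_in` arms `expectedException.expect(UnauthorizedException.class);` before the fixture inserts, so an `UnauthorizedException` thrown by any setup call would also make the test pass. Moving that line to just above `ws.newPostRequest(...)` ties the expectation to the request itself. The test also pins only the exception type: it does not show that the stored description and value are untouched after the rejected call. A short comment on the test, e.g. `// anonymous caller must be rejected before the user lookup (SONAR-6611)`, would record which ordering it guards.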