author | Julien Lancelot <julien.lancelot@sonarsource.com> | 2016-07-18 15:11:53 +0200 |
---|---|---|
committer | Julien Lancelot <julien.lancelot@sonarsource.com> | 2016-07-18 15:59:50 +0200 |
commit | c6ef2669cbcbb427e7d9582c2d3b6da70a7d0bf2 (patch) | |
tree | 174b1a34ae46eeddea98fbdb8086f247021fb16b /server | |
parent | dcc60abb6d19caa988c768c736cf8ad0134a92df (diff) | |
SONAR-7874 api/users/search is only returning login and name when accessed anonymously
Diffstat (limited to 'server')
3 files changed, 54 insertions, 31 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java b/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java
index 4aae003f5ef..33f8535a7e3 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java
@@ -58,7 +58,9 @@ public class SearchAction implements UsersWsAction {
 @Override
 public void define(WebService.NewController controller) {
 WebService.NewAction action = controller.createAction("search")
- .setDescription("Get a list of active users. Administer System permission is required to show the 'groups' field.")
+ .setDescription("Get a list of active users. <br/>" +
+ "Administer System permission is required to show the 'groups' field.<br/>" +
+ "When accessed anonymously, only logins and names are returned.")
 .setSince("3.6")
 .setHandler(this)
 .setResponseExample(getClass().getResource("search-example.json"));
diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ws/UserJsonWriter.java b/server/sonar-server/src/main/java/org/sonar/server/user/ws/UserJsonWriter.java
index f77a2fb985f..990d4db28ff 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/user/ws/UserJsonWriter.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/user/ws/UserJsonWriter.java
@@ -69,14 +69,16 @@ public class UserJsonWriter {
 json.beginObject();
 json.prop(FIELD_LOGIN, user.getLogin());
 writeIfNeeded(json, user.getName(), FIELD_NAME, fields);
- writeIfNeeded(json, user.getEmail(), FIELD_EMAIL, fields);
- writeIfNeeded(json, user.isActive(), FIELD_ACTIVE, fields);
- writeIfNeeded(json, user.isLocal(), FIELD_LOCAL, fields);
- writeIfNeeded(json, user.getExternalIdentity(), FIELD_EXTERNAL_IDENTITY, fields);
- writeIfNeeded(json, user.getExternalIdentityProvider(), FIELD_EXTERNAL_PROVIDER, fields);
- writeGroupsIfNeeded(json, groups, fields);
- writeScmAccountsIfNeeded(json, fields, user);
- writeTokensCount(json, tokensCount);
+ if (userSession.isLoggedIn()) {
+ writeIfNeeded(json, user.getEmail(), FIELD_EMAIL, fields);
+ writeIfNeeded(json, user.isActive(), FIELD_ACTIVE, fields);
+ writeIfNeeded(json, user.isLocal(), FIELD_LOCAL, fields);
+ writeIfNeeded(json, user.getExternalIdentity(), FIELD_EXTERNAL_IDENTITY, fields);
+ writeIfNeeded(json, user.getExternalIdentityProvider(), FIELD_EXTERNAL_PROVIDER, fields);
+ writeGroupsIfNeeded(json, groups, fields);
+ writeScmAccountsIfNeeded(json, fields, user);
+ writeTokensCount(json, tokensCount);
+ }
 json.endObject();
 }
diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java
index ee48a84a72e..81a2fd5c22e 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java
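Review bot: The `if (userSession.isLoggedIn())` gate is added to the shared writer with no comment explaining it, and it silently drops these properties even when the caller requested them through `fields`, so a reader of this method cannot tell whether a missing email is a projection choice or an authorization rule. A why-comment on that line would make the intent durable, e.g. `// Anonymous callers get only login and name: email, active/local flags, external identity, groups, SCM accounts and token count are not public (SONAR-7874)`. If `UserJsonWriter` is also used by actions other than api/users/search, they inherit this reduced projection too, which is worth stating in the class Javadoc since the commit message scopes the change to one endpoint. The method whose body this hunk shows starts above the hunk.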
@@ -37,11 +37,13 @@ import org.sonar.db.user.GroupDto;
 import org.sonar.db.user.UserDbTester;
 import org.sonar.db.user.UserDto;
 import org.sonar.db.user.UserGroupDto;
+import org.sonar.db.user.UserTesting;
 import org.sonar.server.es.EsTester;
 import org.sonar.server.tester.UserSessionRule;
 import org.sonar.server.user.index.UserDoc;
 import org.sonar.server.user.index.UserIndex;
 import org.sonar.server.user.index.UserIndexDefinition;
+import org.sonar.server.user.index.UserIndexer;
 import org.sonar.server.ws.WsTester;
 import static com.google.common.collect.Lists.newArrayList;
@@ -57,23 +59,25 @@ public class SearchActionTest {
 @ClassRule
 public static final EsTester esTester = new EsTester().addDefinitions(new UserIndexDefinition(new Settings()));
+
 @Rule
 public UserSessionRule userSession = UserSessionRule.standalone();
+
 @Rule
 public DbTester db = DbTester.create(System2.INSTANCE);
+
 UserDbTester userDb = new UserDbTester(db);
 GroupDbTester groupDb = new GroupDbTester(db);
 DbClient dbClient = db.getDbClient();
- final DbSession dbSession = db.getSession();
+ DbSession dbSession = db.getSession();
- WsTester ws;
- UserIndex index;
+ UserIndex index = new UserIndex(esTester.client());
+ UserIndexer userIndexer = (UserIndexer) new UserIndexer(dbClient, esTester.client()).setEnabled(true);
+ WsTester ws = new WsTester(new UsersWs(new SearchAction(index, dbClient, new UserJsonWriter(userSession))));
 @Before
 public void setUp() {
 esTester.truncateIndices();
- index = new UserIndex(esTester.client());
- ws = new WsTester(new UsersWs(new SearchAction(index, dbClient, new UserJsonWriter(userSession))));
 }
 @Test
@@ -99,7 +103,7 @@ public class SearchActionTest {
 }
 dbClient.userTokenDao().insert(dbSession, newUserToken().setLogin(fmallet.getLogin()));
 db.commit();
- esTester.putDocuments(UserIndexDefinition.INDEX, UserIndexDefinition.TYPE_USER, toUserDoc(fmallet), toUserDoc(simon));
+ userIndexer.index();
 loginAsAdmin();
 String response = ws.newGetRequest("api/users", "search").execute().outputAsString();
@@ -109,11 +113,13 @@ public class SearchActionTest {
 @Test
 public void search_empty() throws Exception {
+ loginAsSimpleUser();
 ws.newGetRequest("api/users", "search").execute().assertJson(getClass(), "empty.json");
 }
 @Test
 public void search_without_parameters() throws Exception {
+ loginAsSimpleUser();
 injectUsers(5);
 ws.newGetRequest("api/users", "search").execute().assertJson(getClass(), "five_users.json");
@@ -121,6 +127,7 @@ public class SearchActionTest {
 @Test
 public void search_with_query() throws Exception {
+ loginAsSimpleUser();
 injectUsers(5);
 UserDto user = userDb.insertUser(
 newUserDto("user-%_%-login", "user-name", "user@mail.com")
@@ -140,6 +147,7 @@ public class SearchActionTest {
 @Test
 public void search_with_paging() throws Exception {
+ loginAsSimpleUser();
 injectUsers(10);
 ws.newGetRequest("api/users", "search").setParam(Param.PAGE_SIZE, "5").execute().assertJson(getClass(), "page_one.json");
@@ -148,6 +156,7 @@ public class SearchActionTest {
 @Test
 public void search_with_fields() throws Exception {
+ loginAsSimpleUser();
 injectUsers(1);
 assertThat(ws.newGetRequest("api/users", "search").execute().outputAsString())
@@ -197,6 +206,7 @@ public class SearchActionTest {
 @Test
 public void search_with_groups() throws Exception {
+ loginAsAdmin();
 List<UserDto> users = injectUsers(1);
 GroupDto group1 = dbClient.groupDao().insert(dbSession, new GroupDto().setName("sonar-users"));
@@ -205,14 +215,31 @@ public class SearchActionTest {
 dbClient.userGroupDao().insert(dbSession, new UserGroupDto().setGroupId(group2.getId()).setUserId(users.get(0).getId()));
 dbSession.commit();
- loginAsAdmin();
 ws.newGetRequest("api/users", "search").execute().assertJson(getClass(), "user_with_groups.json");
 }
+ @Test
+ public void only_return_login_and_name_when_not_logged() throws Exception {
+ userSession.anonymous();
+
+ dbClient.userDao().insert(dbSession, UserTesting.newUserDto("john", "John", "john@email.com"));
+ dbSession.commit();
+ userIndexer.index();
+
+ ws.newGetRequest("api/users", "search").execute().assertJson(
+ "{" +
+ " \"users\": [" +
+ " {" +
+ " \"login\": \"john\"," +
+ " \"name\": \"John\"" +
+ " }" +
+ " ]" +
+ "}");
+ }
+
 private List<UserDto> injectUsers(int numberOfUsers) throws Exception {
 List<UserDto> userDtos = Lists.newArrayList();
 long createdAt = System.currentTimeMillis();
- UserDoc[] users = new UserDoc[numberOfUsers];
 for (int index = 0; index < numberOfUsers; index++) {
 String email = String.format("user-%d@mail.com", index);
 String login = String.format("user-%d", index);
@@ -232,8 +259,6 @@ public class SearchActionTest {
 .setUpdatedAt(createdAt));
 userDtos.add(userDto);
- users[index] = toUserDoc(userDto);
-
 for (int tokenIndex = 0; tokenIndex < index; tokenIndex++) {
 dbClient.userTokenDao().insert(dbSession, newUserToken()
 .setLogin(login)
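Review bot: `only_return_login_and_name_when_not_logged` checks the anonymous response with `assertJson` against a document listing only login and name; if that comparison is the lenient kind that tolerates extra properties in the actual output, the test still passes when `email` is present and so does not pin the behaviour this commit introduces. Asserting on the raw output closes that gap, e.g. `String response = ws.newGetRequest("api/users", "search").execute().outputAsString();` followed by `assertThat(response).doesNotContain("john@email.com");` and `assertThat(response).doesNotContain("\"active\"");`. A one-line comment above the test naming the ticket, `// SONAR-7874: anonymous callers must not see email, identity, groups or token data`, would also tell the next maintainer why this projection exists.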
@@ -241,22 +266,16 @@ public class SearchActionTest {
 }
 }
 dbSession.commit();
- esTester.putDocuments(UserIndexDefinition.INDEX, UserIndexDefinition.TYPE_USER, users);
+ userIndexer.index();
 return userDtos;
 }
- private static UserDoc toUserDoc(UserDto dto) {
- return new UserDoc()
- .setActive(dto.isActive())
- .setCreatedAt(dto.getCreatedAt())
- .setEmail(dto.getEmail())
- .setLogin(dto.getLogin())
- .setName(dto.getName())
- .setScmAccounts(dto.getScmAccountsAsList())
- .setUpdatedAt(dto.getUpdatedAt());
- }
-
 private void loginAsAdmin() {
 userSession.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
 }
+
+ private void loginAsSimpleUser() {
+ userSession.login("user");
+ }
+
 }
|