author | Eric Hartmann <hartmann.eric@gmail.com> | 2018-02-22 11:36:20 +0100 |
---|---|---|
committer | Eric Hartmann <hartmann.eric@gmail.Com> | 2018-02-22 16:06:22 +0100 |
commit | 1cbe9227baf6241fd77d818d658dd6d17fa2ae7d (patch) | |
tree | e6999113588c02ac6b0ea6f6e151ea8b8543b188 /server | |
parent | 7ca304b0fdd0f0172eb85f1a911405c7709eb02f (diff) | |
SONAR-10323 Fix WS not checking SCAN global permission
Diffstat (limited to 'server')
-rw-r--r-- | server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java | 4 | ||||
-rw-r--r-- | server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java | 5 |
2 files changed, 7 insertions, 2 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
index 53a3199b341..cc1023cbfc7 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/projectbranch/ws/ListAction.java
@@ -39,6 +39,7 @@ import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.SnapshotDto;
 import org.sonar.db.measure.MeasureDto;
 import org.sonar.db.metric.MetricDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.issue.index.BranchStatistics;
 import org.sonar.server.issue.index.IssueIndex;
@@ -164,7 +165,8 @@ public class ListAction implements BranchWsAction {
 private void checkPermission(ComponentDto component) {
 if (!userSession.hasComponentPermission(UserRole.USER, component) &&
- !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+ !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+ !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
 throw insufficientPrivilegesException();
 }
 }
diff --git a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
index 2225743c0a4..863ddd27410 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/ValuesAction.java
@@ -38,6 +38,7 @@ import org.sonar.api.server.ws.WebService;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.component.ComponentDto;
+import org.sonar.db.permission.OrganizationPermission;
 import org.sonar.server.component.ComponentFinder;
 import org.sonar.server.user.UserSession;
 import org.sonarqube.ws.Settings;
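Review bot: The organization-level clause added to `checkPermission` in ListAction.java comes without a regression test: the diffstat (limited to 'server') lists only the two main sources, so no unit test under server/ pins that a caller holding only `OrganizationPermission.SCAN` is accepted while a caller holding none of the three permissions still hits `insufficientPrivilegesException()`. The identical condition added in ValuesAction.java is in the same position. Both files now carry the same three-clause check by copy, which is presumably how the organization-level case was missed; a single shared predicate used by both actions would keep the next endpoint from drifting. Above the condition I would add `// SONAR-10323: a caller with the organization-level SCAN permission is accepted as well`.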
@@ -152,7 +153,9 @@ public class ValuesAction implements SettingsWsAction {
 return Optional.empty();
 }
 ComponentDto component = componentFinder.getByKeyAndOptionalBranch(dbSession, componentKey, valuesRequest.getBranch());
- if (!userSession.hasComponentPermission(USER, component) && !userSession.hasComponentPermission(SCAN_EXECUTION, component)) {
+ if (!userSession.hasComponentPermission(USER, component) &&
+ !userSession.hasComponentPermission(SCAN_EXECUTION, component) &&
+ !userSession.hasPermission(OrganizationPermission.SCAN, component.getOrganizationUuid())) {
 throw insufficientPrivilegesException();
 }
 return Optional.of(component);
|
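Review bot: This condition now admits a holder of the organization-level `OrganizationPermission.SCAN` for any component of that organization, but whatever decides which individual setting values are returned lies outside the hunk. If that later filtering still tests only the component-level `SCAN_EXECUTION` permission, such a caller passes this gate and then sees a different set of values than a project-level scanner, so both places should apply one rule. I would record that above the `if` with `// keep in sync with the per-setting visibility check: organization-level SCAN counts as scan permission`. Separately, `componentFinder.getByKeyAndOptionalBranch(...)` runs before the check, so an unknown key and a forbidden one may produce different errors for an unauthorized caller, depending on how the finder fails. The enclosing method starts and ends outside the hunk.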