authorZipeng WU <zipeng.wu@sonarsource.com>2021-06-23 10:55:33 +0200
committersonartech <sonartech@sonarsource.com>2021-06-23 20:03:04 +0000
commit6a472ec075f9cf5d0ae58e8ebb0dfe48b7f74f2a (patch)
tree524ba9e637a6ea7f4872a3e8ad27712c73a19ec9 /server
parentdcbb4b724fbc8cba4f912fd483faedb3ee98f046 (diff)
SONAR-11586 Do not let admin remove their own admin right
Diffstat (limited to 'server')
-rw-r--r--server/sonar-webserver-webapi/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java10
-rw-r--r--server/sonar-webserver-webapi/src/test/java/org/sonar/server/permission/ws/RemoveUserActionTest.java35
2 files changed, 43 insertions, 2 deletions
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
index 1dde54a3b10..dfaf0682fef 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
@@ -26,6 +26,7 @@ import org.sonar.api.server.ws.WebService;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.component.ComponentDto;
+import org.sonar.server.exceptions.BadRequestException;
import org.sonar.server.permission.PermissionChange;
import org.sonar.server.permission.PermissionService;
import org.sonar.server.permission.PermissionUpdater;
@@ -34,6 +35,7 @@ import org.sonar.server.permission.UserPermissionChange;
import org.sonar.server.user.UserSession;
import static java.util.Collections.singletonList;
+import static org.sonar.db.permission.GlobalPermission.ADMINISTER;
import static org.sonar.server.permission.ws.WsParameters.createProjectParameters;
import static org.sonar.server.permission.ws.WsParameters.createUserLoginParameter;
import static org.sonarqube.ws.client.permission.PermissionsWsParameters.PARAM_PERMISSION;
@@ -51,7 +53,7 @@ public class RemoveUserAction implements PermissionsWsAction {
private final PermissionService permissionService;
public RemoveUserAction(DbClient dbClient, UserSession userSession, PermissionUpdater permissionUpdater, PermissionWsSupport wsSupport,
- WsParameters wsParameters, PermissionService permissionService) {
+ WsParameters wsParameters, PermissionService permissionService) {
this.dbClient = dbClient;
this.userSession = userSession;
this.permissionUpdater = permissionUpdater;
@@ -83,11 +85,15 @@ public class RemoveUserAction implements PermissionsWsAction {
public void handle(Request request, Response response) throws Exception {
try (DbSession dbSession = dbClient.openSession(false)) {
UserId user = wsSupport.findUser(dbSession, request.mandatoryParam(PARAM_USER_LOGIN));
+ String permission = request.mandatoryParam(PARAM_PERMISSION);
+ if (ADMINISTER.getKey().equals(permission) && user.getLogin().equals(userSession.getLogin())) {
+ throw BadRequestException.create("As an admin, you can't remove your own admin right");
+ }
Optional<ComponentDto> project = wsSupport.findProject(dbSession, request);
wsSupport.checkPermissionManagementAccess(userSession, project.orElse(null));
PermissionChange change = new UserPermissionChange(
PermissionChange.Operation.REMOVE,
- request.mandatoryParam(PARAM_PERMISSION),
+ permission,
project.orElse(null),
user, permissionService);
permissionUpdater.apply(dbSession, singletonList(change));
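Review bot: The new self-removal guard (the added `if` on `ADMINISTER.getKey()`) runs before `wsSupport.checkPermissionManagementAccess(userSession, project.orElse(null))`, so an authenticated caller who is not entitled to manage permissions on the target and names their own login gets the 400 business error instead of the authorization failure; authorization should be decided first, and the business rule applied only to callers allowed to make the change. Move the three added lines of the guard directly below the `checkPermissionManagementAccess` call, keeping `String permission = request.mandatoryParam(PARAM_PERMISSION);` where it is since the `UserPermissionChange` reuses it. Note also that the guard keys on the permission string alone, regardless of whether `project` is present, so it appears to block a global administrator from dropping their own project-level `admin` role as well (the test `project_admin_can_not_remove_his_project_admin_right` pins this); if that is intended, it deserves a sentence in the action's WS description, which lies outside this hunk. `handle` continues past the end of the hunk.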
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/permission/ws/RemoveUserActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/permission/ws/RemoveUserActionTest.java
index 7753cf6233b..a2d3871eb67 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/permission/ws/RemoveUserActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/permission/ws/RemoveUserActionTest.java
@@ -33,9 +33,11 @@ import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.exceptions.ServerException;
import org.sonar.server.permission.PermissionService;
import org.sonar.server.permission.PermissionServiceImpl;
+import org.sonar.server.ws.TestRequest;
import static java.lang.String.format;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.sonar.api.web.UserRole.ADMIN;
import static org.sonar.api.web.UserRole.CODEVIEWER;
import static org.sonar.api.web.UserRole.ISSUE_ADMIN;
@@ -91,6 +93,39 @@ public class RemoveUserActionTest extends BasePermissionWsTest<RemoveUserAction>
}
@Test
+ public void admin_can_not_remove_his_global_admin_right() {
+ db.users().insertPermissionOnUser(user, ADMINISTER);
+ loginAsAdmin();
+ UserDto admin = db.users().insertUser(userSession.getLogin());
+ db.users().insertPermissionOnUser(admin, ADMINISTER);
+
+ TestRequest request = newRequest()
+ .setParam(PARAM_USER_LOGIN, userSession.getLogin())
+ .setParam(PARAM_PERMISSION, ADMINISTER.getKey());
+
+ assertThatThrownBy(() -> request.execute())
+ .isInstanceOf(BadRequestException.class)
+ .hasMessage("As an admin, you can't remove your own admin right");
+ }
+
+ @Test
+ public void project_admin_can_not_remove_his_project_admin_right() {
+ loginAsAdmin();
+ UserDto admin = db.users().insertUser(userSession.getLogin());
+ ComponentDto project = db.components().insertPrivateProject();
+ db.users().insertProjectPermissionOnUser(admin, ADMINISTER.getKey(), project);
+
+ TestRequest request = newRequest()
+ .setParam(PARAM_USER_LOGIN, userSession.getLogin())
+ .setParam(PARAM_PROJECT_ID, project.uuid())
+ .setParam(PARAM_PERMISSION, ADMINISTER.getKey());
+
+ assertThatThrownBy(() -> request.execute())
+ .isInstanceOf(BadRequestException.class)
+ .hasMessage("As an admin, you can't remove your own admin right");
+ }
+
+ @Test
public void fail_to_remove_admin_permission_if_last_admin() {
db.users().insertPermissionOnUser(user, ADMINISTER);
loginAsAdmin();
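Review bot: Both new tests assert only the exception type and message; neither verifies that the admin permission actually survives the rejected request, so a later reordering in `handle` that applied the change before throwing would still pass. After each `assertThatThrownBy(...)`, add an assertion through the `db.users()` helpers that `admin` still holds `ADMINISTER` (globally in the first test, on `project` in the second). The name `project_admin_can_not_remove_his_project_admin_right` is also misleading: the session comes from `loginAsAdmin()`, a global administrator, not a project-only admin, so something like `global_admin_can_not_remove_his_own_project_admin_right` would describe what is exercised. The literal message `"As an admin, you can't remove your own admin right"` is now duplicated in two tests and would be easier to keep in sync as a private constant. The enclosing test `fail_to_remove_admin_permission_if_last_admin` continues past the end of the hunk.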