author | Teryk Bellahsene <teryk.bellahsene@sonarsource.com> | 2015-07-31 11:15:27 +0200 |
---|---|---|
committer | Teryk Bellahsene <teryk.bellahsene@sonarsource.com> | 2015-07-31 11:57:49 +0200 |
commit | c003fa9f7648ee31a963171683c29f6d6313c646 (patch) | |
tree | af95338438507682ff27c2aae6732a16c8a7999a /server | |
parent | 2aa70d1ad9253ac31901e776644b6213489e7f15 (diff) | |
SONAR-6481 SONAR-6484 SONAR-4475 do not remove the last admin user or group permission
Diffstat (limited to 'server')
6 files changed, 24 insertions, 8 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java
index 001a00d7507..2389efba4ec 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/permission/PermissionService.java
@@ -63,7 +63,7 @@ public class PermissionService {
 private final ComponentFinder componentFinder;
 public PermissionService(DbClient dbClient, PermissionRepository permissionRepository, PermissionFinder finder,
- IssueAuthorizationIndexer issueAuthorizationIndexer, UserSession userSession, ComponentFinder componentFinder) {
+ IssueAuthorizationIndexer issueAuthorizationIndexer, UserSession userSession, ComponentFinder componentFinder) {
 this.dbClient = dbClient;
 this.permissionRepository = permissionRepository;
 this.finder = finder;
@@ -206,6 +206,7 @@ public class PermissionService {
 if (Operation.ADD == operation) {
 permissionRepository.insertGroupPermission(componentId, targetedGroup, permissionChange.permission(), session);
 } else {
+ checkAdminUsersExistOutsideTheRemovedGroup(session, permissionChange, targetedGroup);
 permissionRepository.deleteGroupPermission(componentId, targetedGroup, permissionChange.permission(), session);
 }
 return true;
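Review bot: The new guard in the `else` branch of the `@@ -206` hunk is called without `componentId`, although the `deleteGroupPermission` call right after it is scoped by `componentId`, so the last-admin check runs for component-level removals as well as global ones. The helper only compares the permission key with `GlobalPermissions.SYSTEM_ADMIN`; if a component-level permission can carry the same key (the tests on this page use a resource-scoped `UserRole.ADMIN`, whose key is not visible here), a project-level removal would be refused on the basis of a global count. I would restrict the guard to global changes, `if (componentId == null) { checkAdminUsersExistOutsideTheRemovedGroup(session, permissionChange, targetedGroup); }`, and do the same for the `checkOtherAdminUsersExist` call in the `@@ -224` hunk. The enclosing method starts and ends outside the hunk, so whether `componentId` is null for global changes should be confirmed there.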
@@ -224,12 +225,27 @@ public class PermissionService {
 if (Operation.ADD == operation) {
 permissionRepository.insertUserPermission(componentId, targetedUser, permissionChange.permission(), session);
 } else {
+ checkOtherAdminUsersExist(session, permissionChange);
 permissionRepository.deleteUserPermission(componentId, targetedUser, permissionChange.permission(), session);
 }
 return true;
 }
+ private void checkOtherAdminUsersExist(DbSession session, PermissionChange permissionChange) {
+ if (GlobalPermissions.SYSTEM_ADMIN.equals(permissionChange.permission())
+ && dbClient.roleDao().countUserPermissions(session, permissionChange.permission(), null) <= 1) {
+ throw new BadRequestException(String.format("Last user with '%s' permission. Permission cannot be removed.", GlobalPermissions.SYSTEM_ADMIN));
+ }
+ }
+
+ private void checkAdminUsersExistOutsideTheRemovedGroup(DbSession session, PermissionChange permissionChange, Long groupIdToExclude) {
+ if (GlobalPermissions.SYSTEM_ADMIN.equals(permissionChange.permission())
+ && dbClient.roleDao().countUserPermissions(session, permissionChange.permission(), groupIdToExclude) <= 0) {
+ throw new BadRequestException(String.format("Last group with '%s' permission. Permission cannot be removed.", GlobalPermissions.SYSTEM_ADMIN));
+ }
+ }
+
 private Long getTargetedUser(DbSession session, String userLogin) {
 UserDto user = dbClient.userDao().selectActiveUserByLogin(session, userLogin);
 badRequestIfNullResult(user, OBJECT_TYPE_USER, userLogin);
diff --git a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
index 87d4ff5f566..708fecc0c95 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/permission/ws/RemoveUserAction.java
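Review bot: In PermissionService.java, `checkOtherAdminUsersExist` counts and the caller then deletes as two separate steps, and nothing in the `@@ -224` hunk serialises them against a concurrent removal, so two requests that each read a count of 2 could both pass and leave no user with the permission; whether the `DbSession` transaction settings rule that out is not visible here. The same applies to `checkAdminUsersExistOutsideTheRemovedGroup` and its call in the `@@ -206` hunk. The `<= 1` test also does not establish that the targeted user is among those counted, so a removal that would not lower the count is rejected when only one holder remains. I would document both limits on the helper, e.g. `// Check-then-delete is not atomic: concurrent removals are not serialised here.`, and add a test that removes the permission from a user who does not hold it. The method containing the call begins outside the hunk.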
@@ -24,8 +24,8 @@ import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.Response;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.core.permission.GlobalPermissions;
-import org.sonar.server.permission.PermissionService;
 import org.sonar.server.permission.PermissionChange;
+import org.sonar.server.permission.PermissionService;
 public class RemoveUserAction implements PermissionsWsAction {
@@ -42,7 +42,7 @@ public class RemoveUserAction implements PermissionsWsAction {
 @Override
 public void define(WebService.NewController context) {
 WebService.NewAction action = context.createAction(ACTION)
- .setDescription("Remove permission to a user.<br /> Requires 'Administer System' permission.")
+ .setDescription("Remove permission from a user.<br /> Requires 'Administer System' permission.")
 .setSince("5.2")
 .setPost(true)
 .setHandler(this);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java b/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java
index 6e730589b4d..780421e168b 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/computation/step/ApplyPermissionsStepTest.java
@@ -134,7 +134,7 @@ public class ApplyPermissionsStepTest extends BaseStepTest {
 ComponentDto projectDto = ComponentTesting.newProjectDto(PROJECT_UUID).setKey(PROJECT_KEY).setAuthorizationUpdatedAt(authorizationUpdatedAt);
 dbClient.componentDao().insert(dbSession, projectDto);
 // Permissions are already set on the project
- dbClient.roleDao().insertGroupRole(new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(projectDto.getId()), dbSession);
+ dbClient.roleDao().insertGroupRole(dbSession, new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(projectDto.getId()));
 dbSession.commit();
diff --git a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java
index a254c97e6a7..c0cddb928cd 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/qualityprofile/ws/ProjectsActionTest.java
@@ -117,7 +117,7 @@ public class ProjectsActionTest {
 dbClient.componentDao().insert(session, project1, project2);
 // user only sees project1
- roleDao.insertUserRole(new UserRoleDto().setUserId(userId).setResourceId(project1.getId()).setRole(UserRole.USER), session);
+ roleDao.insertUserRole(session, new UserRoleDto().setUserId(userId).setResourceId(project1.getId()).setRole(UserRole.USER));
 associateProjectsWithProfile(session, xooP1, project1, project2);
@@ -231,7 +231,7 @@ public class ProjectsActionTest {
 private void addBrowsePermissionToAnyone(DbSession session, ComponentDto... projects) {
 for (ComponentDto project : projects) {
- roleDao.insertGroupRole(new GroupRoleDto().setGroupId(null).setResourceId(project.getId()).setRole(UserRole.USER), session);
+ roleDao.insertGroupRole(session, new GroupRoleDto().setGroupId(null).setResourceId(project.getId()).setRole(UserRole.USER));
 }
 }
diff --git a/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java
index 68365e85afb..5465772752e 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/usergroups/ws/DeleteActionTest.java
@@ -125,7 +125,7 @@ public class DeleteActionTest {
 @Test
 public void delete_with_permissions() throws Exception {
 GroupDto group = groupDao.insert(session, new GroupDto().setName("to-delete"));
- roleDao.insertGroupRole(new GroupRoleDto().setGroupId(group.getId()).setResourceId(42L).setRole(UserRole.ADMIN), session);
+ roleDao.insertGroupRole(session, new GroupRoleDto().setGroupId(group.getId()).setResourceId(42L).setRole(UserRole.ADMIN));
 session.commit();
 loginAsAdmin();
diff --git a/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java b/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
index c989b76e8c8..75e86390690 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/view/index/ViewIndexerTest.java
@@ -213,7 +213,7 @@ public class ViewIndexerTest {
 ComponentDto project = ComponentTesting.newProjectDto();
 ComponentDto file = ComponentTesting.newFileDto(project);
 dbClient.componentDao().insert(dbSession, project, file);
- dbClient.roleDao().insertGroupRole(new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(project.getId()), dbSession);
+ dbClient.roleDao().insertGroupRole(dbSession, new GroupRoleDto().setRole(UserRole.USER).setGroupId(null).setResourceId(project.getId()));
 IssueDto issue = IssueTesting.newDto(rule, file, project);
 dbClient.issueDao().insert(dbSession, issue); |