SONAR-2447 Refactor permission check to work with resource key instead of ids

14 files changed, 132 insertions, 109 deletions

diff --git a/sonar-core/src/main/java/org/sonar/core/issue/workflow/IssueWorkflow.java b/sonar-core/src/main/java/org/sonar/core/issue/workflow/IssueWorkflow.java
index c532611afea..39105951297 100644
--- a/sonar-core/src/main/java/org/sonar/core/issue/workflow/IssueWorkflow.java
+++ b/sonar-core/src/main/java/org/sonar/core/issue/workflow/IssueWorkflow.java
@@ -27,6 +27,7 @@ import org.sonar.api.issue.Issue;
 import org.sonar.api.issue.condition.HasResolution;
 import org.sonar.api.issue.internal.DefaultIssue;
 import org.sonar.api.issue.internal.IssueChangeContext;
+import org.sonar.api.web.UserRole;
 import org.sonar.core.issue.IssueUpdater;
 
 import java.util.List;
@@ -83,23 +84,26 @@ public class IssueWorkflow implements BatchComponent, ServerComponent, Startable
         .functions(new SetResolution(null), new SetCloseDate(false))
         .build())
 
-        // resolve as false-positive
+      // resolve as false-positive
       .transition(Transition.builder(DefaultTransitions.FALSE_POSITIVE)
         .from(Issue.STATUS_OPEN).to(Issue.STATUS_RESOLVED)
         .functions(new SetResolution(Issue.RESOLUTION_FALSE_POSITIVE), SetAssignee.UNASSIGN)
+        .requiredProjectPermission(UserRole.ISSUE_ADMIN)
         .build())
       .transition(Transition.builder(DefaultTransitions.FALSE_POSITIVE)
         .from(Issue.STATUS_REOPENED).to(Issue.STATUS_RESOLVED)
         .functions(new SetResolution(Issue.RESOLUTION_FALSE_POSITIVE), SetAssignee.UNASSIGN)
+        .requiredProjectPermission(UserRole.ISSUE_ADMIN)
         .build())
       .transition(Transition.builder(DefaultTransitions.FALSE_POSITIVE)
         .from(Issue.STATUS_CONFIRMED).to(Issue.STATUS_RESOLVED)
         .functions(new SetResolution(Issue.RESOLUTION_FALSE_POSITIVE), SetAssignee.UNASSIGN)
+        .requiredProjectPermission(UserRole.ISSUE_ADMIN)
         .build())
 
-        // automatic transitions
+      // automatic transitions
 
-        // Close the "end of life" issues (disabled/deleted rule, deleted component)
+      // Close the "end of life" issues (disabled/deleted rule, deleted component)
       .transition(Transition.builder("automaticclose")
         .from(Issue.STATUS_OPEN).to(Issue.STATUS_CLOSED)
         .conditions(new IsEndOfLife(true))
diff --git a/sonar-core/src/main/java/org/sonar/core/issue/workflow/Transition.java b/sonar-core/src/main/java/org/sonar/core/issue/workflow/Transition.java
index de5565f3fc6..4ba2ad4c491 100644
--- a/sonar-core/src/main/java/org/sonar/core/issue/workflow/Transition.java
+++ b/sonar-core/src/main/java/org/sonar/core/issue/workflow/Transition.java
@@ -35,6 +35,7 @@ public class Transition {
   private final Condition[] conditions;
   private final Function[] functions;
   private final boolean automatic;
+  private String requiredProjectPermission;
 
   private Transition(TransitionBuilder builder) {
     key = builder.key;
@@ -43,6 +44,7 @@ public class Transition {
     conditions = builder.conditions.toArray(new Condition[builder.conditions.size()]);
     functions = builder.functions.toArray(new Function[builder.functions.size()]);
     automatic = builder.automatic;
+    requiredProjectPermission = builder.requiredProjectPermission;
   }
 
   public String key() {
@@ -78,6 +80,10 @@ public class Transition {
     return true;
   }
 
+  public String requiredProjectPermission() {
+    return requiredProjectPermission;
+  }
+
   @Override
   public boolean equals(Object o) {
     if (this == o) {
@@ -126,6 +132,7 @@ public class Transition {
     private List<Condition> conditions = Lists.newArrayList();
     private List<Function> functions = Lists.newArrayList();
     private boolean automatic = false;
+    private String requiredProjectPermission;
 
     private TransitionBuilder(String key) {
       this.key = key;
@@ -156,6 +163,11 @@ public class Transition {
       return this;
     }
 
+    public TransitionBuilder requiredProjectPermission(String requiredProjectPermission) {
+      this.requiredProjectPermission = requiredProjectPermission;
+      return this;
+    }
+
     public Transition build() {
       Preconditions.checkArgument(!Strings.isNullOrEmpty(key), "Transition key must be set");
       Preconditions.checkArgument(StringUtils.isAllLowerCase(key), "Transition key must be lower-case");
diff --git a/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java b/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java
index 81495ecc7b2..c7f16d637a1 100644
--- a/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java
+++ b/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java
@@ -27,7 +27,11 @@ import org.sonar.core.persistence.MyBatis;
 
 import javax.annotation.Nullable;
 
-import java.util.*;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 import static com.google.common.collect.Maps.newHashMap;
 
@@ -39,58 +43,58 @@ public class AuthorizationDao implements ServerComponent {
     this.mybatis = mybatis;
   }
 
-  public Set<Long> keepAuthorizedComponentIds(Set<Long> componentIds, @Nullable Integer userId, String role) {
+  public Set<String> keepAuthorizedComponentKeys(Set<String> componentKeys, @Nullable Integer userId, String role) {
     SqlSession session = mybatis.openSession();
     try {
-      return keepAuthorizedComponentIds(componentIds, userId, role, session);
+      return keepAuthorizedComponentKeys(componentKeys, userId, role, session);
 
     } finally {
       MyBatis.closeQuietly(session);
     }
   }
 
-  public Set<Long> keepAuthorizedComponentIds(Set<Long> componentIds, @Nullable Integer userId, String role, SqlSession session) {
-    if (componentIds.isEmpty()) {
+  public Set<String> keepAuthorizedComponentKeys(Set<String> componentKeys, @Nullable Integer userId, String role, SqlSession session) {
+    if (componentKeys.isEmpty()) {
       return Collections.emptySet();
     }
     String sql;
     Map<String, Object> params;
     if (userId == null) {
-      sql = "keepAuthorizedComponentIdsForAnonymous";
-      params = ImmutableMap.of("role", role, "componentIds", componentIds);
+      sql = "keepAuthorizedComponentKeysForAnonymous";
+      params = ImmutableMap.of("role", role, "componentKeys", componentKeys);
     } else {
-      sql = "keepAuthorizedComponentIdsForUser";
-      params = ImmutableMap.of("userId", userId, "role", role, "componentIds", componentIds);
+      sql = "keepAuthorizedComponentKeysForUser";
+      params = ImmutableMap.of("userId", userId, "role", role, "componentKeys", componentKeys);
     }
 
-    return Sets.newHashSet(session.<Long>selectList(sql, params));
+    return Sets.newHashSet(session.<String>selectList(sql, params));
   }
 
-  public boolean isAuthorizedComponentId(long componentId, @Nullable Integer userId, String role) {
-    return keepAuthorizedComponentIds(Sets.newHashSet(componentId), userId, role).size() == 1;
+  public boolean isAuthorizedComponentKey(String componentKey, @Nullable Integer userId, String role) {
+    return keepAuthorizedComponentKeys(Sets.newHashSet(componentKey), userId, role).size() == 1;
   }
 
-  public Collection<Long> selectAuthorizedRootProjectsIds(@Nullable Integer userId, String role) {
+  public Collection<String> selectAuthorizedRootProjectsKeys(@Nullable Integer userId, String role) {
     SqlSession session = mybatis.openSession();
     try {
-      return selectAuthorizedRootProjectsIds(userId, role, session);
+      return selectAuthorizedRootProjectsKeys(userId, role, session);
 
     } finally {
       MyBatis.closeQuietly(session);
     }
   }
 
-  public Collection<Long> selectAuthorizedRootProjectsIds(@Nullable Integer userId, String role, SqlSession session) {
+  public Collection<String> selectAuthorizedRootProjectsKeys(@Nullable Integer userId, String role, SqlSession session) {
     String sql;
     Map<String, Object> params = newHashMap();
-    sql = "selectAuthorizedRootProjectsIds";
+    sql = "selectAuthorizedRootProjectsKeys";
     params.put("userId", userId);
     params.put("role", role);
 
     return session.selectList(sql, params);
   }
 
-  public List<String> selectGlobalPermissions(@Nullable String userLogin){
+  public List<String> selectGlobalPermissions(@Nullable String userLogin) {
     SqlSession session = mybatis.openSession();
     try {
       Map<String, Object> params = newHashMap();
diff --git a/sonar-core/src/main/resources/org/sonar/core/issue/db/IssueMapper.xml b/sonar-core/src/main/resources/org/sonar/core/issue/db/IssueMapper.xml
index 9cc0a285dcd..c733b5e4f1d 100644
--- a/sonar-core/src/main/resources/org/sonar/core/issue/db/IssueMapper.xml
+++ b/sonar-core/src/main/resources/org/sonar/core/issue/db/IssueMapper.xml
@@ -222,7 +222,8 @@
 
   <sql id="selectQueryConditions">
     <if test="componentRootKeys.size() == 0 and role != null">
-      inner join (<include refid="org.sonar.core.user.AuthorizationMapper.selectAuthorizedRootProjectsIdsQuery" />) authorizedProjects on authorizedProjects.root_project_id=i.root_component_id
+      inner join projects root_project on root_project.id=i.root_component_id and root_project.enabled=${_true}
+      inner join (<include refid="org.sonar.core.user.AuthorizationMapper.selectAuthorizedRootProjectsKeysQuery" />) authorizedProjects on authorizedProjects.root_project_kee=root_project.kee
     </if>
     <if test="componentRootKeys.size() > 0">
       inner join (<include refid="org.sonar.core.resource.ResourceMapper.selectAuthorizedChildrenComponentIdsQuery" />) authorizedComponents on authorizedComponents.project_id=i.component_id
diff --git a/sonar-core/src/main/resources/org/sonar/core/resource/ResourceMapper.xml b/sonar-core/src/main/resources/org/sonar/core/resource/ResourceMapper.xml
index 0599168ed89..af2115f0ea8 100644
--- a/sonar-core/src/main/resources/org/sonar/core/resource/ResourceMapper.xml
+++ b/sonar-core/src/main/resources/org/sonar/core/resource/ResourceMapper.xml
@@ -218,9 +218,10 @@
       from projects project_components
       inner join snapshots snapshot_components on snapshot_components.project_id = project_components.id and snapshot_components.islast = ${_true}
       inner join snapshots root_snapshot_components on root_snapshot_components.project_id = snapshot_components.root_project_id and root_snapshot_components.islast = ${_true}
+      inner join projects root_project on root_project.id=root_snapshot_components.project_id
       inner join (
-        <include refid="org.sonar.core.user.AuthorizationMapper.selectAuthorizedRootProjectsIdsQuery" />
-      ) authorized_projects on authorized_projects.root_project_id = root_snapshot_components.project_id
+        <include refid="org.sonar.core.user.AuthorizationMapper.selectAuthorizedRootProjectsKeysQuery" />
+      ) authorized_projects on authorized_projects.root_project_kee = root_project.kee
       <where>
         and <foreach item="componentRootKey" index="index" collection="componentRootKeys" open="(" separator=" or " close=")"> project_components.kee=#{componentRootKey}</foreach>
         and project_components.enabled = ${_true}
diff --git a/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml b/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
index b686a35a6d1..c50e70a9caf 100644
--- a/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
+++ b/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
@@ -3,41 +3,41 @@
 
 <mapper namespace="org.sonar.core.user.AuthorizationMapper">
 
-  <select id="keepAuthorizedComponentIdsForUser" parameterType="map" resultType="long">
-    SELECT p.id
+  <select id="keepAuthorizedComponentKeysForUser" parameterType="map" resultType="string">
+    SELECT p.kee
     FROM group_roles gr, projects p
     WHERE
       gr.role=#{role}
       and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
       and (gr.resource_id = p.root_id or gr.resource_id = p.id) and
-      <foreach collection="componentIds" open="(" close=")" item="element" index="index" separator=" or " >p.id=#{element}</foreach>
+      <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
     UNION
-    SELECT p.id
+    SELECT p.kee
     FROM user_roles ur, projects p
     WHERE
       ur.role=#{role}
       and ur.user_id=#{userId} and
-      <foreach collection="componentIds" open="(" close=")" item="element" index="index" separator=" or " >p.id=#{element}</foreach>
+      <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
   </select>
 
-  <select id="keepAuthorizedComponentIdsForAnonymous" parameterType="map" resultType="long">
-      SELECT p.id
+  <select id="keepAuthorizedComponentKeysForAnonymous" parameterType="map" resultType="string">
+      SELECT p.kee
       FROM group_roles gr, projects p
       WHERE
         gr.role=#{role}
         and gr.group_id is null
         and (gr.resource_id = p.root_id or gr.resource_id = p.id) and
-        <foreach collection="componentIds" open="(" close=")" item="element" index="index" separator=" or " >p.id=#{element}</foreach>
+        <foreach collection="componentKeys" open="(" close=")" item="element" index="index" separator=" or " >p.kee=#{element}</foreach>
   </select>
 
-  <select id="selectAuthorizedRootProjectsIds" parameterType="map" resultType="long">
-    <include refid="selectAuthorizedRootProjectsIdsQuery" />
+  <select id="selectAuthorizedRootProjectsKeys" parameterType="map" resultType="string">
+    <include refid="selectAuthorizedRootProjectsKeysQuery" />
   </select>
 
-  <sql id="selectAuthorizedRootProjectsIdsQuery">
+  <sql id="selectAuthorizedRootProjectsKeysQuery">
     <choose>
       <when test="userId != null">
-        SELECT p.id as root_project_id
+        SELECT p.kee as root_project_kee
         FROM group_roles gr
         INNER JOIN projects p on p.id = gr.resource_id AND p.scope = 'PRJ' AND p.qualifier = 'TRK'
         <where>
@@ -45,7 +45,7 @@
           and (gr.group_id is null or gr.group_id in (select gu.group_id from groups_users gu where gu.user_id=#{userId}))
         </where>
         UNION
-        SELECT p.id as root_project_id
+        SELECT p.kee as root_project_kee
         FROM user_roles ur
         INNER JOIN projects p on p.id = ur.resource_id AND p.scope = 'PRJ' AND p.qualifier = 'TRK'
         <where>
@@ -54,7 +54,7 @@
         </where>
       </when>
       <otherwise>
-        SELECT p.id as root_project_id
+        SELECT p.kee as root_project_kee
         FROM group_roles gr
         INNER JOIN projects p on p.id = gr.resource_id AND p.scope = 'PRJ' AND p.qualifier = 'TRK'
         <where>
diff --git a/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java b/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
index 2ad4c6e3f77..89b307d437e 100644
--- a/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
+++ b/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
@@ -31,7 +31,8 @@ import static org.fest.assertions.Assertions.assertThat;
 public class AuthorizationDaoTest extends AbstractDaoTestCase {
 
   private static final int USER = 100;
-  private static final long PROJECT = 300l, PACKAGE = 301l, FILE = 302l, FILE_IN_OTHER_PROJECT = 999l, EMPTY_PROJECT=400l;
+  private static final String PROJECT = "pj-w-snapshot", PACKAGE = "pj-w-snapshot:package", FILE = "pj-w-snapshot:file", FILE_IN_OTHER_PROJECT = "another",
+    EMPTY_PROJECT = "pj-wo-snapshot";
 
   @Test
   public void user_should_be_authorized() {
@@ -39,15 +40,15 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase {
     setupData("user_should_be_authorized");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Set<Long> componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+    Set<String> componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
       USER, "user");
 
     assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
 
     // user does not have the role "admin"
-    componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE),
+    componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE),
       USER, "admin");
     assertThat(componentIds).isEmpty();
   }
@@ -58,15 +59,15 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase {
     setupData("group_should_be_authorized");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Set<Long> componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+    Set<String> componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
       USER, "user");
 
     assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
 
     // group does not have the role "admin"
-    componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+    componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
       USER, "admin");
     assertThat(componentIds).isEmpty();
   }
@@ -77,15 +78,15 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase {
     setupData("group_should_have_global_authorization");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Set<Long> componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+    Set<String> componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
       USER, "user");
 
     assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
 
     // group does not have the role "admin"
-    componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+    componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
       USER, "admin");
     assertThat(componentIds).isEmpty();
   }
@@ -95,59 +96,59 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase {
     setupData("anonymous_should_be_authorized");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Set<Long> componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
+    Set<String> componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT, EMPTY_PROJECT),
       null, "user");
 
     assertThat(componentIds).containsOnly(PROJECT, PACKAGE, FILE, EMPTY_PROJECT);
 
     // group does not have the role "admin"
-    componentIds = authorization.keepAuthorizedComponentIds(
-      Sets.<Long>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
+    componentIds = authorization.keepAuthorizedComponentKeys(
+      Sets.<String>newHashSet(PROJECT, PACKAGE, FILE, FILE_IN_OTHER_PROJECT),
       null, "admin");
     assertThat(componentIds).isEmpty();
   }
 
   @Test
-  public void should_return_root_project_ids_for_user() {
-    setupData("should_return_root_project_ids_for_user");
+  public void should_return_root_project_keys_for_user() {
+    setupData("should_return_root_project_keys_for_user");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Collection<Long> rootProjectIds = authorization.selectAuthorizedRootProjectsIds(USER, "user");
+    Collection<String> rootProjectIds = authorization.selectAuthorizedRootProjectsKeys(USER, "user");
 
     assertThat(rootProjectIds).containsOnly(PROJECT);
 
     // user does not have the role "admin"
-    rootProjectIds = authorization.selectAuthorizedRootProjectsIds(USER, "admin");
+    rootProjectIds = authorization.selectAuthorizedRootProjectsKeys(USER, "admin");
     assertThat(rootProjectIds).isEmpty();
   }
 
   @Test
-  public void should_return_root_project_ids_for_group() {
+  public void should_return_root_project_keys_for_group() {
     // but user is not in an authorized group
-    setupData("should_return_root_project_ids_for_group");
+    setupData("should_return_root_project_keys_for_group");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Collection<Long> rootProjectIds = authorization.selectAuthorizedRootProjectsIds(USER, "user");
+    Collection<String> rootProjectIds = authorization.selectAuthorizedRootProjectsKeys(USER, "user");
 
     assertThat(rootProjectIds).containsOnly(PROJECT);
 
     // user does not have the role "admin"
-    rootProjectIds = authorization.selectAuthorizedRootProjectsIds(USER, "admin");
+    rootProjectIds = authorization.selectAuthorizedRootProjectsKeys(USER, "admin");
     assertThat(rootProjectIds).isEmpty();
   }
 
   @Test
-  public void should_return_root_project_ids_for_anonymous() {
-    setupData("should_return_root_project_ids_for_anonymous");
+  public void should_return_root_project_keys_for_anonymous() {
+    setupData("should_return_root_project_keys_for_anonymous");
 
     AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
-    Collection<Long> rootProjectIds = authorization.selectAuthorizedRootProjectsIds(null, "user");
+    Collection<String> rootProjectIds = authorization.selectAuthorizedRootProjectsKeys(null, "user");
 
     assertThat(rootProjectIds).containsOnly(PROJECT);
 
     // group does not have the role "admin"
-    rootProjectIds = authorization.selectAuthorizedRootProjectsIds(null, "admin");
+    rootProjectIds = authorization.selectAuthorizedRootProjectsKeys(null, "admin");
     assertThat(rootProjectIds).isEmpty();
   }
 
diff --git a/sonar-core/src/test/resources/org/sonar/core/issue/db/IssueStatsDaoTest/should_select_assignees.xml b/sonar-core/src/test/resources/org/sonar/core/issue/db/IssueStatsDaoTest/should_select_assignees.xml
index 71624f7d596..4cf535d51a2 100644
--- a/sonar-core/src/test/resources/org/sonar/core/issue/db/IssueStatsDaoTest/should_select_assignees.xml
+++ b/sonar-core/src/test/resources/org/sonar/core/issue/db/IssueStatsDaoTest/should_select_assignees.xml
@@ -1,7 +1,7 @@
 <dataset>
 
   <group_roles id="1" group_id="[null]" resource_id="399" role="user"/>
-  <projects id="399" root_id="[null]" qualifier="TRK" scope="PRJ"/>
+  <projects id="399" kee="my.project:kee" root_id="[null]" qualifier="TRK" scope="PRJ"/>
 
   <issues
       id="100"
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_anonymous.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_anonymous.xml
deleted file mode 100644
index 78751463f13..00000000000
--- a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_anonymous.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<dataset>
-
-  <user_roles id="1" user_id="100" resource_id="999" role="user"/>
-  <groups_users user_id="100" group_id="200"/>
-  <group_roles id="1" group_id="[null]" resource_id="300" role="user"/>
-
-  <projects id="300" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-  <projects id="301" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-  <projects id="302" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-
-  <projects id="303" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-
-</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_group.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_group.xml
deleted file mode 100644
index 8ed4eaf95e0..00000000000
--- a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_group.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<dataset>
-
-  <!-- user 100 has no direct grant access, but is in the group 200 that has the role "user"
-  on the project 300  -->
-  <user_roles id="1" user_id="100" resource_id="999" role="user"/>
-  <groups_users user_id="100" group_id="200"/>
-  <group_roles id="1" group_id="200" resource_id="300" role="user"/>
-
-  <projects id="300" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-  <projects id="301" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-  <projects id="302" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-
-  <projects id="303" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-
-</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_user.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_user.xml
deleted file mode 100644
index b3154f594d2..00000000000
--- a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_ids_for_user.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<dataset>
-
-  <!-- user 100 has the role "user" on the project 300 and in group 200 -->
-  <user_roles id="1" user_id="100" resource_id="300" role="user"/>
-  <groups_users user_id="100" group_id="200"/>
-  <group_roles id="1" group_id="200" resource_id="999" role="user"/>
-
-  <projects id="300" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-  <projects id="301" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-  <projects id="302" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-
-  <projects id="303" scope="PRJ" qualifier="TRK" enabled="[true]"/>
-
-</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_anonymous.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_anonymous.xml
new file mode 100644
index 00000000000..14f78bec9ec
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_anonymous.xml
@@ -0,0 +1,13 @@
+<dataset>
+
+  <user_roles id="1" user_id="100" resource_id="999" role="user"/>
+  <groups_users user_id="100" group_id="200"/>
+  <group_roles id="1" group_id="[null]" resource_id="300" role="user"/>
+
+  <projects id="300" kee="pj-w-snapshot" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+  <projects id="301" kee="pj-w-snapshot1" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+  <projects id="302" kee="pj-w-snapshot2" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+
+  <projects id="303" kee="pj-w-snapshot3" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+
+</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_group.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_group.xml
new file mode 100644
index 00000000000..9c5f753751d
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_group.xml
@@ -0,0 +1,15 @@
+<dataset>
+
+  <!-- user 100 has no direct grant access, but is in the group 200 that has the role "user"
+  on the project 300  -->
+  <user_roles id="1" user_id="100" resource_id="999" role="user"/>
+  <groups_users user_id="100" group_id="200"/>
+  <group_roles id="1" group_id="200" resource_id="300" role="user"/>
+
+  <projects id="300" kee="pj-w-snapshot" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+  <projects id="301" kee="pj-w-snapshot1" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+  <projects id="302" kee="pj-w-snapshot2" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+
+  <projects id="303" kee="pj-w-snapshot3" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+
+</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_user.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_user.xml
new file mode 100644
index 00000000000..773dd296f08
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_root_project_keys_for_user.xml
@@ -0,0 +1,14 @@
+<dataset>
+
+  <!-- user 100 has the role "user" on the project 300 and in group 200 -->
+  <user_roles id="1" user_id="100" resource_id="300" role="user"/>
+  <groups_users user_id="100" group_id="200"/>
+  <group_roles id="1" group_id="200" resource_id="999" role="user"/>
+
+  <projects id="300" kee="pj-w-snapshot" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+  <projects id="301" kee="pj-w-snapshot1" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+  <projects id="302" kee="pj-w-snapshot2" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+
+  <projects id="303" kee="pj-w-snapshot3" scope="PRJ" qualifier="TRK" enabled="[true]"/>
+
+</dataset>