authorJulien Lancelot <julien.lancelot@gmail.com>2013-06-27 13:01:39 +0200
committerJulien Lancelot <julien.lancelot@gmail.com>2013-06-27 13:01:39 +0200
commit5b590d781e860ea2a6d5580f8edeba3ff4e52c2b (patch)
tree08d0ccb36987779cbc79796cc0f0b87af065d3c2 /sonar-core
parent3921b545904b27dc0ff1b63a54587d93980278f7 (diff)
downloadsonarqube-5b590d781e860ea2a6d5580f8edeba3ff4e52c2b.tar.gz
sonarqube-5b590d781e860ea2a6d5580f8edeba3ff4e52c2b.zip
Improve select global permission in authorization DAO to take into account user roles and anonymous user
Diffstat (limited to 'sonar-core')
-rw-r--r--sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java2
-rw-r--r--sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml36
-rw-r--r--sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java22
-rw-r--r--sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions.xml13
-rw-r--r--sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions_for_anonymous.xml11
-rw-r--r--sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_group_global_permissions.xml18
-rw-r--r--sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_user_global_permissions.xml18
7 files changed, 96 insertions, 24 deletions
diff --git a/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java b/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java
index 7a826417df0..81495ecc7b2 100644
--- a/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java
+++ b/sonar-core/src/main/java/org/sonar/core/user/AuthorizationDao.java
@@ -90,7 +90,7 @@ public class AuthorizationDao implements ServerComponent {
return session.selectList(sql, params);
}
- public List<String> selectGlobalPermissions(String userLogin){
+ public List<String> selectGlobalPermissions(@Nullable String userLogin){
SqlSession session = mybatis.openSession();
try {
Map<String, Object> params = newHashMap();
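Review bot: `selectGlobalPermissions` now accepts null, but nothing at the signature says that null selects the anonymous permission set instead of being rejected. Add Javadoc on the method, for example `@param userLogin login of the user, or null for an anonymous caller, in which case only global roles granted with no group (group_id is null) are returned`. Callers should pass null only after they have decided the request is unauthenticated, because a login that failed to resolve upstream would otherwise silently receive the anonymous roles rather than an error. The method body continues outside the hunk, so how `params` is filled for a null login is not visible here.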
diff --git a/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml b/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
index c872b7274ac..811a813d440 100644
--- a/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
+++ b/sonar-core/src/main/resources/org/sonar/core/user/AuthorizationMapper.xml
@@ -68,14 +68,34 @@
</sql>
<select id="selectGlobalPermissions" parameterType="map" resultType="String">
- SELECT gr.role
- FROM group_roles gr
- inner join groups_users gu on gu.group_id=gr.id
- inner join users u on u.id=gu.user_id
- <where>
- u.login=#{userLogin}
- and gr.resource_id is null
- </where>
+ <choose>
+ <when test="userLogin != null">
+ SELECT gr.role
+ FROM group_roles gr
+ INNER JOIN groups_users gu on gu.group_id=gr.id
+ INNER JOIN users u on u.id=gu.user_id
+ <where>
+ and u.login=#{userLogin}
+ and gr.resource_id is null
+ </where>
+ UNION
+ SELECT ur.role
+ FROM user_roles ur
+ INNER JOIN users u on u.id=ur.user_id
+ <where>
+ and u.login=#{userLogin}
+ and ur.resource_id is null
+ </where>
+ </when>
+ <otherwise>
+ SELECT gr.role
+ FROM group_roles gr
+ <where>
+ and gr.resource_id is null
+ and gr.group_id is null
+ </where>
+ </otherwise>
+ </choose>
</select>
</mapper>
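Review bot: The group branch joins `gu.group_id=gr.id`, matching group membership against the primary key of `group_roles` rather than its `group_id` column, so the global roles a user receives depend on row ids happening to equal group ids. The fixture `should_return_group_global_permissions.xml` shows that both columns exist, and it passes only because rows 200 and 201 carry ids equal to john's groups while both have `group_id="200"`. The line should read `INNER JOIN groups_users gu on gu.group_id=gr.group_id`, with the fixture's second row changed to `group_id="201"` so arthur still gets only `user`. Separately, the logged-in branch never returns the `gr.group_id is null` rows that the anonymous branch returns; if those rows mean "anyone", confirm that authenticated users are meant to be excluded from them.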
diff --git a/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java b/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
index df198a60280..572bfacaf0a 100644
--- a/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
+++ b/sonar-core/src/test/java/org/sonar/core/user/AuthorizationDaoTest.java
@@ -152,12 +152,30 @@ public class AuthorizationDaoTest extends AbstractDaoTestCase {
}
@Test
- public void should_return_global_permissions() {
- setupData("should_return_global_permissions");
+ public void should_return_user_global_permissions() {
+ setupData("should_return_user_global_permissions");
AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
assertThat(authorization.selectGlobalPermissions("john")).containsOnly("user", "admin");
assertThat(authorization.selectGlobalPermissions("arthur")).containsOnly("user");
assertThat(authorization.selectGlobalPermissions("none")).isEmpty();
}
+
+ @Test
+ public void should_return_group_global_permissions() {
+ setupData("should_return_group_global_permissions");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ assertThat(authorization.selectGlobalPermissions("john")).containsOnly("user", "admin");
+ assertThat(authorization.selectGlobalPermissions("arthur")).containsOnly("user");
+ assertThat(authorization.selectGlobalPermissions("none")).isEmpty();
+ }
+
+ @Test
+ public void should_return_global_permissions_for_anonymous() {
+ setupData("should_return_global_permissions_for_anonymous");
+
+ AuthorizationDao authorization = new AuthorizationDao(getMyBatis());
+ assertThat(authorization.selectGlobalPermissions(null)).containsOnly("user", "admin");
+ }
}
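Review bot: `should_return_global_permissions_for_anonymous` cannot detect over-granting, because every role in its fixture is one the assertion already expects. The only `user_roles` row has role `user`, and there is no `group_roles` row with a non-null `group_id`. Give the fixture a direct grant and a real group grant with roles outside the expected set (constructed example: `<group_roles id="202" group_id="200" resource_id="[null]" role="other"/>`), so that `containsOnly("user", "admin")` fails if the anonymous branch ever returns per-user or per-group rows. The two named-user tests already include rows for user 999 that must be excluded, and the anonymous case deserves the same negative data.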
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions.xml
deleted file mode 100644
index 863d395048f..00000000000
--- a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<dataset>
-
- <users id="1" login="john" />
- <users id="2" login="arthur" />
-
- <groups_users user_id="1" group_id="200"/>
- <groups_users user_id="1" group_id="201"/>
- <groups_users user_id="2" group_id="200"/>
-
- <group_roles id="200" group_id="200" resource_id="[null]" role="user"/>
- <group_roles id="201" group_id="200" resource_id="[null]" role="admin"/>
-
-</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions_for_anonymous.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions_for_anonymous.xml
new file mode 100644
index 00000000000..515b647b270
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_global_permissions_for_anonymous.xml
@@ -0,0 +1,11 @@
+<dataset>
+
+ <user_roles id="1" user_id="100" resource_id="[null]" role="user"/>
+
+ <groups_users user_id="1" group_id="200"/>
+ <groups_users user_id="1" group_id="201"/>
+
+ <group_roles id="200" group_id="[null]" resource_id="[null]" role="user"/>
+ <group_roles id="201" group_id="[null]" resource_id="[null]" role="admin"/>
+
+</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_group_global_permissions.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_group_global_permissions.xml
new file mode 100644
index 00000000000..88727cc53af
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_group_global_permissions.xml
@@ -0,0 +1,18 @@
+<dataset>
+
+ <!-- user 10 has no direct grant access, but is in the 'user' group 200 and in the 'admin' group 201 -->
+ <users id="10" login="john" />
+ <!-- user 11 has no direct grant access, but is in the 'user' group 200 -->
+ <users id="11" login="arthur" />
+
+ <user_roles id="1" user_id="999" resource_id="[null]" role="user"/>
+ <user_roles id="2" user_id="999" resource_id="[null]" role="user"/>
+
+ <groups_users user_id="10" group_id="200"/>
+ <groups_users user_id="10" group_id="201"/>
+ <groups_users user_id="11" group_id="200"/>
+
+ <group_roles id="200" group_id="200" resource_id="[null]" role="user"/>
+ <group_roles id="201" group_id="200" resource_id="[null]" role="admin"/>
+
+</dataset>
diff --git a/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_user_global_permissions.xml b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_user_global_permissions.xml
new file mode 100644
index 00000000000..44c6a6b6ff7
--- /dev/null
+++ b/sonar-core/src/test/resources/org/sonar/core/user/AuthorizationDaoTest/should_return_user_global_permissions.xml
@@ -0,0 +1,18 @@
+<dataset>
+
+ <!-- user 10 has no group, but has direct role 'user' and 'admin' -->
+ <users id="10" login="john" />
+ <!-- user 11 has no group, but has direct role 'user' -->
+ <users id="11" login="arthur" />
+
+ <user_roles id="1" user_id="10" resource_id="[null]" role="user"/>
+ <user_roles id="2" user_id="10" resource_id="[null]" role="admin"/>
+ <user_roles id="3" user_id="11" resource_id="[null]" role="user"/>
+
+ <groups_users user_id="999" group_id="200"/>
+ <groups_users user_id="999" group_id="201"/>
+
+ <group_roles id="200" group_id="200" resource_id="[null]" role="user"/>
+ <group_roles id="201" group_id="200" resource_id="[null]" role="admin"/>
+
+</dataset>