authorFabrice Bellingard <bellingard@gmail.com>2011-04-07 18:27:03 +0200
committerFabrice Bellingard <bellingard@gmail.com>2011-04-20 08:49:57 +0200
commit5e68322598aaeda5a54025b20b1b2ee5f1a3fa02 (patch)
tree5e2a609361016999ab314d4cdbdc9a2817306697 /sonar-server/src
parent1c816c3c0b26000a2db621a896690270d2527a89 (diff)
downloadsonarqube-5e68322598aaeda5a54025b20b1b2ee5f1a3fa02.tar.gz
sonarqube-5e68322598aaeda5a54025b20b1b2ee5f1a3fa02.zip
[SONAR-1973] Add security checks before saving reviews & comments
Diffstat (limited to 'sonar-server/src')
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb28
1 files changed, 26 insertions, 2 deletions
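diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
index 5d189373687..93e3f46137d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
@@ -22,7 +22,7 @@ class ReviewsController < ApplicationController
 SECTION=Navigation::SECTION_RESOURCE
- #verify :method => :post, :only => [ :create, :...... ], :redirect_to => { :action => :index }
+ verify :method => :post, :only => [ :create, :create_comment ], :redirect_to => { :action => :error_not_post }
 def index
 reviews = Review.find :all, :conditions => ['rule_failure_id=?', params[:rule_failure_id]]
@@ -48,6 +48,11 @@ class ReviewsController < ApplicationController
 end
 def create
+ unless hasRightsToCreate? params[:review][:rule_failure_id]
+ render :text => "<b>Cannot create the review</b> : access denied."
+ return
+ end
+
 review = Review.new(params[:review])
 review.user = current_user
 review.status = "open"
@@ -67,7 +72,10 @@ class ReviewsController < ApplicationController
 end
 def create_comment
- #return access_denied unless has_role?(:user, @project)
+ unless hasRightsToCreate? params[:rule_failure_id]
+ render :text => "<b>Cannot create the comment</b> : access denied."
+ return
+ end
 review_comment = ReviewComment.new(params[:review_comment])
 review_comment.user = current_user
@@ -82,4 +90,20 @@ class ReviewsController < ApplicationController
 end
 end
+ private
+
+ def hasRightsToCreate? ( rule_failure_id )
+ return false unless current_user
+
+ project = RuleFailure.find( rule_failure_id, :include => ['snapshot'] ).snapshot.root_project
+ unless has_role?(:user, project)
+ return false
+ end
+ return true
+ end
+
+ def error_not_post
+ render :text => "Create actions must use POST method."
+ end
+
 end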
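Review bot: In create_comment the role check runs against `params[:rule_failure_id]`, a client-supplied value that is independent of the `params[:review_comment]` hash mass-assigned on the next line, so a caller with the :user role on one project can pass a rule failure from that project while the comment attaches to a review elsewhere; the project should be derived from the review the comment is being attached to (presumably via `params[:review_comment][:review_id]`, not visible in this hunk) rather than from a separate parameter. Both denial branches also reply with the default 200 status, so clients and access logs cannot tell a refusal from a success: `render :text => "<b>Cannot create the comment</b> : access denied.", :status => 403`. In hasRightsToCreate?, `RuleFailure.find` raises RecordNotFound for an unknown id and `.snapshot` may be nil, which turns a malformed id into a server error instead of a denial; `RuleFailure.find_by_id` with a nil guard that returns false keeps the method a pure yes/no. Finally, `error_not_post` is defined below the new `private` marker and Rails dispatches only public methods as actions, so the verify redirect in the first hunk would likely land on an unknown action; move it above `private`, and the conventional Ruby spelling would be `def has_rights_to_create?(rule_failure_id)` ending in `has_role?(:user, project)` rather than the unless/return pair.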