authorSimon Brandhof <simon.brandhof@gmail.com>2011-10-20 14:57:03 +0200
committerSimon Brandhof <simon.brandhof@gmail.com>2011-10-20 14:58:49 +0200
commitb9a8170e294973750cd9e332f7c98a49dececaf1 (patch)
tree2c332875257383021147592e3bf35e708ce6b615 /sonar-server
parentdb17c3926fbb6ec5169c7f4d67c9d8087bc67a05 (diff)
downloadsonarqube-b9a8170e294973750cd9e332f7c98a49dececaf1.tar.gz
sonarqube-b9a8170e294973750cd9e332f7c98a49dececaf1.zip
SONAR-2771 new URL /widget : improve error handling and security
Helper methods have been added to simplify error handling: bad_request(message), not_found(message) and access_denied.
Diffstat (limited to 'sonar-server')
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb65
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb44
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb10
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb44
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb18
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb10
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb6
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb12
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb35
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb30
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb4
22 files changed, 169 insertions, 131 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb
index f1e0100884c..222409c3af0 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb
@@ -21,25 +21,20 @@ require 'json'
require 'time'
class Api::ApiController < ApplicationController
- class ApiException < Exception
- attr_reader :code, :msg
-
- def initialize(code, msg)
- @code = code
- @msg = msg
- end
+ rescue_from Errors::BadRequest do |error|
+ render_error(400, error.message)
end
- rescue_from ApiException do |exception|
- render_error(exception.msg, exception.code)
+ rescue_from Errors::NotFound do |error|
+ render_error(404, error.message)
end
- rescue_from ActiveRecord::RecordInvalid do |exception|
- render_error(exception.message, 400)
+ rescue_from ActiveRecord::RecordInvalid do |error|
+ render_error(400, error.message)
end
- rescue_from ActiveRecord::RecordNotFound do |exception|
- render_error(exception.message, 404)
+ rescue_from ActiveRecord::RecordNotFound do |error|
+ render_error(404, error.message)
end
protected
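Review bot: The 401 path for access_denied disappears from Api::ApiController together with the removed ApiException, and no `rescue_from Errors::AccessDenied` replaces it here, so API callers such as resource_rest_controller and sources_controller now fall through to ApplicationController's `rescue_from_access_denied`, whose non-HTML behaviour is not visible in this diff. If that handler does not emit the err_code/err_msg envelope, JSON and XML clients lose the structured 401 they had before; `rescue_from Errors::AccessDenied do |error| render_error(401, error.message) end` in this class would preserve it. Note also that the `ActiveRecord::RecordNotFound` handler forwards `error.message` verbatim, which in Rails embeds the model name and the id taken from the request; a fixed body such as `render_error(404, 'Not found')` is the safer choice for an API surface. The class body continues past this hunk.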
@@ -87,46 +82,36 @@ class Api::ApiController < ApplicationController
- #----------------------------------------------------------------------------
- # ERRORS
- #----------------------------------------------------------------------------
- def not_found(message)
- raise ApiException.new(404, message)
- end
-
- def bad_request(message)
- raise ApiException.new(400, message)
- end
-
- def access_denied
- raise ApiException.new(401, 'Unauthorized')
- end
+ #
+ #
+ # Error handling is different than in ApplicationController
+ #
+ #
- def render_error(msg, http_status=400)
+ def render_error(status, message=nil)
respond_to do |format|
- format.json { render :json => error_to_json(msg, http_status), :status => http_status }
- format.xml { render :xml => error_to_xml(msg, http_status), :status => http_status }
- format.text { render :text => msg, :status => http_status }
+ format.json { render :json => error_to_json(status, message), :status => status }
+ format.xml { render :xml => error_to_xml(status, message), :status => status }
+ format.text { render :text => message, :status => status }
end
end
- def error_to_json(msg, error_code=nil)
- hash={}
- hash[:err_code]=error_code if error_code
- hash[:err_msg]=msg if msg
+ def error_to_json(status, message=nil)
+ hash={:err_code => status}
+ hash[:err_msg]=message if message
jsonp(hash)
end
- def error_to_xml(msg, error_code=nil)
+ def error_to_xml(status, message=nil)
xml = Builder::XmlMarkup.new(:indent => 0)
xml.error do
- xml.code(error_code) if error_code
- xml.msg(msg) if msg
+ xml.code(status)
+ xml.msg(message) if message
end
end
- def render_success(msg)
- render_error(msg, 200)
+ def render_success(message=nil)
+ render_error(200, message)
end
end
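Review bot: `error_to_json` routes every error body through `jsonp(hash)`, and the messages it now carries are raw exception messages (including ActiveRecord ones that embed request values), so if `jsonp` — not visible here — wraps the payload in a caller-supplied callback name without validating it, error responses become a reflection vector; a check such as `params[:callback] =~ /\A[\w.]+\z/` inside that helper, or a plain JSON body for errors, would close it. A smaller point: `render_success` now reports the HTTP status under `err_code` (200 on success), which is easy to misread, so a comment above `error_to_json` such as `# err_code mirrors the HTTP status, including 200 on success` would document the contract. The `format.text` branch renders `message` even when it is nil; `render :text => message.to_s` keeps the body a string.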
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb
index 2db651e784c..45db03c2aca 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb
@@ -29,7 +29,7 @@ class Api::ResourceRestController < Api::RestController
rest_status_ko("Resource [#{resource_id}] not found", 404)
return
end
- return access_denied unless is_user?(@resource)
+ access_denied unless is_user?(@resource)
end
end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb
index 4dff8559b9a..695a9647899 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb
@@ -31,7 +31,7 @@ class Api::SourcesController < Api::RestController
return
end
end
- return access_denied unless has_role?(:codeviewer, @resource)
+ access_denied unless has_role?(:codeviewer, @resource)
source = @resource.last_snapshot.source
if !source
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb
index 9e8ff5e686b..6dc627136dc 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb
@@ -24,6 +24,21 @@ class ApplicationController < ActionController::Base
before_filter :check_database_version, :set_locale, :check_authentication
+ rescue_from Errors::BadRequest do |error|
+ render :text => error.message, :status => 400
+ end
+
+ rescue_from Errors::NotFound do |error|
+ render :text => error.message, :status => 404
+ end
+
+ rescue_from ActiveRecord::RecordNotFound do |error|
+ render :text => error.message, :status => 404
+ end
+
+ # See lib/authenticated_system.rb#access_denied()
+ rescue_from Errors::AccessDenied, :with => :rescue_from_access_denied
+
def self.root_context
ActionController::Base.relative_url_root || ''
end
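Review bot: The three new handlers send `error.message` with `render :text`, which on the Rails 2.x line this codebase appears to use defaults to a text/html content type, so any message built from request data — `ActiveRecord::RecordNotFound` messages include the requested id — is reflected unescaped into an HTML response. Either escape it, `render :text => ERB::Util.html_escape(error.message), :status => 404`, or force a plain-text body with `:content_type => 'text/plain'` on each of the three renders. The RecordNotFound handler could also drop the framework message altogether in favour of a fixed string, since the model/id detail mainly helps someone probing ids. ApplicationController continues past this hunk.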
@@ -91,7 +106,7 @@ class ApplicationController < ActionController::Base
def check_authentication
if current_user.nil? && Property.value('sonar.forceAuthentication')=='true'
- return access_denied
+ access_denied
end
end
@@ -99,5 +114,30 @@ class ApplicationController < ActionController::Base
def message(key, options={})
Api::Utils.message(key, options)
end
-
+
+
+
+
+
+ #
+ #
+ # ERROR HANDLING
+ #
+ #
+
+ # The request is invalid. An accompanying error message explains why : missing mandatory property, bad value, ...
+ def bad_request(message)
+ raise Errors::BadRequest.new(message)
+ end
+
+ # The resource requested, such as a project, a dashboard or a filter, does not exist
+ def not_found(message)
+ raise Errors::NotFound.new(message)
+ end
+
+ # Authentication credentials are missing/incorrect or user has not the required permissions
+ def access_denied
+ raise Errors::AccessDenied
+ end
+
end
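Review bot: The comment on `access_denied` covers two different outcomes — missing/incorrect credentials and insufficient permissions — but both raise the same `Errors::AccessDenied` with its fixed 'Unauthorized' text, so a handler cannot tell a 401 (authenticate) from a 403 (forbidden) and presumably sends an already-authenticated user to the login flow. If that distinction matters, either carry a reason on the exception or document the choice: `# Raises Errors::AccessDenied for both unauthenticated and unauthorised callers; the handler treats both alike`. Minor style: `raise Errors::BadRequest, message` and `raise Errors::NotFound, message` are the idiomatic form of the `.new(message)` calls, and the run of blank lines before the banner comment can go. Whether these helpers sit below a `protected`/`private` marker is not visible here; if they are public, Rails 2 exposes them as actions, so `hide_action :bad_request, :not_found, :access_denied` or moving them under `protected` is worth confirming.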
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb
index c085bcdeab1..a2fcb080ba6 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb
@@ -27,7 +27,7 @@ class ChartsController < ApplicationController
def trends
resource=Project.by_key(params[:id])
- return access_denied unless has_role?(:user, resource)
+ access_denied unless has_role?(:user, resource)
metric_keys=params[:metrics]
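Review bot: `resource` is nil when `params[:id]` names an unknown project, and the new `access_denied unless has_role?(:user, resource)` then asks `has_role?` about nil; whether that fails closed depends on `has_role?`, which is not visible here, and any later use of `resource` raises rather than returning a 404. The commit's own pattern in widget_controller is the fix: `not_found('Unknown resource') unless resource` before the role check. The body of `trends` continues past this hunk.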
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb
index ab1a6973fa2..e46df170ef4 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb
@@ -27,7 +27,7 @@ class CloudController < ApplicationController
if @project.nil?
return render :text => "Resource [#{project_key}] not found", :status => 404
end
- return access_denied unless has_role?(:user, @project)
+ access_denied unless has_role?(:user, @project)
@snapshot=@project.last_snapshot
@size_metric=Metric.by_key(params[:size]||'ncloc')
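Review bot: The nil check just above the new guard still uses an inline `render :text => "Resource [#{project_key}] not found", :status => 404` rather than the `not_found` helper this commit introduces, and since `project_key` is presumably request-derived and `render :text` defaults to text/html, the key is echoed back unescaped. Replacing the three lines with `not_found('Unknown resource') unless @project` matches the new convention and stops reflecting the key. The method continues past this hunk.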
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb
index 8a68161aaeb..2588dd36453 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb
@@ -32,7 +32,7 @@ class ComponentsController < ApplicationController
@components_configuration = Sonar::ComponentsConfiguration.new
@project = Project.by_key(params[:id])
- return access_denied unless has_role?(:user, @project)
+ access_denied unless has_role?(:user, @project)
@snapshot = @project.last_snapshot
@snapshots = Snapshot.find(:all, :include => 'project', :conditions => ['snapshots.parent_snapshot_id=? and snapshots.qualifier<>? and projects.qualifier<>?', @snapshot.id, Snapshot::QUALIFIER_UNIT_TEST_CLASS, Snapshot::QUALIFIER_UNIT_TEST_CLASS])
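Review bot: `@project` is not checked for nil before `access_denied unless has_role?(:user, @project)`, so an unknown key reaches `@project.last_snapshot` on the next line and produces a NoMethodError (a 500) instead of the 404 this commit introduces elsewhere — assuming `has_role?`, not shown, does not itself reject nil. Insert `not_found('Unknown resource') unless @project` before the role check. The method continues past this hunk.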
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb
index f7245aefa82..f86fc2901e8 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb
@@ -186,7 +186,7 @@ class DashboardController < ApplicationController
redirect_to home_path
return false
end
- return access_denied unless has_role?(:user, @resource)
+ access_denied unless has_role?(:user, @resource)
@snapshot = @resource.last_snapshot
@project=@resource # variable name used in old widgets
end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
index 86dcb004482..22bfe87eb5a 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb
@@ -36,7 +36,7 @@ class DashboardsController < ApplicationController
redirect_to home_path
return false
end
- return access_denied unless has_role?(:user, @resource)
+ access_denied unless has_role?(:user, @resource)
@snapshot = @resource.last_snapshot
@project=@resource # variable name used in old widgets
end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb
index d4f030e2651..eda1d32255d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb
@@ -25,7 +25,7 @@ class EventsController < ApplicationController
# GET /events.xml?rid=123
def index
@resource=Project.by_key(params[:rid])
- return access_denied unless has_role?(:user, @resource)
+ access_denied unless has_role?(:user, @resource)
@events = Event.find(:all, :conditions => {:resource_id => @resource.id}, :order => 'created_at')
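Review bot: `index` looks up `@resource` by `params[:rid]` and goes straight to the role check, then dereferences `@resource.id` for the Event query, so an unknown rid ends in a NoMethodError rather than a 404 (unless `has_role?`, not shown, already rejects nil). A one-line guard using the helper this commit adds — `not_found('Unknown resource') unless @resource` — between the lookup and `access_denied` gives the right status. The rest of `index` is outside this hunk.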
@@ -39,7 +39,7 @@ class EventsController < ApplicationController
# GET /events/1.xml
def show
@event = Event.find(params[:id])
- return access_denied unless has_role?(:user, @event.resource)
+ access_denied unless has_role?(:user, @event.resource)
respond_to do |format|
format.html # show.html.erb
format.xml { render :xml => @event }
@@ -75,7 +75,7 @@ class EventsController < ApplicationController
# POST /events.xml
def create
@event = Event.new(params[:event])
- return access_denied unless is_admin?(@event.resource)
+ access_denied unless is_admin?(@event.resource)
respond_to do |format|
if @event.save
flash[:notice] = 'Event is created.'
@@ -94,7 +94,7 @@ class EventsController < ApplicationController
# PUT /events/1.xml
def update
@event = Event.find(params[:id])
- return access_denied unless is_admin?(@event.resource)
+ access_denied unless is_admin?(@event.resource)
respond_to do |format|
if @event.update_attributes(params[:event])
flash[:notice] = 'Event was successfully updated.'
@@ -113,7 +113,7 @@ class EventsController < ApplicationController
# DELETE /events/1.xml
def destroy
@event = Event.find(params[:id])
- return access_denied unless is_admin?(@event.resource)
+ access_denied unless is_admin?(@event.resource)
@event.destroy
flash[:notice] = 'Event is deleted.'
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb
index 0b1110c0448..9c84fe4af63 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb
@@ -40,7 +40,7 @@ class FeedsController < ApplicationController
def project
@project=Project.by_key(params[:id])
- return access_denied unless is_user?(@project)
+ access_denied unless is_user?(@project)
@category=params[:category]
conditions={:resource_id => @project.id}
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb
index ee254338008..700d5f76c1c 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb
@@ -82,9 +82,7 @@ class FiltersController < ApplicationController
def edit
@filter=::Filter.find(params[:id])
- unless editable_filter?(@filter)
- return access_denied
- end
+ access_denied unless editable_filter?(@filter)
options=params
options[:user]=current_user
@@ -94,9 +92,7 @@ class FiltersController < ApplicationController
def update
@filter=::Filter.find(params[:id])
- unless editable_filter?(@filter)
- return access_denied
- end
+ access_denied unless editable_filter?(@filter)
load_filter_from_params(@filter, params)
@@ -217,9 +213,7 @@ class FiltersController < ApplicationController
column=FilterColumn.find(params[:id])
filter=column.filter
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
if column.deletable?
column.destroy
@@ -232,9 +226,7 @@ class FiltersController < ApplicationController
def add_column
filter=::Filter.find(params[:id])
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
filter.clean_columns_order() # clean the columns which are badly ordered (see SONAR-1902)
fields=params[:column].split(',')
@@ -251,9 +243,7 @@ class FiltersController < ApplicationController
column=FilterColumn.find(params[:id])
filter=column.filter
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
filter.clean_columns_order() # clean the columns which are badly ordered (see SONAR-1902)
target_column=filter.column_by_id(params[:id].to_i)
@@ -271,9 +261,7 @@ class FiltersController < ApplicationController
column=FilterColumn.find(params[:id])
filter=column.filter
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
filter.clean_columns_order() # clean the columns which are badly ordered (see SONAR-1902)
target_column=filter.column_by_id(params[:id].to_i)
@@ -291,9 +279,7 @@ class FiltersController < ApplicationController
column=FilterColumn.find(params[:id])
filter=column.filter
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
filter.columns.each do |col|
if col==column
@@ -315,9 +301,7 @@ class FiltersController < ApplicationController
#---------------------------------------------------------------------
def set_view
filter=::Filter.find(params[:id])
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
filter.default_view=params[:view]
filter.save
@@ -326,9 +310,7 @@ class FiltersController < ApplicationController
def set_columns
filter=::Filter.find(params[:id])
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
filter.columns.clear
params[:columns].each do |colstring|
@@ -341,9 +323,7 @@ class FiltersController < ApplicationController
def set_page_size
filter=::Filter.find(params[:id])
- unless editable_filter?(filter)
- return access_denied
- end
+ access_denied unless editable_filter?(filter)
size=[::Filter::MAX_PAGE_SIZE, params[:size].to_i].min
size=[::Filter::MIN_PAGE_SIZE, size].max
@@ -389,9 +369,7 @@ class FiltersController < ApplicationController
#---------------------------------------------------------------------
def treemap
@filter=::Filter.find(params[:id])
- unless viewable_filter?(@filter)
- return access_denied
- end
+ access_denied unless viewable_filter?(@filter)
@size_metric=Metric.by_key(params[:size_metric])
@color_metric=Metric.by_key(params[:color_metric])
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb
index b7d85bac951..48b6a8c0acd 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb
@@ -69,7 +69,7 @@ class ManualMeasuresController < ApplicationController
def load_resource
@resource=Project.by_key(params[:id])
return redirect_to home_path unless @resource
- return access_denied unless has_role?(:admin, @resource)
+ access_denied unless has_role?(:admin, @resource)
@snapshot=@resource.last_snapshot
end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb
index f62514c0a9e..174ccb4e216 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb
@@ -29,7 +29,7 @@ class ProjectController < ApplicationController
def deletion
@project=Project.by_key(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
@snapshot=@project.last_snapshot
if !@project.project?
@@ -49,7 +49,7 @@ class ProjectController < ApplicationController
def history
@project=Project.by_key(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
if !(@project.project? || @project.view? || @project.subview?)
redirect_to :action => 'index', :id => params[:id]
@@ -62,7 +62,7 @@ class ProjectController < ApplicationController
def delete_snapshot_history
project=Project.by_key(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
sid = params[:snapshot_id]
if sid
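Review bot: In `delete_snapshot_history` the lookup assigns the local `project`, but the new guard still tests `is_admin?(@project)`, an instance variable nothing in this method sets, so the admin check runs against nil rather than the project whose history is about to be deleted; what `is_admin?(nil)` returns is not visible here, but it is not the intended authorisation either way. The guard should read `access_denied unless is_admin?(project)`. The method body continues below the hunk.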
@@ -75,7 +75,7 @@ class ProjectController < ApplicationController
def links
@project=Project.by_key(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
@snapshot=@project.last_snapshot
if !@project.project?
@@ -85,7 +85,7 @@ class ProjectController < ApplicationController
def set_links
project = Project.by_key(params[:project_id])
- return access_denied unless is_admin?(project)
+ access_denied unless is_admin?(project)
project.links.clear
@@ -112,7 +112,7 @@ class ProjectController < ApplicationController
def settings
@project=Project.by_key(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
@snapshot=@project.last_snapshot
if !@project.project? && !@project.module?
@@ -148,7 +148,7 @@ class ProjectController < ApplicationController
def exclusions
@project=Project.by_key(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
@snapshot=@project.last_snapshot
if !@project.project? && !@project.module?
@@ -158,7 +158,7 @@ class ProjectController < ApplicationController
def set_exclusions
@project = Project.find(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
patterns=params['patterns'].reject{|p| p.blank?}.uniq
if patterns.empty?
@@ -173,7 +173,7 @@ class ProjectController < ApplicationController
def delete_exclusions
@project = Project.find(params[:id])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
Property.clear('sonar.exclusions', @project.id)
flash[:notice]='Filters deleted'
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb
index 4ae8ae62694..199f2377e5e 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb
@@ -26,24 +26,24 @@ class ProjectRolesController < ApplicationController
def index
@project=Project.by_key(params[:resource])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
end
def edit_users
@project=Project.by_key(params[:resource])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
@role = params[:role]
end
def edit_groups
@project=Project.by_key(params[:resource])
- return access_denied unless is_admin?(@project)
+ access_denied unless is_admin?(@project)
@role = params[:role]
end
def grant_users
project=Project.by_key(params[:resource])
- return access_denied unless is_admin?(project)
+ access_denied unless is_admin?(project)
UserRole.grant_users(params[:users], params[:role], project.id)
redirect_to(:action => 'index', :resource => project.id)
@@ -51,7 +51,7 @@ class ProjectRolesController < ApplicationController
def grant_groups
project=Project.by_key(params[:resource])
- return access_denied unless is_admin?(project)
+ access_denied unless is_admin?(project)
GroupRole.grant_groups(params[:groups], params[:role], project.id)
redirect_to(:action => 'index', :resource => project.id)
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb
index 76a404306d6..57108dc01e9 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb
@@ -26,7 +26,7 @@ class SettingsController < ApplicationController
verify :method => :post, :only => ['update'], :redirect_to => {:action => :index}
def index
- return access_denied unless is_admin?
+ access_denied unless is_admin?
load_properties(false)
@category ||= 'general'
end
@@ -34,10 +34,10 @@ class SettingsController < ApplicationController
def update
if params[:resource_id]
project=Project.by_key(params[:resource_id])
- return access_denied unless (project && is_admin?(project))
+ access_denied unless (project && is_admin?(project))
resource_id=project.id
else
- return access_denied unless is_admin?
+ access_denied unless is_admin?
resource_id=nil
end
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb
index 30fae8bef84..2c9a1c7529b 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb
@@ -32,7 +32,7 @@ class TimemachineController < ApplicationController
return redirect_to home_url unless @project
@snapshot=@project.last_snapshot
- return access_denied unless is_user?(@snapshot)
+ access_denied unless is_user?(@snapshot)
if params[:sid]
@sids = params[:sid].split(',').collect {|s| s.to_i}
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb
index cc5d91ad9ac..bed567352cd 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb
@@ -33,13 +33,11 @@ class UsersController < ApplicationController
flash[:notice] = 'User is created.'
end
- to_index(user.errors, nil);
+ to_index(user.errors, nil)
end
def signup
- unless request.post? && Property.value('sonar.allowUsersToSignUp')=='true'
- return access_denied
- end
+ access_denied unless request.post? && Property.value('sonar.allowUsersToSignUp')=='true'
cookies.delete :auth_token
@user=prepare_user
@@ -84,7 +82,7 @@ class UsersController < ApplicationController
flash[:notice] = 'Password was successfully updated.'
end
- to_index(user.errors, nil);
+ to_index(user.errors, nil)
end
def update
@@ -97,7 +95,7 @@ class UsersController < ApplicationController
flash[:notice] = 'User was successfully updated.'
end
- to_index(user.errors, nil);
+ to_index(user.errors, nil)
end
def destroy
@@ -110,7 +108,7 @@ class UsersController < ApplicationController
flash[:notice] = 'User is deleted.'
end
- to_index(@user.errors, nil);
+ to_index(@user.errors, nil)
end
def select_group
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb
index 274dd1e272c..0d3ba47c081 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb
@@ -23,31 +23,38 @@ class WidgetController < ApplicationController
SECTION=Navigation::SECTION_RESOURCE
def index
- begin
- load_widget
- load_resource
- params[:layout]='false'
- render :action => 'index'
-
- rescue Exception => e
- render :text => e
- end
+ load_resource
+ load_widget
+ params[:layout]='false'
+ render :action => 'index'
end
-
+
private
def load_resource
@resource=Project.by_key(params[:resource])
+ not_found('Unknown resource') unless @resource
+
@project=@resource
- return access_denied unless has_role?(:user, @resource)
+ access_denied unless has_role?(:user, @resource)
@snapshot = @resource.last_snapshot
end
def load_widget
- widget_key = params[:id]
+ widget_key=params[:id]
@widget_definition = java_facade.getWidget(widget_key)
+ not_found('Unknown widget') unless @widget_definition
+
+ authorized=(@widget_definition.getUserRoles().size==0)
+ unless authorized
+ @widget_definition.getUserRoles().each do |role|
+ authorized=(role=='user') || (role=='viewer') || has_role?(role, @resource)
+ break if authorized
+ end
+ end
+ access_denied unless authorized
+
@widget=Widget.new(:widget_key => widget_key, :id => 1)
-
@widget_definition.getWidgetProperties().each do |property_definition|
@widget.properties<<WidgetProperty.new(
:kee => property_definition.key(),
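Review bot: In `load_widget` the authorization loop accepts any declared role named 'user' or 'viewer' without consulting `has_role?`, relying on `load_resource` having already required the :user role — sound only because `index` now calls `load_resource` first, so a comment making the dependency explicit would protect it: `# 'user'/'viewer' are implied by the :user check in load_resource, which must run first`. Whether `has_role?` accepts the Java string `role` rather than a symbol is not visible here and worth confirming, since a silent false would deny rather than grant. Stylistically the loop collapses to `roles = @widget_definition.getUserRoles()` followed by `authorized = roles.size == 0 || roles.any? { |role| role == 'user' || role == 'viewer' || has_role?(role, @resource) }`. The method continues past this hunk.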
@@ -55,7 +62,7 @@ class WidgetController < ApplicationController
:text_value => params[property_definition.key()] || property_definition.defaultValue
)
end
-
@dashboard_configuration=Api::DashboardConfiguration.new(nil, :period_index => params[:period], :snapshot => @snapshot)
+ @widget_width = params[:widget_width] || '350px'
end
end \ No newline at end of file
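Review bot: `@widget_width = params[:widget_width] || '350px'` takes an arbitrary request string that index.html.erb interpolates into a `style` attribute, and on the Rails 2.x line this app appears to use `<%= %>` does not escape, so `?widget_width=` can close the attribute and inject markup or CSS into the widget page. Constrain it at the source: `width = params[:widget_width].to_s` then `@widget_width = width =~ /\A\d{1,4}(px|%)\z/ ? width : '350px'`. This keeps the default for callers that omit the parameter while rejecting anything that is not a simple CSS length.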
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb
new file mode 100644
index 00000000000..0744c55403c
--- /dev/null
+++ b/sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb
@@ -0,0 +1,30 @@
+#
+# Sonar, entreprise quality control tool.
+# Copyright (C) 2008-2011 SonarSource
+# mailto:contact AT sonarsource DOT com
+#
+# Sonar is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 3 of the License, or (at your option) any later version.
+#
+# Sonar is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with Sonar; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+#
+module Errors
+
+ class AccessDenied < StandardError
+ def initialize
+ super('Unauthorized')
+ end
+ end
+ class BadRequest < StandardError; end
+ class NotFound < StandardError; end
+
+end \ No newline at end of file
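Review bot: `Errors::AccessDenied#initialize` takes no arguments, so the first caller who writes `raise Errors::AccessDenied, 'some reason'` — the normal Ruby form, and the one `BadRequest`/`NotFound` already accept — gets an ArgumentError from the constructor instead of the intended error. Give it a defaulted message, `def initialize(message = 'Unauthorized'); super(message); end`, which keeps the current bare `raise Errors::AccessDenied` working. The fixed 'Unauthorized' text is also returned for both unauthenticated and unauthorised callers, which handlers cannot then distinguish; and the file lacks a trailing newline.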
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb
index b5a77d249a3..d73c740127e 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb
@@ -1,4 +1,4 @@
-<div id="block_1" class="block">
+<div id="block_1" class="block" style="width: <%= @widget_width -%>">
<div class="<%= @widget_definition.getId() %>" style="height:100%;">
<%
begin
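Review bot: `style="width: <%= @widget_width -%>"` emits a request-controlled value (it comes from `params[:widget_width]` in widget_controller) without escaping, and unless this Rails version auto-escapes ERB output the attribute can be closed and arbitrary markup injected. Use `<%= h(@widget_width) -%>` here regardless of any validation in the controller, since the view should not depend on every caller sanitising. The surrounding `begin` block continues outside this hunk.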
diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
index 4365bc1efea..16d814913e7 100644
--- a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb
@@ -50,7 +50,7 @@ module AuthenticatedSystem
# skip_before_filter :login_required
#
def login_required
- authorized? || access_denied
+ authorized? || rescue_from_access_denied
end
# Redirect as appropriate when an access request fails.
@@ -61,7 +61,7 @@ module AuthenticatedSystem
# behavior in case the user is not authorized
# to access the requested action. For example, a popup window might
# simply close itself.
- def access_denied
+ def rescue_from_access_denied
respond_to do |format|
format.html do
store_location