author | Simon Brandhof <simon.brandhof@gmail.com> | 2011-10-20 14:57:03 +0200 |
committer | Simon Brandhof <simon.brandhof@gmail.com> | 2011-10-20 14:58:49 +0200 |
commit | b9a8170e294973750cd9e332f7c98a49dececaf1 (patch) | |
tree | 2c332875257383021147592e3bf35e708ce6b615 /sonar-server | |
parent | db17c3926fbb6ec5169c7f4d67c9d8087bc67a05 (diff) | |
download | sonarqube-b9a8170e294973750cd9e332f7c98a49dececaf1.tar.gz sonarqube-b9a8170e294973750cd9e332f7c98a49dececaf1.zip |
SONAR-2771 new URL /widget : improve error handling and security
Some helper methods have been added to simplify error handling: bad_request(message), not_found(message) and access_denied.
Diffstat (limited to 'sonar-server')
22 files changed, 169 insertions, 131 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb index f1e0100884c..222409c3af0 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/api_controller.rb @@ -21,25 +21,20 @@ require 'json' require 'time' class Api::ApiController < ApplicationController - class ApiException < Exception - attr_reader :code, :msg - - def initialize(code, msg) - @code = code - @msg = msg - end + rescue_from Errors::BadRequest do |error| + render_error(400, error.message) end - rescue_from ApiException do |exception| - render_error(exception.msg, exception.code) + rescue_from Errors::NotFound do |error| + render_error(404, error.message) end - rescue_from ActiveRecord::RecordInvalid do |exception| - render_error(exception.message, 400) + rescue_from ActiveRecord::RecordInvalid do |error| + render_error(400, error.message) end - rescue_from ActiveRecord::RecordNotFound do |exception| - render_error(exception.message, 404) + rescue_from ActiveRecord::RecordNotFound do |error| + render_error(404, error.message) end protected 
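Review bot: Api::ApiController no longer maps an access denial to an API-format 401: the removed `access_denied` raised `ApiException.new(401, 'Unauthorized')` and went through render_error, whereas the new rescue_from list covers BadRequest, NotFound, RecordInvalid and RecordNotFound only, so Errors::AccessDenied now falls through to the ApplicationController handler `rescue_from_access_denied` (authenticated_system.rb), whose visible part does a `respond_to` with an HTML branch that stores the location; whether json/xml callers still receive a 401 depends on the rest of that method, which is outside this page. Suggest keeping the API behaviour explicit here with `rescue_from Errors::AccessDenied do |error|`, `render_error(401, error.message)`, `end`. The same consideration applies to Api::RestController subclasses in this commit (resource_rest_controller.rb, sources_controller.rb), which now call the raising access_denied.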
@@ -87,46 +82,36 @@ class Api::ApiController < ApplicationController - #---------------------------------------------------------------------------- - # ERRORS - #---------------------------------------------------------------------------- - def not_found(message) - raise ApiException.new(404, message) - end - - def bad_request(message) - raise ApiException.new(400, message) - end - - def access_denied - raise ApiException.new(401, 'Unauthorized') - end + # + # + # Error handling is different than in ApplicationController + # + # - def render_error(msg, http_status=400) + def render_error(status, message=nil) respond_to do |format| - format.json { render :json => error_to_json(msg, http_status), :status => http_status } - format.xml { render :xml => error_to_xml(msg, http_status), :status => http_status } - format.text { render :text => msg, :status => http_status } + format.json { render :json => error_to_json(status, message), :status => status } + format.xml { render :xml => error_to_xml(status, message), :status => status } + format.text { render :text => message, :status => status } end end - def error_to_json(msg, error_code=nil) - hash={} - hash[:err_code]=error_code if error_code - hash[:err_msg]=msg if msg + def error_to_json(status, message=nil) + hash={:err_code => status} + hash[:err_msg]=message if message jsonp(hash) end - def error_to_xml(msg, error_code=nil) + def error_to_xml(status, message=nil) xml = Builder::XmlMarkup.new(:indent => 0) xml.error do - xml.code(error_code) if error_code - xml.msg(msg) if msg + xml.code(status) + xml.msg(message) if message end end - def render_success(msg) - render_error(msg, 200) + def render_success(message=nil) + render_error(200, message) end end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb index 2db651e784c..45db03c2aca 100644 
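Review bot: The comment block added above render_error, `# Error handling is different than in ApplicationController`, says that something differs without saying what; suggest `# Unlike ApplicationController, which renders plain text, API errors are rendered in the requested format (json/xml/text) with the HTTP status repeated in the body (see error_to_json/error_to_xml).` The parameter order of render_error also flipped from `(msg, http_status=400)` to `(status, message=nil)`; any caller outside the files in this commit that still passes the message first would hand a String to `:status`, so the other API controllers are worth a grep before merging. Finally, `error.message` of ActiveRecord::RecordNotFound/RecordInvalid is forwarded verbatim to API clients, which exposes model names and lookup conditions; a generic message for those two handlers would be safer.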
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/resource_rest_controller.rb @@ -29,7 +29,7 @@ class Api::ResourceRestController < Api::RestController rest_status_ko("Resource [#{resource_id}] not found", 404) return end - return access_denied unless is_user?(@resource) + access_denied unless is_user?(@resource) end end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb index 4dff8559b9a..695a9647899 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/api/sources_controller.rb @@ -31,7 +31,7 @@ class Api::SourcesController < Api::RestController return end end - return access_denied unless has_role?(:codeviewer, @resource) + access_denied unless has_role?(:codeviewer, @resource) source = @resource.last_snapshot.source if !source diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb index 9e8ff5e686b..6dc627136dc 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/application_controller.rb 
@@ -24,6 +24,21 @@ class ApplicationController < ActionController::Base before_filter :check_database_version, :set_locale, :check_authentication + rescue_from Errors::BadRequest do |error| + render :text => error.message, :status => 400 + end + + rescue_from Errors::NotFound do |error| + render :text => error.message, :status => 404 + end + + rescue_from ActiveRecord::RecordNotFound do |error| + render :text => error.message, :status => 404 + end + + # See lib/authenticated_system.rb#access_denied() + rescue_from Errors::AccessDenied, :with => :rescue_from_access_denied + def self.root_context ActionController::Base.relative_url_root || '' end @@ -91,7 +106,7 @@ class ApplicationController < ActionController::Base def check_authentication if current_user.nil? && Property.value('sonar.forceAuthentication')=='true' - return access_denied + access_denied end end @@ -99,5 +114,30 @@ class ApplicationController < ActionController::Base def message(key, options={}) Api::Utils.message(key, options) end - + + + + + + # + # + # ERROR HANDLING + # + # + + # The request is invalid. An accompanying error message explains why : missing mandatory property, bad value, ... + def bad_request(message) + raise Errors::BadRequest.new(message) + end + + # The resource requested, such as a project, a dashboard or a filter, does not exist + def not_found(message) + raise Errors::NotFound.new(message) + end + + # Authentication credentials are missing/incorrect or user has not the required permissions + def access_denied + raise Errors::AccessDenied + end + end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb index c085bcdeab1..a2fcb080ba6 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/charts_controller.rb 
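Review bot: The three new rescue_from handlers answer with `render :text => error.message, :status => ...`; on Rails 2.x (the `before_filter`/`verify` macros in this commit suggest that line) `render :text` defaults to Content-Type text/html, so a message assembled from request parameters, like the `"Resource [#{resource_id}] not found"` pattern visible in resource_rest_controller.rb, would be interpreted as markup by the browser rather than shown as text. Suggest `render :text => error.message, :status => 400, :content_type => 'text/plain'` and the same `:content_type` on the two 404 handlers, plus a generic body for ActiveRecord::RecordNotFound, e.g. `render :text => 'Not found', :status => 404, :content_type => 'text/plain'`, since that exception's message carries model names and lookup conditions. The hunk at `@@ -99,5 +114,30 @@` adds the raising helpers these handlers serve and is fine as is.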
@@ -27,7 +27,7 @@ class ChartsController < ApplicationController def trends resource=Project.by_key(params[:id]) - return access_denied unless has_role?(:user, resource) + access_denied unless has_role?(:user, resource) metric_keys=params[:metrics] diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb index ab1a6973fa2..e46df170ef4 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/cloud_controller.rb @@ -27,7 +27,7 @@ class CloudController < ApplicationController if @project.nil? return render :text => "Resource [#{project_key}] not found", :status => 404 end - return access_denied unless has_role?(:user, @project) + access_denied unless has_role?(:user, @project) @snapshot=@project.last_snapshot @size_metric=Metric.by_key(params[:size]||'ncloc') diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb index 8a68161aaeb..2588dd36453 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/components_controller.rb @@ -32,7 +32,7 @@ class ComponentsController < ApplicationController @components_configuration = Sonar::ComponentsConfiguration.new @project = Project.by_key(params[:id]) - return access_denied unless has_role?(:user, @project) + access_denied unless has_role?(:user, @project) @snapshot = @project.last_snapshot @snapshots = Snapshot.find(:all, :include => 'project', :conditions => ['snapshots.parent_snapshot_id=? and snapshots.qualifier<>? and projects.qualifier<>?', @snapshot.id, Snapshot::QUALIFIER_UNIT_TEST_CLASS, Snapshot::QUALIFIER_UNIT_TEST_CLASS]) 
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb index f7245aefa82..f86fc2901e8 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboard_controller.rb @@ -186,7 +186,7 @@ class DashboardController < ApplicationController redirect_to home_path return false end - return access_denied unless has_role?(:user, @resource) + access_denied unless has_role?(:user, @resource) @snapshot = @resource.last_snapshot @project=@resource # variable name used in old widgets end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb index 86dcb004482..22bfe87eb5a 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/dashboards_controller.rb @@ -36,7 +36,7 @@ class DashboardsController < ApplicationController redirect_to home_path return false end - return access_denied unless has_role?(:user, @resource) + access_denied unless has_role?(:user, @resource) @snapshot = @resource.last_snapshot @project=@resource # variable name used in old widgets end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb index d4f030e2651..eda1d32255d 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/events_controller.rb 
@@ -25,7 +25,7 @@ class EventsController < ApplicationController # GET /events.xml?rid=123 def index @resource=Project.by_key(params[:rid]) - return access_denied unless has_role?(:user, @resource) + access_denied unless has_role?(:user, @resource) @events = Event.find(:all, :conditions => {:resource_id => @resource.id}, :order => 'created_at') @@ -39,7 +39,7 @@ class EventsController < ApplicationController # GET /events/1.xml def show @event = Event.find(params[:id]) - return access_denied unless has_role?(:user, @event.resource) + access_denied unless has_role?(:user, @event.resource) respond_to do |format| format.html # show.html.erb format.xml { render :xml => @event } @@ -75,7 +75,7 @@ class EventsController < ApplicationController # POST /events.xml def create @event = Event.new(params[:event]) - return access_denied unless is_admin?(@event.resource) + access_denied unless is_admin?(@event.resource) respond_to do |format| if @event.save flash[:notice] = 'Event is created.' @@ -94,7 +94,7 @@ class EventsController < ApplicationController # PUT /events/1.xml def update @event = Event.find(params[:id]) - return access_denied unless is_admin?(@event.resource) + access_denied unless is_admin?(@event.resource) respond_to do |format| if @event.update_attributes(params[:event]) flash[:notice] = 'Event was successfully updated.' @@ -113,7 +113,7 @@ class EventsController < ApplicationController # DELETE /events/1.xml def destroy @event = Event.find(params[:id]) - return access_denied unless is_admin?(@event.resource) + access_denied unless is_admin?(@event.resource) @event.destroy flash[:notice] = 'Event is deleted.' diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb index 0b1110c0448..9c84fe4af63 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/feeds_controller.rb 
@@ -40,7 +40,7 @@ class FeedsController < ApplicationController def project @project=Project.by_key(params[:id]) - return access_denied unless is_user?(@project) + access_denied unless is_user?(@project) @category=params[:category] conditions={:resource_id => @project.id} diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb index ee254338008..700d5f76c1c 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/filters_controller.rb @@ -82,9 +82,7 @@ class FiltersController < ApplicationController def edit @filter=::Filter.find(params[:id]) - unless editable_filter?(@filter) - return access_denied - end + access_denied unless editable_filter?(@filter) options=params options[:user]=current_user @@ -94,9 +92,7 @@ class FiltersController < ApplicationController def update @filter=::Filter.find(params[:id]) - unless editable_filter?(@filter) - return access_denied - end + access_denied unless editable_filter?(@filter) load_filter_from_params(@filter, params) @@ -217,9 +213,7 @@ class FiltersController < ApplicationController column=FilterColumn.find(params[:id]) filter=column.filter - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) if column.deletable? column.destroy @@ -232,9 +226,7 @@ class FiltersController < ApplicationController def add_column filter=::Filter.find(params[:id]) - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) filter.clean_columns_order() # clean the columns which are badly ordered (see SONAR-1902) fields=params[:column].split(',') 
@@ -251,9 +243,7 @@ class FiltersController < ApplicationController column=FilterColumn.find(params[:id]) filter=column.filter - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) filter.clean_columns_order() # clean the columns which are badly ordered (see SONAR-1902) target_column=filter.column_by_id(params[:id].to_i) @@ -271,9 +261,7 @@ class FiltersController < ApplicationController column=FilterColumn.find(params[:id]) filter=column.filter - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) filter.clean_columns_order() # clean the columns which are badly ordered (see SONAR-1902) target_column=filter.column_by_id(params[:id].to_i) @@ -291,9 +279,7 @@ class FiltersController < ApplicationController column=FilterColumn.find(params[:id]) filter=column.filter - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) filter.columns.each do |col| if col==column @@ -315,9 +301,7 @@ class FiltersController < ApplicationController #--------------------------------------------------------------------- def set_view filter=::Filter.find(params[:id]) - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) filter.default_view=params[:view] filter.save @@ -326,9 +310,7 @@ class FiltersController < ApplicationController def set_columns filter=::Filter.find(params[:id]) - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) filter.columns.clear params[:columns].each do |colstring| @@ -341,9 +323,7 @@ class FiltersController < ApplicationController def set_page_size filter=::Filter.find(params[:id]) - unless editable_filter?(filter) - return access_denied - end + access_denied unless editable_filter?(filter) size=[::Filter::MAX_PAGE_SIZE, params[:size].to_i].min size=[::Filter::MIN_PAGE_SIZE, size].max 
@@ -389,9 +369,7 @@ class FiltersController < ApplicationController #--------------------------------------------------------------------- def treemap @filter=::Filter.find(params[:id]) - unless viewable_filter?(@filter) - return access_denied - end + access_denied unless viewable_filter?(@filter) @size_metric=Metric.by_key(params[:size_metric]) @color_metric=Metric.by_key(params[:color_metric]) diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb index b7d85bac951..48b6a8c0acd 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/manual_measures_controller.rb @@ -69,7 +69,7 @@ class ManualMeasuresController < ApplicationController def load_resource @resource=Project.by_key(params[:id]) return redirect_to home_path unless @resource - return access_denied unless has_role?(:admin, @resource) + access_denied unless has_role?(:admin, @resource) @snapshot=@resource.last_snapshot end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb index f62514c0a9e..174ccb4e216 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_controller.rb @@ -29,7 +29,7 @@ class ProjectController < ApplicationController def deletion @project=Project.by_key(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) @snapshot=@project.last_snapshot if !@project.project? 
@@ -49,7 +49,7 @@ class ProjectController < ApplicationController def history @project=Project.by_key(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) if !(@project.project? || @project.view? || @project.subview?) redirect_to :action => 'index', :id => params[:id] @@ -62,7 +62,7 @@ class ProjectController < ApplicationController def delete_snapshot_history project=Project.by_key(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) sid = params[:snapshot_id] if sid @@ -75,7 +75,7 @@ class ProjectController < ApplicationController def links @project=Project.by_key(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) @snapshot=@project.last_snapshot if !@project.project? @@ -85,7 +85,7 @@ class ProjectController < ApplicationController def set_links project = Project.by_key(params[:project_id]) - return access_denied unless is_admin?(project) + access_denied unless is_admin?(project) project.links.clear @@ -112,7 +112,7 @@ class ProjectController < ApplicationController def settings @project=Project.by_key(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) @snapshot=@project.last_snapshot if !@project.project? && !@project.module? @@ -148,7 +148,7 @@ class ProjectController < ApplicationController def exclusions @project=Project.by_key(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) @snapshot=@project.last_snapshot if !@project.project? && !@project.module? @@ -158,7 +158,7 @@ class ProjectController < ApplicationController def set_exclusions @project = Project.find(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) patterns=params['patterns'].reject{|p| p.blank?}.uniq if patterns.empty? 
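Review bot: In delete_snapshot_history (hunk `@@ -62,7 +62,7 @@`) the authorization line is `access_denied unless is_admin?(@project)` while the line above stores the loaded project in the local `project=Project.by_key(params[:id])`, so the check runs against an instance variable this action never assigns; depending on how is_admin? treats nil it verifies global admin rights or always denies, but not the project whose snapshots are being deleted. The line should read `access_denied unless is_admin?(project)`, as the set_links hunk in this same file does with its local. The body of delete_snapshot_history continues outside the hunk.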
@@ -173,7 +173,7 @@ class ProjectController < ApplicationController def delete_exclusions @project = Project.find(params[:id]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) Property.clear('sonar.exclusions', @project.id) flash[:notice]='Filters deleted' diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb index 4ae8ae62694..199f2377e5e 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/project_roles_controller.rb @@ -26,24 +26,24 @@ class ProjectRolesController < ApplicationController def index @project=Project.by_key(params[:resource]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) end def edit_users @project=Project.by_key(params[:resource]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) @role = params[:role] end def edit_groups @project=Project.by_key(params[:resource]) - return access_denied unless is_admin?(@project) + access_denied unless is_admin?(@project) @role = params[:role] end def grant_users project=Project.by_key(params[:resource]) - return access_denied unless is_admin?(project) + access_denied unless is_admin?(project) UserRole.grant_users(params[:users], params[:role], project.id) redirect_to(:action => 'index', :resource => project.id) @@ -51,7 +51,7 @@ class ProjectRolesController < ApplicationController def grant_groups project=Project.by_key(params[:resource]) - return access_denied unless is_admin?(project) + access_denied unless is_admin?(project) GroupRole.grant_groups(params[:groups], params[:role], project.id) redirect_to(:action => 'index', :resource => project.id) 
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb index 76a404306d6..57108dc01e9 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/settings_controller.rb @@ -26,7 +26,7 @@ class SettingsController < ApplicationController verify :method => :post, :only => ['update'], :redirect_to => {:action => :index} def index - return access_denied unless is_admin? + access_denied unless is_admin? load_properties(false) @category ||= 'general' end @@ -34,10 +34,10 @@ class SettingsController < ApplicationController def update if params[:resource_id] project=Project.by_key(params[:resource_id]) - return access_denied unless (project && is_admin?(project)) + access_denied unless (project && is_admin?(project)) resource_id=project.id else - return access_denied unless is_admin? + access_denied unless is_admin? resource_id=nil end diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb index 30fae8bef84..2c9a1c7529b 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/timemachine_controller.rb @@ -32,7 +32,7 @@ class TimemachineController < ApplicationController return redirect_to home_url unless @project @snapshot=@project.last_snapshot - return access_denied unless is_user?(@snapshot) + access_denied unless is_user?(@snapshot) if params[:sid] @sids = params[:sid].split(',').collect {|s| s.to_i} diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb index cc5d91ad9ac..bed567352cd 100644 
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/users_controller.rb @@ -33,13 +33,11 @@ class UsersController < ApplicationController flash[:notice] = 'User is created.' end - to_index(user.errors, nil); + to_index(user.errors, nil) end def signup - unless request.post? && Property.value('sonar.allowUsersToSignUp')=='true' - return access_denied - end + access_denied unless request.post? && Property.value('sonar.allowUsersToSignUp')=='true' cookies.delete :auth_token @user=prepare_user @@ -84,7 +82,7 @@ class UsersController < ApplicationController flash[:notice] = 'Password was successfully updated.' end - to_index(user.errors, nil); + to_index(user.errors, nil) end def update @@ -97,7 +95,7 @@ class UsersController < ApplicationController flash[:notice] = 'User was successfully updated.' end - to_index(user.errors, nil); + to_index(user.errors, nil) end def destroy @@ -110,7 +108,7 @@ class UsersController < ApplicationController flash[:notice] = 'User is deleted.' end - to_index(@user.errors, nil); + to_index(@user.errors, nil) end def select_group diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb index 274dd1e272c..0d3ba47c081 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb +++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/widget_controller.rb 
@@ -23,31 +23,38 @@ class WidgetController < ApplicationController SECTION=Navigation::SECTION_RESOURCE def index - begin - load_widget - load_resource - params[:layout]='false' - render :action => 'index' - - rescue Exception => e - render :text => e - end + load_resource + load_widget + params[:layout]='false' + render :action => 'index' end - + private def load_resource @resource=Project.by_key(params[:resource]) + not_found('Unknown resource') unless @resource + @project=@resource - return access_denied unless has_role?(:user, @resource) + access_denied unless has_role?(:user, @resource) @snapshot = @resource.last_snapshot end def load_widget - widget_key = params[:id] + widget_key=params[:id] @widget_definition = java_facade.getWidget(widget_key) + not_found('Unknown widget') unless @widget_definition + + authorized=(@widget_definition.getUserRoles().size==0) + unless authorized + @widget_definition.getUserRoles().each do |role| + authorized=(role=='user') || (role=='viewer') || has_role?(role, @resource) + break if authorized + end + end + access_denied unless authorized + @widget=Widget.new(:widget_key => widget_key, :id => 1) - @widget_definition.getWidgetProperties().each do |property_definition| @widget.properties<<WidgetProperty.new( :kee => property_definition.key(), @@ -55,7 +62,7 @@ class WidgetController < ApplicationController :text_value => params[property_definition.key()] || property_definition.defaultValue ) end - @dashboard_configuration=Api::DashboardConfiguration.new(nil, :period_index => params[:period], :snapshot => @snapshot) + @widget_width = params[:widget_width] || '350px' end end
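Review bot: The role loop in load_widget hand-rolls what `Enumerable#any?` states directly, and it hands `has_role?` the role as it comes from the Java widget definition (a String), whereas every other call in this commit passes a Symbol such as `:user`; if has_role? does not normalise its argument, a widget restricted to another role would never match it. Suggest `roles = @widget_definition.getUserRoles()` followed by `authorized = roles.size == 0 || roles.any? { |role| role == 'user' || role == 'viewer' || has_role?(role.to_sym, @resource) }` and `access_denied unless authorized`. A why-comment would help the next reader, e.g. `# 'user' and 'viewer' need no has_role? call: load_resource, which index runs first, already required the user role on @resource`. Note too that load_resource answers not_found before the role check, so a caller without the user role can tell whether a resource key exists from the status code; if that matters here, check the role before answering 404. load_widget continues past the end of this hunk.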
\ No newline at end of file diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb new file mode 100644 index 00000000000..0744c55403c --- /dev/null +++ b/sonar-server/src/main/webapp/WEB-INF/app/models/errors.rb @@ -0,0 +1,30 @@ +# +# Sonar, entreprise quality control tool. +# Copyright (C) 2008-2011 SonarSource +# mailto:contact AT sonarsource DOT com +# +# Sonar is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 3 of the License, or (at your option) any later version. +# +# Sonar is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with Sonar; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 +# +module Errors + + class AccessDenied < StandardError + def initialize + super('Unauthorized') + end + end + class BadRequest < StandardError; end + class NotFound < StandardError; end + +end
\ No newline at end of file diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb index b5a77d249a3..d73c740127e 100644 --- a/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb +++ b/sonar-server/src/main/webapp/WEB-INF/app/views/widget/index.html.erb @@ -1,4 +1,4 @@ -<div id="block_1" class="block"> +<div id="block_1" class="block" style="width: <%= @widget_width -%>"> <div class="<%= @widget_definition.getId() %>" style="height:100%;"> <% begin diff --git a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb index 4365bc1efea..16d814913e7 100644 --- a/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb +++ b/sonar-server/src/main/webapp/WEB-INF/lib/authenticated_system.rb @@ -50,7 +50,7 @@ module AuthenticatedSystem # skip_before_filter :login_required # def login_required - authorized? || access_denied + authorized? || rescue_from_access_denied end # Redirect as appropriate when an access request fails. @@ -61,7 +61,7 @@ module AuthenticatedSystem # behavior in case the user is not authorized # to access the requested action. For example, a popup window might # simply close itself. - def access_denied + def rescue_from_access_denied respond_to do |format| format.html do store_location |
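Review bot: `Errors::AccessDenied#initialize` takes no argument, so `raise Errors::AccessDenied, 'reason'`, the usual Ruby form and the one BadRequest and NotFound accept through StandardError, would fail with an ArgumentError before any rescue_from handler sees it; `def initialize(message = 'Unauthorized'); super(message); end` keeps the current default and allows a reason. Each class would also benefit from a one-line purpose comment tying it to its HTTP status, e.g. `# Raised by ApplicationController#bad_request when the request is invalid; rendered as HTTP 400` and the 404/401 equivalents for NotFound and AccessDenied.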
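Review bot: `@widget_width` is taken straight from the request in widget_controller.rb (`@widget_width = params[:widget_width] || '350px'`) and written into the style attribute with `<%= @widget_width -%>`; if this app runs on a Rails version where `<%= %>` does not HTML-escape (the `before_filter`/`verify` macros in this commit suggest 2.x), a request parameter reaches the page markup unescaped. Escape it at the sink, `style="width: <%= h(@widget_width) -%>"`, and preferably validate it in the controller so that only a CSS length gets through, e.g. `@widget_width = params[:widget_width] =~ /\A\d+(px|%)\z/ ? params[:widget_width] : '350px'`.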