authorJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>2014-05-07 11:53:56 +0200
committerJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>2014-05-07 11:56:04 +0200
commitcc1be45db85751a50b98c1d36002582a7b886b5b (patch)
tree53d7101514302c6bf62d2d1b0b1bf7d928eb15cf /sonar-server
parenta59b6b9e8fe1b83660a0ef788643c115d3f6bb40 (diff)
SONAR-1884 Check project permissions when viewing projects associated to a quality profile
Diffstat (limited to 'sonar-server')
-rw-r--r--sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java29
-rw-r--r--sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java21
2 files changed, 43 insertions, 7 deletions
diff --git a/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java b/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java
index dab7aa21172..e286088d260 100644
--- a/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java
+++ b/sonar-server/src/main/java/org/sonar/server/qualityprofile/QProfileProjectLookup.java
@@ -22,25 +22,31 @@ package org.sonar.server.qualityprofile;
import com.google.common.collect.Lists;
import org.apache.ibatis.session.SqlSession;
+import org.elasticsearch.common.collect.Maps;
import org.sonar.api.ServerComponent;
import org.sonar.api.component.Component;
-import org.sonar.core.component.ComponentDto;
+import org.sonar.api.web.UserRole;
import org.sonar.core.persistence.MyBatis;
import org.sonar.core.qualityprofile.db.QualityProfileDao;
import org.sonar.core.qualityprofile.db.QualityProfileDto;
+import org.sonar.core.user.AuthorizationDao;
+import org.sonar.server.user.UserSession;
import javax.annotation.CheckForNull;
import java.util.List;
+import java.util.Map;
public class QProfileProjectLookup implements ServerComponent {
private final MyBatis myBatis;
private final QualityProfileDao qualityProfileDao;
+ private final AuthorizationDao authorizationDao;
- public QProfileProjectLookup(MyBatis myBatis, QualityProfileDao qualityProfileDao) {
+ public QProfileProjectLookup(MyBatis myBatis, QualityProfileDao qualityProfileDao, AuthorizationDao authorizationDao) {
this.myBatis = myBatis;
this.qualityProfileDao = qualityProfileDao;
+ this.authorizationDao = authorizationDao;
}
public List<Component> projects(int profileId) {
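Review bot: The added `import org.elasticsearch.common.collect.Maps;` takes the map factory from Elasticsearch's repackaged copy of Guava, although this file already imports `com.google.common.collect.Lists`. Using `import com.google.common.collect.Maps;` keeps the class on one collections library and stops a permission-filtering class from depending on a search client's internal package. The test file's `import org.elasticsearch.common.collect.Sets;` has the same issue. The class body continues outside this hunk.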
@@ -48,9 +54,22 @@ public class QProfileProjectLookup implements ServerComponent {
try {
QualityProfileDto qualityProfile = qualityProfileDao.selectById(profileId, session);
QProfileValidations.checkProfileIsNotNull(qualityProfile);
- List<ComponentDto> componentDtos = qualityProfileDao.selectProjects(
- qualityProfile.getName(), QProfileOperations.PROFILE_PROPERTY_PREFIX + qualityProfile.getLanguage(), session);
- return Lists.<Component>newArrayList(componentDtos);
+ Map<String, Component> componentsByKeys = Maps.newHashMap();
+ for (Component component: qualityProfileDao.selectProjects(
+ qualityProfile.getName(), QProfileOperations.PROFILE_PROPERTY_PREFIX + qualityProfile.getLanguage(), session
+ )) {
+ componentsByKeys.put(component.key(), component);
+ }
+
+ UserSession userSession = UserSession.get();
+ List<Component> result = Lists.newArrayList();
+ for (String key: authorizationDao.keepAuthorizedComponentKeys(
+ componentsByKeys.keySet(), userSession.userId(), UserRole.USER
+ )) {
+ result.add(componentsByKeys.get(key));
+ }
+
+ return result;
} finally {
MyBatis.closeQuietly(session);
}
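Review bot: The filtered list no longer follows the order returned by `selectProjects`, because the components are staged in a `HashMap` and `result` is built in whatever order `keepAuthorizedComponentKeys` hands back the keys. Staging them with `Maps.newLinkedHashMap()`, holding the DAO result in a local (say `authorizedKeys`), then calling `componentsByKeys.keySet().retainAll(authorizedKeys);` and `return Lists.<Component>newArrayList(componentsByKeys.values());` keeps the DAO order and cannot add a `null` entry if a key comes back that was never submitted. Separately, `userSession.userId()` is presumably null for an anonymous session; `AuthorizationDao` is not shown here, so confirm that a null user id is filtered as anonymous rather than rejected or treated as unrestricted, and record it with a comment such as `// userId is null for anonymous sessions: only projects open to anonymous users are kept`. The `projects` method starts before this hunk, and any other lookup in this class that lists or counts the same profile associations would need the same filter to avoid disclosing projects the caller cannot browse.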
diff --git a/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java b/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java
index e2c85adfb17..f618d00c389 100644
--- a/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java
+++ b/sonar-server/src/test/java/org/sonar/server/qualityprofile/QProfileProjectLookupTest.java
@@ -20,22 +20,28 @@
package org.sonar.server.qualityprofile;
+import org.elasticsearch.common.collect.Sets;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
+import org.sonar.api.web.UserRole;
import org.sonar.core.component.ComponentDto;
import org.sonar.core.persistence.DbSession;
import org.sonar.core.persistence.MyBatis;
import org.sonar.core.properties.PropertiesDao;
import org.sonar.core.qualityprofile.db.QualityProfileDao;
import org.sonar.core.qualityprofile.db.QualityProfileDto;
+import org.sonar.core.user.AuthorizationDao;
import org.sonar.server.exceptions.NotFoundException;
+import org.sonar.server.user.MockUserSession;
import static com.google.common.collect.Lists.newArrayList;
import static org.fest.assertions.Assertions.assertThat;
import static org.fest.assertions.Fail.fail;
+import static org.mockito.Matchers.anySet;
+import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
@@ -54,19 +60,30 @@ public class QProfileProjectLookupTest {
@Mock
PropertiesDao propertiesDao;
+ @Mock
+ AuthorizationDao authorizationDao;
+
QProfileProjectLookup lookup;
@Before
public void setUp() throws Exception {
when(myBatis.openSession(false)).thenReturn(session);
- lookup = new QProfileProjectLookup(myBatis, qualityProfileDao);
+ lookup = new QProfileProjectLookup(myBatis, qualityProfileDao, authorizationDao);
}
@Test
public void search_projects() throws Exception {
+ int userId = 42;
+ MockUserSession.set().setUserId(userId);
QualityProfileDto qualityProfile = new QualityProfileDto().setId(1).setName("My profile").setLanguage("java");
when(qualityProfileDao.selectById(1, session)).thenReturn(qualityProfile);
- when(qualityProfileDao.selectProjects("My profile", "sonar.profile.java", session)).thenReturn(newArrayList(new ComponentDto().setId(1L).setKey("org.codehaus.sonar:sonar").setName("SonarQube")));
+ String key1 = "org.codehaus.sonar:sonar1";
+ String key2 = "org.codehaus.sonar:sonar2";
+ when(qualityProfileDao.selectProjects("My profile", "sonar.profile.java", session)).thenReturn(newArrayList(
+ new ComponentDto().setId(1L).setKey(key1).setName("SonarQube One"),
+ new ComponentDto().setId(1L).setKey(key2).setName("SonarQube Two")));
+
+ when(authorizationDao.keepAuthorizedComponentKeys(anySet(), eq(userId), eq(UserRole.USER))).thenReturn(Sets.newHashSet(key1));
assertThat(lookup.projects(1)).hasSize(1);
}
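Review bot: `search_projects` only asserts `hasSize(1)`, so it would still pass if the lookup returned the project the user is not allowed to see. Asserting the surviving key, e.g. `assertThat(lookup.projects(1).get(0).key()).isEqualTo(key1);`, pins the behaviour this commit is about. The `anySet()` matcher accepts any argument, so `eq(Sets.newHashSet(key1, key2))` in its place would verify that both candidate keys are actually submitted to the permission check. Both fixtures also use `setId(1L)`, which looks like a copy-paste slip, and no case in the lines shown covers a session without a user id.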