From 9c9d68f82fee5d020e4f9e990c8995bb1808e8ab Mon Sep 17 00:00:00 2001
From: Teryk Bellahsene
Date: Thu, 25 Jun 2015 12:27:19 +0200
Subject: SONAR-6611 ws custom_measures/update check permissions before fetching logged user
---
 .../server/measure/custom/ws/UpdateAction.java | 2 +-
 .../server/measure/custom/ws/UpdateActionTest.java | 26 ++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
(limited to 'server/sonar-server')
diff --git a/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java b/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
index c11392989ab..a5edb38b2f0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/measure/custom/ws/UpdateAction.java
@@ -97,9 +97,9 @@ public class UpdateAction implements CustomMeasuresWsAction {
 CustomMeasureDto customMeasure = dbClient.customMeasureDao().selectById(dbSession, id);
 MetricDto metric = dbClient.metricDao().selectById(dbSession, customMeasure.getMetricId());
 ComponentDto component = dbClient.componentDao().selectByUuid(dbSession, customMeasure.getComponentUuid());
+ checkPermissions(component);
 User user = userIndex.getByLogin(userSession.getLogin());
- checkPermissions(component);
 setValue(customMeasure, value, metric);
 setDescription(customMeasure, description);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java
index 188dd68ea11..57031a6fa0d 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/measure/custom/ws/UpdateActionTest.java
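Review bot: In the UpdateAction.java hunk, `checkPermissions(component)` still runs only after three database reads keyed by the caller-supplied `id`, so an unauthenticated request reaches `customMeasureDao().selectById`, `metricDao().selectById` and `componentDao().selectByUuid` before it is rejected. If those lookups fail differently for an unknown id than `checkPermissions` does for an anonymous session (the test file imports both `NotFoundException` and `UnauthorizedException`, which suggests so), the response reveals to a caller without a login whether a custom measure id exists. A login check on `userSession` at the top of the handler, for example `userSession.checkLoggedIn();` if that is available here, would reject anonymous callers before the first select while leaving the component-scoped check where it is. The moved line also deserves a comment such as `// must precede userIndex.getByLogin(): an anonymous session has no login`, so the ordering is not undone by a later refactoring. The enclosing method starts and ends outside the hunk.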
@@ -44,6 +44,7 @@ import org.sonar.server.es.EsTester;
 import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.exceptions.ServerException;
+import org.sonar.server.exceptions.UnauthorizedException;
 import org.sonar.server.measure.custom.persistence.CustomMeasureDao;
 import org.sonar.server.metric.persistence.MetricDao;
 import org.sonar.server.metric.ws.MetricTesting;
@@ -279,6 +280,31 @@ public class UpdateActionTest {
 .execute();
 }
+ @Test
+ public void fail_if_not_logged_in() throws Exception {
+ userSessionRule.anonymous();
+ expectedException.expect(UnauthorizedException.class);
+ MetricDto metric = MetricTesting.newMetricDto().setEnabled(true).setValueType(ValueType.STRING.name());
+ dbClient.metricDao().insert(dbSession, metric);
+ ComponentDto component = ComponentTesting.newProjectDto("project-uuid");
+ dbClient.componentDao().insert(dbSession, component);
+ CustomMeasureDto customMeasure = newCustomMeasureDto()
+ .setMetricId(metric.getId())
+ .setComponentId(component.getId())
+ .setComponentUuid(component.uuid())
+ .setCreatedAt(system.now())
+ .setDescription("custom-measure-description")
+ .setTextValue("text-measure-value");
+ dbClient.customMeasureDao().insert(dbSession, customMeasure);
+ dbSession.commit();
+
+ ws.newPostRequest(CustomMeasuresWs.ENDPOINT, UpdateAction.ACTION)
+ .setParam(PARAM_ID, String.valueOf(customMeasure.getId()))
+ .setParam(PARAM_DESCRIPTION, "new-custom-measure-description")
+ .setParam(PARAM_VALUE, "1984")
+ .execute();
+ }
+
+ @Test
 public void fail_if_custom_measure_id_is_missing_in_request() throws Exception {
 expectedException.expect(IllegalArgumentException.class);
-- cgit v1.2.3
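Review bot: In `fail_if_not_logged_in`, `expectedException.expect(UnauthorizedException.class);` is armed before the fixture is built, so an `UnauthorizedException` thrown by any of the setup inserts under the anonymous session would make the test pass without the web service being called. Moving that line to directly above `ws.newPostRequest(CustomMeasuresWs.ENDPOINT, UpdateAction.ACTION)` limits the expectation to the request under test. The test also does not check that the stored description and value are unchanged after the rejection, which is the property an authorization test should pin; whether that can be asserted alongside the `expectedException` rule depends on test setup outside this hunk.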