Implement permission checking on alert delete().

hyperic · Sep 30, 2009 · 9c26cfc · 9c26cfc
1 parent 1100bea
commit 9c26cfc
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/hqu/hqapi1/app/AlertController.groovy b/hqu/hqapi1/app/AlertController.groovy
@@ -302,6 +302,8 @@ public class AlertController extends ApiController {
                 if (!alert) {
                     failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
                                                "Unable to find alert with id = " + id)
+                } else if (!canManageAlerts(alert.definition.resource)) {
+                    failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)
                 }
             }
 

diff --git a/src/org/hyperic/hq/hqapi1/test/AlertDelete_test.java b/src/org/hyperic/hq/hqapi1/test/AlertDelete_test.java
@@ -5,8 +5,11 @@
 import org.hyperic.hq.hqapi1.types.Alert;
 import org.hyperic.hq.hqapi1.types.StatusResponse;
 import org.hyperic.hq.hqapi1.types.Resource;
+import org.hyperic.hq.hqapi1.types.User;
 import org.hyperic.hq.hqapi1.AlertApi;
 
+import java.util.List;
+
 public class AlertDelete_test extends AlertTestBase {
 
     public AlertDelete_test(String name) {
@@ -42,6 +45,41 @@ public void testDeleteAlert() throws Exception {
         hqAssertSuccess(deleteDefResponse);
     }
 
+    public void testDeleteAlertNoPermission() throws Exception {
+        Resource platform = getLocalPlatformResource(false, false);
+        AlertDefinition d = generateAlerts(platform);
+        AlertApi api = getAlertApi();
+
+        AlertsResponse response = api.findAlerts(platform, 0, System.currentTimeMillis(),
+                                                 10, 1, false, false);
+        hqAssertSuccess(response);
+        assertTrue(response.getAlert().size() <= 10);
+        assertTrue(response.getAlert().size() > 0);
+
+        for (Alert a : response.getAlert()) {
+            validateAlert(a);
+        }
+
+        // Test delete with an unprivledged user
+
+        List<User> users = createTestUsers(1);
+        User unprivUser = users.get(0);
+        AlertApi apiUnpriv = getApi(unprivUser.getName(), TESTUSER_PASSWORD).getAlertApi();
+
+        Alert a = response.getAlert().get(0);
+        StatusResponse deleteResponse = apiUnpriv.delete(a.getId());
+        hqAssertFailurePermissionDenied(deleteResponse);
+
+        // TODO: Valididate alert was deleted? Will require a getById API.
+
+        // Cleanup
+        StatusResponse deleteDefResponse = getApi().
+                getAlertDefinitionApi().deleteAlertDefinition(d.getId());
+        hqAssertSuccess(deleteDefResponse);
+
+        deleteTestUsers(users);
+    }
+
     public void testDeleteInvalidAlert() throws Exception {
 
         AlertApi api = getAlertApi();