SONAR-8254 check admin permission on related organization
Simon Brandhof committed Oct 16, 2016
1 parent cc2e1ac commit 79127d1
Showing 2 changed files with 52 additions and 31 deletions.
Expand Up @@ -28,7 +28,6 @@
import org.sonar.db.DbSession; import org.sonar.db.DbSession;
import org.sonar.db.user.UserDto; import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserGroupDto; import org.sonar.db.user.UserGroupDto;
import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.user.UserSession; import org.sonar.server.user.UserSession;


import static java.lang.String.format; import static java.lang.String.format;
Expand All @@ -37,6 +36,7 @@
import static org.sonar.server.usergroups.ws.GroupWsSupport.PARAM_LOGIN; import static org.sonar.server.usergroups.ws.GroupWsSupport.PARAM_LOGIN;
import static org.sonar.server.usergroups.ws.GroupWsSupport.defineGroupWsParameters; import static org.sonar.server.usergroups.ws.GroupWsSupport.defineGroupWsParameters;
import static org.sonar.server.usergroups.ws.GroupWsSupport.defineLoginWsParameter; import static org.sonar.server.usergroups.ws.GroupWsSupport.defineLoginWsParameter;
import static org.sonar.server.ws.WsUtils.checkFound;


public class AddUserAction implements UserGroupsWsAction { public class AddUserAction implements UserGroupsWsAction {


Expand Down Expand Up @@ -65,18 +65,16 @@ public void define(NewController context) {


@Override @Override
public void handle(Request request, Response response) throws Exception { public void handle(Request request, Response response) throws Exception {
userSession.checkLoggedIn().checkPermission(GlobalPermissions.SYSTEM_ADMIN);


try (DbSession dbSession = dbClient.openSession(false)) { try (DbSession dbSession = dbClient.openSession(false)) {
GroupId groupId = support.findGroup(dbSession, request); GroupId groupId = support.findGroup(dbSession, request);
userSession.checkLoggedIn().checkOrganizationPermission(groupId.getOrganizationUuid(), GlobalPermissions.SYSTEM_ADMIN);


String login = request.mandatoryParam(PARAM_LOGIN); String login = request.mandatoryParam(PARAM_LOGIN);
UserDto user = dbClient.userDao().selectActiveUserByLogin(dbSession, login); UserDto user = dbClient.userDao().selectActiveUserByLogin(dbSession, login);
if (user == null) { checkFound(user, "Could not find a user with login '%s'", login);
throw new NotFoundException(format("Could not find a user with login '%s'", login));
}


if (userIsNotYetMemberOf(dbSession, user.getId(), groupId)) { if (!isMemberOf(dbSession, user, groupId)) {
UserGroupDto membershipDto = new UserGroupDto().setGroupId(groupId.getId()).setUserId(user.getId()); UserGroupDto membershipDto = new UserGroupDto().setGroupId(groupId.getId()).setUserId(user.getId());
dbClient.userGroupDao().insert(dbSession, membershipDto); dbClient.userGroupDao().insert(dbSession, membershipDto);
dbSession.commit(); dbSession.commit();
Expand All @@ -86,7 +84,7 @@ public void handle(Request request, Response response) throws Exception {
} }
} }


private boolean userIsNotYetMemberOf(DbSession dbSession, long userId, GroupId groupId) { private boolean isMemberOf(DbSession dbSession, UserDto user, GroupId groupId) {
return !dbClient.groupMembershipDao().selectGroupIdsByUserId(dbSession, userId).contains(groupId.getId()); return dbClient.groupMembershipDao().selectGroupIdsByUserId(dbSession, user.getId()).contains(groupId.getId());
} }
} }
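Review bot: In handle(), the group lookup `support.findGroup(dbSession, request)` now runs before `userSession.checkLoggedIn()`, whereas the removed line performed the login check before the DbSession was opened. An anonymous request therefore reaches the database first and, when the group or organization does not exist, gets the NotFoundException from findGroup instead of UnauthorizedException, so an unauthenticated caller can tell whether a given group exists. Keep the login check ahead of the lookup by adding `userSession.checkLoggedIn();` as the first statement of handle(), before `try (DbSession dbSession = dbClient.openSession(false)) {`, and leave the `checkOrganizationPermission(groupId.getOrganizationUuid(), ...)` call where it is, since it needs the organization uuid that only findGroup provides. The body of handle() continues past the end of this hunk.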
Expand Up @@ -30,6 +30,7 @@
import org.sonar.db.organization.OrganizationTesting; import org.sonar.db.organization.OrganizationTesting;
import org.sonar.db.user.GroupDto; import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto; import org.sonar.db.user.UserDto;
import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException; import org.sonar.server.exceptions.NotFoundException;
import org.sonar.server.exceptions.UnauthorizedException; import org.sonar.server.exceptions.UnauthorizedException;
import org.sonar.server.organization.DefaultOrganizationProviderRule; import org.sonar.server.organization.DefaultOrganizationProviderRule;
Expand Down Expand Up @@ -61,10 +62,10 @@ public void setUp() {


@Test @Test
public void add_user_to_group_referenced_by_its_id() throws Exception { public void add_user_to_group_referenced_by_its_id() throws Exception {
GroupDto group = db.users().insertGroup(defaultOrganizationProvider.getDto(), "admins"); GroupDto group = db.users().insertGroup();
UserDto user = db.users().insertUser("my-admin"); UserDto user = db.users().insertUser();
loginAsAdminOnDefaultOrganization();


loginAsAdmin();
newRequest() newRequest()
.setParam("id", group.getId().toString()) .setParam("id", group.getId().toString())
.setParam("login", user.getLogin()) .setParam("login", user.getLogin())
Expand All @@ -76,10 +77,10 @@ public void add_user_to_group_referenced_by_its_id() throws Exception {


@Test @Test
public void add_user_to_group_referenced_by_its_name() throws Exception { public void add_user_to_group_referenced_by_its_name() throws Exception {
GroupDto group = db.users().insertGroup(defaultOrganizationProvider.getDto(), "a-group"); GroupDto group = db.users().insertGroup();
UserDto user = db.users().insertUser("user_login"); UserDto user = db.users().insertUser();
loginAsAdminOnDefaultOrganization();


loginAsAdmin();
newRequest() newRequest()
.setParam(PARAM_GROUP_NAME, group.getName()) .setParam(PARAM_GROUP_NAME, group.getName())
.setParam(PARAM_LOGIN, user.getLogin()) .setParam(PARAM_LOGIN, user.getLogin())
Expand All @@ -94,8 +95,8 @@ public void add_user_to_group_referenced_by_its_name_and_organization() throws E
OrganizationDto org = OrganizationTesting.insert(db, newOrganizationDto()); OrganizationDto org = OrganizationTesting.insert(db, newOrganizationDto());
GroupDto group = db.users().insertGroup(org, "a-group"); GroupDto group = db.users().insertGroup(org, "a-group");
UserDto user = db.users().insertUser("user_login"); UserDto user = db.users().insertUser("user_login");
loginAsAdmin(org);


loginAsAdmin();
newRequest() newRequest()
.setParam(PARAM_ORGANIZATION_KEY, org.getKey()) .setParam(PARAM_ORGANIZATION_KEY, org.getKey())
.setParam(PARAM_GROUP_NAME, group.getName()) .setParam(PARAM_GROUP_NAME, group.getName())
Expand All @@ -113,8 +114,8 @@ public void add_user_to_another_group() throws Exception {
GroupDto users = db.users().insertGroup(defaultOrg, "users"); GroupDto users = db.users().insertGroup(defaultOrg, "users");
UserDto user = db.users().insertUser("my-admin"); UserDto user = db.users().insertUser("my-admin");
db.users().insertMember(users, user); db.users().insertMember(users, user);
loginAsAdminOnDefaultOrganization();


loginAsAdmin();
newRequest() newRequest()
.setParam("id", admins.getId().toString()) .setParam("id", admins.getId().toString())
.setParam("login", user.getLogin()) .setParam("login", user.getLogin())
Expand All @@ -125,12 +126,12 @@ public void add_user_to_another_group() throws Exception {
} }


@Test @Test
public void user_is_already_member_of_group() throws Exception { public void do_not_fail_if_user_is_already_member_of_group() throws Exception {
GroupDto users = db.users().insertGroup(defaultOrganizationProvider.getDto(), "users"); GroupDto users = db.users().insertGroup();
UserDto user = db.users().insertUser("my-admin"); UserDto user = db.users().insertUser();
db.users().insertMember(users, user); db.users().insertMember(users, user);
loginAsAdminOnDefaultOrganization();


loginAsAdmin();
newRequest() newRequest()
.setParam("id", users.getId().toString()) .setParam("id", users.getId().toString())
.setParam("login", user.getLogin()) .setParam("login", user.getLogin())
Expand All @@ -143,12 +144,12 @@ public void user_is_already_member_of_group() throws Exception {


@Test @Test
public void group_has_multiple_members() throws Exception { public void group_has_multiple_members() throws Exception {
GroupDto users = db.users().insertGroup(defaultOrganizationProvider.getDto(), "user"); GroupDto users = db.users().insertGroup();
UserDto user1 = db.users().insertUser("user1"); UserDto user1 = db.users().insertUser();
UserDto user2 = db.users().insertUser("user2"); UserDto user2 = db.users().insertUser();
db.users().insertMember(users, user1); db.users().insertMember(users, user1);


loginAsAdmin(); loginAsAdminOnDefaultOrganization();
newRequest() newRequest()
.setParam("id", users.getId().toString()) .setParam("id", users.getId().toString())
.setParam("login", user2.getLogin()) .setParam("login", user2.getLogin())
Expand All @@ -161,11 +162,11 @@ public void group_has_multiple_members() throws Exception {


@Test @Test
public void fail_if_group_does_not_exist() throws Exception { public void fail_if_group_does_not_exist() throws Exception {
UserDto user = db.users().insertUser("my-admin"); UserDto user = db.users().insertUser();


expectedException.expect(NotFoundException.class); expectedException.expect(NotFoundException.class);


loginAsAdmin(); loginAsAdminOnDefaultOrganization();
newRequest() newRequest()
.setParam("id", "42") .setParam("id", "42")
.setParam("login", user.getLogin()) .setParam("login", user.getLogin())
Expand All @@ -178,7 +179,7 @@ public void fail_if_user_does_not_exist() throws Exception {


expectedException.expect(NotFoundException.class); expectedException.expect(NotFoundException.class);


loginAsAdmin(); loginAsAdminOnDefaultOrganization();
newRequest() newRequest()
.setParam("id", group.getId().toString()) .setParam("id", group.getId().toString())
.setParam("login", "my-admin") .setParam("login", "my-admin")
Expand All @@ -187,8 +188,8 @@ public void fail_if_user_does_not_exist() throws Exception {


@Test @Test
public void fail_if_not_administrator() throws Exception { public void fail_if_not_administrator() throws Exception {
GroupDto group = db.users().insertGroup(defaultOrganizationProvider.getDto(), "admins"); GroupDto group = db.users().insertGroup();
UserDto user = db.users().insertUser("my-admin"); UserDto user = db.users().insertUser();


expectedException.expect(UnauthorizedException.class); expectedException.expect(UnauthorizedException.class);


Expand All @@ -198,12 +199,34 @@ public void fail_if_not_administrator() throws Exception {
.execute(); .execute();
} }


@Test
public void fail_if_administrator_of_another_organization() throws Exception {
OrganizationDto org1 = OrganizationTesting.insert(db, newOrganizationDto());
GroupDto group = db.users().insertGroup(org1, "a-group");
UserDto user = db.users().insertUser("user_login");
OrganizationDto org2 = OrganizationTesting.insert(db, newOrganizationDto());
loginAsAdmin(org2);

expectedException.expect(ForbiddenException.class);

newRequest()
.setParam(PARAM_ORGANIZATION_KEY, org1.getKey())
.setParam(PARAM_GROUP_NAME, group.getName())
.setParam(PARAM_LOGIN, user.getLogin())
.execute();
}


private WsTester.TestRequest newRequest() { private WsTester.TestRequest newRequest() {
return ws.newPostRequest("api/user_groups", "add_user"); return ws.newPostRequest("api/user_groups", "add_user");
} }


private void loginAsAdmin() { private void loginAsAdminOnDefaultOrganization() {
userSession.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN); loginAsAdmin(db.getDefaultOrganization());
}

private void loginAsAdmin(OrganizationDto org) {
userSession.login().addOrganizationPermission(org.getUuid(), GlobalPermissions.SYSTEM_ADMIN);
} }


private GroupWsSupport newGroupWsSupport() { private GroupWsSupport newGroupWsSupport() {
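Review bot: The new fail_if_administrator_of_another_organization test covers an administrator of a different organization (ForbiddenException), but no visible test covers a user who is logged in and holds no administration permission on the group's own organization, which is the other branch the new checkOrganizationPermission call introduces; the collapsed body of fail_if_not_administrator expects UnauthorizedException, which suggests it exercises only the anonymous path, though that body is not fully visible here. A test along the lines below, built from the helpers already used in this file, would pin that behaviour.
```java
@Test
public void fail_if_logged_in_user_is_not_administrator_of_organization() throws Exception {
  GroupDto group = db.users().insertGroup();
  UserDto user = db.users().insertUser();
  userSession.login();

  expectedException.expect(ForbiddenException.class);

  newRequest()
    .setParam("id", group.getId().toString())
    .setParam("login", user.getLogin())
    .execute();
}
```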
