
Implement permission checking on alert delete().

1 parent 1100bea commit 9c26cfc97be05cf2bf680bc50221bd2950fce16a Ryan Morgan committed Sep 30, 2009
Showing with 40 additions and 0 deletions.
  1. +2 −0 hqu/hqapi1/app/AlertController.groovy
  2. +38 −0 src/org/hyperic/hq/hqapi1/test/AlertDelete_test.java
@@ -302,6 +302,8 @@ public class AlertController extends ApiController {
if (!alert) {
failureXml = getFailureXML(ErrorCode.OBJECT_NOT_FOUND,
"Unable to find alert with id = " + id)
+ } else if (!canManageAlerts(alert.definition.resource)) {
+ failureXml = getFailureXML(ErrorCode.PERMISSION_DENIED)
}
}
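Review bot: The new `else if` only runs when the alert lookup succeeded, so an unprivileged caller still receives OBJECT_NOT_FOUND for ids that do not exist and PERMISSION_DENIED for ids that do, which lets any authenticated user probe which alert ids exist. If clients do not need that distinction, returning the same error code in both cases closes the oracle; if the behaviour is intended, a comment such as `// Lookup precedes the permission check: response distinguishes a missing alert from a forbidden one` records that the trade-off was accepted. `alert.definition.resource` is dereferenced through two hops without a null check, and whether a definition can lack a resource is not visible from this hunk. The rest of delete(), including where failureXml is acted on, lies outside the hunk.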
@@ -5,8 +5,11 @@
import org.hyperic.hq.hqapi1.types.Alert;
import org.hyperic.hq.hqapi1.types.StatusResponse;
import org.hyperic.hq.hqapi1.types.Resource;
+import org.hyperic.hq.hqapi1.types.User;
import org.hyperic.hq.hqapi1.AlertApi;
+import java.util.List;
+
public class AlertDelete_test extends AlertTestBase {
public AlertDelete_test(String name) {
@@ -42,6 +45,41 @@ public void testDeleteAlert() throws Exception {
hqAssertSuccess(deleteDefResponse);
}
+ public void testDeleteAlertNoPermission() throws Exception {
+ Resource platform = getLocalPlatformResource(false, false);
+ AlertDefinition d = generateAlerts(platform);
+ AlertApi api = getAlertApi();
+
+ AlertsResponse response = api.findAlerts(platform, 0, System.currentTimeMillis(),
+ 10, 1, false, false);
+ hqAssertSuccess(response);
+ assertTrue(response.getAlert().size() <= 10);
+ assertTrue(response.getAlert().size() > 0);
+
+ for (Alert a : response.getAlert()) {
+ validateAlert(a);
+ }
+
+ // Test delete with an unprivledged user
+
+ List<User> users = createTestUsers(1);
+ User unprivUser = users.get(0);
+ AlertApi apiUnpriv = getApi(unprivUser.getName(), TESTUSER_PASSWORD).getAlertApi();
+
+ Alert a = response.getAlert().get(0);
+ StatusResponse deleteResponse = apiUnpriv.delete(a.getId());
+ hqAssertFailurePermissionDenied(deleteResponse);
+
+ // TODO: Valididate alert was deleted? Will require a getById API.
+
+ // Cleanup
+ StatusResponse deleteDefResponse = getApi().
+ getAlertDefinitionApi().deleteAlertDefinition(d.getId());
+ hqAssertSuccess(deleteDefResponse);
+
+ deleteTestUsers(users);
+ }
+
public void testDeleteInvalidAlert() throws Exception {
AlertApi api = getAlertApi();
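Review bot: After `hqAssertFailurePermissionDenied(deleteResponse)` the test never checks that the alert survived, and the TODO on the following line asks the opposite question ("was deleted"); no getById API is needed, because `api.findAlerts(...)`, already called at the top of the method, can re-list the platform's alerts and the test can assert `a.getId()` is still among them. The cleanup of the alert definition and the test users also runs only on the success path, so one failing assertion leaves both behind for later tests; a `finally` keeps the fixture from leaking. The id comparison in the rewrite assumes `getId()` returns an object type and should become `==` if it is a primitive. The comment typos `unprivledged` and `Valididate` could be fixed in passing.
```java
        Alert a = response.getAlert().get(0);
        try {
            StatusResponse deleteResponse = apiUnpriv.delete(a.getId());
            hqAssertFailurePermissionDenied(deleteResponse);

            // The alert must still be listed after the denied delete.
            AlertsResponse after = api.findAlerts(platform, 0, System.currentTimeMillis(),
                                                  10, 1, false, false);
            hqAssertSuccess(after);
            boolean stillPresent = false;
            for (Alert remaining : after.getAlert()) {
                if (remaining.getId().equals(a.getId())) {
                    stillPresent = true;
                }
            }
            assertTrue("Alert was deleted by an unprivileged user", stillPresent);
        } finally {
            // Cleanup runs even when an assertion above fails.
            StatusResponse deleteDefResponse = getApi().
                getAlertDefinitionApi().deleteAlertDefinition(d.getId());
            hqAssertSuccess(deleteDefResponse);
            deleteTestUsers(users);
        }
    }
```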
