SECURITY-995 Use POST method and check permissions

Use POST method for saving connection data and also check that user has
ADMINISTER permission

src/main/java/com/agiletestware/pangolin/GlobalConfig.java

@@ -28,6 +28,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.verb.POST;
 
 import com.agiletestware.pangolin.client.DefaultPangolinClientFactory;
 import com.agiletestware.pangolin.client.DefaultRetrofitFactory;
@@ -45,6 +46,7 @@
 import hudson.model.AbstractProject;
 import hudson.util.FormValidation;
 import jenkins.model.GlobalConfiguration;
+import jenkins.model.Jenkins;
 
 /**
  * Global configuration for Pangolin plugin.
@@ -98,13 +100,14 @@ public GlobalConfig() {
 	 * @return the form validation
 	 */
 	// GlobalSettings form validation
+	@POST
 	public FormValidation doSaveConnection(
 			@QueryParameter("pangolinUrl") final String pangolinUrl,
 			@QueryParameter("testRailUrl") final String testRailUrl,
 			@QueryParameter("testRailUserName") final String testRailUserName,
 			@QueryParameter("testRailPassword") final String testRailPassword,
 			@QueryParameter("uploadTimeOut") final int uploadTimeOut) {
-
+		Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
 		final String pangolinURLTrimmed = fixEmptyAndTrim(pangolinUrl);
 		final String testRailURLTrimmed = fixEmptyAndTrim(testRailUrl);
 		final String testRailUserNameTrimmed = fixEmptyAndTrim(testRailUserName);

src/test/java/com/agiletestware/pangolin/GlobalConfigTest.java

@@ -34,8 +34,11 @@
 
 import javax.servlet.ServletException;
 
+import org.acegisecurity.Authentication;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PrepareForTest;
@@ -46,6 +49,9 @@
 import com.agiletestware.pangolin.validator.CustomUrlAvailableValidator;
 
 import hudson.model.AbstractProject;
+import hudson.security.ACL;
+import hudson.security.AccessDeniedException2;
+import hudson.security.Permission;
 import hudson.util.FormValidation;
 import jenkins.model.Jenkins;
 
@@ -66,6 +72,8 @@ public class GlobalConfigTest {
 	private static final int TIME_OUT = 1;
 	private static final String ENCRYPTED_PASSWORD = "encryptedPassword";
 
+	@Rule
+	public ExpectedException expected = ExpectedException.none();
 	private final Jenkins jenkins = mock(Jenkins.class);
 	private GlobalConfig globalConfig;
 	private final CustomUrlAvailableValidator alwaysValidValidator = mock(CustomUrlAvailableValidator.class);
@@ -74,6 +82,14 @@ public class GlobalConfigTest {
 	public void setUp() throws Exception {
 		PowerMockito.mockStatic(Jenkins.class);
 		PowerMockito.when(Jenkins.getInstance()).thenReturn(jenkins);
+		PowerMockito.when(Jenkins.getAuthentication()).thenCallRealMethod();
+		when(jenkins.getACL()).thenReturn(new ACL() {
+
+			@Override
+			public boolean hasPermission(final Authentication a, final Permission permission) {
+				return true;
+			}
+		});
 		globalConfig = spy(GlobalConfig.class);
 		doAnswer((i) -> null).when(globalConfig).save();
 		when(alwaysValidValidator.validate(any(), any())).thenReturn(FormValidation.ok());
@@ -179,6 +195,19 @@ public void doSaveConnectionWithDifferentPasswordValues() throws Exception {
 		verifyNoMoreInteractions(client);
 	}
 
+	@Test
+	public void doSaveConnectionFailOnMissingPrivileges() {
+		expected.expect(AccessDeniedException2.class);
+		when(jenkins.getACL()).thenReturn(new ACL() {
+
+			@Override
+			public boolean hasPermission(final Authentication a, final Permission permission) {
+				return false;
+			}
+		});
+		globalConfig.doSaveConnection(PANGOLIN_URL, TEST_RAIL_URL, TEST_RAIL_USER, TEST_RAIL_PASSWORD, TIME_OUT);
+	}
+
 	@Test
 	public void doCheckPassPangolinURL() throws IOException, ServletException {
 		final List<String> urls = Arrays.asList("http://localhost:9090", "https://localhost:9090", "http://localhost",