Getting project and repo with sys admin permissions #135

tomasbjerre · tomasbjerre · commit 474e1fd252ee · 2016-07-30T08:56:50.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,13 +3,19 @@
 Changelog of Pull Request Notifier for Bitbucket.
 
 ## Unreleased
+### GitHub [#135](https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/issues/135) Not permitted to access buttons settings as project/repo admin
+  Getting project and repo with sys admin permissions
+  
+  [4af3fd9f87fa409](https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/commit/4af3fd9f87fa409) Tomas Bjerre *2016-07-30 06:42:38*
+
+## 2.32
 ### No issue
   Fine tuning notification confirmation feature
  * Using AUI flag.
  * Showing invoked URL and response content.
  * Also logging error when variable cant be resolved. Was giving up entirely. Will now log and continue trying to resolve other variables.
   
-  [cd772334597de1f](https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/commit/cd772334597de1f) Tomas Bjerre *2016-07-29 22:25:58*
+  [aee524c305eb666](https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/commit/aee524c305eb666) Tomas Bjerre *2016-07-29 22:47:15*
 
   Add Button Trigger Confirmation Dialog
 
diff --git a/src/main/java/se/bjurr/prnfb/service/UserCheckService.java b/src/main/java/se/bjurr/prnfb/service/UserCheckService.java
@@ -2,7 +2,9 @@
 
 import static com.atlassian.bitbucket.permission.Permission.PROJECT_ADMIN;
 import static com.atlassian.bitbucket.permission.Permission.REPO_ADMIN;
+import static com.atlassian.bitbucket.permission.Permission.SYS_ADMIN;
 import static com.google.common.base.Strings.emptyToNull;
+import static com.google.common.base.Throwables.propagate;
 import static com.google.common.collect.Iterables.filter;
 import static se.bjurr.prnfb.settings.USER_LEVEL.ADMIN;
 import static se.bjurr.prnfb.settings.USER_LEVEL.EVERYONE;
@@ -19,25 +21,30 @@
 import com.atlassian.bitbucket.project.ProjectService;
 import com.atlassian.bitbucket.repository.Repository;
 import com.atlassian.bitbucket.repository.RepositoryService;
+import com.atlassian.bitbucket.user.SecurityService;
+import com.atlassian.bitbucket.util.Operation;
 import com.atlassian.sal.api.user.UserKey;
 import com.atlassian.sal.api.user.UserManager;
 import com.atlassian.sal.api.user.UserProfile;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Predicate;
 
 public class UserCheckService {
  private final PermissionService permissionService;
  private final ProjectService projectService;
  private final RepositoryService repositoryService;
+ private final SecurityService securityService;
  private final SettingsService settingsService;
  private final UserManager userManager;
 
  public UserCheckService(PermissionService permissionService, UserManager userManager, SettingsService settingsService,
-   RepositoryService repositoryService, ProjectService projectService) {
+   RepositoryService repositoryService, ProjectService projectService, SecurityService securityService) {
   this.userManager = userManager;
   this.settingsService = settingsService;
   this.permissionService = permissionService;
   this.projectService = projectService;
   this.repositoryService = repositoryService;
+  this.securityService = securityService;
  }
 
  public Iterable<PrnfbButton> filterAllowed(List<PrnfbButton> buttons) {
@@ -60,10 +67,10 @@ public boolean isAdmin(UserKey userKey, String projectKey, String repositorySlug
   repositorySlug = emptyToNull(repositorySlug);
 
   if (projectKey != null && repositorySlug == null) {
-   Project project = this.projectService.getByKey(projectKey);
+   Project project = getProject(projectKey);
    return this.permissionService.hasProjectPermission(project, PROJECT_ADMIN);
   } else if (repositorySlug != null) {
-   Repository repository = this.repositoryService.getBySlug(projectKey, repositorySlug);
+   Repository repository = getRepo(projectKey, repositorySlug);
    return this.permissionService.hasRepositoryPermission(repository, REPO_ADMIN);
   }
   return isAdmin;
@@ -100,6 +107,22 @@ public boolean isViewAllowed() {
   return true;
  }
 
+ @VisibleForTesting
+ private Project getProject(String projectKey) {
+  try {
+   return this.securityService//
+     .withPermission(SYS_ADMIN, "Getting project")//
+     .call(new Operation<Project, Exception>() {
+      @Override
+      public Project perform() throws Exception {
+       return UserCheckService.this.projectService.getByKey(projectKey);
+      }
+     });
+  } catch (Exception e) {
+   throw propagate(e);
+  }
+ }
+
  private boolean isAdminAllowed(USER_LEVEL adminRestriction, @Nullable String projectKey,
    @Nullable String repositorySlug) {
   UserKey userKey = this.userManager.getRemoteUser().getUserKey();
@@ -108,6 +131,22 @@ private boolean isAdminAllowed(USER_LEVEL adminRestriction, @Nullable String pro
   return isAdminAllowedCheck(adminRestriction, isAdmin, isSystemAdmin);
  }
 
+ @VisibleForTesting
+ Repository getRepo(String projectKey, String repositorySlug) {
+  try {
+   return this.securityService//
+     .withPermission(SYS_ADMIN, "Getting repo")//
+     .call(new Operation<Repository, Exception>() {
+      @Override
+      public Repository perform() throws Exception {
+       return UserCheckService.this.repositoryService.getBySlug(projectKey, repositorySlug);
+      }
+     });
+  } catch (Exception e) {
+   throw propagate(e);
+  }
+ }
+
  boolean isAdminAllowedCheck(USER_LEVEL userLevel, boolean isAdmin, boolean isSystemAdmin) {
   return userLevel == EVERYONE //
     || isSystemAdmin //
diff --git a/src/test/java/se/bjurr/prnfb/service/UserCheckServiceTest.java b/src/test/java/se/bjurr/prnfb/service/UserCheckServiceTest.java
@@ -12,26 +12,39 @@
 
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.Matchers;
 import org.mockito.Mock;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
 
 import se.bjurr.prnfb.presentation.dto.ON_OR_OFF;
 import se.bjurr.prnfb.settings.PrnfbButton;
 
 import com.atlassian.bitbucket.permission.PermissionService;
 import com.atlassian.bitbucket.project.ProjectService;
 import com.atlassian.bitbucket.repository.RepositoryService;
+import com.atlassian.bitbucket.user.EscalatedSecurityContext;
+import com.atlassian.bitbucket.user.SecurityService;
+import com.atlassian.bitbucket.util.Operation;
 import com.atlassian.sal.api.user.UserKey;
 import com.atlassian.sal.api.user.UserManager;
 import com.atlassian.sal.api.user.UserProfile;
 
 public class UserCheckServiceTest {
 
+ @Mock
+ private EscalatedSecurityContext escalatedSecurityContext;
+
  @Mock
  private PermissionService permissionService;
+ private String projectKey;
  @Mock
  private ProjectService projectService;
  @Mock
  private RepositoryService repositoryService;
+ private String repositorySlug;
+ @Mock
+ private SecurityService securityService;
  @Mock
  private SettingsService settingsService;
  private UserCheckService sut;
@@ -42,19 +55,35 @@ public class UserCheckServiceTest {
  private UserManager userManager;
 
  @Before
- public void before() {
+ public void before() throws Exception {
   initMocks(this);
   this.sut = new UserCheckService(this.permissionService, this.userManager, this.settingsService,
-    this.repositoryService, this.projectService);
+    this.repositoryService, this.projectService, this.securityService);
+
+  when(this.securityService.withPermission(Matchers.any(), Matchers.any()))//
+    .thenReturn(this.escalatedSecurityContext);
+  when(this.escalatedSecurityContext.call(Matchers.any()))//
+    .thenAnswer(new Answer<Boolean>() {
+     @Override
+     public Boolean answer(InvocationOnMock invocation) throws Throwable {
+      Operation<?, ?> op = (Operation<?, ?>) invocation.getArguments()[0];
+      return (Boolean) op.perform();
+     }
+    });
  }
 
  @Test
  public void testThatAdminAllowedCanBeChecked() {
-  this.sut.isAdminAllowed(null, null);
+  this.projectKey = null;
+  this.repositorySlug = null;
+  this.sut.isAdminAllowed(this.projectKey, this.repositorySlug);
  }
 
  @Test
  public void testThatAllowedButtonsCanBeFiltered() {
+  this.projectKey = "p1";
+  this.repositorySlug = "r1";
+
   when(this.userManager.getRemoteUser())//
     .thenReturn(this.user);
   when(this.userManager.getRemoteUser().getUserKey())//
@@ -77,12 +106,16 @@ public void testThatAllowedButtonsCanBeFiltered() {
 
  @Test
  public void testThatAllowedCanBeChecked() {
+  this.projectKey = "p1";
+  this.repositorySlug = "r1";
+
   when(this.userManager.getRemoteUser())//
     .thenReturn(this.user);
   when(this.userManager.getRemoteUser().getUserKey())//
     .thenReturn(this.userKey);
   when(this.userManager.isSystemAdmin(this.userKey))//
     .thenReturn(true);
+
   PrnfbButton candidate = new PrnfbButton(null, "title", ADMIN, ON_OR_OFF.off, "p1", "r1");
   assertThat(this.sut.isAllowedUseButton(candidate))//
     .isTrue();
