Merge pull request Ericsson#4375 from bruntib/fix_product_permissions

[fix] Get product configuration with view permission
feyruzb · Oct 25, 2024 · 1e9f8f0 · 1e9f8f0
2 parents 91b729c + 76e8245
commit 1e9f8f0
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/web/server/codechecker_server/api/product_server.py b/web/server/codechecker_server/api/product_server.py
@@ -67,6 +67,8 @@ def __require_permission(self, required, args=None):
         with DBSession(self.__session) as session:
             if args is None:
                 args = dict(self.__permission_args)
+
+            if 'config_db_session' not in args:
                 args['config_db_session'] = session
 
             # Anonymous access is only allowed if authentication is
@@ -254,7 +256,9 @@ def getProductConfiguration(self, product_id):
         Get the product configuration --- WITHOUT THE DB PASSWORD --- of the
         given product.
         """
-        self.__require_permission([permissions.PRODUCT_VIEW])
+        self.__require_permission([permissions.PRODUCT_VIEW], {
+            'productID': product_id
+        })
 
         with DBSession(self.__session) as session:
             product = session.query(Product).get(product_id)

diff --git a/web/tests/functional/products/__init__.py b/web/tests/functional/products/__init__.py
@@ -96,6 +96,7 @@ def setup_class_common(workspace_name):
 
     # Export the test configuration to the workspace.
     env.export_test_cfg(TEST_WORKSPACE, test_config)
+    env.enable_auth(TEST_WORKSPACE)
 
 
 def teardown_class_common():

diff --git a/web/tests/functional/products/test_products.py b/web/tests/functional/products/test_products.py
@@ -181,6 +181,19 @@ def test_get_product_data(self):
                          Confidentiality.CONFIDENTIAL,
                          "Default Confidentiality was not Confidential")
 
+    def test_get_product_config_auth_server(self):
+        """
+        Test if product configuration can be retrieved from an authenticated
+        server.
+        """
+        pr_client = env.setup_product_client(
+            self.test_workspace, product=self.product_name)
+        product_id = pr_client.getCurrentProduct().id
+
+        pr_client = env.setup_product_client(self.test_workspace)
+        pr_config = pr_client.getProductConfiguration(product_id)
+        self.assertIsNotNone(pr_config)
+
     def test_editing(self):
         """
         Test editing the product details (without reconnecting it).