Merge pull request #98 from Raschudesny/JD-1428

JD-1428. Added usual jira admins permissions to work with WF registry

pom.xml

@@ -4,7 +4,7 @@
  <modelVersion>4.0.0</modelVersion>
  <groupId>ru.mail.jira.plugins</groupId>
  <artifactId>groovy</artifactId>
- <version>1.21.6-jira8</version>
+ <version>1.21.7-jira8</version>
  <organization>
  <name>AtlasTeam</name>
  <url>https://atlasteam.ru/</url>

src/main/java/ru/mail/jira/plugins/groovy/impl/PermissionHelper.java

@@ -26,12 +26,22 @@ public void checkIfAdmin() {
  checkIfAdmin(authenticationContext.getLoggedInUser());
  }
 
+ public void checkIfAdminOrSysAdmin() {
+ if (!isAdminOrSysAdmin())
+ throw new SecurityException("User is not admin");
+ }
+
  public void checkIfAdmin(ApplicationUser user) {
  if (!isAdmin(user)) {
  throw new SecurityException("User is not admin");
  }
  }
 
+ public boolean isAdminOrSysAdmin() {
+ ApplicationUser user = authenticationContext.getLoggedInUser();
+ return globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, user) || globalPermissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, user);
+ }
+
  public boolean isAdmin() {
  return isAdmin(authenticationContext.getLoggedInUser());
  }

src/main/java/ru/mail/jira/plugins/groovy/rest/ExecutionResource.java

@@ -29,7 +29,7 @@ public ExecutionResource(
  @Path("/forRegistry/{scriptId}")
  public Response getExecutions(@PathParam("scriptId") int scriptId) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return executionRepository.getRegistryExecutions(scriptId);
  }).getResponse();
@@ -39,7 +39,7 @@ public Response getExecutions(@PathParam("scriptId") int scriptId) {
  @Path("/forRegistry/{scriptId}/last")
  public Response getLastExecutions(@PathParam("scriptId") int scriptId) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return executionRepository.getLastRegistryExecutions(scriptId);
  }).getResponse();
@@ -49,7 +49,7 @@ public Response getLastExecutions(@PathParam("scriptId") int scriptId) {
  @Path("/forInline/{scriptId}")
  public Response getExecutions(@PathParam("scriptId") String scriptId) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return executionRepository.getInlineExecutions(scriptId);
  }).getResponse();
@@ -59,7 +59,7 @@ public Response getExecutions(@PathParam("scriptId") String scriptId) {
  @Path("/forInline/{scriptId}/last")
  public Response getLastExecutions(@PathParam("scriptId") String scriptId) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return executionRepository.getLastInlineExecutions(scriptId);
  }).getResponse();

src/main/java/ru/mail/jira/plugins/groovy/rest/RegistryResource.java

@@ -48,7 +48,7 @@ public RegistryResource(
  @WebSudoRequired
  public Response getDirectories() {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getAllDirectories();
  }).getResponse();
@@ -59,7 +59,7 @@ public Response getDirectories() {
  @WebSudoRequired
  public Response getAllScripts() {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getAllScripts();
  }).getResponse();
@@ -70,7 +70,7 @@ public Response getAllScripts() {
  @WebSudoRequired
  public Response getDirectoriesPicker() {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getAllDirectoriesForPicker();
  }).getResponse();
@@ -81,7 +81,7 @@ public Response getDirectoriesPicker() {
  @WebSudoRequired
  public Response getDirectory(@PathParam("id") int id) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getDirectory(id);
  }).getResponse();
@@ -153,7 +153,7 @@ public Response moveDirectory(@PathParam("id") int id, ParentForm form) {
  @WebSudoRequired
  public Response getAllScripts(@PathParam("type") WorkflowScriptType workflowScriptType) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getAllScriptDescriptions(workflowScriptType);
  }).getResponse();
@@ -164,7 +164,7 @@ public Response getAllScripts(@PathParam("type") WorkflowScriptType workflowScri
  @WebSudoRequired
  public Response getScript(@PathParam("id") int id) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getScript(id, true, false, false);
  }).getResponse();
@@ -175,7 +175,7 @@ public Response getScript(@PathParam("id") int id) {
  @WebSudoRequired
  public Response getScriptChangelogs(@PathParam("id") int id) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.getScriptChangelogs(id);
  }).getResponse();
@@ -186,7 +186,7 @@ public Response getScriptChangelogs(@PathParam("id") int id) {
  @WebSudoRequired
  public Response createScript(RegistryScriptForm form) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return scriptRepository.createScript(authenticationContext.getLoggedInUser(), form);
  })
@@ -199,7 +199,7 @@ public Response createScript(RegistryScriptForm form) {
  @WebSudoRequired
  public Response updateScript(@PathParam("id") int id, RegistryScriptForm form) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
  return scriptRepository.updateScript(authenticationContext.getLoggedInUser(), id, form);
  })
  .withExceptionMapper(MultipleCompilationErrorsException.class, Response.Status.BAD_REQUEST, e -> ExceptionHelper.mapCompilationException("scriptBody", e))
@@ -250,7 +250,7 @@ public Response moveScript(@PathParam("id") int id, ParentForm form) {
  @WebSudoRequired
  public Response findScriptWorkflows(@PathParam("id") int id) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
  return workflowSearchService.search(new ScriptUsageCollector(id)).getResult();
  }).getResponse();
  }
@@ -260,7 +260,7 @@ public Response findScriptWorkflows(@PathParam("id") int id) {
  @WebSudoRequired
  public Response getWorkflowUsage() {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return workflowSearchService.search(new AllScriptUsageCollector()).getResult();
  }).getResponse();

src/main/java/ru/mail/jira/plugins/groovy/rest/StaticCheckResource.java

@@ -46,7 +46,7 @@ public StaticCheckResource(
  @POST
  public Response checkStatic(StaticCheckForm form) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  Map<String, String> additionalParams = form.getAdditionalParams();
 

src/main/java/ru/mail/jira/plugins/groovy/rest/WatcherResource.java

@@ -32,7 +32,7 @@ public Response getWatches(
  @PathParam("type") EntityType type
  ) {
  return new RestExecutor<>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  return watcherService.getWatches(type, authenticationContext.getLoggedInUser());
  }).getResponse();
@@ -45,7 +45,7 @@ public Response watch(
  @PathParam("id") int id
  ) {
  return new RestExecutor<Void>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
 
  watcherService.addWatcher(type, id, authenticationContext.getLoggedInUser());
 
@@ -60,7 +60,7 @@ public Response unwatch(
  @PathParam("id") int id
  ) {
  return new RestExecutor<Void>(() -> {
- permissionHelper.checkIfAdmin();
+ permissionHelper.checkIfAdminOrSysAdmin();
  watcherService.removeWatcher(type, id, authenticationContext.getLoggedInUser());
 
  return null;

src/main/java/ru/mail/jira/plugins/groovy/servlet/GroovyServlet.java

@@ -52,7 +52,12 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
  return;
  }
 
- if (!permissionHelper.isAdmin()) {
+ if (path.startsWith("registry") && !permissionHelper.isAdminOrSysAdmin()) {
+ response.sendError(403);
+ return;
+ }
+
+ if (!path.startsWith("registry") && !permissionHelper.isAdmin()) {
  response.sendError(403);
  return;
  }

src/main/resources/atlassian-plugin.xml

@@ -244,9 +244,15 @@
  <label key="ru.mail.jira.plugins.groovy.link.registry" />
  <link linkId="mailru-groovy-registry-link">/plugins/servlet/my-groovy/registry</link>
 
- <condition class="com.atlassian.jira.plugin.webfragment.conditions.JiraGlobalPermissionCondition">
- <param name="permission">SYSTEM_ADMIN</param>
- </condition>
+ <coditions type="OR">
+ <condition class="com.atlassian.jira.plugin.webfragment.conditions.JiraGlobalPermissionCondition">
+ <param name="permission">SYSTEM_ADMIN</param>
+ </condition>
+ <condition class="com.atlassian.jira.plugin.webfragment.conditions.JiraGlobalPermissionCondition">
+ <param name="permission">ADMIN</param>
+ </condition>
+
+ </coditions>
  </web-item>
 
  <web-item key="groovy-listeners-menu-item" name="Groovy listeners menu item" section="admin_plugins_menu/admin_mailru_groovy_section">