Security patch for Sonar

9 messages

Simon Brandhof-2 () Security patch for Sonar
Hi Zigzag,

Your patch on user management is finally applied to trunk (version 1.12). The style of the management pages can be improved, but that's not important now. I'll do some updates later.
The next step is to add relations between roles and groups/users on each project. That's what Atlassian JIRA calls "Project Role Membership" for a project. Here is my proposal:
  • no need to create a ROLES table; they are already hardcoded (admin/viewer)
  • create tables GROUPS_ROLES (id, group_id, role) and USERS_ROLES (id, user_id, role)
  • add a page 'Project roles' in the global configuration section. It could look like this: http://skitch.com/simon.brandhof/nnqhp/project-roles
What's your point of view?

Thank you again for your work,
Simon
Freddy Mallet () Re: Security patch for Sonar
Simon,

In the GROUPS_ROLES and USERS_ROLES tables, I think you've forgotten to add an optional column "project_id"?


On Fri, Oct 9, 2009 at 10:53 AM, Simon Brandhof <[hidden email]> wrote:
> Hi Zigzag,
>
> Your patch on user management is finally applied to trunk (version 1.12). The style of the management pages can be improved, but that's not important now. I'll do some updates later.
> The next step is to add relations between roles and groups/users on each project. That's what Atlassian JIRA calls "Project Role Membership" for a project. Here is my proposal:
>   • no need to create a ROLES table; they are already hardcoded (admin/viewer)
>   • create tables GROUPS_ROLES (id, group_id, role) and USERS_ROLES (id, user_id, role)
>   • add a page 'Project roles' in the global configuration section. It could look like this: http://skitch.com/simon.brandhof/nnqhp/project-roles
> What's your point of view?
>
> Thank you again for your work,
> Simon

Simon Brandhof () Re: Security patch for Sonar
You're right. I'd rather call this column "resource_id", in order to be more generic.
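The schema the thread converges on (Simon's GROUPS_ROLES and USERS_ROLES, plus the optional project column Freddy asked for, named resource_id as Simon suggests), as an added example that is not code from the thread or from Sonar itself. The supporting tables (users, sonar_groups, groups_users), the sample users and project ids, the rule that a NULL resource_id means a global grant, and the has_role query are my assumptions; the two roles are the hardcoded admin/viewer from the proposal. It runs against an in-memory SQLite database.

```python
import sqlite3

# The only roles in the proposal are hardcoded (no ROLES table).
ROLES = ("admin", "viewer")

# Constructed schema. groups_roles / users_roles follow the thread's proposal plus
# the optional column Freddy asked for, named resource_id as Simon suggested.
# Assumption: resource_id NULL means the role is global; otherwise it is scoped
# to that project (resource). users / sonar_groups / groups_users are assumed
# supporting tables, not taken from the page.
SCHEMA = """
CREATE TABLE users        (id INTEGER PRIMARY KEY, login TEXT NOT NULL UNIQUE);
CREATE TABLE sonar_groups (id INTEGER PRIMARY KEY, name  TEXT NOT NULL UNIQUE);
CREATE TABLE groups_users (
    group_id INTEGER NOT NULL REFERENCES sonar_groups(id),
    user_id  INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (group_id, user_id));
CREATE TABLE groups_roles (
    id          INTEGER PRIMARY KEY,
    group_id    INTEGER NOT NULL REFERENCES sonar_groups(id),
    role        TEXT    NOT NULL CHECK (role IN ('admin', 'viewer')),
    resource_id INTEGER,
    UNIQUE (group_id, role, resource_id));
CREATE TABLE users_roles (
    id          INTEGER PRIMARY KEY,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    role        TEXT    NOT NULL CHECK (role IN ('admin', 'viewer')),
    resource_id INTEGER,
    UNIQUE (user_id, role, resource_id));
"""

# A user holds a role on a resource if it is granted directly, or through any
# group they belong to; a NULL (global) grant matches every resource.
HAS_ROLE_SQL = """
SELECT 1 FROM users_roles
 WHERE user_id = ? AND role = ? AND (resource_id = ? OR resource_id IS NULL)
UNION
SELECT 1 FROM groups_roles gr
  JOIN groups_users gu ON gu.group_id = gr.group_id
 WHERE gu.user_id = ? AND gr.role = ?
   AND (gr.resource_id = ? OR gr.resource_id IS NULL)
LIMIT 1
"""


def open_db():
    """In-memory database with the constructed schema and FK enforcement on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def _check_role(role):
    # Reject anything outside the hardcoded role set before it reaches the DB.
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}; only {ROLES} exist")


def grant_user_role(conn, user_id, role, resource_id=None):
    _check_role(role)
    conn.execute("INSERT INTO users_roles (user_id, role, resource_id) VALUES (?, ?, ?)",
                 (user_id, role, resource_id))


def grant_group_role(conn, group_id, role, resource_id=None):
    _check_role(role)
    conn.execute("INSERT INTO groups_roles (group_id, role, resource_id) VALUES (?, ?, ?)",
                 (group_id, role, resource_id))


def has_role(conn, user_id, role, resource_id):
    """True if the user holds `role` on `resource_id`, directly or via a group."""
    params = (user_id, role, resource_id, user_id, role, resource_id)
    return conn.execute(HAS_ROLE_SQL, params).fetchone() is not None


def build_demo_db():
    """Constructed sample data: alice (in group devs), bob, carol; projects 10 and 20."""
    conn = open_db()
    conn.executemany("INSERT INTO users (id, login) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.execute("INSERT INTO sonar_groups (id, name) VALUES (1, 'devs')")
    conn.execute("INSERT INTO groups_users (group_id, user_id) VALUES (1, 1)")
    grant_group_role(conn, 1, "viewer", 10)   # devs can view project 10
    grant_user_role(conn, 2, "admin", 10)     # bob administers project 10 only
    grant_user_role(conn, 3, "admin")         # carol is a global admin
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for uid, role, rid in [(1, "viewer", 10), (1, "admin", 10), (1, "viewer", 20),
                           (2, "admin", 10), (2, "admin", 20), (3, "admin", 20)]:
        print(uid, role, rid, has_role(db, uid, role, rid))
```

Two points worth noting about the design. Roles do not imply each other here (a global admin is not automatically a viewer), because the thread says nothing about a hierarchy; if that is wanted it belongs in the query, not in extra rows. And SQLite treats NULLs as distinct in UNIQUE constraints, so a global grant (resource_id NULL) can be inserted twice; a database that needs that guarded would use a sentinel resource id or a partial index instead.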

Zigzag Chen () Re: Security patch for Sonar
Hi Simon,

I think the design is a good idea (with "resource_id" added to both tables).
I will try to implement it in the coming week and then send you a patch.

Originally I thought that this part would be added in the Security plugin; that is the reason I was concerned about the GUI plug-in way.
But as you said in a previous email about the security plugin, it would be more about user/group synchronization with LDAP/Jira, etc.

Therefore my question is: how does the plugin change the User/Group information in the database?
Should we expose the User/Group and its relations tables through a REST API in Sonar core?

On Fri, Oct 9, 2009 at 4:53 PM, Simon Brandhof <[hidden email]> wrote:
> Hi Zigzag,
>
> Your patch on user management is finally applied to trunk (version 1.12). The style of the management pages can be improved, but that's not important now. I'll do some updates later.
> The next step is to add relations between roles and groups/users on each project. That's what Atlassian JIRA calls "Project Role Membership" for a project. Here is my proposal:
>   • no need to create a ROLES table; they are already hardcoded (admin/viewer)
>   • create tables GROUPS_ROLES (id, group_id, role) and USERS_ROLES (id, user_id, role)
>   • add a page 'Project roles' in the global configuration section. It could look like this: http://skitch.com/simon.brandhof/nnqhp/project-roles
> What's your point of view?
>
> Thank you again for your work,
> Simon



--
Kind Regards,

ZigZag Chen
Developer
Finalist IT Group - never stop developing!
Tel/Fax: +86 10 62988420
http://www.finalist.cn
Simon Brandhof-2 () Re: Security patch for Sonar
> I think the design is a good idea (with "resource_id" added to both tables).
> I will try to implement it in the coming week and then send you a patch.

Great! Take all the time you need.

> Originally I thought that this part would be added in the Security plugin; that is the reason I was concerned about the GUI plug-in way.
> But as you said in a previous email about the security plugin, it would be more about user/group synchronization with LDAP/Jira, etc.
>
> Therefore my question is: how does the plugin change the User/Group information in the database?
> Should we expose the User/Group and its relations tables through a REST API in Sonar core?

I think that security plugins directly access external systems, without using the Sonar database. There's no need to synchronize it with external referentials. The database is just used by the default mechanism.

Using Apache Ki will probably be a good solution to connect security plugins. I'll have a look at this lib and then get back to you. It's not so important for the moment.

Regards,
Simon
Zigzag Chen () Re: Security patch for Sonar
Hi Simon,

My colleague Auke in the Rotterdam office wants to create a portlet that displays Sonar statistics on the intranet. He will use the API described at:
http://docs.codehaus.org/display/SONAR/Web+Service+API.

Currently I am at home and cannot access the MacBook I use for development.
So there are some things I want to confirm with you:

1. Does our security mechanism work (or should it work) for the API the same way as for the GUI? (In the first patch I sent, I only focused on the GUI part and did not test API calls.)

2. Which version does http://docs.codehaus.org/display/SONAR/Web+Service+API describe? Is it 1.11? And do you plan to change some of it in 1.12?

3. Could you tell us about the release date of 1.12?


On Tue, Oct 13, 2009 at 3:48 AM, Simon Brandhof <[hidden email]> wrote:
> > I think the design is a good idea (with "resource_id" added to both tables).
> > I will try to implement it in the coming week and then send you a patch.
>
> Great! Take all the time you need.
>
> > Originally I thought that this part would be added in the Security plugin; that is the reason I was concerned about the GUI plug-in way.
> > But as you said in a previous email about the security plugin, it would be more about user/group synchronization with LDAP/Jira, etc.
> >
> > Therefore my question is: how does the plugin change the User/Group information in the database?
> > Should we expose the User/Group and its relations tables through a REST API in Sonar core?
>
> I think that security plugins directly access external systems, without using the Sonar database. There's no need to synchronize it with external referentials. The database is just used by the default mechanism.
>
> Using Apache Ki will probably be a good solution to connect security plugins. I'll have a look at this lib and then get back to you. It's not so important for the moment.
>
> Regards,
> Simon

Simon Brandhof-2 () Re: Security patch for Sonar
> 1. Does our security mechanism work (or should it work) for the API the same way as for the GUI? (In the first patch I sent, I only focused on the GUI part and did not test API calls.)

Yes, security is also applied in web services. See the authentication section of the API page.

> 2. Which version does http://docs.codehaus.org/display/SONAR/Web+Service+API describe? Is it 1.11? And do you plan to change some of it in 1.12?

The documentation always describes the latest stable version (currently 1.11). It will be updated as soon as 1.12 is released.

> 3. Could you tell us about the release date of 1.12?

In the middle of November (a new release every 6/7 weeks).

Zigzag Chen () Re: Security patch for Sonar
Hi Simon,

My colleague Rainy has finished granting project roles to users/groups according to your UI mockup.
The attachment is the patch file.

On Tue, Oct 13, 2009 at 3:48 AM, Simon Brandhof <[hidden email]> wrote:
> > I think the design is a good idea (with "resource_id" added to both tables).
> > I will try to implement it in the coming week and then send you a patch.
>
> Great! Take all the time you need.
>
> > Originally I thought that this part would be added in the Security plugin; that is the reason I was concerned about the GUI plug-in way.
> > But as you said in a previous email about the security plugin, it would be more about user/group synchronization with LDAP/Jira, etc.
> >
> > Therefore my question is: how does the plugin change the User/Group information in the database?
> > Should we expose the User/Group and its relations tables through a REST API in Sonar core?
>
> I think that security plugins directly access external systems, without using the Sonar database. There's no need to synchronize it with external referentials. The database is just used by the default mechanism.
>
> Using Apache Ki will probably be a good solution to connect security plugins. I'll have a look at this lib and then get back to you. It's not so important for the moment.
>
> Regards,
> Simon

Attachment: sonar_patch_2009-11-04.patch (32K)
Simon Brandhof-2 () Re: Security patch for Sonar
Hi guys,
Thank you for the hard work. I'll keep you informed as soon as the patch is applied.
Simon

----------------------------------------
Simon Brandhof
SonarSource.com
twitter.com/SonarSource
twitter.com/SimonBrandhof
----------------------------------------