Merged in bugfix/check_permissions_for_permissions (pull request #281)

Check permissions to read permissions

scm-webapp/src/main/java/sonia/scm/api/v2/resources/GroupPermissionResource.java

@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.security.PermissionPermissions;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
@@ -47,6 +48,7 @@ public class GroupPermissionResource {
     @ResponseCode(code = 500, condition = "internal server error")
   })
   public Response getPermissions(@PathParam("id") String id) {
+    PermissionPermissions.read().check();
     Collection<PermissionDescriptor> permissions = permissionAssigner.readPermissionsForGroup(id);
     return Response.ok(permissionCollectionToDtoMapper.mapForGroup(permissions, id)).build();
   }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java

@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import sonia.scm.security.PermissionAssigner;
 import sonia.scm.security.PermissionDescriptor;
+import sonia.scm.security.PermissionPermissions;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
@@ -48,6 +49,7 @@ public class UserPermissionResource {
     @ResponseCode(code = 500, condition = "internal server error")
   })
   public Response getPermissions(@PathParam("id") String id) {
+    PermissionPermissions.read().check();
     Collection<PermissionDescriptor> permissions = permissionAssigner.readPermissionsForUser(id);
     return Response.ok(permissionCollectionToDtoMapper.mapForUser(permissions, id)).build();
   }