WindowsAuthProvider setting to restrict BUILTIN\Administrators

author James Moger <james.moger@gitblit.com>

Fri, 21 Feb 2014 20:25:46 +0000 (15:25 -0500)

committer James Moger <james.moger@gitblit.com>

Fri, 21 Feb 2014 20:25:46 +0000 (15:25 -0500)
author James Moger <james.moger@gitblit.com>
Fri, 21 Feb 2014 20:25:46 +0000 (15:25 -0500)
committer James Moger <james.moger@gitblit.com>
Fri, 21 Feb 2014 20:25:46 +0000 (15:25 -0500)
diff --git a/releases.moxie b/releases.moxie

index 0aa35efaad79cedc1e3da5b6ecd2e8bd7b50157c..da8476412c413fb634411154d0b44f2447d9f490 100644 (file)
--- a/releases.moxie
+++ b/releases.moxie
@@ -62,6 +62,7 @@ r20: {
         - Support Markdown image links relative to the repository root (issue-324)
         - Added filesystem write permission check (issue-345)
         - Added GO launch parameter for redirecting logging to a rolling, daily log file (issue-348)
+       - Added settings to Windows authentication provider to permit/prohibit BUILTIN\Administrators from being Gitblit Admins (issue-354)
         - Support rendering confluence, mediawiki, textile, tracwiki, and twiki markup documents
         - Added setting to globally disable anonymous pushes in the receive pack
         - Added a normalized diffstat display to the commit, commitdiff, and compare pages
@@ -90,6 +91,7 @@ r20: {
         - { name: 'realm.ldap.synchronize', defaultValue: 'false' }
         - { name: 'realm.ldap.syncPeriod', defaultValue: '5 MINUTES' }
         - { name: 'realm.ldap.removeDeletedUsers', defaultValue: 'true' }
+       - { name: 'realm.windows.permitBuiltInAdministrators', defaultValue: 'true' }
         - { name: 'web.commitMessageRenderer', defaultValue: 'plain' }
         - { name: 'web.documents', defaultValue: 'readme home index changelog contributing submitting_patches copying license notice authors' }
         - { name: 'web.showBranchGraph', defaultValue: 'true' }
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties

index da638322bd56a9b48b0e9f0e12d5166f0ee7a7fa..35ae16ab60a2060c35ec88fb722a94e6e940ff0e 100644 (file)
--- a/src/main/distrib/data/gitblit.properties
+++ b/src/main/distrib/data/gitblit.properties
@@ -1352,6 +1352,12 @@ realm.container.autoCreateAccounts = false
  # SINCE 1.3.0\r
  realm.windows.allowGuests = false\r
  \r
+# Allow user accounts belonging to the BUILTIN\Administrators group to be\r
+# Gitblit administrators.\r
+#\r
+# SINCE 1.4.0\r
+realm.windows.permitBuiltInAdministrators = true\r
+\r
  # The default domain for authentication.\r
  #\r
  # If specified, this domain will be used for authentication UNLESS the supplied\r
diff --git a/src/main/java/com/gitblit/auth/WindowsAuthProvider.java b/src/main/java/com/gitblit/auth/WindowsAuthProvider.java

index 93cae046d5b225de10d06ce68dc9a434e4674eaa..ac15b28fae9a224b37ed1ee50a867f3a32216c02 100644 (file)
--- a/src/main/java/com/gitblit/auth/WindowsAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/WindowsAuthProvider.java
@@ -158,9 +158,11 @@ public class WindowsAuthProvider extends UsernamePasswordAuthenticationProvider
                         groupNames.add(group.getFqn());
          }
  
-        if (groupNames.contains("BUILTIN\\Administrators")) {
-               // local administrator
-               user.canAdmin = true;
+               if (settings.getBoolean(Keys.realm.windows.permitBuiltInAdministrators, true)) {
+                       if (groupNames.contains("BUILTIN\\Administrators")) {
+                               // local administrator
+                               user.canAdmin = true;
+                       }
          }
  
          // TODO consider mapping Windows groups to teams
author	James Moger <james.moger@gitblit.com>
	Fri, 21 Feb 2014 20:25:46 +0000 (15:25 -0500)
committer	James Moger <james.moger@gitblit.com>
	Fri, 21 Feb 2014 20:25:46 +0000 (15:25 -0500)
releases.moxie		patch \| blob \| history
src/main/distrib/data/gitblit.properties		patch \| blob \| history
src/main/java/com/gitblit/auth/WindowsAuthProvider.java		patch \| blob \| history