From: James Moger Date: Thu, 26 Feb 2015 16:16:01 +0000 (-0500) Subject: issue-545: Enforce repository permissions in patch page X-Git-Tag: v1.7.0~6^2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Ftickets%2F42%2F242%2F1;p=gitblit.git issue-545: Enforce repository permissions in patch page
---
diff --git a/src/main/java/com/gitblit/wicket/pages/PatchPage.java b/src/main/java/com/gitblit/wicket/pages/PatchPage.java
index ece41367..bd904e1f 100644
--- a/src/main/java/com/gitblit/wicket/pages/PatchPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/PatchPage.java
@@ -20,6 +20,8 @@ import org.apache.wicket.markup.html.basic.Label;
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.revwalk.RevCommit;
+import com.gitblit.models.RepositoryModel;
+import com.gitblit.models.UserModel;
 import com.gitblit.utils.DiffUtils;
 import com.gitblit.utils.JGitUtils;
 import com.gitblit.utils.StringUtils;
@@ -31,13 +33,12 @@ import com.gitblit.wicket.WicketUtils;
 @CacheControl(LastModified.BOOT)
 public class PatchPage extends SessionPage {
- public PatchPage(PageParameters params) {
+ public PatchPage(final PageParameters params) {
 super(params);
 if (!params.containsKey("r")) {
- GitBlitWebSession.get().cacheErrorMessage(getString("gb.repositoryNotSpecified"));
+ error(getString("gb.repositoryNotSpecified"));
 redirectToInterceptPage(new RepositoriesPage());
- return;
 }
 final String repositoryName = WicketUtils.getRepositoryName(params);
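Review bot: The missing-`r` guard in the `@@ -31,13 +33,12 @@` hunk no longer stops after `redirectToInterceptPage(new RepositoriesPage());`, because the `return;` that followed it is deleted here, while the two later guards touched by the same commit keep theirs. Unless `redirectToInterceptPage` is known to abort by throwing (that is not visible in this diff), the constructor carries on with whatever `WicketUtils.getRepositoryName(params)` yields for an absent parameter and relies on the later checks to refuse the request, which would also queue a second error message. I would keep `return;` after the redirect so that each guard fails closed on its own. The constructor body continues past the end of this hunk.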
@@ -45,9 +46,20 @@ public class PatchPage extends SessionPage {
 final String objectId = WicketUtils.getObject(params);
 final String blobPath = WicketUtils.getPath(params);
+ GitBlitWebSession session = GitBlitWebSession.get();
+ UserModel user = session.getUser();
+
+ RepositoryModel model = app().repositories().getRepositoryModel(user, repositoryName);
+ if (model == null) {
+ // user does not have permission
+ error(getString("gb.canNotLoadRepository") + " " + repositoryName);
+ redirectToInterceptPage(new RepositoriesPage());
+ return;
+ }
+
 Repository r = app().repositories().getRepository(repositoryName);
 if (r == null) {
- GitBlitWebSession.get().cacheErrorMessage(getString("gb.canNotLoadRepository") + " " + repositoryName);
+ error(getString("gb.canNotLoadRepository") + " " + repositoryName);
 redirectToInterceptPage(new RepositoriesPage());
 return;
 }
@@ -67,4 +79,5 @@ public class PatchPage extends SessionPage {
 add(new Label("patchText", patch));
 r.close();
 }
+
 }
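Review bot: `session.getUser()` is passed straight into `getRepositoryModel(user, repositoryName)` in the `@@ -45,9 +46,20 @@` hunk, and nothing visible says what it holds for a session with no signed-in user. If it can be null there, the result of the new access check depends entirely on how `getRepositoryModel` treats a null user, which this diff does not show; I would record the assumption at the call, e.g. `// user may be null for an anonymous session; getRepositoryModel must then apply anonymous view rules`. The comment `// user does not have permission` is also narrower than the branch, since a null model presumably covers a repository that does not exist as well. Answering both cases with the same `gb.canNotLoadRepository` text is worth keeping, and worth stating in that comment, so the page does not disclose which repository names exist. The constructor starts before this hunk and ends after it.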