From 1608ca3d98c5b93efa66deeebada1cd750ed0875 Mon Sep 17 00:00:00 2001 From: Toshi MARUYAMA Date: Tue, 4 Oct 2011 21:52:08 +0000 Subject: [PATCH] Merged r7579 from trunk. Restrict anonymous read access with Redmine.pm Redmine.pm now also checks for public projects whether the anonymous user has the browse_repository right for a read operation. Contributed by Holger Just. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.2-stable@7580 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- extra/svn/Redmine.pm | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm index c0320f13e..8fbd229ff 100644 --- a/extra/svn/Redmine.pm +++ b/extra/svn/Redmine.pm @@ -208,7 +208,7 @@ sub access_handler { my $project_id = get_project_identifier($r); $r->set_handlers(PerlAuthenHandler => [\&OK]) - if is_public_project($project_id, $r); + if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r); return OK } @@ -280,6 +280,29 @@ sub is_public_project { $ret; } +sub anonymous_role_allows_browse_repository { + my $r = shift; + + my $dbh = connect_database($r); + my $sth = $dbh->prepare( + "SELECT permissions FROM roles WHERE builtin = 2;" + ); + + $sth->execute(); + my $ret = 0; + if (my @row = $sth->fetchrow_array) { + if ($row[0] =~ /:browse_repository/) { + $ret = 1; + } + } + $sth->finish(); + undef $sth; + $dbh->disconnect(); + undef $dbh; + + $ret; +} + # perhaps we should use repository right (other read right) to check public access. # it could be faster BUT it doesn't work for the moment. # sub is_public_project_by_file { -- 2.39.5