authorJames Moger <james.moger@gitblit.com>2014-09-05 17:28:24 -0600
committerJames Moger <james.moger@gitblit.com>2014-09-05 17:28:24 -0600
commit90eb5a08ddd6a3a246e8b73da9524c304838928a (patch)
tree971ded25f97a1434c7e7d29369bb4661bdd68f29
parent30dc4e420aa0b7c9f33c5f1af0f4b7dc26fcc63b (diff)
parenta08e6f95864eb9a7ea8a1003083938f8bbc648c7 (diff)
Merged #167 "Do not let new forks inadvertently disclose repository contents"
-rw-r--r--src/main/java/com/gitblit/manager/GitblitManager.java7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/manager/GitblitManager.java b/src/main/java/com/gitblit/manager/GitblitManager.java
index 98ad33e7..b9ae122f 100644
--- a/src/main/java/com/gitblit/manager/GitblitManager.java
+++ b/src/main/java/com/gitblit/manager/GitblitManager.java
@@ -216,6 +216,13 @@ public class GitblitManager implements IGitblit {
RepositoryModel cloneModel = repository.cloneAs(cloneName);
// owner has REWIND/RW+ permissions
cloneModel.addOwner(user.username);
+
+ // ensure initial access restriction of the fork
+ // is not lower than the source repository (issue-495/ticket-167)
+ if (repository.accessRestriction.exceeds(cloneModel.accessRestriction)) {
+ cloneModel.accessRestriction = repository.accessRestriction;
+ }
+
repositoryManager.updateRepositoryModel(cloneName, cloneModel, false);
// add the owner of the source repository to the clone's access list
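Review bot: The new guard at `if (repository.accessRestriction.exceeds(cloneModel.accessRestriction))` raises only the restriction level of the fork; it leaves the fork's authorization control alone. `cloneAs()` is not visible in this hunk, so it is worth confirming that a fork of a VIEW-restricted, named-users-only source cannot end up readable by every authenticated user. If `cloneAs()` already defaults the fork to named-user authorization, record that next to the check, e.g. `// cloneAs() defaults the fork to NAMED authorization, so only the restriction level needs raising here`. The change also ships without a regression test; one that forks a VIEW-restricted repository and asserts the fork's `accessRestriction` is still VIEW would keep this disclosure from returning. The enclosing method starts and ends outside the hunk, so the access-list handling that follows could not be checked here.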