Revised user access checks to account for repository ownership.

Repository owners no longer have to be explicitly selected to grant
them access to Git, feeds, and zip downloads. Idea from Github/dadalar.

1 files changed, 16 insertions, 0 deletions

diff --git a/src/com/gitblit/models/UserModel.java b/src/com/gitblit/models/UserModel.java
index fcf2b263..dadc44e7 100644
--- a/src/com/gitblit/models/UserModel.java
+++ b/src/com/gitblit/models/UserModel.java
@@ -20,6 +20,8 @@ import java.security.Principal;
 import java.util.HashSet;

 import java.util.Set;

 

+import com.gitblit.utils.StringUtils;

+

 /**

  * UserModel is a serializable model class that represents a user and the user's

  * restricted repository memberships. Instances of UserModels are also used as

@@ -43,10 +45,24 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
 		this.username = username;

 	}

 

+	/**

+	 * This method does not take into consideration Ownership where the

+	 * administrator has not explicitly granted access to the owner.

+	 * 

+	 * @param repositoryName

+	 * @return

+	 */

+	@Deprecated

 	public boolean canAccessRepository(String repositoryName) {

 		return canAdmin || repositories.contains(repositoryName.toLowerCase());

 	}

 

+	public boolean canAccessRepository(RepositoryModel repository) {

+		boolean isOwner = !StringUtils.isEmpty(repository.owner)

+				&& repository.owner.equals(username);

+		return canAdmin || isOwner || repositories.contains(repository.name.toLowerCase());

+	}

+

 	public void addRepository(String name) {

 		repositories.add(name.toLowerCase());

 	}