authorJames Moger <james.moger@gitblit.com>2012-10-23 17:35:42 -0400
committerJames Moger <james.moger@gitblit.com>2012-10-23 17:35:42 -0400
commit2bfb8ab137ac18b60cad0c375c7b9bef67499b94 (patch)
treeab0785d8a59bbe5d6f2a6e954375049435755194 /src/com/gitblit/models
parent479cc28bdf743b778f9528bd0e9b997541aead53 (diff)
Enforce strict order for permission determination
The order of permissions defined within a user or team is preserved during read and write. This order is important for determining the regex match used within the user or team object. If the user is an admin or repository owner, then RW+; else if the user has an explicit permission, use that; else check for the first regex match in user permissions; else check for the HIGHEST permission from team memberships. If the team is an admin team, then RW+; else if a team has an explicit permission, use that; else check for the first regex match in team permissions.
Diffstat (limited to 'src/com/gitblit/models')
-rw-r--r--src/com/gitblit/models/TeamModel.java8
-rw-r--r--src/com/gitblit/models/UserModel.java22
2 files changed, 18 insertions, 12 deletions
diff --git a/src/com/gitblit/models/TeamModel.java b/src/com/gitblit/models/TeamModel.java
index 6410eb45..7d557db9 100644
--- a/src/com/gitblit/models/TeamModel.java
+++ b/src/com/gitblit/models/TeamModel.java
@@ -19,8 +19,8 @@ import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
-import java.util.HashMap;
import java.util.HashSet;
+import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -51,7 +51,7 @@ public class TeamModel implements Serializable, Comparable<TeamModel> {
// retained for backwards-compatibility with RPC clients
@Deprecated
public final Set<String> repositories = new HashSet<String>();
- public final Map<String, AccessPermission> permissions = new HashMap<String, AccessPermission>();
+ public final Map<String, AccessPermission> permissions = new LinkedHashMap<String, AccessPermission>();
public final Set<String> mailingLists = new HashSet<String>();
public final List<String> preReceiveScripts = new ArrayList<String>();
public final List<String> postReceiveScripts = new ArrayList<String>();
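Review bot: The switch to LinkedHashMap makes the insertion order of `permissions` part of the access-control decision, but nothing on the field says so; the same applies to the UserModel field changed in the hunk at `public final Map<String, AccessPermission> permissions = new LinkedHashMap`. The field is public and mutable, and the deprecated `repositories` set next to it suggests these models travel to RPC clients, so any code that copies or rebuilds the map as a plain HashMap would silently change which regex rule wins. Suggest a comment at both sites such as `// insertion order is significant: the first regex key that matches a repository decides the permission`. Whether the persistence and RPC layers actually preserve this order cannot be confirmed from this hunk.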
@@ -191,6 +191,8 @@ public class TeamModel implements Serializable, Comparable<TeamModel> {
AccessPermission p = permissions.get(key);
if (p != null) {
permission = p;
+ // take first match
+ break;
}
}
}
@@ -198,7 +200,7 @@ public class TeamModel implements Serializable, Comparable<TeamModel> {
return permission;
}
- private boolean canAccess(RepositoryModel repository, AccessRestrictionType ifRestriction, AccessPermission requirePermission) {
+ protected boolean canAccess(RepositoryModel repository, AccessRestrictionType ifRestriction, AccessPermission requirePermission) {
if (repository.accessRestriction.atLeast(ifRestriction)) {
AccessPermission permission = getRepositoryPermission(repository);
return permission.atLeast(requirePermission);
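Review bot: Widening `canAccess` from private to protected lets subclasses both call and override an authorization decision, and no subclass appears in this commit, so the intent is unclear from the hunk. If the goal is only to let a subclass call it, `protected final boolean canAccess(RepositoryModel repository, AccessRestrictionType ifRestriction, AccessPermission requirePermission)` would keep the check itself from being replaced; if overriding is intended, the method should carry Javadoc stating its contract (`@param ifRestriction` the restriction level the repository must be at or above for the check to apply, `@param requirePermission` the minimum permission the team's repository permission must reach, `@return` whether access is granted). The body of canAccess continues past the end of the hunk.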
diff --git a/src/com/gitblit/models/UserModel.java b/src/com/gitblit/models/UserModel.java
index 6cc07789..d7bc2935 100644
--- a/src/com/gitblit/models/UserModel.java
+++ b/src/com/gitblit/models/UserModel.java
@@ -19,8 +19,8 @@ import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
-import java.util.HashMap;
import java.util.HashSet;
+import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -60,7 +60,7 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
// retained for backwards-compatibility with RPC clients
@Deprecated
public final Set<String> repositories = new HashSet<String>();
- public final Map<String, AccessPermission> permissions = new HashMap<String, AccessPermission>();
+ public final Map<String, AccessPermission> permissions = new LinkedHashMap<String, AccessPermission>();
public final Set<TeamModel> teams = new HashSet<TeamModel>();
// non-persisted fields
@@ -217,8 +217,8 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
return AccessPermission.REWIND;
}
- // determine best permission available based on user's personal permissions
- // and the permissions of teams of which the user belongs
+ // explicit user permission OR user regex match is used
+ // if that fails, then the best team permission is used
AccessPermission permission = AccessPermission.NONE;
if (permissions.containsKey(repository.name.toLowerCase())) {
// exact repository permission specified, use it
@@ -232,17 +232,21 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
if (StringUtils.matchesIgnoreCase(repository.name, key)) {
AccessPermission p = permissions.get(key);
if (p != null) {
+ // take first match
permission = p;
+ break;
}
}
}
}
- for (TeamModel team : teams) {
- AccessPermission p = team.getRepositoryPermission(repository);
- if (permission == null || p.exceeds(permission)) {
- // use team permission
- permission = p;
+ if (AccessPermission.NONE.equals(permission)) {
+ for (TeamModel team : teams) {
+ AccessPermission p = team.getRepositoryPermission(repository);
+ if (p.exceeds(permission)) {
+ // use highest team permission
+ permission = p;
+ }
}
}
return permission;
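Review bot: `AccessPermission.NONE` serves both as the "nothing found yet" sentinel (initialized in the preceding hunk at `AccessPermission permission = AccessPermission.NONE;`) and as a value the lookups can yield, so the new `if (AccessPermission.NONE.equals(permission))` guard cannot tell an explicit or regex-matched NONE apart from the absence of any personal rule; if a NONE entry can be stored in `permissions` (not visible here), the team loop still runs and could grant access that the user-level rule was meant to withhold. Initializing `permission` to null, restoring the `permission == null ||` guard that the removed lines had, and mapping null back to NONE at the return keeps the documented precedence without overloading the value. getRepositoryPermission begins outside this hunk.
```java
// … unchanged: early return of REWIND …
AccessPermission permission = null;
// … unchanged: explicit permission lookup and first regex match …
if (permission == null) {
    for (TeamModel team : teams) {
        AccessPermission p = team.getRepositoryPermission(repository);
        if (permission == null || p.exceeds(permission)) {
            // use highest team permission
            permission = p;
        }
    }
}
return permission == null ? AccessPermission.NONE : permission;
```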