authorJames Moger <james.moger@gitblit.com>2012-02-03 18:16:16 -0500
committerJames Moger <james.moger@gitblit.com>2012-02-03 18:16:16 -0500
commitb7403152813c7fee783e3c999c7f7ae9fbaacce0 (patch)
treeb30326dec98319aab292b3a160eb9f3e39db104c /src
parentfe7c01a8bd76dff240e74bb770212911e227ba59 (diff)
Block pushes to a repository with a working copy (issue 49)
Diffstat (limited to 'src')
-rw-r--r--src/com/gitblit/AccessRestrictionFilter.java17
-rw-r--r--src/com/gitblit/DownloadZipFilter.java12
-rw-r--r--src/com/gitblit/GitBlit.java1
-rw-r--r--src/com/gitblit/GitFilter.java23
-rw-r--r--src/com/gitblit/PagesFilter.java12
-rw-r--r--src/com/gitblit/SyndicationFilter.java12
-rw-r--r--src/com/gitblit/models/RepositoryModel.java6
7 files changed, 78 insertions, 5 deletions
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java
index a8d50b8c..e9b6587b 100644
--- a/src/com/gitblit/AccessRestrictionFilter.java
+++ b/src/com/gitblit/AccessRestrictionFilter.java
@@ -62,6 +62,15 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter {
protected abstract String getUrlRequestAction(String url);
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ protected abstract boolean isActionAllowed(RepositoryModel repository, String action);
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
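Review bot: The new Javadoc on `isActionAllowed` leaves both `@param` tags empty and does not state the contract that every subclass now has to implement. Going by the second hunk of this file, the method is called after the repository lookup and ahead of the request-wrapping step, and a `false` result ends the request with 403. The doc comment should say so, and should note that implementations cannot rely on an authenticated user at that point (the ordering is inferred from the visible comment, since the enclosing method is not shown in full). Suggested tags: `@param repository the model resolved from the request URL` and `@param action the action parsed from the request URL by getUrlRequestAction`.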
@@ -110,6 +119,14 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter {
httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
return;
}
+
+ // Confirm that the action may be executed on the repository
+ if (!isActionAllowed(model, urlRequestType)) {
+ logger.info(MessageFormat.format("ARF: action {0} on {1} forbidden ({2})",
+ urlRequestType, model, HttpServletResponse.SC_FORBIDDEN));
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
// Wrap the HttpServletRequest with the AccessRestrictionRequest which
// overrides the servlet container user principal methods.
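Review bot: The `logger.info` call for the forbidden case records the action and the repository but nothing that identifies the caller, so a refused push cannot be attributed when the log is reviewed. The check sits ahead of the request-wrapping step, so presumably no user has been resolved yet and the client address is the only identity available. Adding the servlet request's `getRemoteAddr()` as a further `MessageFormat` argument would cover this, for example `"ARF: action {0} on {1} from {2} forbidden ({3})"`. The same refusal is also logged at `warn` inside `GitFilter.isActionAllowed`, so one event yields two entries at different levels; it would be cleaner to pick one place and one level. The enclosing method starts and ends outside this hunk.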
diff --git a/src/com/gitblit/DownloadZipFilter.java b/src/com/gitblit/DownloadZipFilter.java
index c308cbbb..d22649b5 100644
--- a/src/com/gitblit/DownloadZipFilter.java
+++ b/src/com/gitblit/DownloadZipFilter.java
@@ -57,6 +57,18 @@ public class DownloadZipFilter extends AccessRestrictionFilter {
}
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
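Review bot: The unconditional `return true;` in this override carries only the copied base-class Javadoc, so nothing on the page says that permitting every action is a deliberate decision for this filter. A one-line comment in the body would make the intent reviewable, for example `// downloads do not modify the repository; no action is refused here` (adjust the wording if the filter can reach a write path). The same applies to the identical overrides added in PagesFilter and SyndicationFilter. Keeping the base method abstract is a reasonable choice because it forces each new filter to decide, but that only helps if each decision is explained.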
diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java
index a689b48e..7a6411c4 100644
--- a/src/com/gitblit/GitBlit.java
+++ b/src/com/gitblit/GitBlit.java
@@ -760,6 +760,7 @@ public class GitBlit implements ServletContextListener {
model.name = repositoryName;
model.hasCommits = JGitUtils.hasCommits(r);
model.lastChange = JGitUtils.getLastChange(r, null);
+ model.isBare = r.isBare();
StoredConfig config = JGitUtils.readConfig(r);
if (config != null) {
model.description = getConfig(config, "description", "");
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index a7f0fe74..e76fd767 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -81,6 +81,25 @@ public class GitFilter extends AccessRestrictionFilter {
}
return null;
}
+
+ /**
+ * Determine if the repository can receive pushes.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ if (action.equals(gitReceivePack)) {
+ // Push request
+ if (!repository.isBare) {
+ logger.warn("Gitblit does not allow pushes to repositories with a working copy");
+ return false;
+ }
+ }
+ return true;
+ }
/**
* Determine if the repository requires authentication.
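Review bot: `action.equals(gitReceivePack)` in the new `isActionAllowed` throws a NullPointerException when `action` is null. The `return null;` at the top of this hunk suggests the URL-action parser in this class can return exactly that, though its signature is outside the hunk, so this is inferred. The caller added in AccessRestrictionFilter passes `urlRequestType` straight into the check with no null test, so such a request would end in an unhandled exception rather than a defined response. Reversing the comparison makes the check total, assuming `gitReceivePack` is a non-null constant: `if (gitReceivePack.equals(action)) {`.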
@@ -107,8 +126,8 @@ public class GitFilter extends AccessRestrictionFilter {
if (!GitBlit.getBoolean(Keys.git.enableGitServlet, true)) {
// Git Servlet disabled
return false;
- }
- boolean readOnly = repository.isFrozen;
+ }
+ boolean readOnly = repository.isFrozen;
if (readOnly || repository.accessRestriction.atLeast(AccessRestrictionType.PUSH)) {
boolean authorizedUser = user.canAccessRepository(repository);
if (action.equals(gitReceivePack)) {
diff --git a/src/com/gitblit/PagesFilter.java b/src/com/gitblit/PagesFilter.java
index 87fef0d2..b29bede2 100644
--- a/src/com/gitblit/PagesFilter.java
+++ b/src/com/gitblit/PagesFilter.java
@@ -77,6 +77,18 @@ public class PagesFilter extends AccessRestrictionFilter {
}
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
diff --git a/src/com/gitblit/SyndicationFilter.java b/src/com/gitblit/SyndicationFilter.java
index d6dd1f2d..7e2561b9 100644
--- a/src/com/gitblit/SyndicationFilter.java
+++ b/src/com/gitblit/SyndicationFilter.java
@@ -55,6 +55,18 @@ public class SyndicationFilter extends AccessRestrictionFilter {
}
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
diff --git a/src/com/gitblit/models/RepositoryModel.java b/src/com/gitblit/models/RepositoryModel.java
index b633c69e..10dcbc68 100644
--- a/src/com/gitblit/models/RepositoryModel.java
+++ b/src/com/gitblit/models/RepositoryModel.java
@@ -53,14 +53,14 @@ public class RepositoryModel implements Serializable, Comparable<RepositoryModel
public boolean skipSizeCalculation;
public boolean skipSummaryMetrics;
public String frequency;
+ public boolean isBare;
public String origin;
+ public String HEAD;
+ public List<String> availableRefs;
public String size;
public List<String> preReceiveScripts;
public List<String> postReceiveScripts;
public List<String> mailingLists;
- public String HEAD;
- public List<String> availableRefs;
-
private String displayName;
public RepositoryModel() {
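Review bot: The new `public boolean isBare;` field has no comment, and its default of `false` is what `GitFilter.isActionAllowed` treats as "has a working copy, refuse pushes". Any `RepositoryModel` that is not populated through the `model.isBare = r.isBare();` assignment in GitBlit.java therefore blocks pushes: for instance one built with the constructor visible at the end of this hunk, or one deserialized from data written before this field existed. Failing closed is the safe direction, but it should be stated on the field, for example `// true when the repository has no working copy; defaults to false, which blocks pushes`. Because the class implements `Serializable`, it is also worth confirming that an explicit `serialVersionUID` is declared elsewhere in the file, since adding a field otherwise changes the computed one.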