summaryrefslogtreecommitdiffstats
path: root/src/main/java/com/gitblit/git/GitblitReceivePack.java
diff options
context:
space:
mode:
Diffstat (limited to 'src/main/java/com/gitblit/git/GitblitReceivePack.java')
-rw-r--r--src/main/java/com/gitblit/git/GitblitReceivePack.java11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/git/GitblitReceivePack.java b/src/main/java/com/gitblit/git/GitblitReceivePack.java
index 35f0d866..3a0eff22 100644
--- a/src/main/java/com/gitblit/git/GitblitReceivePack.java
+++ b/src/main/java/com/gitblit/git/GitblitReceivePack.java
@@ -50,6 +50,7 @@ import com.gitblit.client.Translation;
import com.gitblit.manager.IGitblit;
import com.gitblit.models.RepositoryModel;
import com.gitblit.models.UserModel;
+import com.gitblit.tickets.BranchTicketService;
import com.gitblit.utils.ArrayUtils;
import com.gitblit.utils.ClientLogger;
import com.gitblit.utils.CommitCache;
@@ -236,6 +237,16 @@ public class GitblitReceivePack extends ReceivePack implements PreReceiveHook, P
default:
break;
}
+ } else if (ref.equals(BranchTicketService.BRANCH)) {
+ // ensure pushing user is an administrator OR an owner
+ // i.e. prevent ticket tampering
+ boolean permitted = user.canAdmin() || repository.isOwner(user.username);
+ if (!permitted) {
+ sendRejection(cmd, "{0} is not permitted to push to {1}", user.username, ref);
+ }
+ } else if (ref.startsWith(Constants.R_FOR)) {
+ // prevent accidental push to refs/for
+ sendRejection(cmd, "{0} is not configured to receive patchsets", repository.name);
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-24 00:11:56 +0000