From 9715e11fe30eccafa4c8272316883c80ba036a6e Mon Sep 17 00:00:00 2001
From: James Moger
Date: Thu, 2 May 2013 22:59:02 -0400
Subject: Improve permission determination when repo is frozen or is not bare
---
 src/main/java/com/gitblit/Constants.java | 6 ++-
 .../java/com/gitblit/models/RepositoryModel.java | 1 +
 src/main/java/com/gitblit/models/TeamModel.java | 33 ++++++++++++---
 src/main/java/com/gitblit/models/UserModel.java | 47 +++++++++++++++++-----
 .../java/com/gitblit/tests/PermissionsTest.java | 35 ++++++++++++++++
 5 files changed, 106 insertions(+), 16 deletions(-)
(limited to 'src')
diff --git a/src/main/java/com/gitblit/Constants.java b/src/main/java/com/gitblit/Constants.java
index f0373464..0514045d 100644
--- a/src/main/java/com/gitblit/Constants.java
+++ b/src/main/java/com/gitblit/Constants.java
@@ -385,7 +385,11 @@ public class Constants {
 private AccessPermission(String code) {
 this.code = code;
 }
-
+
+ public boolean atMost(AccessPermission perm) {
+ return ordinal() <= perm.ordinal();
+ }
+
 public boolean atLeast(AccessPermission perm) {
 return ordinal() >= perm.ordinal();
 }
diff --git a/src/main/java/com/gitblit/models/RepositoryModel.java b/src/main/java/com/gitblit/models/RepositoryModel.java
index 5c906e5e..6e1e226a 100644
--- a/src/main/java/com/gitblit/models/RepositoryModel.java
+++ b/src/main/java/com/gitblit/models/RepositoryModel.java
@@ -101,6 +101,7 @@ public class RepositoryModel implements Serializable, Comparable();
+ this.isBare = true;
 addOwner(owner);
 }
diff --git a/src/main/java/com/gitblit/models/TeamModel.java b/src/main/java/com/gitblit/models/TeamModel.java
index 8e0d5d5c..e0499f7c 100644
--- a/src/main/java/com/gitblit/models/TeamModel.java
+++ b/src/main/java/com/gitblit/models/TeamModel.java
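Review bot: `atMost` in the `@@ -385` hunk of Constants.java ranks permissions by `ordinal()`, so the cap this commit introduces is only as correct as the declaration order of the `AccessPermission` constants, and nothing on the new method says so. The enum body is outside the hunk, so the order cannot be confirmed from here. A Javadoc such as `/** True if this permission grants no more than perm; relies on the constants being declared from least to most privileged. */` would warn anyone who adds or reorders a constant that they are changing authorization results. `perm` is dereferenced without a null check, which matches the existing `atLeast` but deserves a mention in the same comment.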
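Review bot: The `this.isBare = true;` default in the `@@ -101` hunk of RepositoryModel.java is set only in this constructor, while the new cap in TeamModel and UserModel treats `!repository.isBare` as read-only. The field declaration and any other constructor or deserialization path are outside the hunk; if `isBare` is a plain `boolean`, a model created any other way would default to `false` and be limited to CLONE without any visible reason. That fails closed, but initialising the field at its declaration would make the default independent of the construction path. Failing that, a comment here such as `// bare by default: a non-bare repository is capped at CLONE by getRepositoryPermission` would record the coupling.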
@@ -197,16 +197,29 @@ public class TeamModel implements Serializable, Comparable {
 ap.permission = AccessPermission.NONE;
 ap.mutable = false;
+ // determine maximum permission for the repository
+ final AccessPermission maxPermission =
+ (repository.isFrozen || !repository.isBare) ?
+ AccessPermission.CLONE : AccessPermission.REWIND;
+
 if (AccessRestrictionType.NONE.equals(repository.accessRestriction)) {
 // anonymous rewind
 ap.permissionType = PermissionType.ANONYMOUS;
- ap.permission = AccessPermission.REWIND;
+ if (AccessPermission.REWIND.atMost(maxPermission)) {
+ ap.permission = AccessPermission.REWIND;
+ } else {
+ ap.permission = maxPermission;
+ }
 return ap;
 }
 if (canAdmin) {
 ap.permissionType = PermissionType.ADMINISTRATOR;
- ap.permission = AccessPermission.REWIND;
+ if (AccessPermission.REWIND.atMost(maxPermission)) {
+ ap.permission = AccessPermission.REWIND;
+ } else {
+ ap.permission = maxPermission;
+ }
 return ap;
 }
@@ -215,7 +228,11 @@ public class TeamModel implements Serializable, Comparable {
 AccessPermission p = permissions.get(repository.name.toLowerCase());
 if (p != null && repository.accessRestriction.isValidPermission(p)) {
 ap.permissionType = PermissionType.EXPLICIT;
- ap.permission = p;
+ if (p.atMost(maxPermission)) {
+ ap.permission = p;
+ } else {
+ ap.permission = maxPermission;
+ }
 ap.mutable = true;
 return ap;
 }
@@ -227,7 +244,11 @@ public class TeamModel implements Serializable, Comparable {
 if (p != null && repository.accessRestriction.isValidPermission(p)) {
 // take first match
 ap.permissionType = PermissionType.REGEX;
- ap.permission = p;
+ if (p.atMost(maxPermission)) {
+ ap.permission = p;
+ } else {
+ ap.permission = maxPermission;
+ }
 ap.source = key;
 return ap;
 }
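Review bot: The five-line clamp `if (p.atMost(maxPermission)) { ap.permission = p; } else { ap.permission = maxPermission; }` is pasted four times across the TeamModel.java hunks (`@@ -197`, `@@ -215`, `@@ -227`) and six more times in the UserModel.java hunks, next to a second copy of the `maxPermission` computation. Because this is the authorization cap for frozen and non-bare repositories, a branch added later without the paste would grant write access with no compile-time signal. Each site can be the single line `ap.permission = p.atMost(maxPermission) ? p : maxPermission;`. Where the candidate is the constant REWIND, the result is simply `maxPermission`, assuming REWIND ranks above CLONE. The enclosing method starts and ends outside these hunks.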
@@ -252,8 +273,8 @@ public class TeamModel implements Serializable, Comparable {
 ap.permissionType = PermissionType.ANONYMOUS;
 break;
 case NONE:
- // implied REWIND or CLONE if frozen
- ap.permission = repository.isFrozen ? AccessPermission.CLONE : AccessPermission.REWIND;
+ // implied REWIND or CLONE
+ ap.permission = maxPermission;
 ap.permissionType = PermissionType.ANONYMOUS;
 break;
 }
diff --git a/src/main/java/com/gitblit/models/UserModel.java b/src/main/java/com/gitblit/models/UserModel.java
index 5750d46a..e4c659c1 100644
--- a/src/main/java/com/gitblit/models/UserModel.java
+++ b/src/main/java/com/gitblit/models/UserModel.java
@@ -278,18 +278,31 @@ public class UserModel implements Principal, Serializable, Comparable
 ap.registrantType = RegistrantType.USER;
 ap.permission = AccessPermission.NONE;
 ap.mutable = false;
+
+ // determine maximum permission for the repository
+ final AccessPermission maxPermission =
+ (repository.isFrozen || !repository.isBare) ?
+ AccessPermission.CLONE : AccessPermission.REWIND;
 if (AccessRestrictionType.NONE.equals(repository.accessRestriction)) {
 // anonymous rewind
 ap.permissionType = PermissionType.ANONYMOUS;
- ap.permission = AccessPermission.REWIND;
+ if (AccessPermission.REWIND.atMost(maxPermission)) {
+ ap.permission = AccessPermission.REWIND;
+ } else {
+ ap.permission = maxPermission;
+ }
 return ap;
 }
 // administrator
 if (canAdmin()) {
 ap.permissionType = PermissionType.ADMINISTRATOR;
- ap.permission = AccessPermission.REWIND;
+ if (AccessPermission.REWIND.atMost(maxPermission)) {
+ ap.permission = AccessPermission.REWIND;
+ } else {
+ ap.permission = maxPermission;
+ }
 if (!canAdmin) {
 // administator permission from team membership
 for (TeamModel team : teams) {
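Review bot: In the administrator branch of the `@@ -278` UserModel.java hunk, `ap.permission` can now be CLONE while `ap.permissionType` is still ADMINISTRATOR (and OWNER in the following hunk), so the cap holds only for callers that decide on `permission`. Those callers are not visible here; it is worth confirming that the push/receive path and the UI do not read an ADMINISTRATOR or OWNER `permissionType` as implying write access. A comment above the `maxPermission` declaration, e.g. `// hard cap: applies to administrators and owners as well`, would make the intent explicit. The method body starts and ends outside the hunk.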
@@ -305,13 +318,21 @@ public class UserModel implements Principal, Serializable, Comparable
 // repository owner - either specified owner or personal repository
 if (repository.isOwner(username) || repository.isUsersPersonalRepository(username)) {
 ap.permissionType = PermissionType.OWNER;
- ap.permission = AccessPermission.REWIND;
+ if (AccessPermission.REWIND.atMost(maxPermission)) {
+ ap.permission = AccessPermission.REWIND;
+ } else {
+ ap.permission = maxPermission;
+ }
 return ap;
 }
 if (AuthorizationControl.AUTHENTICATED.equals(repository.authorizationControl) && isAuthenticated) {
 // AUTHENTICATED is a shortcut for authorizing all logged-in users RW+ access
- ap.permission = AccessPermission.REWIND;
+ if (AccessPermission.REWIND.atMost(maxPermission)) {
+ ap.permission = AccessPermission.REWIND;
+ } else {
+ ap.permission = maxPermission;
+ }
 return ap;
 }
@@ -322,7 +343,11 @@ public class UserModel implements Principal, Serializable, Comparable
 AccessPermission p = permissions.get(repository.name.toLowerCase());
 if (p != null && repository.accessRestriction.isValidPermission(p)) {
 ap.permissionType = PermissionType.EXPLICIT;
- ap.permission = p;
+ if (p.atMost(maxPermission)) {
+ ap.permission = p;
+ } else {
+ ap.permission = maxPermission;
+ }
 ap.mutable = true;
 return ap;
 }
@@ -334,7 +359,11 @@ public class UserModel implements Principal, Serializable, Comparable
 if (p != null && repository.accessRestriction.isValidPermission(p)) {
 // take first match
 ap.permissionType = PermissionType.REGEX;
- ap.permission = p;
+ if (p.atMost(maxPermission)) {
+ ap.permission = p;
+ } else {
+ ap.permission = maxPermission;
+ }
 ap.source = key;
 return ap;
 }
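Review bot: The retained comment `// AUTHENTICATED is a shortcut for authorizing all logged-in users RW+ access` in the `@@ -305` hunk no longer describes the code beneath it, since the branch now yields CLONE for a frozen or non-bare repository. I would reword it to `// AUTHENTICATED authorizes all logged-in users up to maxPermission (RW+ unless frozen or non-bare)`. In the visible lines this branch also returns without assigning `ap.permissionType`, unlike its neighbours. That predates the commit, but it deserves a comment if it is intentional.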
@@ -345,7 +374,7 @@ public class UserModel implements Principal, Serializable, Comparable
 // try to find a team match
 for (TeamModel team : teams) {
 RegistrantAccessPermission p = team.getRepositoryPermission(repository);
- if (p.permission.exceeds(ap.permission) && PermissionType.ANONYMOUS != p.permissionType) {
+ if (p.permission.atMost(maxPermission) && p.permission.exceeds(ap.permission) && PermissionType.ANONYMOUS != p.permissionType) {
 // use highest team permission that is not an implicit permission
 ap.permission = p.permission;
 ap.source = team.name;
@@ -370,8 +399,8 @@ public class UserModel implements Principal, Serializable, Comparable
 ap.permissionType = PermissionType.ANONYMOUS;
 break;
 case NONE:
- // implied REWIND or CLONE if frozen
- ap.permission = repository.isFrozen ? AccessPermission.CLONE : AccessPermission.REWIND;
+ // implied REWIND or CLONE
+ ap.permission = maxPermission;
 ap.permissionType = PermissionType.ANONYMOUS;
 break;
 }
diff --git a/src/test/java/com/gitblit/tests/PermissionsTest.java b/src/test/java/com/gitblit/tests/PermissionsTest.java
index 8e2ed977..12225e42 100644
--- a/src/test/java/com/gitblit/tests/PermissionsTest.java
+++ b/src/test/java/com/gitblit/tests/PermissionsTest.java
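Review bot: The team-inheritance condition in the `@@ -345` hunk skips a team permission that exceeds `maxPermission`, whereas every other branch in this commit clamps the value to `maxPermission`. With the TeamModel change in this same commit, `team.getRepositoryPermission` should already return a capped value, so the added `atMost` test looks redundant today. If it ever does fire, the user loses the team grant entirely instead of receiving CLONE. Either drop the extra test and add a comment that TeamModel enforces the cap, or clamp here as elsewhere so both classes behave the same. The loop body continues outside the hunk.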
@@ -2843,4 +2843,39 @@ public class PermissionsTest extends Assert {
 assertTrue("User did not inherit create privileges", user.canCreate());
 }
+ @Test
+ public void testIsFrozen() throws Exception {
+ RepositoryModel repo = new RepositoryModel("somerepo.git", null, null, new Date());
+ repo.authorizationControl = AuthorizationControl.NAMED;
+ repo.accessRestriction = AccessRestrictionType.NONE;
+
+ UserModel user = new UserModel("test");
+ TeamModel team = new TeamModel("team");
+
+ assertEquals("user has wrong permission!", AccessPermission.REWIND, user.getRepositoryPermission(repo).permission);
+ assertEquals("team has wrong permission!", AccessPermission.REWIND, team.getRepositoryPermission(repo).permission);
+
+ // freeze repo
+ repo.isFrozen = true;
+ assertEquals("user has wrong permission!", AccessPermission.CLONE, user.getRepositoryPermission(repo).permission);
+ assertEquals("team has wrong permission!", AccessPermission.CLONE, team.getRepositoryPermission(repo).permission);
+ }
+
+ @Test
+ public void testIsBare() throws Exception {
+ RepositoryModel repo = new RepositoryModel("somerepo.git", null, null, new Date());
+ repo.authorizationControl = AuthorizationControl.NAMED;
+ repo.accessRestriction = AccessRestrictionType.NONE;
+
+ UserModel user = new UserModel("test");
+ TeamModel team = new TeamModel("team");
+
+ assertEquals("user has wrong permission!", AccessPermission.REWIND, user.getRepositoryPermission(repo).permission);
+ assertEquals("team has wrong permission!", AccessPermission.REWIND, team.getRepositoryPermission(repo).permission);
+
+ // set repo to have a working copy, pushes prohibited
+ repo.isBare = false;
+ assertEquals("user has wrong permission!", AccessPermission.CLONE, user.getRepositoryPermission(repo).permission);
+ assertEquals("team has wrong permission!", AccessPermission.CLONE, team.getRepositoryPermission(repo).permission);
+ }
 }
-- cgit v1.2.3
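Review bot: `testIsFrozen` and `testIsBare` set `accessRestriction = AccessRestrictionType.NONE`, so they exercise only the first, anonymous branch of `getRepositoryPermission` in each model. The clamps added for the administrator, owner, AUTHENTICATED, explicit, regex and team-inherited branches are not asserted, and those are the grants a cap is most likely to miss. I would add cases on a restricted repository where an administrator, and a user or team holding an explicit REWIND grant, resolve to CLONE once `isFrozen = true` or `isBare = false`. A case with both flags set would also pin the `||` in the `maxPermission` expression.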