From b7403152813c7fee783e3c999c7f7ae9fbaacce0 Mon Sep 17 00:00:00 2001
From: James Moger
Date: Fri, 3 Feb 2012 18:16:16 -0500
Subject: Block pushes to a repository with a working copy (issue 49)
---
 src/com/gitblit/AccessRestrictionFilter.java | 17 +++++++++++++++++
 src/com/gitblit/DownloadZipFilter.java | 12 ++++++++++++
 src/com/gitblit/GitBlit.java | 1 +
 src/com/gitblit/GitFilter.java | 23 +++++++++++++++++++++--
 src/com/gitblit/PagesFilter.java | 12 ++++++++++++
 src/com/gitblit/SyndicationFilter.java | 12 ++++++++++++
 src/com/gitblit/models/RepositoryModel.java | 6 +++---
 7 files changed, 78 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java
index a8d50b8c..e9b6587b 100644
--- a/src/com/gitblit/AccessRestrictionFilter.java
+++ b/src/com/gitblit/AccessRestrictionFilter.java
@@ -61,6 +61,15 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter {
 */
 protected abstract String getUrlRequestAction(String url);
+ /**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ protected abstract boolean isActionAllowed(RepositoryModel repository, String action);
+
 /**
 * Determine if the repository requires authentication.
 *
@@ -110,6 +119,14 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter {
 httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
 return;
 }
+
+ // Confirm that the action may be executed on the repository
+ if (!isActionAllowed(model, urlRequestType)) {
+ logger.info(MessageFormat.format("ARF: action {0} on {1} forbidden ({2})",
+ urlRequestType, model, HttpServletResponse.SC_FORBIDDEN));
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
 // Wrap the HttpServletRequest with the AccessRestrictionRequest which
 // overrides the servlet container user principal methods.
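Review bot: The Javadoc on the new abstract `isActionAllowed` leaves both `@param` tags empty and says nothing about what a false return causes, which is exactly what an implementer in a subclass needs. Suggest `@param repository the repository resolved from the request URL`, `@param action the action string returned by getUrlRequestAction for this URL`, and a closing sentence that a false return makes the filter answer the request with HTTP 403, which is what the second hunk of this file does with the result. The surrounding class continues outside the hunk.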
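Review bot: The new `isActionAllowed` gate in doFilter is evaluated right after the repository lookup and, judging by the following "Wrap the HttpServletRequest" comment, before the authentication and access checks, so the 403 is returned to anonymous clients too; an unauthenticated request for `git-receive-pack` can therefore distinguish a non-bare repository (immediate 403) from a bare one (which proceeds to the normal authentication response). If that should not be observable without credentials, move the check below the authentication step or return the same status in both cases. Separately, `{1}` formats `model` itself and so relies on RepositoryModel.toString(); if that prints more than the name, logging `model.name` keeps the log line predictable. The enclosing doFilter starts and ends outside this hunk.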
diff --git a/src/com/gitblit/DownloadZipFilter.java b/src/com/gitblit/DownloadZipFilter.java
index c308cbbb..d22649b5 100644
--- a/src/com/gitblit/DownloadZipFilter.java
+++ b/src/com/gitblit/DownloadZipFilter.java
@@ -56,6 +56,18 @@ public class DownloadZipFilter extends AccessRestrictionFilter {
 return "DOWNLOAD";
 }
+ /**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
 /**
 * Determine if the repository requires authentication.
 *
diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java
index a689b48e..7a6411c4 100644
--- a/src/com/gitblit/GitBlit.java
+++ b/src/com/gitblit/GitBlit.java
@@ -760,6 +760,7 @@ public class GitBlit implements ServletContextListener {
 model.name = repositoryName;
 model.hasCommits = JGitUtils.hasCommits(r);
 model.lastChange = JGitUtils.getLastChange(r, null);
+ model.isBare = r.isBare();
 StoredConfig config = JGitUtils.readConfig(r);
 if (config != null) {
 model.description = getConfig(config, "description", "");
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index a7f0fe74..e76fd767 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -81,6 +81,25 @@ public class GitFilter extends AccessRestrictionFilter {
 }
 return null;
 }
+ /**
+ * Determine if the repository can receive pushes.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ if (action.equals(gitReceivePack)) {
+ // Push request
+ if (!repository.isBare) {
+ logger.warn("Gitblit does not allow pushes to repositories with a working copy");
+ return false;
+ }
+ }
+ return true;
+ }
 /**
 * Determine if the repository requires authentication.
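Review bot: The refusal in GitFilter.isActionAllowed is logged as `logger.warn("Gitblit does not allow pushes to repositories with a working copy")`, which names neither the repository nor the client action, so an operator cannot tie the warning to a request; the model is already in hand, so `logger.warn("Gitblit does not allow pushes to repository " + repository.name + " because it has a working copy");` costs nothing (`name` is set on the model in the GitBlit hunk above). Also, `action.equals(gitReceivePack)` throws if `action` is null, and the getUrlRequestAction just above this method visibly returns null for unrecognised URLs; if `gitReceivePack` is a String constant, `gitReceivePack.equals(action)` is the null-safe form, although whether a null action can reach this method depends on base-class code outside the hunk. The existing canAccess further down uses the same `action.equals` pattern, so this would be a consistency change rather than a one-off.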
@@ -107,8 +126,8 @@ public class GitFilter extends AccessRestrictionFilter {
 if (!GitBlit.getBoolean(Keys.git.enableGitServlet, true)) {
 // Git Servlet disabled
 return false;
- }
- boolean readOnly = repository.isFrozen;
+ }
+ boolean readOnly = repository.isFrozen;
 if (readOnly || repository.accessRestriction.atLeast(AccessRestrictionType.PUSH)) {
 boolean authorizedUser = user.canAccessRepository(repository);
 if (action.equals(gitReceivePack)) {
diff --git a/src/com/gitblit/PagesFilter.java b/src/com/gitblit/PagesFilter.java
index 87fef0d2..b29bede2 100644
--- a/src/com/gitblit/PagesFilter.java
+++ b/src/com/gitblit/PagesFilter.java
@@ -76,6 +76,18 @@ public class PagesFilter extends AccessRestrictionFilter {
 return "VIEW";
 }
+ /**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
 /**
 * Determine if the repository requires authentication.
 *
diff --git a/src/com/gitblit/SyndicationFilter.java b/src/com/gitblit/SyndicationFilter.java
index d6dd1f2d..7e2561b9 100644
--- a/src/com/gitblit/SyndicationFilter.java
+++ b/src/com/gitblit/SyndicationFilter.java
@@ -54,6 +54,18 @@ public class SyndicationFilter extends AccessRestrictionFilter {
 return "VIEW";
 }
+ /**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
 /**
 * Determine if the repository requires authentication.
 *
diff --git a/src/com/gitblit/models/RepositoryModel.java b/src/com/gitblit/models/RepositoryModel.java
index b633c69e..10dcbc68 100644
--- a/src/com/gitblit/models/RepositoryModel.java
+++ b/src/com/gitblit/models/RepositoryModel.java
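Review bot: The `isActionAllowed` override added to PagesFilter is identical to the ones added to DownloadZipFilter and SyndicationFilter in this commit, three copies of `return true;` under the same copied Javadoc with empty `@param` tags; since GitFilter is the only filter with a real policy, a concrete default `return true` in AccessRestrictionFilter would drop all three and let future filters override only when they actually restrict something. If the abstract declaration is deliberate so that every new filter has to think about the gate, the copied comment should at least say what this filter decided, e.g. `Page views are never blocked by the action gate; every action is allowed.` in place of the generic text. The enclosing class is cut at both edges of the hunk.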
@@ -53,14 +53,14 @@ public class RepositoryModel implements Serializable, Comparable availableRefs; public String size; public List preReceiveScripts; public List postReceiveScripts; public List mailingLists; - public String HEAD; - public List availableRefs; - private String displayName; public RepositoryModel() { -- cgit v1.2.3