src/main/java/com/gitblit/ConfigUserService.java
@@ -37,6 +37,7 @@ import com.gitblit.Constants.AccessPermission; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Constants.Transport; import com.gitblit.manager.IRuntimeManager; import com.gitblit.models.TeamModel; @@ -734,22 +735,22 @@ // user roles List<String> roles = new ArrayList<String>(); if (model.canAdmin) { roles.add(Constants.ADMIN_ROLE); roles.add(Role.ADMIN.getRole()); } if (model.canFork) { roles.add(Constants.FORK_ROLE); roles.add(Role.FORK.getRole()); } if (model.canCreate) { roles.add(Constants.CREATE_ROLE); roles.add(Role.CREATE.getRole()); } if (model.excludeFromFederation) { roles.add(Constants.NOT_FEDERATED_ROLE); roles.add(Role.NOT_FEDERATED.getRole()); } if (roles.size() == 0) { // we do this to ensure that user record with no password // is written. otherwise, StoredConfig optimizes that account // away. :( roles.add(Constants.NO_ROLE); roles.add(Role.NONE.getRole()); } config.setStringList(USER, model.username, ROLE, roles); @@ -778,18 +779,18 @@ // team roles List<String> roles = new ArrayList<String>(); if (model.canAdmin) { roles.add(Constants.ADMIN_ROLE); roles.add(Role.ADMIN.getRole()); } if (model.canFork) { roles.add(Constants.FORK_ROLE); roles.add(Role.FORK.getRole()); } if (model.canCreate) { roles.add(Constants.CREATE_ROLE); roles.add(Role.CREATE.getRole()); } if (roles.size() == 0) { // we do this to ensure that team record is written. // Otherwise, StoredConfig might optimizes that record away. roles.add(Constants.NO_ROLE); roles.add(Role.NONE.getRole()); } config.setStringList(TEAM, model.name, ROLE, roles); if (model.accountType != null) { @@ -911,10 +912,10 @@ // user roles Set<String> roles = new HashSet<String>(Arrays.asList(config.getStringList( USER, username, ROLE))); user.canAdmin = roles.contains(Constants.ADMIN_ROLE); user.canFork = roles.contains(Constants.FORK_ROLE); user.canCreate = roles.contains(Constants.CREATE_ROLE); user.excludeFromFederation = roles.contains(Constants.NOT_FEDERATED_ROLE); user.canAdmin = roles.contains(Role.ADMIN.getRole()); user.canFork = roles.contains(Role.FORK.getRole()); user.canCreate = roles.contains(Role.CREATE.getRole()); user.excludeFromFederation = roles.contains(Role.NOT_FEDERATED.getRole()); // repository memberships if (!user.canAdmin) { @@ -947,9 +948,9 @@ TeamModel team = new TeamModel(teamname); Set<String> roles = new HashSet<String>(Arrays.asList(config.getStringList( TEAM, teamname, ROLE))); team.canAdmin = roles.contains(Constants.ADMIN_ROLE); team.canFork = roles.contains(Constants.FORK_ROLE); team.canCreate = roles.contains(Constants.CREATE_ROLE); team.canAdmin = roles.contains(Role.ADMIN.getRole()); team.canFork = roles.contains(Role.FORK.getRole()); team.canCreate = roles.contains(Role.CREATE.getRole()); team.accountType = AccountType.fromString(config.getString(TEAM, teamname, ACCOUNTTYPE)); if (!team.canAdmin) { src/main/java/com/gitblit/Constants.java
@@ -36,14 +36,19 @@ public static final String FULL_NAME = "Gitblit - a pure Java Git solution"; @Deprecated public static final String ADMIN_ROLE = "#admin"; @Deprecated public static final String FORK_ROLE = "#fork"; @Deprecated public static final String CREATE_ROLE = "#create"; @Deprecated public static final String NOT_FEDERATED_ROLE = "#notfederated"; @Deprecated public static final String NO_ROLE = "#none"; public static final String EXTERNAL_ACCOUNT = "#externalAccount"; @@ -178,6 +183,19 @@ return defaultValue; } public static enum Role { NONE, ADMIN, CREATE, FORK, NOT_FEDERATED; public String getRole() { return "#" + name().replace("_", "").toLowerCase(); } @Override public String toString() { return getRole(); } } /** * Enumeration representing the four access restriction levels. */ src/main/java/com/gitblit/auth/AuthenticationProvider.java
@@ -21,6 +21,7 @@ import org.slf4j.LoggerFactory; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.IStoredSettings; import com.gitblit.manager.IRuntimeManager; import com.gitblit.manager.IUserManager; @@ -138,6 +139,24 @@ */ public abstract boolean supportsTeamMembershipChanges(); /** * Returns true if the user's role can be changed. * * @param user * @param role * @return true if the user's role can be changed */ public abstract boolean supportsRoleChanges(UserModel user, Role role); /** * Returns true if the team's role can be changed. * * @param user * @param role * @return true if the team's role can be changed */ public abstract boolean supportsRoleChanges(TeamModel team, Role role); @Override public String toString() { return getServiceName() + " (" + getClass().getName() + ")"; @@ -199,5 +218,16 @@ public boolean supportsTeamMembershipChanges() { return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } } } src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java
@@ -32,8 +32,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; @@ -124,6 +126,16 @@ return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } /** * Authenticate a user based on a username and password. * src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -30,6 +30,7 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; @@ -272,7 +273,6 @@ return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, "")); } /** * If the LDAP server will maintain team memberships then LdapUserService * will not allow team membership changes. In this scenario all team @@ -287,6 +287,32 @@ } @Override public boolean supportsRoleChanges(UserModel user, Role role) { if (Role.ADMIN == role) { if (!supportsTeamMembershipChanges()) { List<String> admins = settings.getStrings(Keys.realm.ldap.admins); if (admins.contains(user.username)) { return false; } } } return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { if (Role.ADMIN == role) { if (!supportsTeamMembershipChanges()) { List<String> admins = settings.getStrings(Keys.realm.ldap.admins); if (admins.contains("@" + team.name)) { return false; } } } return true; } @Override public AccountType getAccountType() { return AccountType.LDAP; } src/main/java/com/gitblit/auth/PAMAuthProvider.java
@@ -23,8 +23,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; /** @@ -78,6 +80,16 @@ } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } @Override public AccountType getAccountType() { return AccountType.PAM; } src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -23,8 +23,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.utils.ConnectionUtils; import com.gitblit.utils.StringUtils; @@ -78,6 +80,16 @@ } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } @Override public AccountType getAccountType() { return AccountType.REDMINE; } src/main/java/com/gitblit/auth/SalesforceAuthProvider.java
@@ -2,8 +2,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.sforce.soap.partner.Connector; import com.sforce.soap.partner.GetUserInfoResult; @@ -119,4 +121,15 @@ public boolean supportsTeamMembershipChanges() { return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } } src/main/java/com/gitblit/auth/WindowsAuthProvider.java
@@ -26,8 +26,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.utils.StringUtils; import com.sun.jna.platform.win32.Win32Exception; @@ -91,6 +93,16 @@ } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } @Override public AccountType getAccountType() { return AccountType.WINDOWS; } src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -35,6 +35,7 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.AuthenticationType; import com.gitblit.Constants.Role; import com.gitblit.IStoredSettings; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider; @@ -585,6 +586,28 @@ return (team != null && team.isLocalTeam()) || findProvider(team).supportsTeamMembershipChanges(); } /** * Returns true if the user's role can be changed. * * @param user * @return true if the user's role can be changed */ @Override public boolean supportsRoleChanges(UserModel user, Role role) { return (user != null && user.isLocalAccount()) || findProvider(user).supportsRoleChanges(user, role); } /** * Returns true if the team's role can be changed. * * @param user * @return true if the team's role can be changed */ @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return (team != null && team.isLocalTeam()) || findProvider(team).supportsRoleChanges(team, role); } protected AuthenticationProvider findProvider(UserModel user) { for (AuthenticationProvider provider : authenticationProviders) { if (provider.getAccountType().equals(user.accountType)) { src/main/java/com/gitblit/manager/GitblitManager.java
@@ -51,6 +51,7 @@ import com.gitblit.Constants.AccessPermission; import com.gitblit.Constants.FederationRequest; import com.gitblit.Constants.FederationToken; import com.gitblit.Constants.Role; import com.gitblit.GitBlitException; import com.gitblit.IStoredSettings; import com.gitblit.models.FederationModel; @@ -711,6 +712,16 @@ return authenticationManager.supportsTeamMembershipChanges(team); } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return authenticationManager.supportsRoleChanges(user, role); } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return authenticationManager.supportsRoleChanges(team, role); } /* * USER MANAGER */ src/main/java/com/gitblit/manager/IAuthenticationManager.java
@@ -18,6 +18,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import com.gitblit.Constants.Role; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.transport.ssh.SshKey; @@ -161,4 +162,22 @@ */ boolean supportsTeamMembershipChanges(TeamModel team); /** * Returns true if the specified role can be changed. * * @param user * @return true if the specified role can be changed * @since 1.6.1 */ boolean supportsRoleChanges(UserModel user, Role role); /** * Returns true if the specified role can be changed. * * @param team * @return true if the specified role can be changed * @since 1.6.1 */ boolean supportsRoleChanges(TeamModel team, Role role); } src/main/java/com/gitblit/servlet/AuthenticationFilter.java
@@ -36,6 +36,7 @@ import org.slf4j.LoggerFactory; import com.gitblit.Constants; import com.gitblit.Constants.Role; import com.gitblit.manager.IAuthenticationManager; import com.gitblit.models.UserModel; import com.gitblit.utils.DeepCopier; @@ -172,7 +173,7 @@ @Override public boolean isUserInRole(String role) { if (role.equals(Constants.ADMIN_ROLE)) { if (role.equals(Role.ADMIN.getRole())) { return user.canAdmin(); } // Gitblit does not currently use actual roles in the traditional src/main/java/com/gitblit/wicket/pages/EditTeamPage.java
@@ -39,6 +39,7 @@ import org.apache.wicket.model.util.ListModel; import com.gitblit.Constants.RegistrantType; import com.gitblit.Constants.Role; import com.gitblit.GitBlitException; import com.gitblit.Keys; import com.gitblit.models.RegistrantAccessPermission; @@ -221,14 +222,23 @@ // do not let the browser pre-populate these fields form.add(new SimpleAttributeModifier("autocomplete", "off")); // not all user services support manipulating team memberships // not all user providers support manipulating team memberships boolean editMemberships = app().authentication().supportsTeamMembershipChanges(teamModel); // not all user providers support manipulating the admin role boolean changeAdminRole = app().authentication().supportsRoleChanges(teamModel, Role.ADMIN); // not all user providers support manipulating the create role boolean changeCreateRole = app().authentication().supportsRoleChanges(teamModel, Role.CREATE); // not all user providers support manipulating the fork role boolean changeForkRole = app().authentication().supportsRoleChanges(teamModel, Role.FORK); // field names reflective match TeamModel fields form.add(new TextField<String>("name")); form.add(new CheckBox("canAdmin")); form.add(new CheckBox("canFork").setEnabled(app().settings().getBoolean(Keys.web.allowForking, true))); form.add(new CheckBox("canCreate")); form.add(new CheckBox("canAdmin").setEnabled(changeAdminRole)); form.add(new CheckBox("canFork").setEnabled(app().settings().getBoolean(Keys.web.allowForking, true) && changeForkRole)); form.add(new CheckBox("canCreate").setEnabled(changeCreateRole)); form.add(users.setEnabled(editMemberships)); mailingLists = new Model<String>(teamModel.mailingLists == null ? "" : StringUtils.flattenStrings(teamModel.mailingLists, " ")); src/main/java/com/gitblit/wicket/pages/EditUserPage.java
@@ -35,6 +35,7 @@ import org.apache.wicket.model.util.ListModel; import com.gitblit.Constants.RegistrantType; import com.gitblit.Constants.Role; import com.gitblit.GitBlitException; import com.gitblit.Keys; import com.gitblit.models.RegistrantAccessPermission; @@ -216,17 +217,26 @@ // do not let the browser pre-populate these fields form.add(new SimpleAttributeModifier("autocomplete", "off")); // not all user services support manipulating username and password // not all user providers support manipulating username and password boolean editCredentials = app().authentication().supportsCredentialChanges(userModel); // not all user services support manipulating display name // not all user providers support manipulating display name boolean editDisplayName = app().authentication().supportsDisplayNameChanges(userModel); // not all user services support manipulating email address // not all user providers support manipulating email address boolean editEmailAddress = app().authentication().supportsEmailAddressChanges(userModel); // not all user services support manipulating team memberships // not all user providers support manipulating team memberships boolean editTeams = app().authentication().supportsTeamMembershipChanges(userModel); // not all user providers support manipulating the admin role boolean changeAdminRole = app().authentication().supportsRoleChanges(userModel, Role.ADMIN); // not all user providers support manipulating the create role boolean changeCreateRole = app().authentication().supportsRoleChanges(userModel, Role.CREATE); // not all user providers support manipulating the fork role boolean changeForkRole = app().authentication().supportsRoleChanges(userModel, Role.FORK); // field names reflective match UserModel fields form.add(new TextField<String>("username").setEnabled(editCredentials)); @@ -245,7 +255,7 @@ // display a disabled-yet-checked checkbox form.add(new CheckBox("canAdmin", Model.of(true)).setEnabled(false)); } else { form.add(new CheckBox("canAdmin")); form.add(new CheckBox("canAdmin").setEnabled(changeAdminRole)); } if (userModel.canFork() && !userModel.canFork) { @@ -254,7 +264,7 @@ form.add(new CheckBox("canFork", Model.of(true)).setEnabled(false)); } else { final boolean forkingAllowed = app().settings().getBoolean(Keys.web.allowForking, true); form.add(new CheckBox("canFork").setEnabled(forkingAllowed)); form.add(new CheckBox("canFork").setEnabled(forkingAllowed && changeForkRole)); } if (userModel.canCreate() && !userModel.canCreate) { @@ -262,7 +272,7 @@ // display a disabled-yet-checked checkbox form.add(new CheckBox("canCreate", Model.of(true)).setEnabled(false)); } else { form.add(new CheckBox("canCreate")); form.add(new CheckBox("canCreate").setEnabled(changeCreateRole)); } form.add(new CheckBox("excludeFromFederation"));
