From 0f3cb24604e7c3c1a78d5b97f6f4fce6f796b510 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 29 Mar 2013 10:02:23 -0400
Subject: [PATCH] Enforce security on raw blob page (issue 198)

---
 src/main/java/com/gitblit/wicket/pages/RawPage.java |   20 ++++++++++++++++----
 1 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/RawPage.java b/src/main/java/com/gitblit/wicket/pages/RawPage.java
index 28e8bae..27a01f9 100644
--- a/src/main/java/com/gitblit/wicket/pages/RawPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/RawPage.java
@@ -22,7 +22,6 @@
 import org.apache.wicket.IRequestTarget;
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.RequestCycle;
-import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.protocol.http.WebResponse;
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.revwalk.RevCommit;
@@ -31,17 +30,20 @@
 
 import com.gitblit.GitBlit;
 import com.gitblit.Keys;
+import com.gitblit.models.RepositoryModel;
+import com.gitblit.models.UserModel;
 import com.gitblit.utils.JGitUtils;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
 
-public class RawPage extends WebPage {
+public class RawPage extends SessionPage {
 
 	private final Logger logger = LoggerFactory.getLogger(getClass().getSimpleName());
 
 	public RawPage(final PageParameters params) {
 		super(params);
-
+		
 		if (!params.containsKey("r")) {
 			error(getString("gb.repositoryNotSpecified"));
 			redirectToInterceptPage(new RepositoriesPage());
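Review bot: The blank line after `super(params);` is replaced by a line holding only two tabs, so this hunk introduces trailing whitespace where it only needed to leave the empty line untouched; the two blank lines bracketing the new permission block in the next hunk have the same problem. Those three lines should be genuinely empty, which also keeps the whitespace-only change out of the blame history for a security fix. The constructor body continues past the end of this hunk.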
@@ -60,7 +62,17 @@
 				final String objectId = WicketUtils.getObject(params);
 				final String blobPath = WicketUtils.getPath(params);
 				String[] encodings = GitBlit.getEncodings();
-
+				GitBlitWebSession session = GitBlitWebSession.get();
+				UserModel user = session.getUser();
+				
+				RepositoryModel model = GitBlit.self().getRepositoryModel(user, repositoryName);
+				if (model == null) {
+					// user does not have permission
+					error(getString("gb.canNotLoadRepository") + " " + repositoryName);
+					redirectToInterceptPage(new RepositoriesPage());
+					return;
+				}
+				
 				Repository r = GitBlit.self().getRepository(repositoryName);
 				if (r == null) {
 					error(getString("gb.canNotLoadRepository") + " " + repositoryName);
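Review bot: The comment on the `model == null` branch says only "user does not have permission", but a null `RepositoryModel` is presumably also what `getRepositoryModel` returns when no repository named `repositoryName` exists, so the comment understates what the branch covers; I would replace it with `// null: repository missing or not viewable by this user -- one message for both, so existence is not revealed`. Reusing the same `gb.canNotLoadRepository` message as the later `r == null` branch is a good property to keep for that reason. Whether `getRepositoryModel` accepts a null `user` for an anonymous session is not visible here; if it does not, a guest request would fail with a NullPointerException before the check rather than being refused, which is worth confirming. The constructor begins and ends outside this hunk.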

--
Gitblit v1.9.1