From 143567439e9f4e579f50786b591292812fffc275 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 18 Jun 2013 21:56:32 -0400
Subject: [PATCH] Do not advertise refs/gitblit/* refs to non-admin accounts

---
 src/main/java/com/gitblit/git/GitblitUploadPackFactory.java |   19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/main/java/com/gitblit/git/GitblitUploadPackFactory.java b/src/main/java/com/gitblit/git/GitblitUploadPackFactory.java
index e953ca4..1756ac5 100644
--- a/src/main/java/com/gitblit/git/GitblitUploadPackFactory.java
+++ b/src/main/java/com/gitblit/git/GitblitUploadPackFactory.java
@@ -15,6 +15,9 @@
  */
 package com.gitblit.git;
 
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
@@ -29,8 +32,6 @@
 
 import com.gitblit.GitBlit;
 import com.gitblit.models.UserModel;
-import com.gitblit.utils.IssueUtils;
-import com.gitblit.utils.PushLogUtils;
 
 /**
  * The upload pack factory creates an upload pack which controls what refs are
@@ -89,9 +90,17 @@
 				return refs;
 			}
 
-			// normal users can not clone gitblit refs
-			refs.remove(IssueUtils.GB_ISSUES);
-			refs.remove(PushLogUtils.GB_PUSHES);
+			// normal users can not clone any gitblit refs
+			// JGit's RefMap is custom and does not support iterator removal :(
+			List<String> toRemove = new ArrayList<String>();
+			for (String ref : refs.keySet()) {
+				if (ref.startsWith("refs/gitblit/")) {
+					toRemove.add(ref);
+				}
+			}
+			for (String ref : toRemove) {
+				refs.remove(ref);
+			}
 			return refs;
 		}
 	}

--
Gitblit v1.9.1