From 27c74e401365f9858f46241ff7f52ca1d8a60832 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 27 Aug 2012 16:21:49 -0400
Subject: [PATCH] Setting Admin attribute is now consistent with LDAP team config

---
 docs/04_releases.mkd                 |   13 +++++++++++--
 src/com/gitblit/LdapUserService.java |   33 +++++++++++++++++++++++----------
 2 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index a0324a6..155fc3b 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -9,6 +9,17 @@
 
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%) | [war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%) | [express](http://code.google.com/p/gitblit/downloads/detail?name=%EXPRESS%) | [fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%) | [manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%) | [api](http://code.google.com/p/gitblit/downloads/detail?name=%API%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*
 
+#### changes
+
+- LDAP admin attribute setting is now consistent with LDAP teams setting and admin teams list.  
+If *realm.ldap.maintainTeams==true* **AND** *realm.ldap.admins* is not empty, then User.canAdmin() is controlled by LDAP administrative team membership.  Otherwise, User.canAdmin() is controlled by Gitblit.
+
+<hr/>
+
+### Older Releases
+
+**1.1.0** *released 2012-08-25*
+
 #### fixes
 
 - Bypass Wicket's inability to handle direct url addressing of a view-restricted, grouped repository for new, unauthenticated sessions (e.g. click link from email or rss feed without having an active Wicket session)
@@ -64,8 +75,6 @@
 - Updated Spanish translation
 
 <hr/>
-
-### Older Releases
 
 **1.0.0** *released 2012-07-14*
 
diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java
index 38376b8..54a5575 100644
--- a/src/com/gitblit/LdapUserService.java
+++ b/src/com/gitblit/LdapUserService.java
@@ -205,17 +205,30 @@
 		return null;		
 	}
 
+	/**
+	 * Set the admin attribute from team memberships retrieved from LDAP.
+	 * If we are not storing teams in LDAP and/or we have not defined any
+	 * administrator teams, then do not change the admin flag.
+	 * 
+	 * @param user
+	 */
 	private void setAdminAttribute(UserModel user) {
-	    user.canAdmin = false;
-	    List<String>  admins = settings.getStrings(Keys.realm.ldap.admins);
-	    for (String admin : admins) {
-	        if (admin.startsWith("@")) { // Team
-	            if (user.getTeam(admin.substring(1)) != null)
-	                user.canAdmin = true;
-	        } else
-	            if (user.getName().equalsIgnoreCase(admin))
-	                user.canAdmin = true;
-	    }
+		if (!supportsTeamMembershipChanges()) {
+			List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+			// if we have defined administrative teams, then set admin flag
+			// otherwise leave admin flag unchanged
+			if (!ArrayUtils.isEmpty(admins)) {
+				user.canAdmin = false;
+				for (String admin : admins) {
+					if (admin.startsWith("@")) { // Team
+						if (user.getTeam(admin.substring(1)) != null)
+							user.canAdmin = true;
+					} else
+						if (user.getName().equalsIgnoreCase(admin))
+							user.canAdmin = true;
+				}
+			}
+		}
 	}
 	
 	private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {

--
Gitblit v1.9.1