From 2e6e992a678d2504e1f00e6c6dabf3e7c090d2e3 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 22 May 2014 19:38:52 -0400
Subject: [PATCH] Documentation

---
 src/main/java/com/gitblit/wicket/pages/SessionPage.java |   47 +++++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index 5a255ec..7a58175 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -16,14 +16,17 @@
 package com.gitblit.wicket.pages;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.protocol.http.WebRequest;
 import org.apache.wicket.protocol.http.WebResponse;
 
-import com.gitblit.GitBlit;
+import com.gitblit.Keys;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.StringUtils;
+import com.gitblit.wicket.GitBlitWebApp;
 import com.gitblit.wicket.GitBlitWebSession;
 
 public abstract class SessionPage extends WebPage {
@@ -38,12 +41,48 @@
 		login();
 	}
 
+	protected String [] getEncodings() {
+		return app().settings().getStrings(Keys.web.blobEncodings).toArray(new String[0]);
+	}
+
+	protected GitBlitWebApp app() {
+		return GitBlitWebApp.get();
+	}
+
 	private void login() {
 		GitBlitWebSession session = GitBlitWebSession.get();
 		if (session.isLoggedIn() && !session.isSessionInvalidated()) {
 			// already have a session, refresh usermodel to pick up
 			// any changes to permissions or roles (issue-186)
-			UserModel user = GitBlit.self().getUserModel(session.getUser().username);
+			UserModel user = app().users().getUserModel(session.getUser().username);
+
+			if (user == null || user.disabled) {
+				// user was deleted/disabled during session
+				HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
+						.getHttpServletResponse();
+				app().authentication().logout(response, user);
+				session.setUser(null);
+				session.invalidateNow();
+				return;
+			}
+
+			// validate cookie during session (issue-361)
+			if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
+				HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
+						.getHttpServletRequest();
+				String requestCookie = app().authentication().getCookie(request);
+				if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
+					if (!requestCookie.equals(user.cookie)) {
+						// cookie was changed during our session
+						HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
+								.getHttpServletResponse();
+						app().authentication().logout(response, user);
+						session.setUser(null);
+						session.invalidateNow();
+						return;
+					}
+				}
+			}
 			session.setUser(user);
 			return;
 		}
@@ -51,7 +90,7 @@
 		// try to authenticate by servlet request
 		HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest())
 				.getHttpServletRequest();
-		UserModel user = GitBlit.self().authenticate(httpRequest);
+		UserModel user = app().authentication().authenticate(httpRequest);
 
 		// Login the user
 		if (user != null) {
@@ -61,7 +100,7 @@
 
 			// Set Cookie
 			WebResponse response = (WebResponse) getRequestCycle().getResponse();
-			GitBlit.self().setCookie(response, user);
+			app().authentication().setCookie(response.getHttpServletResponse(), user);
 
 			session.continueRequest();
 		}

--
Gitblit v1.9.1