From 3e44b65e329c199f95488f9429c1a20362c70b4d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 22 Oct 2012 08:55:44 -0400
Subject: [PATCH] Ensure illegal repository names are rejected in create-on-push

---
 src/com/gitblit/wicket/pages/RepositoryPage.java |   20 ++++++++++++++++++--
 1 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/RepositoryPage.java b/src/com/gitblit/wicket/pages/RepositoryPage.java
index 9048eba..bacf233 100644
--- a/src/com/gitblit/wicket/pages/RepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/RepositoryPage.java
@@ -48,6 +48,7 @@
 import com.gitblit.PagesServlet;
 import com.gitblit.SyndicationServlet;
 import com.gitblit.models.ProjectModel;
+import com.gitblit.models.RefModel;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.SubmoduleModel;
 import com.gitblit.models.UserModel;
@@ -91,6 +92,21 @@
 		}
 		objectId = WicketUtils.getObject(params);
 		
+		if (objectId != null) {
+			RefModel branch = null;
+			if ((branch = JGitUtils.getBranch(getRepository(), objectId)) != null) {
+				UserModel user = GitBlitWebSession.get().getUser();
+				if (user == null) {
+					// workaround until get().getUser() is reviewed throughout the app
+					user = UserModel.ANONYMOUS;
+				}
+				boolean canAccess = user.hasBranchPermission(repositoryName,
+								branch.reference.getName());
+				if (!canAccess) {
+					error("Access denied", true);
+				}
+			}
+		}
 		if (StringUtils.isEmpty(repositoryName)) {
 			error(MessageFormat.format(getString("gb.repositoryNotSpecifiedFor"), getPageName()), true);
 		}
@@ -248,7 +264,7 @@
 				// user not allowed to fork or fork already exists or repo forbids forking
 				add(new ExternalLink("forkLink", "").setVisible(false));
 				
-				if (user.canFork && !model.allowForks) {
+				if (user.canFork() && !model.allowForks) {
 					// show forks prohibited indicator
 					Fragment wc = new Fragment("forksProhibitedIndicator", "forksProhibitedFragment", this);
 					Label lbl = new Label("forksProhibited", getString("gb.forksProhibited"));
@@ -576,4 +592,4 @@
 			getRequestCycle().setRequestTarget(new RedirectRequestTarget(absoluteUrl));
 		}
 	}
-}
\ No newline at end of file
+}

--
Gitblit v1.9.1