From 3e44b65e329c199f95488f9429c1a20362c70b4d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 22 Oct 2012 08:55:44 -0400
Subject: [PATCH] Ensure illegal repository names are rejected in create-on-push
---
 src/com/gitblit/wicket/pages/RepositoryPage.java | 18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/src/com/gitblit/wicket/pages/RepositoryPage.java b/src/com/gitblit/wicket/pages/RepositoryPage.java
index b7cade6..bacf233 100644
--- a/src/com/gitblit/wicket/pages/RepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/RepositoryPage.java
@@ -48,6 +48,7 @@
 import com.gitblit.PagesServlet;
 import com.gitblit.SyndicationServlet;
 import com.gitblit.models.ProjectModel;
+import com.gitblit.models.RefModel;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.SubmoduleModel;
 import com.gitblit.models.UserModel;
@@ -91,6 +92,21 @@
 }
 objectId = WicketUtils.getObject(params);
+ if (objectId != null) {
+ RefModel branch = null;
+ if ((branch = JGitUtils.getBranch(getRepository(), objectId)) != null) {
+ UserModel user = GitBlitWebSession.get().getUser();
+ if (user == null) {
+ // workaround until get().getUser() is reviewed throughout the app
+ user = UserModel.ANONYMOUS;
+ }
+ boolean canAccess = user.hasBranchPermission(repositoryName,
+ branch.reference.getName());
+ if (!canAccess) {
+ error("Access denied", true);
+ }
+ }
+ }
 if (StringUtils.isEmpty(repositoryName)) {
 error(MessageFormat.format(getString("gb.repositoryNotSpecifiedFor"), getPageName()), true);
 }
@@ -576,4 +592,4 @@
 getRequestCycle().setRequestTarget(new RedirectRequestTarget(absoluteUrl));
 }
 }
-}
\ No newline at end of file
+}
-- Gitblit v1.9.1
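Review bot: The branch permission check added in the second hunk fails open: it runs only when `JGitUtils.getBranch(getRepository(), objectId)` returns a non-null branch, so a request whose object id is a commit id, a tag or anything else that helper does not resolve to a branch reaches the rest of the page with no access decision. If the intent is that a user without permission on a branch cannot view its content, that case needs an explicit decision (deny, or check the branches that contain the commit) rather than a silent skip; what `getBranch` accepts is not visible here, so confirm this against that helper. The block also calls `getRepository()` before the existing `StringUtils.isEmpty(repositoryName)` guard, so it would be safer placed after that guard. The denial text is hard-coded, `error("Access denied", true);`, where the neighbouring call goes through `getString(...)`. The constructor body starts and ends outside the hunk.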