From 3e44b65e329c199f95488f9429c1a20362c70b4d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 22 Oct 2012 08:55:44 -0400
Subject: [PATCH] Ensure illegal repository names are rejected in create-on-push

---
 src/com/gitblit/wicket/pages/RepositoryPage.java |   57 ++++++++++++++++++++++++++++++---------------------------
 1 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/RepositoryPage.java b/src/com/gitblit/wicket/pages/RepositoryPage.java
index 8ca2b33..bacf233 100644
--- a/src/com/gitblit/wicket/pages/RepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/RepositoryPage.java
@@ -28,12 +28,10 @@
 
 import org.apache.wicket.Component;
 import org.apache.wicket.PageParameters;
-import org.apache.wicket.RedirectException;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.form.DropDownChoice;
 import org.apache.wicket.markup.html.form.TextField;
 import org.apache.wicket.markup.html.link.ExternalLink;
-import org.apache.wicket.markup.html.link.Link;
 import org.apache.wicket.markup.html.panel.Fragment;
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
@@ -50,6 +48,7 @@
 import com.gitblit.PagesServlet;
 import com.gitblit.SyndicationServlet;
 import com.gitblit.models.ProjectModel;
+import com.gitblit.models.RefModel;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.SubmoduleModel;
 import com.gitblit.models.UserModel;
@@ -62,7 +61,6 @@
 import com.gitblit.wicket.PageRegistration.OtherPageLink;
 import com.gitblit.wicket.SessionlessForm;
 import com.gitblit.wicket.WicketUtils;
-import com.gitblit.wicket.panels.BasePanel.JavascriptEventConfirmation;
 import com.gitblit.wicket.panels.LinkPanel;
 import com.gitblit.wicket.panels.NavigationPanel;
 import com.gitblit.wicket.panels.RefsPanel;
@@ -94,6 +92,21 @@
 		}
 		objectId = WicketUtils.getObject(params);
 		
+		if (objectId != null) {
+			RefModel branch = null;
+			if ((branch = JGitUtils.getBranch(getRepository(), objectId)) != null) {
+				UserModel user = GitBlitWebSession.get().getUser();
+				if (user == null) {
+					// workaround until get().getUser() is reviewed throughout the app
+					user = UserModel.ANONYMOUS;
+				}
+				boolean canAccess = user.hasBranchPermission(repositoryName,
+								branch.reference.getName());
+				if (!canAccess) {
+					error("Access denied", true);
+				}
+			}
+		}
 		if (StringUtils.isEmpty(repositoryName)) {
 			error(MessageFormat.format(getString("gb.repositoryNotSpecifiedFor"), getPageName()), true);
 		}
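Review bot: The new branch permission check only runs when `JGitUtils.getBranch(getRepository(), objectId)` returns a non-null branch, so a request whose object id is not resolved to a branch (presumably a commit id or tag; not confirmable from this hunk) never reaches `hasBranchPermission`. It is worth confirming that commits reachable only from a restricted branch are covered elsewhere, or denying by default when the containing branch cannot be determined. The block also calls `getRepository()` before the `StringUtils.isEmpty(repositoryName)` check that follows it, so an empty repository name reaches the repository lookup first; moving the new block below that check avoids this. `"Access denied"` is hard-coded while the neighbouring error goes through `getString(...)`. The constructor body starts and ends outside the hunk.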
@@ -171,6 +184,10 @@
 		}
 		return pages;
 	}
+	
+	protected boolean allowForkControls() {
+		return true;
+	}
 
 	@Override
 	protected void setupPage(String repositoryName, String pageName) {
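Review bot: `allowForkControls()` is added without a Javadoc, and its name can be read as an authorization switch, although the only use visible in this diff is hiding the fork links in `setupPage`. I would add `/** Returns whether this page renders the fork links; subclasses may override to hide them. Display only, not a permission check. */` above the method.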
@@ -195,6 +212,9 @@
 		add(new Label("pageName", pageName).setRenderBodyOnly(true));
 		
 		UserModel user = GitBlitWebSession.get().getUser();
+		if (user == null) {
+			user = UserModel.ANONYMOUS;
+		}
 
 		// indicate origin repository
 		RepositoryModel model = getRepositoryModel();
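Review bot: This null-to-`UserModel.ANONYMOUS` fallback repeats the one added in the constructor hunk above, where it is commented as a workaround; a single private helper (for example `getSessionUser()`, name is a suggestion) would keep the two in step and give the workaround one place to be removed later. Assuming `user` is not reassigned in between, the `user == null` term in the fork-controls condition further down (`!allowForkControls() || user == null || !user.isAuthenticated`) can no longer be true and could be dropped. `setupPage` continues outside the hunk.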
@@ -205,7 +225,7 @@
 			if (origin == null) {
 				// no origin repository
 				add(new Label("originRepository").setVisible(false));
-			} else if (!user.canViewRepository(origin)) {
+			} else if (!user.canView(origin)) {
 				// show origin repository without link
 				Fragment forkFrag = new Fragment("originRepository", "originFragment", this);
 				forkFrag.add(new Label("originRepository", StringUtils.stripDotGit(model.originRepository)));
@@ -230,7 +250,7 @@
 		}
 
 		// fork controls
-		if (user == null) {
+		if (!allowForkControls() || user == null || !user.isAuthenticated) {
 			// must be logged-in to fork, hide all fork controls
 			add(new ExternalLink("forkLink", "").setVisible(false));
 			add(new ExternalLink("myForkLink", "").setVisible(false));
@@ -238,13 +258,13 @@
 		} else {
 			String fork = GitBlit.self().getFork(user.username, model.name);
 			boolean hasFork = fork != null;
-			boolean canFork = user.canForkRepository(model);
+			boolean canFork = user.canFork(model);
 
 			if (hasFork || !canFork) {
 				// user not allowed to fork or fork already exists or repo forbids forking
 				add(new ExternalLink("forkLink", "").setVisible(false));
 				
-				if (user.canFork && !model.allowForks) {
+				if (user.canFork() && !model.allowForks) {
 					// show forks prohibited indicator
 					Fragment wc = new Fragment("forksProhibitedIndicator", "forksProhibitedFragment", this);
 					Label lbl = new Label("forksProhibited", getString("gb.forksProhibited"));
@@ -268,25 +288,8 @@
 				// can fork and we do not have one
 				add(new Label("forksProhibitedIndicator").setVisible(false));
 				add(new ExternalLink("myForkLink", "").setVisible(false));
-				Link<Void> forkLink = new Link<Void>("forkLink") {
-
-					private static final long serialVersionUID = 1L;
-
-					@Override
-					public void onClick() {
-						UserModel user = GitBlitWebSession.get().getUser();
-						RepositoryModel model = getRepositoryModel();
-						String asFork = MessageFormat.format("~{0}/{1}.git", user.username, StringUtils.stripDotGit(StringUtils.getLastPathElement(model.name)));
-						if (GitBlit.self().fork(model, GitBlitWebSession.get().getUser())) {
-							throw new RedirectException(SummaryPage.class, WicketUtils.newRepositoryParameter(asFork));
-						} else {
-							error(MessageFormat.format(getString("gb.repositoryForkFailed"), model));
-						}
-					}
-				};
-				forkLink.add(new JavascriptEventConfirmation("onclick", MessageFormat.format(
-						getString("gb.forkRepository"), getRepositoryModel())));
-				add(forkLink);
+				String url = getRequestCycle().urlFor(ForkPage.class, WicketUtils.newRepositoryParameter(model.name)).toString();
+				add(new ExternalLink("forkLink", url));
 			}
 		}
 		
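Review bot: The fork control is now a plain `ExternalLink` to `ForkPage`, so the `isAuthenticated`, `canFork(model)` and `allowForks` checks in this method only decide whether the link is rendered. `ForkPage` is not part of this diff; since its URL can be requested directly, it needs to repeat those checks itself before forking. The removed `JavascriptEventConfirmation` also means no confirmation step remains on this page, and if `ForkPage` performs the fork when it is loaded, the fork becomes a state-changing GET; a confirmation form submitted by POST there would be preferable. The enclosing `setupPage` method starts and ends outside the hunk.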
@@ -589,4 +592,4 @@
 			getRequestCycle().setRequestTarget(new RedirectRequestTarget(absoluteUrl));
 		}
 	}
-}
\ No newline at end of file
+}

--
Gitblit v1.9.1