From 78753bc22f140f863aa3fe56b1c59699ca3e2fa8 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 26 Sep 2011 22:29:07 -0400
Subject: [PATCH] Protect DownloadZipServlet with an AccessRestrictionFilter.

---
 src/com/gitblit/DownloadZipServlet.java |   24 ++----------------------
 1 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/src/com/gitblit/DownloadZipServlet.java b/src/com/gitblit/DownloadZipServlet.java
index 5f2a2a4..ed3aa55 100644
--- a/src/com/gitblit/DownloadZipServlet.java
+++ b/src/com/gitblit/DownloadZipServlet.java
@@ -25,20 +25,12 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.gitblit.Constants.AccessRestrictionType;
-import com.gitblit.models.RepositoryModel;
 import com.gitblit.utils.JGitUtils;
 import com.gitblit.utils.StringUtils;
 
 /**
  * Streams out a zip file from the specified repository for any tree path at any
  * revision.
- * 
- * Unlike the GitServlet and the SyndicationServlet, this servlet is not
- * protected by an AccessRestrictionFilter. It performs its own authorization
- * check, but it does not perform any authentication. The assumption is that
- * requests to this servlet are made via the web ui and not by direct url
- * access. Unauthorized requests fail with a standard 403 (FORBIDDEN) code.
  * 
  * @author James Moger
  * 
@@ -72,7 +64,7 @@
 	}
 
 	/**
-	 * Performs the authorization and zip streaming of the specified elements.
+	 * Creates a zip stream from the repository of the requested data.
 	 * 
 	 * @param request
 	 * @param response
@@ -86,8 +78,8 @@
 			logger.warn("Zip downloads are disabled");
 			response.sendError(HttpServletResponse.SC_FORBIDDEN);
 			return;
-
 		}
+		
 		String repository = request.getParameter("r");
 		String basePath = request.getParameter("p");
 		String objectId = request.getParameter("h");
@@ -98,18 +90,6 @@
 				name = name.substring(name.lastIndexOf('/') + 1);
 			}
 
-			// check roles first
-			boolean authorized = request.isUserInRole(Constants.ADMIN_ROLE);
-			authorized |= request.isUserInRole(repository);
-
-			if (!authorized) {
-				RepositoryModel model = GitBlit.self().getRepositoryModel(repository);
-				if (model.accessRestriction.atLeast(AccessRestrictionType.VIEW)) {
-					logger.warn("Unauthorized access via zip servlet for " + model.name);
-					response.sendError(HttpServletResponse.SC_FORBIDDEN);
-					return;
-				}
-			}
 			if (!StringUtils.isEmpty(basePath)) {
 				name += "-" + basePath.replace('/', '_');
 			}

--
Gitblit v1.9.1