From 78753bc22f140f863aa3fe56b1c59699ca3e2fa8 Mon Sep 17 00:00:00 2001 From: James Moger <james.moger@gitblit.com> Date: Mon, 26 Sep 2011 22:29:07 -0400 Subject: [PATCH] Protect DownloadZipServlet with an AccessRestrictionFilter. --- src/com/gitblit/wicket/panels/RepositoriesPanel.java | 67 ++++++++++++++++++++++++++------- 1 files changed, 52 insertions(+), 15 deletions(-) diff --git a/src/com/gitblit/wicket/panels/RepositoriesPanel.java b/src/com/gitblit/wicket/panels/RepositoriesPanel.java index fa6c661..63b512c 100644 --- a/src/com/gitblit/wicket/panels/RepositoriesPanel.java +++ b/src/com/gitblit/wicket/panels/RepositoriesPanel.java @@ -60,11 +60,29 @@ private static final long serialVersionUID = 1L; public RepositoriesPanel(String wicketId, final boolean showAdmin, + List<RepositoryModel> models, final Map<AccessRestrictionType, String> accessRestrictionTranslations) { super(wicketId); + final boolean linksActive; + final boolean showSize = GitBlit.getBoolean(Keys.web.showRepositorySizes, true); + final UserModel user = GitBlitWebSession.get().getUser(); - List<RepositoryModel> models = GitBlit.self().getRepositoryModels(user); + if (models == null) { + linksActive = true; + models = GitBlit.self().getRepositoryModels(user); + final ByteFormat byteFormat = new ByteFormat(); + if (showSize) { + for (RepositoryModel model : models) { + model.size = byteFormat.format(GitBlit.self().calculateSize(model)); + } + } + } else { + // disable links if the repositories are already provided + // the repositories are most likely from a proposal + linksActive = false; + } + final IDataProvider<RepositoryModel> dp; Fragment adminLinks = new Fragment("adminPanel", "adminLinks", this); 
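Review bot: When a caller passes a non-null `models`, the list skips the lookup `GitBlit.self().getRepositoryModels(user)` used in the `models == null` branch, which presumably restricts the result to what the session user may see. The caller therefore becomes responsible for that decision, and nothing in the signature says so. The same null check also sets `linksActive`, which ties two separate decisions (data source and link rendering) to one argument. I would document the contract on the constructor, e.g. `@param models repositories to display, or null to load those visible to the session user; a supplied list is shown as-is with links disabled`, and switch to an explicit flag if a second caller ever needs links with a supplied list. The constructor body continues beyond this hunk.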
@@ -76,9 +94,9 @@ Map<String, List<RepositoryModel>> groups = new HashMap<String, List<RepositoryModel>>(); for (RepositoryModel model : models) { String rootPath = StringUtils.getRootPath(model.name); - if (StringUtils.isEmpty(rootPath)) { + if (StringUtils.isEmpty(rootPath)) { // root repository - rootRepositories.add(model); + rootRepositories.add(model); } else { // non-root, grouped repository if (!groups.containsKey(rootPath)) { @@ -89,7 +107,7 @@ } List<String> roots = new ArrayList<String>(groups.keySet()); Collections.sort(roots); - + if (rootRepositories.size() > 0) { // inject the root repositories at the top of the page String rootPath = GitBlit.getString(Keys.web.repositoryRootGroupName, " "); @@ -100,15 +118,16 @@ for (String root : roots) { List<RepositoryModel> subModels = groups.get(root); groupedModels.add(new GroupRepositoryModel(root, subModels.size())); + Collections.sort(subModels); groupedModels.addAll(subModels); } dp = new RepositoriesProvider(groupedModels); } else { dp = new SortableRepositoriesProvider(models); } + + final String baseUrl = WicketUtils.getGitblitURL(getRequest()); - final boolean showSize = GitBlit.getBoolean(Keys.web.showRepositorySizes, true); - final ByteFormat byteFormat = new ByteFormat(); DataView<RepositoryModel> dataView = new DataView<RepositoryModel>("row", dp) { private static final long serialVersionUID = 1L; int counter; 
@@ -130,23 +149,29 @@ } Fragment row = new Fragment("rowContent", "repositoryRow", this); item.add(row); - if (entry.hasCommits) { - // Existing repository + if (entry.hasCommits && linksActive) { PageParameters pp = WicketUtils.newRepositoryParameter(entry.name); row.add(new LinkPanel("repositoryName", "list", entry.name, SummaryPage.class, pp)); row.add(new LinkPanel("repositoryDescription", "list", entry.description, SummaryPage.class, pp)); + } else { + // new/empty repository OR proposed repository + row.add(new Label("repositoryName", entry.name)); + row.add(new Label("repositoryDescription", entry.description)); + } + + if (entry.hasCommits) { + // Existing repository if (showSize) { - row.add(new Label("repositorySize", byteFormat.format(GitBlit.self().calculateSize(entry)))); + row.add(new Label("repositorySize", entry.size)); } else { row.add(new Label("repositorySize").setVisible(false)); } } else { // New repository - row.add(new Label("repositoryName", entry.name)); - row.add(new Label("repositoryDescription", entry.description)); - row.add(new Label("repositorySize", "<span class='empty'>(empty)</span>").setEscapeModelStrings(false)); + row.add(new Label("repositorySize", "<span class='empty'>(empty)</span>") + .setEscapeModelStrings(false)); } if (entry.useTickets) { @@ -168,6 +193,13 @@ getString("gb.isFrozen"))); } else { row.add(WicketUtils.newClearPixel("frozenIcon").setVisible(false)); + } + + if (entry.isFederated) { + row.add(WicketUtils.newImage("federatedIcon", "federated_16x16.png", + getString("gb.isFederated"))); + } else { + row.add(WicketUtils.newClearPixel("federatedIcon").setVisible(false)); } switch (entry.accessRestriction) { case NONE: 
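Review bot: The new `else` branch of the first hunk (`@@ -130,23 +149,29 @@`) now also renders proposed repositories, so the default escaping of `Label` is what keeps `entry.name`, `entry.description` and `entry.size` inert in the page. When the list is supplied by the caller, those strings are most likely not produced locally. The code is correct as written, but the only hint is the comment `new/empty repository OR proposed repository`. I would add `// values may originate from a remote proposal: keep default Label escaping, never setEscapeModelStrings(false) here` beside it. The one label in this hunk that disables escaping takes a constant string, which is fine; the enclosing method starts and ends outside the hunk.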
@@ -191,7 +223,12 @@ row.add(new Label("repositoryOwner", entry.owner)); - String lastChange = TimeUtils.timeAgo(entry.lastChange); + String lastChange; + if (entry.lastChange.getTime() == 0) { + lastChange = "--"; + } else { + lastChange = TimeUtils.timeAgo(entry.lastChange); + } Label lastChangeLabel = new Label("repositoryLastChange", lastChange); row.add(lastChangeLabel); WicketUtils.setCssClass(lastChangeLabel, TimeUtils.timeAgoCss(entry.lastChange)); @@ -236,8 +273,8 @@ } else { row.add(new Label("repositoryLinks")); } - row.add(new ExternalLink("syndication", SyndicationServlet.asLink(getRequest() - .getRelativePathPrefixToContextRoot(), entry.name, null, 0))); + row.add(new ExternalLink("syndication", SyndicationServlet.asLink(baseUrl, + entry.name, null, 0)).setVisible(linksActive)); WicketUtils.setAlternatingBackground(item, counter); counter++; } -- Gitblit v1.9.1
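Review bot: In the first hunk on this line (`@@ -191,7 +223,12 @@`), `entry.lastChange.getTime()` dereferences `lastChange` without a null check. With this commit the rows can come from a caller-supplied list rather than the local lookup, so a model without a date would abort rendering of the panel; whether such a model can occur is not visible here. A guard such as `if (entry.lastChange == null || entry.lastChange.getTime() == 0) {` covers the new sentinel branch, but the unchanged `TimeUtils.timeAgoCss(entry.lastChange)` call below it would need the same treatment. A short comment stating what a zero timestamp stands for would also help the next reader.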
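Review bot: In the last hunk (`@@ -236,8 +273,8 @@`) the syndication link is now built from `baseUrl`, which an earlier hunk (`@@ -100,15 +118,16 @@`) takes from `WicketUtils.getGitblitURL(getRequest())`. The page therefore emits a URL derived from the incoming request instead of the context-relative prefix used before. If that helper reads the Host or forwarded headers (its body is not shown), a misconfigured proxy or shared cache could cause a foreign origin to appear in the feed link. Using a configured canonical URL, or keeping the relative prefix here, would avoid that. Separately, `.setVisible(linksActive)` only removes the link from the rendered page, so access to the feed itself still has to be enforced on the servlet side.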