From 9da97003c7f33a64ae5060f413f9c4c5d26efe78 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 19 May 2011 19:01:45 -0400
Subject: [PATCH] Critical fix for servlet.

---
 src/com/gitblit/wicket/pages/EditUserPage.java |   83 ++++++++++++++++++++++++++++++++++++-----
 1 files changed, 72 insertions(+), 11 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditUserPage.java b/src/com/gitblit/wicket/pages/EditUserPage.java
index 250d1fd..7522f3e 100644
--- a/src/com/gitblit/wicket/pages/EditUserPage.java
+++ b/src/com/gitblit/wicket/pages/EditUserPage.java
@@ -1,5 +1,6 @@
 package com.gitblit.wicket.pages;
 
+import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -15,13 +16,18 @@
 import org.apache.wicket.model.Model;
 import org.apache.wicket.model.util.CollectionModel;
 import org.apache.wicket.model.util.ListModel;
+import org.eclipse.jetty.http.security.Credential.Crypt;
 import org.eclipse.jetty.http.security.Credential.MD5;
 
+import com.gitblit.Constants.AccessRestrictionType;
 import com.gitblit.GitBlit;
 import com.gitblit.GitBlitException;
+import com.gitblit.Keys;
+import com.gitblit.utils.StringUtils;
 import com.gitblit.wicket.AdminPage;
 import com.gitblit.wicket.BasePage;
 import com.gitblit.wicket.WicketUtils;
+import com.gitblit.wicket.models.RepositoryModel;
 import com.gitblit.wicket.models.UserModel;
 
 @AdminPage
@@ -41,7 +47,7 @@
 		super(params);
 		isCreate = false;
 		String name = WicketUtils.getUsername(params);
-		UserModel model = GitBlit.self().getUser(name);
+		UserModel model = GitBlit.self().getUserModel(name);
 		setupPage(model);
 	}
 
@@ -51,24 +57,68 @@
 		} else {
 			super.setupPage("", getString("gb.edit"));
 		}
-		final Model<String> confirmPassword = new Model<String>();
+		final Model<String> confirmPassword = new Model<String>(StringUtils.isEmpty(userModel.getPassword()) ? "" : userModel.getPassword());
 		CompoundPropertyModel<UserModel> model = new CompoundPropertyModel<UserModel>(userModel);
 
-		List<String> repos = GitBlit.self().getRepositoryList();
-		repos.add(0, "*"); // all repositories wildcard
-		final Palette<String> repositories = new Palette<String>("repositories", new ListModel<String>(userModel.getRepositories()), new CollectionModel<String>(repos), new ChoiceRenderer<String>("", ""), 10, false);		
+		List<String> repos = new ArrayList<String>();
+		for (String repo : GitBlit.self().getRepositoryList()) {
+			RepositoryModel repositoryModel = GitBlit.self().getRepositoryModel(repo);
+			if (repositoryModel.accessRestriction.exceeds(AccessRestrictionType.NONE)) {
+				repos.add(repo);
+			}
+		}
+		final Palette<String> repositories = new Palette<String>("repositories", new ListModel<String>(userModel.getRepositories()), new CollectionModel<String>(repos), new ChoiceRenderer<String>("", ""), 10, false);
 		Form<UserModel> form = new Form<UserModel>("editForm", model) {
 
 			private static final long serialVersionUID = 1L;
 
+			/*
+			 * (non-Javadoc)
+			 * 
+			 * @see org.apache.wicket.markup.html.form.Form#onSubmit()
+			 */
 			@Override
 			protected void onSubmit() {
+				String username = userModel.getUsername();
+				if (StringUtils.isEmpty(username)) {
+					error("Please enter a username!");
+					return;
+				}
+				if (isCreate) {
+					UserModel model = GitBlit.self().getUserModel(username);
+					if (model != null) {
+						error(MessageFormat.format("Username {0} is unavailable.", username));
+						return;
+					}
+				}
 				if (!userModel.getPassword().equals(confirmPassword.getObject())) {
 					error("Passwords do not match!");
 					return;
 				}
-				userModel.setPassword(MD5.digest(userModel.getPassword()));
-				
+				String password = userModel.getPassword();
+				if (!password.toUpperCase().startsWith(Crypt.__TYPE) && !password.toUpperCase().startsWith(MD5.__TYPE)) {
+					// This is a plain text password.
+					// Check length.
+					int minLength = GitBlit.self().settings().getInteger(Keys.realm.minPasswordLength, 5);
+					if (minLength < 4) {
+						minLength = 4;
+					}
+					if (password.trim().length() < minLength) {
+						error(MessageFormat.format("Password is too short. Minimum length is {0} characters.", minLength));
+						return;
+					}
+					
+					// Optionally encrypt/obfuscate the password.
+					String type = GitBlit.self().settings().getString(Keys.realm.passwordStorage, "md5");
+					if (type.equalsIgnoreCase("md5")) {
+						// store MD5 checksum of password
+						userModel.setPassword(MD5.digest(userModel.getPassword()));
+					} else if (type.equalsIgnoreCase("crypt")) {
+						// simple unix encryption
+						userModel.setPassword(Crypt.crypt(userModel.getUsername(), userModel.getPassword()));
+					}
+				}
+
 				Iterator<String> selectedRepositories = repositories.getSelectedChoices();
 				List<String> repos = new ArrayList<String>();
 				while (selectedRepositories.hasNext()) {
@@ -81,15 +131,26 @@
 					error(e.getMessage());
 					return;
 				}
-				setRedirect(true);
-				setResponsePage(EditUserPage.class);
+				setRedirect(false);
+				if (isCreate) {
+					// create another user
+					info(MessageFormat.format("New user {0} successfully created.", userModel.getUsername()));
+					setResponsePage(EditUserPage.class);
+				} else {
+					// back to home
+					setResponsePage(RepositoriesPage.class);
+				}
 			}
 		};
 
 		// field names reflective match UserModel fields
 		form.add(new TextField<String>("username").setEnabled(isCreate));
-		form.add(new PasswordTextField("password"));
-		form.add(new PasswordTextField("confirmPassword", confirmPassword));
+		PasswordTextField passwordField = new PasswordTextField("password");
+		passwordField.setResetPassword(false);
+		form.add(passwordField);
+		PasswordTextField confirmPasswordField = new PasswordTextField("confirmPassword", confirmPassword);
+		confirmPasswordField.setResetPassword(false);
+		form.add(confirmPasswordField);
 		form.add(new CheckBox("canAdmin"));
 		form.add(repositories);
 		add(form);

--
Gitblit v1.9.1