From b94965e87929c6b4e42f9a2078dc0d910cc2637d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 09 May 2012 07:59:00 -0400
Subject: [PATCH] Merge pull request #17 from peterloron/master
---
 src/com/gitblit/AccessRestrictionFilter.java | 18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java
index 27e2a18..e9b6587 100644
--- a/src/com/gitblit/AccessRestrictionFilter.java
+++ b/src/com/gitblit/AccessRestrictionFilter.java
@@ -25,7 +25,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import com.gitblit.AuthenticationFilter.AuthenticatedRequest;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.StringUtils;
@@ -61,6 +60,15 @@
 * @return action of the request
 */
 protected abstract String getUrlRequestAction(String url);
+
+ /**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ protected abstract boolean isActionAllowed(RepositoryModel repository, String action);
 
 /**
 * Determine if the repository requires authentication.
@@ -111,6 +119,14 @@
 httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
 return;
 }
+
+ // Confirm that the action may be executed on the repository
+ if (!isActionAllowed(model, urlRequestType)) {
+ logger.info(MessageFormat.format("ARF: action {0} on {1} forbidden ({2})",
+ urlRequestType, model, HttpServletResponse.SC_FORBIDDEN));
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
 
 // Wrap the HttpServletRequest with the AccessRestrictionRequest which
 // overrides the servlet container user principal methods.
-- 
Gitblit v1.9.1
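Review bot: The Javadoc added for `isActionAllowed` in the second hunk leaves both `@param` tags empty, so subclasses get no contract for what `action` contains or what a `false` return causes. The third hunk shows the filter passes the value it holds in `urlRequestType` (presumably the result of `getUrlRequestAction`) and answers `false` with a 403, so the tags should state that: `@param repository the repository resolved from the request URL`, `@param action the request action as returned by {@link #getUrlRequestAction(String)}`, `@return true if the action may be performed; false makes the filter respond with 403 Forbidden`. It is also worth noting in the same Javadoc that the check is evaluated before the request is wrapped with the user-principal override (the wrapping comment follows the new check in the third hunk), so implementations should not depend on an authenticated user being present.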
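Review bot: The denial log added in the third hunk records the action and the repository but nothing identifying the requester, so a defender reading the log cannot distinguish one client repeatedly hitting a forbidden action from many clients doing so. Because the check runs before the request is wrapped with the user principal, no user name is available yet, but the remote address is; if the servlet request is held in a local such as `httpRequest` (not visible in the hunk), the message could become `"ARF: action {0} on {1} from {2} forbidden ({3})"` with `httpRequest.getRemoteAddr()` inserted before `HttpServletResponse.SC_FORBIDDEN` in the argument list. Rejecting the action before any identity is established is the right fail-closed order and should stay as written. The enclosing method starts and ends outside the hunk.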