From e7883877a98dfcae3f75f1c1a562120d89aed22a Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 09 Feb 2012 08:33:16 -0500
Subject: [PATCH] Fixed session fixation vulnerability (issue 62)

---
 src/com/gitblit/wicket/pages/EditTeamPage.java |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditTeamPage.java b/src/com/gitblit/wicket/pages/EditTeamPage.java
index 8a0540f..57e9735 100644
--- a/src/com/gitblit/wicket/pages/EditTeamPage.java
+++ b/src/com/gitblit/wicket/pages/EditTeamPage.java
@@ -24,6 +24,7 @@
 import java.util.Set;
 
 import org.apache.wicket.PageParameters;
+import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.extensions.markup.html.form.palette.Palette;
 import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.ChoiceRenderer;
@@ -149,6 +150,10 @@
 				while (selectedRepositories.hasNext()) {
 					repos.add(selectedRepositories.next().toLowerCase());
 				}
+				if (repos.size() == 0) {
+					error("A team must specify at least one repository.");
+					return;
+				}
 				teamModel.repositories.clear();
 				teamModel.repositories.addAll(repos);
 
@@ -203,14 +208,15 @@
 					// create another team
 					info(MessageFormat.format("New team ''{0}'' successfully created.",
 							teamModel.name));
-					setResponsePage(EditTeamPage.class);
-				} else {
-					// back to users page
-					setResponsePage(UsersPage.class);
 				}
+				// back to users page
+				setResponsePage(UsersPage.class);
 			}
 		};
 
+		// do not let the browser pre-populate these fields
+		form.add(new SimpleAttributeModifier("autocomplete", "off"));
+
 		// field names reflective match TeamModel fields
 		form.add(new TextField<String>("name"));
 		form.add(users);
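Review bot: The retained comment `// create another team` above the `info(...)` call is stale, because the new code no longer returns to `EditTeamPage` and both the create and edit paths now fall through to `setResponsePage(UsersPage.class)`; I would reword it to `// confirm creation, then fall through to the users page`. The `autocomplete="off"` modifier is only a browser hint that browsers and password managers may ignore, so its comment could read `// ask the browser not to pre-populate these fields (advisory only)` and the form should not rely on it as a protection. None of the lines visible in this patch touch session handling, although the subject names a session fixation fix and the diffstat lists only this file, so that fix presumably lives elsewhere and is worth confirming separately. The enclosing submit handler and the surrounding constructor code begin outside the hunk.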

--
Gitblit v1.9.1