Do not traverse unaccessible subdirectories (issue 51)

lemval

2012-01-31 1c30dad2115fc513791d8a5b292ad0f7d7b85749

 src/com/gitblit/wicket/AuthorizationStrategy.java

@@ -22,7 +22,8 @@


import com.gitblit.GitBlit;

import com.gitblit.Keys;

import com.gitblit.wicket.models.UserModel;

import com.gitblit.models.UserModel;

import com.gitblit.wicket.pages.BasePage;

import com.gitblit.wicket.pages.RepositoriesPage;



public class AuthorizationStrategy extends AbstractPageAuthorizationStrategy implements

@@ -34,6 +35,12 @@
   @SuppressWarnings({ "unchecked", "rawtypes" })

   @Override

   protected boolean isPageAuthorized(Class pageClass) {

      if (RepositoriesPage.class.equals(pageClass)) {

         // allow all requests to get to the RepositoriesPage with its inline

         // authentication form

         return true;

      }



      if (BasePage.class.isAssignableFrom(pageClass)) {

         boolean authenticateView = GitBlit.getBoolean(Keys.web.authenticateViewPages, true);

         boolean authenticateAdmin = GitBlit.getBoolean(Keys.web.authenticateAdminPages, true);

@@ -46,7 +53,7 @@
         }



         UserModel user = session.getUser();

         if (pageClass.isAnnotationPresent(AdminPage.class)) {

         if (pageClass.isAnnotationPresent(RequiresAdminRole.class)) {

            // admin page

            if (allowAdmin) {

               if (authenticateAdmin) {

@@ -71,12 +78,7 @@
   @Override

   public void onUnauthorizedInstantiation(Component component) {

      if (component instanceof BasePage) {

         GitBlitWebSession session = GitBlitWebSession.get();

         if (!session.isLoggedIn()) {

            throw new RestartResponseAtInterceptPageException(LoginPage.class);

         } else {

            throw new RestartResponseAtInterceptPageException(RepositoriesPage.class);

         }

         throw new RestartResponseAtInterceptPageException(RepositoriesPage.class);

      }

   }

}