src/main/java/com/gitblit/ConfigUserService.java
@@ -37,6 +37,7 @@ import com.gitblit.Constants.AccessPermission; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Constants.Transport; import com.gitblit.manager.IRuntimeManager; import com.gitblit.models.TeamModel; @@ -734,22 +735,22 @@ // user roles List<String> roles = new ArrayList<String>(); if (model.canAdmin) { roles.add(Constants.ADMIN_ROLE); roles.add(Role.ADMIN.getRole()); } if (model.canFork) { roles.add(Constants.FORK_ROLE); roles.add(Role.FORK.getRole()); } if (model.canCreate) { roles.add(Constants.CREATE_ROLE); roles.add(Role.CREATE.getRole()); } if (model.excludeFromFederation) { roles.add(Constants.NOT_FEDERATED_ROLE); roles.add(Role.NOT_FEDERATED.getRole()); } if (roles.size() == 0) { // we do this to ensure that user record with no password // is written. otherwise, StoredConfig optimizes that account // away. :( roles.add(Constants.NO_ROLE); roles.add(Role.NONE.getRole()); } config.setStringList(USER, model.username, ROLE, roles); @@ -778,18 +779,18 @@ // team roles List<String> roles = new ArrayList<String>(); if (model.canAdmin) { roles.add(Constants.ADMIN_ROLE); roles.add(Role.ADMIN.getRole()); } if (model.canFork) { roles.add(Constants.FORK_ROLE); roles.add(Role.FORK.getRole()); } if (model.canCreate) { roles.add(Constants.CREATE_ROLE); roles.add(Role.CREATE.getRole()); } if (roles.size() == 0) { // we do this to ensure that team record is written. // Otherwise, StoredConfig might optimizes that record away. roles.add(Constants.NO_ROLE); roles.add(Role.NONE.getRole()); } config.setStringList(TEAM, model.name, ROLE, roles); if (model.accountType != null) { @@ -911,10 +912,10 @@ // user roles Set<String> roles = new HashSet<String>(Arrays.asList(config.getStringList( USER, username, ROLE))); user.canAdmin = roles.contains(Constants.ADMIN_ROLE); user.canFork = roles.contains(Constants.FORK_ROLE); user.canCreate = roles.contains(Constants.CREATE_ROLE); user.excludeFromFederation = roles.contains(Constants.NOT_FEDERATED_ROLE); user.canAdmin = roles.contains(Role.ADMIN.getRole()); user.canFork = roles.contains(Role.FORK.getRole()); user.canCreate = roles.contains(Role.CREATE.getRole()); user.excludeFromFederation = roles.contains(Role.NOT_FEDERATED.getRole()); // repository memberships if (!user.canAdmin) { @@ -947,9 +948,9 @@ TeamModel team = new TeamModel(teamname); Set<String> roles = new HashSet<String>(Arrays.asList(config.getStringList( TEAM, teamname, ROLE))); team.canAdmin = roles.contains(Constants.ADMIN_ROLE); team.canFork = roles.contains(Constants.FORK_ROLE); team.canCreate = roles.contains(Constants.CREATE_ROLE); team.canAdmin = roles.contains(Role.ADMIN.getRole()); team.canFork = roles.contains(Role.FORK.getRole()); team.canCreate = roles.contains(Role.CREATE.getRole()); team.accountType = AccountType.fromString(config.getString(TEAM, teamname, ACCOUNTTYPE)); if (!team.canAdmin) { src/main/java/com/gitblit/Constants.java
@@ -36,14 +36,19 @@ public static final String FULL_NAME = "Gitblit - a pure Java Git solution"; @Deprecated public static final String ADMIN_ROLE = "#admin"; @Deprecated public static final String FORK_ROLE = "#fork"; @Deprecated public static final String CREATE_ROLE = "#create"; @Deprecated public static final String NOT_FEDERATED_ROLE = "#notfederated"; @Deprecated public static final String NO_ROLE = "#none"; public static final String EXTERNAL_ACCOUNT = "#externalAccount"; @@ -178,6 +183,19 @@ return defaultValue; } public static enum Role { NONE, ADMIN, CREATE, FORK, NOT_FEDERATED; public String getRole() { return "#" + name().replace("_", "").toLowerCase(); } @Override public String toString() { return getRole(); } } /** * Enumeration representing the four access restriction levels. */ src/main/java/com/gitblit/auth/AuthenticationProvider.java
@@ -21,6 +21,7 @@ import org.slf4j.LoggerFactory; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.IStoredSettings; import com.gitblit.manager.IRuntimeManager; import com.gitblit.manager.IUserManager; @@ -138,6 +139,24 @@ */ public abstract boolean supportsTeamMembershipChanges(); /** * Returns true if the user's role can be changed. * * @param user * @param role * @return true if the user's role can be changed */ public abstract boolean supportsRoleChanges(UserModel user, Role role); /** * Returns true if the team's role can be changed. * * @param user * @param role * @return true if the team's role can be changed */ public abstract boolean supportsRoleChanges(TeamModel team, Role role); @Override public String toString() { return getServiceName() + " (" + getClass().getName() + ")"; @@ -199,5 +218,16 @@ public boolean supportsTeamMembershipChanges() { return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } } } src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java
@@ -32,8 +32,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; @@ -124,6 +126,16 @@ return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } /** * Authenticate a user based on a username and password. * src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -30,6 +30,7 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; @@ -272,7 +273,6 @@ return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, "")); } /** * If the LDAP server will maintain team memberships then LdapUserService * will not allow team membership changes. In this scenario all team @@ -286,6 +286,32 @@ return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false); } @Override public boolean supportsRoleChanges(UserModel user, Role role) { if (Role.ADMIN == role) { if (!supportsTeamMembershipChanges()) { List<String> admins = settings.getStrings(Keys.realm.ldap.admins); if (admins.contains(user.username)) { return false; } } } return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { if (Role.ADMIN == role) { if (!supportsTeamMembershipChanges()) { List<String> admins = settings.getStrings(Keys.realm.ldap.admins); if (admins.contains("@" + team.name)) { return false; } } } return true; } @Override public AccountType getAccountType() { return AccountType.LDAP; src/main/java/com/gitblit/auth/PAMAuthProvider.java
@@ -23,8 +23,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; /** @@ -77,6 +79,16 @@ return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } @Override public AccountType getAccountType() { return AccountType.PAM; src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -23,8 +23,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.utils.ConnectionUtils; import com.gitblit.utils.StringUtils; @@ -76,6 +78,16 @@ public boolean supportsTeamMembershipChanges() { return false; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } @Override public AccountType getAccountType() { @@ -154,7 +166,7 @@ url = url.concat("/"); } String apiUrl = url + "users/current.json"; HttpURLConnection http; if (username == null) { // apikey authentication src/main/java/com/gitblit/auth/SalesforceAuthProvider.java
@@ -2,8 +2,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.sforce.soap.partner.Connector; import com.sforce.soap.partner.GetUserInfoResult; @@ -119,4 +121,15 @@ public boolean supportsTeamMembershipChanges() { return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } } src/main/java/com/gitblit/auth/WindowsAuthProvider.java
@@ -26,8 +26,10 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.utils.StringUtils; import com.sun.jna.platform.win32.Win32Exception; @@ -90,6 +92,16 @@ return true; } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return true; } @Override public AccountType getAccountType() { return AccountType.WINDOWS; src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -35,6 +35,7 @@ import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.AuthenticationType; import com.gitblit.Constants.Role; import com.gitblit.IStoredSettings; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider; @@ -585,6 +586,28 @@ return (team != null && team.isLocalTeam()) || findProvider(team).supportsTeamMembershipChanges(); } /** * Returns true if the user's role can be changed. * * @param user * @return true if the user's role can be changed */ @Override public boolean supportsRoleChanges(UserModel user, Role role) { return (user != null && user.isLocalAccount()) || findProvider(user).supportsRoleChanges(user, role); } /** * Returns true if the team's role can be changed. * * @param user * @return true if the team's role can be changed */ @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return (team != null && team.isLocalTeam()) || findProvider(team).supportsRoleChanges(team, role); } protected AuthenticationProvider findProvider(UserModel user) { for (AuthenticationProvider provider : authenticationProviders) { if (provider.getAccountType().equals(user.accountType)) { src/main/java/com/gitblit/manager/GitblitManager.java
@@ -51,6 +51,7 @@ import com.gitblit.Constants.AccessPermission; import com.gitblit.Constants.FederationRequest; import com.gitblit.Constants.FederationToken; import com.gitblit.Constants.Role; import com.gitblit.GitBlitException; import com.gitblit.IStoredSettings; import com.gitblit.models.FederationModel; @@ -711,6 +712,16 @@ return authenticationManager.supportsTeamMembershipChanges(team); } @Override public boolean supportsRoleChanges(UserModel user, Role role) { return authenticationManager.supportsRoleChanges(user, role); } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { return authenticationManager.supportsRoleChanges(team, role); } /* * USER MANAGER */ src/main/java/com/gitblit/manager/IAuthenticationManager.java
@@ -18,6 +18,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import com.gitblit.Constants.Role; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.transport.ssh.SshKey; @@ -161,4 +162,22 @@ */ boolean supportsTeamMembershipChanges(TeamModel team); /** * Returns true if the specified role can be changed. * * @param user * @return true if the specified role can be changed * @since 1.6.1 */ boolean supportsRoleChanges(UserModel user, Role role); /** * Returns true if the specified role can be changed. * * @param team * @return true if the specified role can be changed * @since 1.6.1 */ boolean supportsRoleChanges(TeamModel team, Role role); } src/main/java/com/gitblit/servlet/AuthenticationFilter.java
@@ -1,189 +1,190 @@ /* * Copyright 2011 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.gitblit.servlet; import java.io.IOException; import java.security.Principal; import java.util.Enumeration; import java.util.HashMap; import java.util.Map; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.gitblit.Constants; import com.gitblit.manager.IAuthenticationManager; import com.gitblit.models.UserModel; import com.gitblit.utils.DeepCopier; import com.gitblit.utils.StringUtils; /** * The AuthenticationFilter is a servlet filter that preprocesses requests that * match its url pattern definition in the web.xml file. * * http://en.wikipedia.org/wiki/Basic_access_authentication * * @author James Moger * */ public abstract class AuthenticationFilter implements Filter { protected static final String CHALLENGE = "Basic realm=\"" + Constants.NAME + "\""; protected static final String SESSION_SECURED = "com.gitblit.secured"; protected transient Logger logger = LoggerFactory.getLogger(getClass()); protected IAuthenticationManager authenticationManager; protected AuthenticationFilter(IAuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { } /** * doFilter does the actual work of preprocessing the request to ensure that * the user may proceed. * * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public abstract void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException; /** * Allow the filter to require a client certificate to continue processing. * * @return true, if a client certificate is required */ protected boolean requiresClientCertificate() { return false; } /** * Returns the full relative url of the request. * * @param httpRequest * @return url */ protected String getFullUrl(HttpServletRequest httpRequest) { String servletUrl = httpRequest.getContextPath() + httpRequest.getServletPath(); String url = httpRequest.getRequestURI().substring(servletUrl.length()); String params = httpRequest.getQueryString(); if (url.length() > 0 && url.charAt(0) == '/') { url = url.substring(1); } String fullUrl = url + (StringUtils.isEmpty(params) ? "" : ("?" + params)); return fullUrl; } /** * Returns the user making the request, if the user has authenticated. * * @param httpRequest * @return user */ protected UserModel getUser(HttpServletRequest httpRequest) { UserModel user = authenticationManager.authenticate(httpRequest, requiresClientCertificate()); return user; } /** * Taken from Jetty's LoginAuthenticator.renewSessionOnAuthentication() */ protected void newSession(HttpServletRequest request, HttpServletResponse response) { HttpSession oldSession = request.getSession(false); if (oldSession != null && oldSession.getAttribute(SESSION_SECURED) == null) { synchronized (this) { Map<String, Object> attributes = new HashMap<String, Object>(); Enumeration<String> e = oldSession.getAttributeNames(); while (e.hasMoreElements()) { String name = e.nextElement(); attributes.put(name, oldSession.getAttribute(name)); oldSession.removeAttribute(name); } oldSession.invalidate(); HttpSession newSession = request.getSession(true); newSession.setAttribute(SESSION_SECURED, Boolean.TRUE); for (Map.Entry<String, Object> entry : attributes.entrySet()) { newSession.setAttribute(entry.getKey(), entry.getValue()); } } } } /** * Wraps a standard HttpServletRequest and overrides user principal methods. */ public static class AuthenticatedRequest extends HttpServletRequestWrapper { private UserModel user; public AuthenticatedRequest(HttpServletRequest req) { super(req); user = DeepCopier.copy(UserModel.ANONYMOUS); } UserModel getUser() { return user; } void setUser(UserModel user) { this.user = user; } @Override public String getRemoteUser() { return user.username; } @Override public boolean isUserInRole(String role) { if (role.equals(Constants.ADMIN_ROLE)) { return user.canAdmin(); } // Gitblit does not currently use actual roles in the traditional // servlet container sense. That is the reason this is marked // deprecated, but I may want to revisit this. return user.hasRepositoryPermission(role); } @Override public Principal getUserPrincipal() { return user; } } } /* * Copyright 2011 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.gitblit.servlet; import java.io.IOException; import java.security.Principal; import java.util.Enumeration; import java.util.HashMap; import java.util.Map; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.gitblit.Constants; import com.gitblit.Constants.Role; import com.gitblit.manager.IAuthenticationManager; import com.gitblit.models.UserModel; import com.gitblit.utils.DeepCopier; import com.gitblit.utils.StringUtils; /** * The AuthenticationFilter is a servlet filter that preprocesses requests that * match its url pattern definition in the web.xml file. * * http://en.wikipedia.org/wiki/Basic_access_authentication * * @author James Moger * */ public abstract class AuthenticationFilter implements Filter { protected static final String CHALLENGE = "Basic realm=\"" + Constants.NAME + "\""; protected static final String SESSION_SECURED = "com.gitblit.secured"; protected transient Logger logger = LoggerFactory.getLogger(getClass()); protected IAuthenticationManager authenticationManager; protected AuthenticationFilter(IAuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { } /** * doFilter does the actual work of preprocessing the request to ensure that * the user may proceed. * * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public abstract void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException; /** * Allow the filter to require a client certificate to continue processing. * * @return true, if a client certificate is required */ protected boolean requiresClientCertificate() { return false; } /** * Returns the full relative url of the request. * * @param httpRequest * @return url */ protected String getFullUrl(HttpServletRequest httpRequest) { String servletUrl = httpRequest.getContextPath() + httpRequest.getServletPath(); String url = httpRequest.getRequestURI().substring(servletUrl.length()); String params = httpRequest.getQueryString(); if (url.length() > 0 && url.charAt(0) == '/') { url = url.substring(1); } String fullUrl = url + (StringUtils.isEmpty(params) ? "" : ("?" + params)); return fullUrl; } /** * Returns the user making the request, if the user has authenticated. * * @param httpRequest * @return user */ protected UserModel getUser(HttpServletRequest httpRequest) { UserModel user = authenticationManager.authenticate(httpRequest, requiresClientCertificate()); return user; } /** * Taken from Jetty's LoginAuthenticator.renewSessionOnAuthentication() */ protected void newSession(HttpServletRequest request, HttpServletResponse response) { HttpSession oldSession = request.getSession(false); if (oldSession != null && oldSession.getAttribute(SESSION_SECURED) == null) { synchronized (this) { Map<String, Object> attributes = new HashMap<String, Object>(); Enumeration<String> e = oldSession.getAttributeNames(); while (e.hasMoreElements()) { String name = e.nextElement(); attributes.put(name, oldSession.getAttribute(name)); oldSession.removeAttribute(name); } oldSession.invalidate(); HttpSession newSession = request.getSession(true); newSession.setAttribute(SESSION_SECURED, Boolean.TRUE); for (Map.Entry<String, Object> entry : attributes.entrySet()) { newSession.setAttribute(entry.getKey(), entry.getValue()); } } } } /** * Wraps a standard HttpServletRequest and overrides user principal methods. */ public static class AuthenticatedRequest extends HttpServletRequestWrapper { private UserModel user; public AuthenticatedRequest(HttpServletRequest req) { super(req); user = DeepCopier.copy(UserModel.ANONYMOUS); } UserModel getUser() { return user; } void setUser(UserModel user) { this.user = user; } @Override public String getRemoteUser() { return user.username; } @Override public boolean isUserInRole(String role) { if (role.equals(Role.ADMIN.getRole())) { return user.canAdmin(); } // Gitblit does not currently use actual roles in the traditional // servlet container sense. That is the reason this is marked // deprecated, but I may want to revisit this. return user.hasRepositoryPermission(role); } @Override public Principal getUserPrincipal() { return user; } } } src/main/java/com/gitblit/wicket/pages/EditTeamPage.java
@@ -39,6 +39,7 @@ import org.apache.wicket.model.util.ListModel; import com.gitblit.Constants.RegistrantType; import com.gitblit.Constants.Role; import com.gitblit.GitBlitException; import com.gitblit.Keys; import com.gitblit.models.RegistrantAccessPermission; @@ -221,14 +222,23 @@ // do not let the browser pre-populate these fields form.add(new SimpleAttributeModifier("autocomplete", "off")); // not all user services support manipulating team memberships // not all user providers support manipulating team memberships boolean editMemberships = app().authentication().supportsTeamMembershipChanges(teamModel); // not all user providers support manipulating the admin role boolean changeAdminRole = app().authentication().supportsRoleChanges(teamModel, Role.ADMIN); // not all user providers support manipulating the create role boolean changeCreateRole = app().authentication().supportsRoleChanges(teamModel, Role.CREATE); // not all user providers support manipulating the fork role boolean changeForkRole = app().authentication().supportsRoleChanges(teamModel, Role.FORK); // field names reflective match TeamModel fields form.add(new TextField<String>("name")); form.add(new CheckBox("canAdmin")); form.add(new CheckBox("canFork").setEnabled(app().settings().getBoolean(Keys.web.allowForking, true))); form.add(new CheckBox("canCreate")); form.add(new CheckBox("canAdmin").setEnabled(changeAdminRole)); form.add(new CheckBox("canFork").setEnabled(app().settings().getBoolean(Keys.web.allowForking, true) && changeForkRole)); form.add(new CheckBox("canCreate").setEnabled(changeCreateRole)); form.add(users.setEnabled(editMemberships)); mailingLists = new Model<String>(teamModel.mailingLists == null ? "" : StringUtils.flattenStrings(teamModel.mailingLists, " ")); src/main/java/com/gitblit/wicket/pages/EditUserPage.java
@@ -35,6 +35,7 @@ import org.apache.wicket.model.util.ListModel; import com.gitblit.Constants.RegistrantType; import com.gitblit.Constants.Role; import com.gitblit.GitBlitException; import com.gitblit.Keys; import com.gitblit.models.RegistrantAccessPermission; @@ -216,17 +217,26 @@ // do not let the browser pre-populate these fields form.add(new SimpleAttributeModifier("autocomplete", "off")); // not all user services support manipulating username and password // not all user providers support manipulating username and password boolean editCredentials = app().authentication().supportsCredentialChanges(userModel); // not all user services support manipulating display name // not all user providers support manipulating display name boolean editDisplayName = app().authentication().supportsDisplayNameChanges(userModel); // not all user services support manipulating email address // not all user providers support manipulating email address boolean editEmailAddress = app().authentication().supportsEmailAddressChanges(userModel); // not all user services support manipulating team memberships // not all user providers support manipulating team memberships boolean editTeams = app().authentication().supportsTeamMembershipChanges(userModel); // not all user providers support manipulating the admin role boolean changeAdminRole = app().authentication().supportsRoleChanges(userModel, Role.ADMIN); // not all user providers support manipulating the create role boolean changeCreateRole = app().authentication().supportsRoleChanges(userModel, Role.CREATE); // not all user providers support manipulating the fork role boolean changeForkRole = app().authentication().supportsRoleChanges(userModel, Role.FORK); // field names reflective match UserModel fields form.add(new TextField<String>("username").setEnabled(editCredentials)); @@ -245,7 +255,7 @@ // display a disabled-yet-checked checkbox form.add(new CheckBox("canAdmin", Model.of(true)).setEnabled(false)); } else { form.add(new CheckBox("canAdmin")); form.add(new CheckBox("canAdmin").setEnabled(changeAdminRole)); } if (userModel.canFork() && !userModel.canFork) { @@ -254,7 +264,7 @@ form.add(new CheckBox("canFork", Model.of(true)).setEnabled(false)); } else { final boolean forkingAllowed = app().settings().getBoolean(Keys.web.allowForking, true); form.add(new CheckBox("canFork").setEnabled(forkingAllowed)); form.add(new CheckBox("canFork").setEnabled(forkingAllowed && changeForkRole)); } if (userModel.canCreate() && !userModel.canCreate) { @@ -262,7 +272,7 @@ // display a disabled-yet-checked checkbox form.add(new CheckBox("canCreate", Model.of(true)).setEnabled(false)); } else { form.add(new CheckBox("canCreate")); form.add(new CheckBox("canCreate").setEnabled(changeCreateRole)); } form.add(new CheckBox("excludeFromFederation"));