From 6069be20b5ebb786a1b890fa9c91350ffd355b0f Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 18 Nov 2015 09:15:50 -0500
Subject: [PATCH] Require admin permissions to view the filestore page

---
 src/main/java/com/gitblit/wicket/pages/RootPage.java |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/RootPage.java b/src/main/java/com/gitblit/wicket/pages/RootPage.java
index b48f722..6ed5a35 100644
--- a/src/main/java/com/gitblit/wicket/pages/RootPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/RootPage.java
@@ -185,6 +185,11 @@
 		// navigation links
 		List<NavLink> navLinks = new ArrayList<NavLink>();
 		if (!authenticateView || (authenticateView && isLoggedIn)) {
+			UserModel user = UserModel.ANONYMOUS;
+			if (isLoggedIn) {
+				user = GitBlitWebSession.get().getUser();
+			}
+
 			navLinks.add(new PageNavLink(isLoggedIn ? "gb.myDashboard" : "gb.dashboard", MyDashboardPage.class,
 					getRootPageParameters()));
 			if (isLoggedIn && app().tickets().isReady()) {
@@ -192,7 +197,9 @@
 			}
 			navLinks.add(new PageNavLink("gb.repositories", RepositoriesPage.class,
 					getRootPageParameters()));
-			navLinks.add(new PageNavLink("gb.filestore", FilestorePage.class, getRootPageParameters()));
+			if (user.canAdmin()) {
+				navLinks.add(new PageNavLink("gb.filestore", FilestorePage.class, getRootPageParameters()));
+			}
 			navLinks.add(new PageNavLink("gb.activity", ActivityPage.class, getRootPageParameters()));
 			if (allowLucene) {
 				navLinks.add(new PageNavLink("gb.search", LuceneSearchPage.class));
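Review bot: The `if (user.canAdmin())` guard around the `gb.filestore` entry only hides the navigation link; nothing in this patch restricts `FilestorePage` itself, and the diffstat lists RootPage.java as the only file touched. Unless `FilestorePage` already rejects non-admin users when it is requested (not visible here), a direct request for the page would still be served, so the subject's "require admin permissions" is not met by this hunk alone. The same `canAdmin()` decision should be enforced server-side on the page, and covered by a test that requests it as an anonymous and as a non-admin user. A comment above the guard would record the split, e.g. `// hides the link only; FilestorePage must enforce admin access itself`. The enclosing method starts and ends outside the hunk.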
@@ -200,11 +207,6 @@
 
 			if (!authenticateView || (authenticateView && isLoggedIn)) {
 				addDropDownMenus(navLinks);
-			}
-
-			UserModel user = UserModel.ANONYMOUS;
-			if (isLoggedIn) {
-				user = GitBlitWebSession.get().getUser();
 			}
 
 			// add nav link extensions
@@ -568,7 +570,7 @@
 					char[] password = RootPage.this.password.getObject().toCharArray();
 
 					HttpServletRequest request = ((WebRequest)RequestCycle.get().getRequest()).getHttpServletRequest();
-					
+
 					UserModel user = app().authentication().authenticate(username, password, request.getRemoteAddr());
 					if (user == null) {
 						error(getString("gb.invalidUsernameOrPassword"));

--
Gitblit v1.9.1