Commit @9f0f83d67bdc552e6fcdd47e102d35cb30470196

doortts 2016-12-28

code: Fix members only access code bug

@9f0f83d67bdc552e6fcdd47e102d35cb30470196

9f0f83d

app/actions/CodeAccessCheckAction.java (added)

+++ app/actions/CodeAccessCheckAction.java

...	...	@@ -0,0 +1,28 @@
	1	+/**
	2	+ * Yona, 21st Century Project Hosting SW
	3	+ * <p>
	4	+ * Copyright Yona & Yobi Authors & NAVER Corp.
	5	+ * https://yona.io
	6	+ **/
	7	+package actions;
	8	+
	9	+import actions.support.PathParser;
	10	+import controllers.UserApp;
	11	+import models.Project;
	12	+import play.libs.F.Promise;
	13	+import play.mvc.Http.Context;
	14	+import play.mvc.Result;
	15	+import utils.ErrorViews;
	16	+
	17	+public class CodeAccessCheckAction extends AbstractProjectCheckAction<Void> {
	18	+ @Override
	19	+ protected Promise<Result> call(Project project, Context context, PathParser parser) throws Throwable {
	20	+ // Only members can access code?
	21	+ Promise<Result> promise;
	22	+ if(project.isCodeAccessibleMemberOnly && !project.hasMember(UserApp.currentUser())) {
	23	+ promise = Promise.pure((Result) forbidden(ErrorViews.Forbidden.render("error.forbidden.or.notfound", context.request().path())));
	24	+ return promise;
	25	+ }
	26	+ return this.delegate.call(context);
	27	+ }
	28	+}

d91a576

9f0f83d

app/controllers/BranchApp.java

--- app/controllers/BranchApp.java

+++ app/controllers/BranchApp.java


  */
 package controllers;
 
+import actions.CodeAccessCheckAction;
 import controllers.annotation.AnonymousCheck;
 import controllers.annotation.IsAllowed;
 import controllers.annotation.IsOnlyGitAvailable;

 import org.eclipse.jgit.lib.Repository;
 import play.mvc.Controller;
 import play.mvc.Result;
+import play.mvc.With;
 import playRepository.GitBranch;
 import playRepository.GitRepository;
 import utils.HttpUtil;

 @AnonymousCheck
 public class BranchApp extends Controller {
 
-    @IsAllowed(Operation.READ)
+    @With(CodeAccessCheckAction.class)
     public static Result branches(String loginId, String projectName) throws IOException, GitAPIException {
         Project project = Project.findByOwnerAndProjectName(loginId, projectName);
         GitRepository gitRepository = new GitRepository(project);

d91a576

9f0f83d

app/controllers/CodeApp.java

--- app/controllers/CodeApp.java

+++ app/controllers/CodeApp.java


  */
 package controllers;
 
+import actions.CodeAccessCheckAction;
 import actions.DefaultProjectCheckAction;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import controllers.annotation.AnonymousCheck;

 import org.apache.commons.io.FilenameUtils;
 import org.apache.tika.Tika;
 import org.apache.tika.mime.MediaType;
-import org.eclipse.jgit.api.ArchiveCommand;
-import org.eclipse.jgit.api.Git;
 import org.eclipse.jgit.api.errors.GitAPIException;
-import org.eclipse.jgit.archive.ZipFormat;
 import org.tmatesoft.svn.core.SVNException;
 import play.mvc.Controller;
 import play.mvc.Http;
 import play.mvc.Result;
 import play.mvc.With;
-import playRepository.GitRepository;
 import playRepository.PlayRepository;
 import playRepository.RepositoryService;
 import utils.ErrorViews;

         return redirect(routes.CodeApp.codeBrowserWithBranch(userName, projectName, defaultBranch, ""));
     }
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result codeBrowserWithBranch(String userName, String projectName, String branch, String path)
         throws UnsupportedOperationException, IOException, SVNException, GitAPIException, ServletException {
         Project project = Project.findByOwnerAndProjectName(userName, projectName);

         return ok(view.render(project, branches, recursiveData, branch, path));
     }
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result ajaxRequest(String userName, String projectName, String path) throws Exception{
         PlayRepository repository = RepositoryService.getRepository(userName, projectName);
         path = HttpUtil.decodePathSegment(path);

         }
     }
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result download(String userName, String projectName, String branch, String path)
             throws UnsupportedOperationException, IOException, SVNException, GitAPIException, ServletException {
         Project project = Project.findByOwnerAndProjectName(userName, projectName);

         return ok(chunks);
     }
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result ajaxRequestWithBranch(String userName, String projectName, String branch, String path)
             throws UnsupportedOperationException, IOException, SVNException, GitAPIException, ServletException{
         CodeApp.hostName = request().host();

         }
     }
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result showRawFile(String userName, String projectName, String revision, String path) throws Exception{
         path = HttpUtil.decodePathSegment(path);
         revision = HttpUtil.decodePathSegment(revision);

         return ok(fileAsRaw).as(mediaTypeString);
     }
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result showImageFile(String userName, String projectName, String revision, String path) throws Exception{
         revision = HttpUtil.decodePathSegment(revision);
         path = HttpUtil.decodePathSegment(path);

d91a576

9f0f83d

app/controllers/CodeHistoryApp.java

--- app/controllers/CodeHistoryApp.java

+++ app/controllers/CodeHistoryApp.java


  */
 package controllers;
 
+import actions.CodeAccessCheckAction;
 import actions.DefaultProjectCheckAction;
 import actions.NullProjectCheckAction;
 import controllers.annotation.AnonymousCheck;

 import org.eclipse.jgit.api.errors.NoHeadException;
 import org.tmatesoft.svn.core.SVNException;
 import play.data.Form;
-import play.mvc.*;
+import play.mvc.Call;
+import play.mvc.Controller;
+import play.mvc.Result;
+import play.mvc.With;
 import playRepository.Commit;
 import playRepository.FileDiff;
 import playRepository.PlayRepository;
 import playRepository.RepositoryService;
-import utils.*;
+import utils.AccessControl;
+import utils.ErrorViews;
+import utils.HttpUtil;
+import utils.RouteUtil;
 import views.html.code.diff;
 import views.html.code.history;
 import views.html.code.nohead;

     private static final int HISTORY_ITEM_LIMIT = 25;
 
 
-    @With(DefaultProjectCheckAction.class)
+    @With(CodeAccessCheckAction.class)
     public static Result historyUntilHead(String ownerName, String projectName) throws IOException,
             UnsupportedOperationException, ServletException, GitAPIException,
             SVNException {
         return history(ownerName, projectName, null, null);
     }
 
-    @IsAllowed(Operation.READ)
+    @With(CodeAccessCheckAction.class)
     public static Result history(String ownerName, String projectName, String branch, String path) throws IOException,
             UnsupportedOperationException, ServletException, GitAPIException,
             SVNException {

         }
     }
 
-    @IsAllowed(Operation.READ)
+    @With(CodeAccessCheckAction.class)
     public static Result show(String ownerName, String projectName, String commitId)
             throws IOException, UnsupportedOperationException, ServletException, GitAPIException,
             SVNException, NoSuchMethodException {

d91a576

9f0f83d

app/controllers/GitApp.java

--- app/controllers/GitApp.java

+++ app/controllers/GitApp.java


     private static boolean isAllowed(Project project, String service) throws
             UnsupportedOperationException, IOException, ServletException {
         Operation operation = Operation.UPDATE;
+
         if (service.equals("git-upload-pack")) {
             operation = Operation.READ;
+        }
+
+        // Only members can access code?
+        if(project.isCodeAccessibleMemberOnly && !project.hasMember(UserApp.currentUser())) {
+            operation = Operation.UPDATE;
         }
 
         PlayRepository repository = RepositoryService.getRepository(project);

         }
 
         models.User user = UserApp.currentUser();
-
-        // Only members can access code?
-        // Only members can access code?
-        if(project.isCodeAccessibleMemberOnly && !project.hasMember(UserApp.currentUser())) {
-            return forbidden(Messages.get(Lang.defaultLang(),
-                        "git.error.permission", user.loginId, ownerName, projectName));
-        }
 
         if (!isAllowed(project, service)) {
             if (user.isAnonymous()) {

Add a comment

Open 0
Closed 0

List

...	...	@@ -20,6 +20,7 @@
20	20	*/
21	21	package controllers;
22	22
	23	+import actions.CodeAccessCheckAction;
23	24	import actions.DefaultProjectCheckAction;
24	25	import com.fasterxml.jackson.databind.node.ObjectNode;
25	26	import controllers.annotation.AnonymousCheck;
...	...	@@ -29,16 +30,12 @@
29	30	import org.apache.commons.io.FilenameUtils;
30	31	import org.apache.tika.Tika;
31	32	import org.apache.tika.mime.MediaType;
32		-import org.eclipse.jgit.api.ArchiveCommand;
33		-import org.eclipse.jgit.api.Git;
34	33	import org.eclipse.jgit.api.errors.GitAPIException;
35		-import org.eclipse.jgit.archive.ZipFormat;
36	34	import org.tmatesoft.svn.core.SVNException;
37	35	import play.mvc.Controller;
38	36	import play.mvc.Http;
39	37	import play.mvc.Result;
40	38	import play.mvc.With;
41		-import playRepository.GitRepository;
42	39	import playRepository.PlayRepository;
43	40	import playRepository.RepositoryService;
44	41	import utils.ErrorViews;
...	...	@@ -95,7 +92,7 @@
95	92	return redirect(routes.CodeApp.codeBrowserWithBranch(userName, projectName, defaultBranch, ""));
96	93	}
97	94
98		- @With(DefaultProjectCheckAction.class)
	95	+ @With(CodeAccessCheckAction.class)
99	96	public static Result codeBrowserWithBranch(String userName, String projectName, String branch, String path)
100	97	throws UnsupportedOperationException, IOException, SVNException, GitAPIException, ServletException {
101	98	Project project = Project.findByOwnerAndProjectName(userName, projectName);
...	...	@@ -119,7 +116,7 @@
119	116	return ok(view.render(project, branches, recursiveData, branch, path));
120	117	}
121	118
122		- @With(DefaultProjectCheckAction.class)
	119	+ @With(CodeAccessCheckAction.class)
123	120	public static Result ajaxRequest(String userName, String projectName, String path) throws Exception{
124	121	PlayRepository repository = RepositoryService.getRepository(userName, projectName);
125	122	path = HttpUtil.decodePathSegment(path);
...	...	@@ -132,7 +129,7 @@
132	129	}
133	130	}
134	131
135		- @With(DefaultProjectCheckAction.class)
	132	+ @With(CodeAccessCheckAction.class)
136	133	public static Result download(String userName, String projectName, String branch, String path)
137	134	throws UnsupportedOperationException, IOException, SVNException, GitAPIException, ServletException {
138	135	Project project = Project.findByOwnerAndProjectName(userName, projectName);
...	...	@@ -164,7 +161,7 @@
164	161	return ok(chunks);
165	162	}
166	163
167		- @With(DefaultProjectCheckAction.class)
	164	+ @With(CodeAccessCheckAction.class)
168	165	public static Result ajaxRequestWithBranch(String userName, String projectName, String branch, String path)
169	166	throws UnsupportedOperationException, IOException, SVNException, GitAPIException, ServletException{
170	167	CodeApp.hostName = request().host();
...	...	@@ -180,7 +177,7 @@
180	177	}
181	178	}
182	179
183		- @With(DefaultProjectCheckAction.class)
	180	+ @With(CodeAccessCheckAction.class)
184	181	public static Result showRawFile(String userName, String projectName, String revision, String path) throws Exception{
185	182	path = HttpUtil.decodePathSegment(path);
186	183	revision = HttpUtil.decodePathSegment(revision);
...	...	@@ -200,7 +197,7 @@
200	197	return ok(fileAsRaw).as(mediaTypeString);
201	198	}
202	199
203		- @With(DefaultProjectCheckAction.class)
	200	+ @With(CodeAccessCheckAction.class)
204	201	public static Result showImageFile(String userName, String projectName, String revision, String path) throws Exception{
205	202	revision = HttpUtil.decodePathSegment(revision);
206	203	path = HttpUtil.decodePathSegment(path);

...	...	@@ -49,8 +49,14 @@
49	49	private static boolean isAllowed(Project project, String service) throws
50	50	UnsupportedOperationException, IOException, ServletException {
51	51	Operation operation = Operation.UPDATE;
	52	+
52	53	if (service.equals("git-upload-pack")) {
53	54	operation = Operation.READ;
	55	+ }
	56	+
	57	+ // Only members can access code?
	58	+ if(project.isCodeAccessibleMemberOnly && !project.hasMember(UserApp.currentUser())) {
	59	+ operation = Operation.UPDATE;
54	60	}
55	61
56	62	PlayRepository repository = RepositoryService.getRepository(project);
...	...	@@ -102,13 +108,6 @@
102	108	}
103	109
104	110	models.User user = UserApp.currentUser();
105		-
106		- // Only members can access code?
107		- // Only members can access code?
108		- if(project.isCodeAccessibleMemberOnly && !project.hasMember(UserApp.currentUser())) {
109		- return forbidden(Messages.get(Lang.defaultLang(),
110		- "git.error.permission", user.loginId, ownerName, projectName));
111		- }
112	111
113	112	if (!isAllowed(project, service)) {
114	113	if (user.isAnonymous()) {

Delete comment