Nemcio/GitBucket
1
0
Fork 0
mirror of https://github.com/gitbucket/gitbucket.git synced 2025-11-04 20:45:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

(refs #1390)Fix permission control in attachment to wiki page

Browse Source
This commit is contained in:
Naoki Takezoe
2017-02-21 11:00:21 +09:00
parent 200760cc56
commit 5721cbf6f4
2 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/main/scala/gitbucket/core/controller/FileUploadController.scala
View File

@@ -1,6 +1,7 @@
package gitbucket.core.controller
import gitbucket.core.model.Account
import gitbucket.core.service.RepositoryService.RepositoryInfo
import gitbucket.core.service.{AccountService, RepositoryService}
import gitbucket.core.servlet.Database
import gitbucket.core.util._
@@ -9,10 +10,10 @@ import gitbucket.core.util.Directory._
import gitbucket.core.util.Implicits._
import org.eclipse.jgit.api.Git
import org.eclipse.jgit.dircache.DirCache
import org.eclipse.jgit.lib.{FileMode, Constants}
import org.eclipse.jgit.lib.{Constants, FileMode}
import org.scalatra._
import org.scalatra.servlet.{MultipartConfig, FileUploadSupport, FileItem}
import org.apache.commons.io.{IOUtils, FileUtils}
import org.scalatra.servlet.{FileItem, FileUploadSupport, MultipartConfig}
import org.apache.commons.io.{FileUtils, IOUtils}
/**
* Provides Ajax based file upload functionality.
@@ -45,7 +46,7 @@ class FileUploadController extends ScalatraServlet with FileUploadSupport with R
val repository = params("repository")
// Check whether logged-in user is collaborator
collaboratorsOnly(owner, repository, loginAccount){
onlyWikiEditable(owner, repository, loginAccount){
execute({ (file, fileId) =>
val fileName = file.getName
LockUtil.lock(s"${owner}/${repository}/wiki") {
@@ -87,12 +88,16 @@ class FileUploadController extends ScalatraServlet with FileUploadSupport with R
redirect("/admin/data")
}
private def collaboratorsOnly(owner: String, repository: String, loginAccount: Account)(action: => Any): Any = {
private def onlyWikiEditable(owner: String, repository: String, loginAccount: Account)(action: => Any): Any = {
implicit val session = Database.getSession(request)
loginAccount match {
case x if(x.isAdmin) => action
case x if(getCollaborators(owner, repository).contains(x.userName)) => action
case _ => BadRequest()
getRepository(owner, repository) match {
case Some(x) => x.repository.options.wikiOption match {
case "ALL" if !x.repository.isPrivate => action
case "PUBLIC" if hasGuestRole(owner, repository, Some(loginAccount)) => action
case "PRIVATE" if hasDeveloperRole(owner, repository, Some(loginAccount)) => action
case _ => BadRequest()
}
case None => BadRequest()
}
}

2
src/main/twirl/gitbucket/core/settings/options.scala.html
View File

@@ -102,7 +102,7 @@
</div>
<div class="radio for-public-repo">
<label>
<input type="radio" name="wikiOption" value="ALL" @if(repository.repository.options.issuesOption == "ALL"){ checked}> All users can view, create and edit wiki pages
<input type="radio" name="wikiOption" value="ALL" @if(repository.repository.options.wikiOption == "ALL"){ checked}> All users can view, create and edit wiki pages
</label>
</div>
<label for="externalWikiUrl" class="strong">External URL: