(refs #1390)Fix permission control in attachment to wiki page

2025-11-04 20:45:58 +01:00 · 2017-02-21 11:00:21 +09:00
parent 200760cc56
commit 5721cbf6f4
2 changed files with 15 additions and 10 deletions
--- a/src/main/scala/gitbucket/core/controller/FileUploadController.scala
+++ b/src/main/scala/gitbucket/core/controller/FileUploadController.scala
@@ -1,6 +1,7 @@
 package gitbucket.core.controller

 import gitbucket.core.model.Account
+import gitbucket.core.service.RepositoryService.RepositoryInfo
 import gitbucket.core.service.{AccountService, RepositoryService}
 import gitbucket.core.servlet.Database
 import gitbucket.core.util._
@@ -9,10 +10,10 @@ import gitbucket.core.util.Directory._
 import gitbucket.core.util.Implicits._
 import org.eclipse.jgit.api.Git
 import org.eclipse.jgit.dircache.DirCache
-import org.eclipse.jgit.lib.{FileMode, Constants}
+import org.eclipse.jgit.lib.{Constants, FileMode}
 import org.scalatra._
-import org.scalatra.servlet.{MultipartConfig, FileUploadSupport, FileItem}
-import org.apache.commons.io.{IOUtils, FileUtils}
+import org.scalatra.servlet.{FileItem, FileUploadSupport, MultipartConfig}
+import org.apache.commons.io.{FileUtils, IOUtils}

 /**
 * Provides Ajax based file upload functionality.
@@ -45,7 +46,7 @@ class FileUploadController extends ScalatraServlet with FileUploadSupport with R
      val repository = params("repository")

      // Check whether logged-in user is collaborator
-      collaboratorsOnly(owner, repository, loginAccount){
+      onlyWikiEditable(owner, repository, loginAccount){
        execute({ (file, fileId) =>
          val fileName = file.getName
          LockUtil.lock(s"${owner}/${repository}/wiki") {
@@ -87,13 +88,17 @@ class FileUploadController extends ScalatraServlet with FileUploadSupport with R
    redirect("/admin/data")
  }

-  private def collaboratorsOnly(owner: String, repository: String, loginAccount: Account)(action: => Any): Any = {
+  private def onlyWikiEditable(owner: String, repository: String, loginAccount: Account)(action: => Any): Any = {
    implicit val session = Database.getSession(request)
-    loginAccount match {
-      case x if(x.isAdmin) => action
-      case x if(getCollaborators(owner, repository).contains(x.userName)) => action
+    getRepository(owner, repository) match {
+      case Some(x) => x.repository.options.wikiOption match {
+        case "ALL"     if !x.repository.isPrivate => action
+        case "PUBLIC"  if hasGuestRole(owner, repository, Some(loginAccount)) => action
+        case "PRIVATE" if hasDeveloperRole(owner, repository, Some(loginAccount)) => action
        case _  => BadRequest()
      }
+      case None => BadRequest()
+    }
  }

  private def execute(f: (FileItem, String) => Unit, mimeTypeChcker: (String) => Boolean) = fileParams.get("file") match {
--- a/src/main/twirl/gitbucket/core/settings/options.scala.html
+++ b/src/main/twirl/gitbucket/core/settings/options.scala.html
@@ -102,7 +102,7 @@
              </div>
              <div class="radio for-public-repo">
                <label>
-                  <input type="radio" name="wikiOption" value="ALL" @if(repository.repository.options.issuesOption == "ALL"){ checked}> All users can view, create and edit wiki pages
+                  <input type="radio" name="wikiOption" value="ALL" @if(repository.repository.options.wikiOption == "ALL"){ checked}> All users can view, create and edit wiki pages
                </label>
              </div>
              <label for="externalWikiUrl" class="strong">External URL: