Nemcio/GitBucket
1
0
Fork 0
mirror of https://github.com/gitbucket/gitbucket.git synced 2025-11-08 22:45:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix security issue on fork

Browse Source
This commit is contained in:
michaeljayt
2014-12-28 10:54:29 +08:00
parent 0a4a4a51ca
commit a1f09117b0
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/main/scala/app/AccountController.scala
View File

@@ -377,10 +377,12 @@ trait AccountControllerBase extends AccountManagementControllerBase {
post("/:owner/:repository/fork", accountForm)(readableUsersOnly { (form, repository) => post("/:owner/:repository/fork", accountForm)(readableUsersOnly { (form, repository) =>
val loginAccount = context.loginAccount.get val loginAccount = context.loginAccount.get
val loginUserName = loginAccount.userName
val accountName = form.accountName val accountName = form.accountName
LockUtil.lock(s"${accountName}/${repository.name}"){ LockUtil.lock(s"${accountName}/${repository.name}"){
if(getRepository(accountName, repository.name, baseUrl).isDefined){ if(getRepository(accountName, repository.name, baseUrl).isDefined ||
(accountName != loginUserName && !getGroupsByUserName(loginUserName).contains(accountName))){
// redirect to the repository if repository already exists // redirect to the repository if repository already exists
redirect(s"/${accountName}/${repository.name}") redirect(s"/${accountName}/${repository.name}")
} else { } else {
@@ -413,7 +415,7 @@ trait AccountControllerBase extends AccountManagementControllerBase {
getWikiRepositoryDir(accountName, repository.name)) getWikiRepositoryDir(accountName, repository.name))
// Record activity // Record activity
recordForkActivity(repository.owner, repository.name, loginAccount.userName, accountName) recordForkActivity(repository.owner, repository.name, loginUserName, accountName)
// redirect to the repository // redirect to the repository
redirect(s"/${accountName}/${repository.name}") redirect(s"/${accountName}/${repository.name}")
} }