From 606d1992249d7bfb391012d92a72550ffe495f1a Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sun, 22 Mar 2020 01:37:34 +0000 Subject: [PATCH 1/6] fix: upgrade javax.xml.bind:jaxb-api from 2.3.0 to 2.3.1 Snyk has created this PR to upgrade javax.xml.bind:jaxb-api from 2.3.0 to 2.3.1. See this package in NPM: https://www.npmjs.com/package/javax.xml.bind:jaxb-api See this project in Snyk: https://app.snyk.io/org/scm-manager/project/e67572ee-5940-4f2b-93b0-dced62d7ed85?utm_source=github&utm_medium=upgrade-pr --- scm-webapp/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scm-webapp/pom.xml b/scm-webapp/pom.xml index 8dd7873238..dd504200fb 100644 --- a/scm-webapp/pom.xml +++ b/scm-webapp/pom.xml @@ -179,7 +179,7 @@ javax.xml.bind jaxb-api - 2.3.0 + 2.3.1 From cfbce89717953f2c620e43ceaddc51349cc8cb10 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Mon, 23 Mar 2020 04:42:53 +0000 Subject: [PATCH 2/6] fix: upgrade mini-css-extract-plugin from 0.8.2 to 0.9.0 Snyk has created this PR to upgrade mini-css-extract-plugin from 0.8.2 to 0.9.0. See this package in NPM: https://www.npmjs.com/package/mini-css-extract-plugin See this project in Snyk: https://app.snyk.io/org/scm-manager/project/e563ed8d-dedf-4b52-af75-5d89b1e70f44?utm_source=github&utm_medium=upgrade-pr --- scm-ui/ui-scripts/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scm-ui/ui-scripts/package.json b/scm-ui/ui-scripts/package.json index 5df93fa572..e200893c27 100644 --- a/scm-ui/ui-scripts/package.json +++ b/scm-ui/ui-scripts/package.json @@ -14,7 +14,7 @@ "babel-loader": "^8.0.6", "css-loader": "^3.2.0", "file-loader": "^4.2.0", - "mini-css-extract-plugin": "^0.8.0", + "mini-css-extract-plugin": "^0.9.0", "mustache": "^3.1.0", "optimize-css-assets-webpack-plugin": "^5.0.3", "react-refresh": "^0.7.2", From 5e430a373f71b54b6f42e7d0164c57cce4692ba8 Mon Sep 17 00:00:00 2001 
From: snyk-bot Date: Mon, 23 Mar 2020 04:42:58 +0000 Subject: [PATCH 3/6] fix: upgrade react-refresh from 0.7.2 to 0.8.0 Snyk has created this PR to upgrade react-refresh from 0.7.2 to 0.8.0. See this package in NPM: https://www.npmjs.com/package/react-refresh See this project in Snyk: https://app.snyk.io/org/scm-manager/project/e563ed8d-dedf-4b52-af75-5d89b1e70f44?utm_source=github&utm_medium=upgrade-pr --- scm-ui/ui-scripts/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scm-ui/ui-scripts/package.json b/scm-ui/ui-scripts/package.json index 5df93fa572..8a80763cc8 100644 --- a/scm-ui/ui-scripts/package.json +++ b/scm-ui/ui-scripts/package.json @@ -17,7 +17,7 @@ "mini-css-extract-plugin": "^0.8.0", "mustache": "^3.1.0", "optimize-css-assets-webpack-plugin": "^5.0.3", - "react-refresh": "^0.7.2", + "react-refresh": "^0.8.0", "sass": "^1.26.3", "sass-loader": "^8.0.0", "script-loader": "^0.7.2", From 0ee2aaaa45000a7f14e6e5eaa2b9be4bd73ba0bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?= Date: Mon, 30 Mar 2020 12:28:57 +0200 Subject: [PATCH 4/6] Fix authentication for repositories with anonymous read access Repositories with anonymous read access could not be written any more, because for write requests there was no authentication request. This fixes the check for anonymous access and requests username and password, again. --- CHANGELOG.md | 4 ++++ .../java/sonia/scm/web/filter/PermissionFilter.java | 6 +++--- .../sonia/scm/web/filter/PermissionFilterTest.java | 13 ++++++++++++- scm-core/src/test/resources/sonia/scm/shiro.ini | 1 + 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6ce1222f5..846b69b283 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +### Fixed +- Authentication for write requests for repositories with anonymous read access ([#108](https://github.com/scm-manager/scm-manager/pull/1081)) + ## 2.0.0-rc6 - 2020-03-26 ### Added - Extension point to add links to the repository cards from plug ins ([#1041](https://github.com/scm-manager/scm-manager/pull/1041)) diff --git a/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java b/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java index a254edcb41..9cfa95c1d5 100644 --- a/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java +++ b/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java @@ -21,7 +21,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ - + package sonia.scm.web.filter; import org.apache.shiro.SecurityUtils; @@ -35,7 +35,7 @@ import sonia.scm.repository.Repository; import sonia.scm.repository.RepositoryPermissions; import sonia.scm.repository.spi.ScmProviderHttpServlet; import sonia.scm.repository.spi.ScmProviderHttpServletDecorator; -import sonia.scm.security.Role; +import sonia.scm.security.Authentications; import sonia.scm.security.ScmSecurityException; import sonia.scm.util.HttpUtil; @@ -177,7 +177,7 @@ public abstract class PermissionFilter extends ScmProviderHttpServletDecorator HttpServletResponse response, Subject subject) throws IOException { - if (subject.hasRole(Role.USER)) + if (!Authentications.isAuthenticatedSubjectAnonymous()) { sendNotEnoughPrivilegesError(request, response); } diff --git a/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java b/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java index ad21e501e7..5ba99bd2f1 100644 
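Review bot: In the `@@ -177,7 +177,7 @@` hunk of PermissionFilter.java the new condition `if (!Authentications.isAuthenticatedSubjectAnonymous())` no longer consults the `subject` parameter the method still receives, so the 401-versus-403 decision now depends on whatever subject the static helper resolves (presumably the thread-bound one) rather than the one the caller passed; if those can ever differ, the challenge is decided for the wrong principal. Either route `subject` into the check or document the reliance on the line, e.g. `// anonymous subject: challenge with 401; any other subject: deny with 403 (resolved via the thread-bound subject, not the parameter)`. Note also that the old check challenged every subject lacking `Role.USER`, whereas the new one challenges only subjects the helper classifies as anonymous, so any other unauthenticated state that can reach this point (if one exists) now gets 403 instead of a credential request — worth confirming against `Authentications`. The enclosing method's signature begins before the hunk and its else-branch continues after it.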
--- a/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java +++ b/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java @@ -21,7 +21,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ - + package sonia.scm.web.filter; import com.github.sdorra.shiro.ShiroRule; @@ -82,6 +82,17 @@ public class PermissionFilterTest { permissionFilter.service(request, response, REPOSITORY); + verify(response).sendError(eq(403)); + verify(delegateServlet, never()).service(request, response, REPOSITORY); + } + + @Test + @SubjectAware(username = "_anonymous", password = "secret") + public void shouldBlockForAnonymousOnWriteRequestWithAuthenticationRequest() throws IOException, ServletException { + writeRequest = true; + + permissionFilter.service(request, response, REPOSITORY); + verify(response).sendError(eq(401), anyString()); verify(delegateServlet, never()).service(request, response, REPOSITORY); } diff --git a/scm-core/src/test/resources/sonia/scm/shiro.ini b/scm-core/src/test/resources/sonia/scm/shiro.ini index fda268ec83..4bd34d3a41 100644 --- a/scm-core/src/test/resources/sonia/scm/shiro.ini +++ b/scm-core/src/test/resources/sonia/scm/shiro.ini @@ -4,6 +4,7 @@ admin = secret, admin writer = secret, repo_write reader = secret, repo_read unpriv = secret +_anonymous = secret [roles] admin = * From 898eb9c7550548b7baded5090845d35db77bdab9 Mon Sep 17 00:00:00 2001 
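Review bot: The new test `shouldBlockForAnonymousOnWriteRequestWithAuthenticationRequest` in the `@@ -82,6 +82,17 @@` hunk exercises the anonymous case only as a subject that logged in with credentials (`@SubjectAware(username = "_anonymous", password = "secret")`, backed by the added shiro.ini entry), so a request that carries no authenticated subject at all is not covered by the added assertions; if the filter is expected to challenge that state too, a second test without `@SubjectAware` would pin it. The test name does not say why the anonymous user is treated differently from other unprivileged users, so a one-line Javadoc such as `/** Write requests by the anonymous user must receive a 401 challenge, not a 403 denial. */` would help the next reader. The `verify(response).sendError(eq(403));` added at the top of the hunk belongs to a test whose header and subject setup lie before the hunk, so the subject it runs under is not visible here.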
From: snyk-bot Date: Mon, 30 Mar 2020 22:15:56 +0000 Subject: [PATCH 5/6] fix: upgrade com.fasterxml.jackson.core:jackson-databind from 2.10.2 to 2.10.3 Snyk has created this PR to upgrade com.fasterxml.jackson.core:jackson-databind from 2.10.2 to 2.10.3. See this package in NPM: https://www.npmjs.com/package/com.fasterxml.jackson.core:jackson-databind See this project in Snyk: https://app.snyk.io/org/scm-manager/project/0397d943-538d-483e-9c87-a3f7e7665d7b?utm_source=github&utm_medium=upgrade-pr --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 2054116a65..6a56a1fd5a 100644 --- a/pom.xml +++ b/pom.xml @@ -912,7 +912,7 @@ 2.1.1 4.5.2.Final 1.19.4 - 2.10.2 + 2.10.3 4.2.2 2.3.1 6.1.2.Final @@ -944,7 +944,7 @@ 8 UTF-8 SCM-MIT - + 1.3.1.Final From 1425a4e9539b644d15fb5a15abd9e81138cd394f Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 31 Mar 2020 06:35:06 +0000 Subject: [PATCH 6/6] fix: upgrade org.kohsuke.metainf-services:metainf-services from 1.7 to 1.8 Snyk has created this PR to upgrade org.kohsuke.metainf-services:metainf-services from 1.7 to 1.8. See this package in NPM: https://www.npmjs.com/package/org.kohsuke.metainf-services:metainf-services See this project in Snyk: https://app.snyk.io/org/scm-manager/project/31334444-8fef-42b0-9d09-7db866678fbb?utm_source=github&utm_medium=upgrade-pr --- scm-annotation-processor/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scm-annotation-processor/pom.xml b/scm-annotation-processor/pom.xml index 4881cf3110..eafc3f5c58 100644 --- a/scm-annotation-processor/pom.xml +++ b/scm-annotation-processor/pom.xml @@ -78,7 +78,7 @@ org.kohsuke.metainf-services metainf-services - 1.7 + 1.8