Do not expose 'source related' links without pull permission

2026-02-21 05:56:53 +01:00 · 2021-12-16 08:56:08 +01:00
parent 11673e6d07
commit bd36756860
3 changed files with 48 additions and 43 deletions
--- a/scm-plugins/scm-git-plugin/src/main/js/RepositoryConfig.tsx
+++ b/scm-plugins/scm-git-plugin/src/main/js/RepositoryConfig.tsx
@@ -73,25 +73,28 @@ class RepositoryConfig extends React.Component<Props, State> {

  componentDidMount() {
    const { repository } = this.props;
-    this.setState({
-      loadingBranches: true,
-    });
    const branchesLink = repository._links.branches as Link;
-    apiClient
-      .get(branchesLink.href)
-      .then((response) => response.json())
-      .then((payload) => payload._embedded.branches)
-      .then((branches) =>
-        this.setState({
-          branches,
-          loadingBranches: false,
-        })
-      )
-      .catch((error) =>
-        this.setState({
-          error,
-        })
-      );
+    if (branchesLink) {
+      apiClient
+        .get(branchesLink.href)
+        .then((response) => response.json())
+        .then((payload) => payload._embedded.branches)
+        .then((branches) =>
+          this.setState({
+            branches,
+            loadingBranches: false,
+          })
+        )
+        .catch((error) =>
+          this.setState({
+            error,
+          })
+        );
+    } else {
+      this.setState({
+        loadingBranches: false,
+      });
+    }

    const configurationLink = repository._links.configuration as Link;
    this.setState({
--- a/scm-ui/ui-webapp/src/repos/containers/RepositoryRoot.tsx
+++ b/scm-ui/ui-webapp/src/repos/containers/RepositoryRoot.tsx
@@ -118,8 +118,10 @@ const RepositoryRoot = () => {
  let redirectedUrl;
  if (redirectUrlFactory) {
    redirectedUrl = url + redirectUrlFactory(props);
-  } else {
+  } else if (repository._links.sources) {
    redirectedUrl = url + "/code/sources/";
+  } else {
+    redirectedUrl = url + "/info";
  }

  const fileControlFactoryFactory: (changeset: Changeset) => FileControlFactory = changeset => file => {
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryToRepositoryDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryToRepositoryDtoMapper.java
@@ -134,34 +134,34 @@ public abstract class RepositoryToRepositoryDtoMapper extends BaseMapper<Reposit
          .map(this::createProtocolLink)
          .collect(toList());
        linksBuilder.array(protocolLinks);
-      }

-      if (repositoryService.isSupported(Command.BUNDLE) && RepositoryPermissions.export(repository).isPermitted()) {
-        linksBuilder.single(link("export", resourceLinks.repository().export(repository.getNamespace(), repository.getName(), repository.getType())));
-        linksBuilder.single(link("fullExport", resourceLinks.repository().fullExport(repository.getNamespace(), repository.getName(), repository.getType())));
-        linksBuilder.single(link("exportInfo", resourceLinks.repository().exportInfo(repository.getNamespace(), repository.getName())));
-      }
-
-      if (repositoryService.isSupported(Command.TAGS)) {
-        linksBuilder.single(link("tags", resourceLinks.tag().all(repository.getNamespace(), repository.getName())));
-      }
-      if (repositoryService.isSupported(Command.BRANCHES)) {
-        linksBuilder.single(link("branches", resourceLinks.branchCollection().self(repository.getNamespace(), repository.getName())));
-      }
-      if (repositoryService.isSupported(Command.BRANCH_DETAILS)) {
-        linksBuilder.single(link("branchDetailsCollection", resourceLinks.branchDetailsCollection().self(repository.getNamespace(), repository.getName())));
-      }
-      if (repositoryService.isSupported(Feature.INCOMING_REVISION)) {
-        linksBuilder.single(link("incomingChangesets", resourceLinks.incoming().changesets(repository.getNamespace(), repository.getName())));
-        linksBuilder.single(link("incomingDiff", resourceLinks.incoming().diff(repository.getNamespace(), repository.getName())));
-        if (repositoryService.isSupported(Command.DIFF_RESULT)) {
-          linksBuilder.single(link("incomingDiffParsed", resourceLinks.incoming().diffParsed(repository.getNamespace(), repository.getName())));
+        if (repositoryService.isSupported(Command.BUNDLE) && RepositoryPermissions.export(repository).isPermitted()) {
+          linksBuilder.single(link("export", resourceLinks.repository().export(repository.getNamespace(), repository.getName(), repository.getType())));
+          linksBuilder.single(link("fullExport", resourceLinks.repository().fullExport(repository.getNamespace(), repository.getName(), repository.getType())));
+          linksBuilder.single(link("exportInfo", resourceLinks.repository().exportInfo(repository.getNamespace(), repository.getName())));
        }
+
+        if (repositoryService.isSupported(Command.TAGS)) {
+          linksBuilder.single(link("tags", resourceLinks.tag().all(repository.getNamespace(), repository.getName())));
+        }
+        if (repositoryService.isSupported(Command.BRANCHES)) {
+          linksBuilder.single(link("branches", resourceLinks.branchCollection().self(repository.getNamespace(), repository.getName())));
+        }
+        if (repositoryService.isSupported(Command.BRANCH_DETAILS)) {
+          linksBuilder.single(link("branchDetailsCollection", resourceLinks.branchDetailsCollection().self(repository.getNamespace(), repository.getName())));
+        }
+        if (repositoryService.isSupported(Feature.INCOMING_REVISION)) {
+          linksBuilder.single(link("incomingChangesets", resourceLinks.incoming().changesets(repository.getNamespace(), repository.getName())));
+          linksBuilder.single(link("incomingDiff", resourceLinks.incoming().diff(repository.getNamespace(), repository.getName())));
+          if (repositoryService.isSupported(Command.DIFF_RESULT)) {
+            linksBuilder.single(link("incomingDiffParsed", resourceLinks.incoming().diffParsed(repository.getNamespace(), repository.getName())));
+          }
+        }
+        linksBuilder.single(link("changesets", resourceLinks.changeset().all(repository.getNamespace(), repository.getName())));
+        linksBuilder.single(link("sources", resourceLinks.source().selfWithoutRevision(repository.getNamespace(), repository.getName())));
+        linksBuilder.single(link("paths", resourceLinks.repository().paths(repository.getNamespace(), repository.getName())));
      }
    }
-    linksBuilder.single(link("changesets", resourceLinks.changeset().all(repository.getNamespace(), repository.getName())));
-    linksBuilder.single(link("sources", resourceLinks.source().selfWithoutRevision(repository.getNamespace(), repository.getName())));
-    linksBuilder.single(link("paths", resourceLinks.repository().paths(repository.getNamespace(), repository.getName())));
    if (RepositoryPermissions.healthCheck(repository).isPermitted() && !healthCheckService.checkRunning(repository)) {
      linksBuilder.single(link("runHealthCheck", resourceLinks.repository().runHealthCheck(repository.getNamespace(), repository.getName())));
    }