From 0ee2aaaa45000a7f14e6e5eaa2b9be4bd73ba0bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?= Date: Mon, 30 Mar 2020 12:28:57 +0200 Subject: [PATCH] Fix authentication for repositories with anonymous read access Repositories with anonymous read access could not be written any more, because for write requests there was no authentication request. This fixes the check for anonymous access and requests username and password, again. --- CHANGELOG.md | 4 ++++ .../java/sonia/scm/web/filter/PermissionFilter.java | 6 +++--- .../sonia/scm/web/filter/PermissionFilterTest.java | 13 ++++++++++++- scm-core/src/test/resources/sonia/scm/shiro.ini | 1 + 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6ce1222f5..846b69b283 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +### Fixed +- Authentication for write requests for repositories with anonymous read access ([#108](https://github.com/scm-manager/scm-manager/pull/1081)) + ## 2.0.0-rc6 - 2020-03-26 ### Added - Extension point to add links to the repository cards from plug ins ([#1041](https://github.com/scm-manager/scm-manager/pull/1041)) diff --git a/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java b/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java index a254edcb41..9cfa95c1d5 100644 --- a/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java +++ b/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java @@ -21,7 +21,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ - + package sonia.scm.web.filter; import org.apache.shiro.SecurityUtils; 
@@ -35,7 +35,7 @@ import sonia.scm.repository.Repository; import sonia.scm.repository.RepositoryPermissions; import sonia.scm.repository.spi.ScmProviderHttpServlet; import sonia.scm.repository.spi.ScmProviderHttpServletDecorator; -import sonia.scm.security.Role; +import sonia.scm.security.Authentications; import sonia.scm.security.ScmSecurityException; import sonia.scm.util.HttpUtil; @@ -177,7 +177,7 @@ public abstract class PermissionFilter extends ScmProviderHttpServletDecorator HttpServletResponse response, Subject subject) throws IOException { - if (subject.hasRole(Role.USER)) + if (!Authentications.isAuthenticatedSubjectAnonymous()) { sendNotEnoughPrivilegesError(request, response); } diff --git a/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java b/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java index ad21e501e7..5ba99bd2f1 100644 --- a/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java +++ b/scm-core/src/test/java/sonia/scm/web/filter/PermissionFilterTest.java @@ -21,7 +21,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ - + package sonia.scm.web.filter; import com.github.sdorra.shiro.ShiroRule; @@ -82,6 +82,17 @@ public class PermissionFilterTest { permissionFilter.service(request, response, REPOSITORY); + verify(response).sendError(eq(403)); + verify(delegateServlet, never()).service(request, response, REPOSITORY); + } + + @Test + @SubjectAware(username = "_anonymous", password = "secret") + public void shouldBlockForAnonymousOnWriteRequestWithAuthenticationRequest() throws IOException, ServletException { + writeRequest = true; + + permissionFilter.service(request, response, REPOSITORY); + verify(response).sendError(eq(401), anyString()); verify(delegateServlet, never()).service(request, response, REPOSITORY); } 
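Review bot: The new condition in the `@@ -177,7 +177,7 @@` hunk no longer consults the `subject` parameter that the enclosing method still receives; `Authentications.isAuthenticatedSubjectAnonymous()` presumably resolves the subject on its own (likely the thread-bound one), so the parameter and the check can now disagree if a caller ever hands in a subject other than the current one. Either route the check through the passed subject, for example by handing `subject.getPrincipal()` to a principal-based variant of the check if `Authentications` offers one, or drop the now-unused parameter and document that the method inspects the thread-bound subject. A one-line comment above the condition would also help, because the old `hasRole(Role.USER)` check reads as intentional and the commit message implies the anonymous user passes it too: `// the anonymous user presumably carries the USER role as well, so decide by principal rather than by role`. The enclosing method begins and ends outside the hunk, so other uses of `subject` in it cannot be confirmed from here.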
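Review bot: The new test in the `@@ -82,6 +82,17 @@` hunk of PermissionFilterTest hard-codes the anonymous principal as the literal `"_anonymous"` in `@SubjectAware`, while the production check now depends on whatever name `Authentications` treats as anonymous; if that name ever changes, the test keeps passing against a stale fixture instead of failing. If `Authentications` exposes the anonymous principal name as a `static final String` constant, reference it in the annotation instead of the literal (annotation values require a compile-time constant, which such a field satisfies), and do the same for the `_anonymous = secret` entry in the shiro.ini fixture via a comment pointing at that constant. The trailing `verify(response).sendError(eq(403))` assertions at the top of the hunk belong to a test whose header lies outside the hunk, so the authenticated-but-unprivileged case cannot be fully reviewed from here.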
diff --git a/scm-core/src/test/resources/sonia/scm/shiro.ini b/scm-core/src/test/resources/sonia/scm/shiro.ini index fda268ec83..4bd34d3a41 100644 --- a/scm-core/src/test/resources/sonia/scm/shiro.ini +++ b/scm-core/src/test/resources/sonia/scm/shiro.ini @@ -4,6 +4,7 @@ admin = secret, admin writer = secret, repo_write reader = secret, repo_read unpriv = secret +_anonymous = secret [roles] admin = *