return 401 on scm http request if anonymous access is enabled but does not have the required permissions

2025-10-30 10:05:58 +01:00 · 2019-10-14 16:20:27 +02:00
parent b26f9068f4
commit 38ca5f8d22
1 changed files with 7 additions and 1 deletions
--- a/scm-webapp/src/main/java/sonia/scm/web/protocol/HttpProtocolServlet.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/protocol/HttpProtocolServlet.java
@@ -13,6 +13,8 @@ import sonia.scm.repository.NamespaceAndName;
 import sonia.scm.repository.api.RepositoryService;
 import sonia.scm.repository.api.RepositoryServiceFactory;
 import sonia.scm.repository.spi.HttpScmProtocol;
+import sonia.scm.security.Authentications;
+import sonia.scm.util.HttpUtil;
 import sonia.scm.web.UserAgent;
 import sonia.scm.web.UserAgentParser;

@@ -73,7 +75,11 @@ public class HttpProtocolServlet extends HttpServlet {
      resp.setStatus(HttpStatus.SC_NOT_FOUND);
    } catch (AuthorizationException e) {
      log.debug(e.getMessage());
-      resp.setStatus(HttpStatus.SC_FORBIDDEN);
+      if (Authentications.isAuthenticatedSubjectAnonymous()) {
+        HttpUtil.sendUnauthorized(resp);
+      } else {
+        resp.setStatus(HttpStatus.SC_FORBIDDEN);
+      }
    }
  }
 }