hide permissions to improve security

2025-11-10 07:25:44 +01:00 · 2011-01-28 17:55:54 +01:00
parent 1aee9ed756
commit c08990a9e0
2 changed files with 44 additions and 59 deletions
--- a/scm-webapp/src/main/java/sonia/scm/repository/xml/XmlRepositoryManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/repository/xml/XmlRepositoryManager.java
@@ -48,6 +48,7 @@ import sonia.scm.SCMContext;
 import sonia.scm.SCMContextProvider;
 import sonia.scm.Type;
 import sonia.scm.repository.AbstractRepositoryManager;
+import sonia.scm.repository.Permission;
 import sonia.scm.repository.PermissionType;
 import sonia.scm.repository.PermissionUtil;
 import sonia.scm.repository.Repository;
@@ -68,6 +69,7 @@ import sonia.scm.web.security.WebSecurityContext;

 import java.io.IOException;

+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -330,6 +332,7 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
    {
      assertIsReader(repository);
      repository = repository.clone();
+      prepareRepository(repository);
    }

    return repository;
@@ -357,6 +360,7 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
      if (isReader(repository))
      {
        repository = repository.clone();
+        prepareRepository(repository);
      }
      else
      {
@@ -382,7 +386,10 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
    {
      if (handlerMap.containsKey(repository.getType()) && isReader(repository))
      {
-        repositories.add(repository.clone());
+        Repository r = repository.clone();
+
+        prepareRepository(r);
+        repositories.add(r);
      }
    }

@@ -486,6 +493,27 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
                                    PermissionType.READ);
  }

+  /**
+   * Method description
+   *
+   *
+   * @param repository
+   */
+  private void prepareRepository(Repository repository)
+  {
+    if (isOwner(repository))
+    {
+      if (repository.getPermissions() == null)
+      {
+        repository.setPermissions(new ArrayList<Permission>());
+      }
+    }
+    else
+    {
+      repository.setPermissions(null);
+    }
+  }
+
  /**
   * Method description
   *
@@ -546,6 +574,20 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
    return handler;
  }

+  /**
+   * Method description
+   *
+   *
+   * @param repository
+   *
+   * @return
+   */
+  private boolean isOwner(Repository repository)
+  {
+    return PermissionUtil.hasPermission(repository, securityContextProvider,
+            PermissionType.OWNER);
+  }
+
  /**
   * Method description
   *