System roles should not be modifiable

René Pfeuffer
2019-05-08 10:55:24 +02:00
parent dd312308fa
commit c88654739b
2 changed files with 98 additions and 1 deletions


@@ -35,6 +35,7 @@ package sonia.scm.repository;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import org.apache.shiro.authz.UnauthorizedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.EagerSingleton;
@@ -76,6 +77,7 @@ public class DefaultRepositoryRoleManager extends AbstractRepositoryRoleManager
@Override
public RepositoryRole create(RepositoryRole repositoryRole) {
assertNoSystemRole(repositoryRole);
String type = repositoryRole.getType();
if (Util.isEmpty(type)) {
repositoryRole.setType(repositoryRoleDAO.getType());
@@ -93,6 +95,7 @@ public class DefaultRepositoryRoleManager extends AbstractRepositoryRoleManager
@Override
public void delete(RepositoryRole repositoryRole) {
assertNoSystemRole(repositoryRole);
logger.info("delete repositoryRole {} of type {}", repositoryRole.getName(), repositoryRole.getType());
managerDaoAdapter.delete(
repositoryRole,
@@ -108,6 +111,7 @@ public class DefaultRepositoryRoleManager extends AbstractRepositoryRoleManager
@Override
public void modify(RepositoryRole repositoryRole) {
assertNoSystemRole(repositoryRole);
logger.info("modify repositoryRole {} of type {}", repositoryRole.getName(), repositoryRole.getType());
managerDaoAdapter.modify(
repositoryRole,
@@ -130,11 +134,17 @@ public class DefaultRepositoryRoleManager extends AbstractRepositoryRoleManager
@Override
public RepositoryRole get(String id) {
RepositoryRolePermissions.read();
RepositoryRolePermissions.read().check();
return findSystemRole(id).orElse(findCustomRole(id));
}
private void assertNoSystemRole(RepositoryRole repositoryRole) {
if (findSystemRole(repositoryRole.getId()).isPresent()) {
throw new UnauthorizedException("system roles cannot be modified");
}
}
private RepositoryRole findCustomRole(String id) {
RepositoryRole repositoryRole = repositoryRoleDAO.get(id);
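Review bot: In `get`, `findSystemRole(id).orElse(findCustomRole(id))` evaluates `findCustomRole(id)` eagerly, so the DAO is queried even when a system role has already matched; `return findSystemRole(id).orElseGet(() -> findCustomRole(id));` keeps that lookup lazy. The new `assertNoSystemRole` guard keys only on `repositoryRole.getId()`, and the page does not show how `findSystemRole` handles a null or differently-cased id, so confirm that `create` rejects those inputs rather than letting a custom role be stored next to a system role of effectively the same name. A one-line comment on the helper, for example `// system roles are built in and read-only: reject create/modify/delete for their ids`, would record why it throws `UnauthorizedException` rather than a validation error. The body of `findCustomRole` continues outside the hunk.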