Use the repository identifier, whenever it is available, for access control.
Adirelle
parent
f25ec32806
commit
4ff2a991ba
41
Redmine.pm
41
Redmine.pm
|
|
@ -442,18 +442,32 @@ sub authz_handler {
|
||||||
return FORBIDDEN;
|
return FORBIDDEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $identifier = get_project_identifier($r)
|
|
||||||
or return DECLINED;
|
|
||||||
|
|
||||||
my $dbh = connect_database($r)
|
my $dbh = connect_database($r)
|
||||||
or return SERVER_ERROR;
|
or return SERVER_ERROR;
|
||||||
|
|
||||||
my $cfg = get_config($r);
|
my $cfg = get_config($r);
|
||||||
|
|
||||||
my ($project_id, $is_public, $status) = $dbh->selectrow_array(
|
my ($identifier, $project_id, $is_public, $status);
|
||||||
"SELECT p.id, p.is_public, p.status FROM projects p JOIN repositories r ON (p.id = r.project_id) WHERE p.identifier = ? AND r.type = ?",
|
|
||||||
|
if($identifier = $cfg->{Project}) {
|
||||||
|
($project_id, $is_public, $status) = $dbh->selectrow_array(
|
||||||
|
"SELECT p.id, p.is_public, p.status
|
||||||
|
FROM projects p JOIN repositories r ON (p.id = r.project_id)
|
||||||
|
WHERE p.identifier = ? AND r.type = ?",
|
||||||
undef, $identifier, $cfg->{RepositoryType}
|
undef, $identifier, $cfg->{RepositoryType}
|
||||||
) or return NOT_FOUND;
|
);
|
||||||
|
|
||||||
|
} elsif(my $repo_id = get_repository_identifier($r)) {
|
||||||
|
($identifier, $project_id, $is_public, $status) = $dbh->selectrow_array(
|
||||||
|
"SELECT p.identifier, p.id, p.is_public, p.status
|
||||||
|
FROM projects p JOIN repositories r ON (p.id = r.project_id)
|
||||||
|
WHERE COALESCE(r.identifier, p.identifier) = ? AND r.type = ?",
|
||||||
|
undef, $repo_id, $cfg->{RepositoryType}
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
return NOT_FOUND unless defined $project_id;
|
||||||
|
|
||||||
$is_public = is_true($is_public);
|
$is_public = is_true($is_public);
|
||||||
|
|
||||||
my($res, $reason) = FORBIDDEN;
|
my($res, $reason) = FORBIDDEN;
|
||||||
|
|
@ -525,16 +539,11 @@ sub authz_handler {
|
||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
# get the project identifier
|
# get the repository identifier from the URI
|
||||||
sub get_project_identifier {
|
sub get_repository_identifier {
|
||||||
my ($r) = @_;
|
my ($r) = @_;
|
||||||
|
|
||||||
my $cfg = get_config($r);
|
my $cfg = get_config($r);
|
||||||
my $identifier = $cfg->{Project};
|
my($identifier) = ($r->uri =~ $cfg->{IdentifierRegex}) if defined $cfg->{IdentifierRegex};
|
||||||
unless(defined $identifier || !defined $cfg->{IdentifierRegex}) {
|
|
||||||
($identifier) = ($r->uri =~ $cfg->{IdentifierRegex});
|
|
||||||
}
|
|
||||||
|
|
||||||
return $identifier;
|
return $identifier;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -600,9 +609,9 @@ sub is_true {
|
||||||
# build credential cache key
|
# build credential cache key
|
||||||
sub get_cache_key {
|
sub get_cache_key {
|
||||||
my ($r, $password) = @_;
|
my ($r, $password) = @_;
|
||||||
my $project = get_project_identifier($r)
|
my $identifier = get_config($r)->{Project} || get_repository_identifier($r)
|
||||||
or return;
|
or return;
|
||||||
return Digest::SHA::sha1_hex(join(':', $project, $r->user, $password, is_read_request($r) ? 'read' : 'write'));
|
return Digest::SHA::sha1_hex(join(':', $identifier, $r->user, $password, is_read_request($r) ? 'read' : 'write'));
|
||||||
}
|
}
|
||||||
|
|
||||||
# check if credentials exist in cache
|
# check if credentials exist in cache
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue