Merge "Make gitweb prompt for authorization"

2014-06-23 08:18:13 +00:00 · 2014-06-23 08:18:13 +00:00 · 886db53b2d
commit 886db53b2d
parent 0a6a19db67 fd7df89ff9
1 changed files with 12 additions and 1 deletions
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java
@ -34,6 +34,7 @@ import com.google.gerrit.extensions.restapi.Url;
 import com.google.gerrit.httpd.GitWebConfig;
 import com.google.gerrit.reviewdb.client.Project;
 import com.google.gerrit.server.AnonymousUser;
+import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.config.SitePaths;
 import com.google.gerrit.server.git.LocalDiskRepositoryManager;
@ -85,18 +86,21 @@ class GitWebServlet extends HttpServlet {
  private final LocalDiskRepositoryManager repoManager;
  private final ProjectControl.Factory projectControl;
  private final Provider<AnonymousUser> anonymousUserProvider;
+  private final Provider<CurrentUser> userProvider;
  private final EnvList _env;

  @Inject
  GitWebServlet(final LocalDiskRepositoryManager repoManager,
      final ProjectControl.Factory projectControl,
      final Provider<AnonymousUser> anonymousUserProvider,
+      final Provider<CurrentUser> userProvider,
      final SitePaths site,
      final GerritConfig gerritConfig, final GitWebConfig gitWebConfig)
      throws IOException {
    this.repoManager = repoManager;
    this.projectControl = projectControl;
    this.anonymousUserProvider = anonymousUserProvider;
+    this.userProvider = userProvider;
    this.gitwebCgi = gitWebConfig.getGitwebCGI();
    this.deniedActions = new HashSet<>();

@ -377,7 +381,14 @@ class GitWebServlet extends HttpServlet {
        throw new NoSuchProjectException(nameKey);
      }
    } catch (NoSuchProjectException e) {
-      rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+      if (userProvider.get().isIdentifiedUser()) {
+        rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+      } else {
+        // Allow anonymous users a chance to login.
+        // Avoid leaking information by not distinguishing between
+        // project not existing and no access rights.
+        rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+      }
      return;
    }