Make gitweb prompt for authorization
Make gitweb return a 401 UNAUTHORIZED response if the user isn't currently logged in and the project can't be found. This response is uniform to cover both the case where the anonymous user doesn't have access to the project and the case where the project simply doesn't exist. If the user is logged in, a 404 continues to be returned. Bug: Issue 2595 Change-Id: I199a725fc3ec73e3493cadb6ccf2d7ad54262a2e

committed by
Hugo Arès

parent
b4edfabc03
commit
fd7df89ff9
@@ -34,6 +34,7 @@ import com.google.gerrit.extensions.restapi.Url;
|
||||
import com.google.gerrit.httpd.GitWebConfig;
|
||||
import com.google.gerrit.reviewdb.client.Project;
|
||||
import com.google.gerrit.server.AnonymousUser;
|
||||
import com.google.gerrit.server.CurrentUser;
|
||||
import com.google.gerrit.server.IdentifiedUser;
|
||||
import com.google.gerrit.server.config.SitePaths;
|
||||
import com.google.gerrit.server.git.LocalDiskRepositoryManager;
|
||||
@@ -85,18 +86,21 @@ class GitWebServlet extends HttpServlet {
|
||||
private final LocalDiskRepositoryManager repoManager;
|
||||
private final ProjectControl.Factory projectControl;
|
||||
private final Provider<AnonymousUser> anonymousUserProvider;
|
||||
private final Provider<CurrentUser> userProvider;
|
||||
private final EnvList _env;
|
||||
|
||||
@Inject
|
||||
GitWebServlet(final LocalDiskRepositoryManager repoManager,
|
||||
final ProjectControl.Factory projectControl,
|
||||
final Provider<AnonymousUser> anonymousUserProvider,
|
||||
final Provider<CurrentUser> userProvider,
|
||||
final SitePaths site,
|
||||
final GerritConfig gerritConfig, final GitWebConfig gitWebConfig)
|
||||
throws IOException {
|
||||
this.repoManager = repoManager;
|
||||
this.projectControl = projectControl;
|
||||
this.anonymousUserProvider = anonymousUserProvider;
|
||||
this.userProvider = userProvider;
|
||||
this.gitwebCgi = gitWebConfig.getGitwebCGI();
|
||||
this.deniedActions = new HashSet<>();
|
||||
|
||||
@@ -377,7 +381,14 @@ class GitWebServlet extends HttpServlet {
|
||||
throw new NoSuchProjectException(nameKey);
|
||||
}
|
||||
} catch (NoSuchProjectException e) {
|
||||
rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
|
||||
if (userProvider.get().isIdentifiedUser()) {
|
||||
rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
|
||||
} else {
|
||||
// Allow anonymous users a chance to login.
|
||||
// Avoid leaking information by not distinguishing between
|
||||
// project not existing and no access rights.
|
||||
rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
}
|
||||
return;
|
||||
}
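Review bot: `rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED)` in the new else branch emits a 401 without a `WWW-Authenticate` challenge, which RFC 7235 requires on a 401; a browser receiving this response renders the error page instead of prompting for credentials, so the "prompt for authorization" in the title only happens if something in front of this servlet adds the challenge. Unless a filter ahead of GitWebServlet is known to add that header (not visible in this hunk), set it before the call, e.g. `rsp.setHeader("WWW-Authenticate", "Basic realm=\"<site realm>\"");` with the realm matching the site's existing HTTP authentication, or extend the comment to say the challenge is expected from an upstream auth filter. The try block and the method enclosing this catch begin outside the hunk.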
|
||||
|
||||
|