From 0f3cb24604e7c3c1a78d5b97f6f4fce6f796b510 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 29 Mar 2013 10:02:23 -0400
Subject: [PATCH] Enforce security on raw blob page (issue 198)

---
 src/main/java/com/gitblit/wicket/pages/BasePage.java |   35 +----------------------------------
 1 files changed, 1 insertions(+), 34 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/BasePage.java b/src/main/java/com/gitblit/wicket/pages/BasePage.java
index 5c73df3..bb7d8c9 100644
--- a/src/main/java/com/gitblit/wicket/pages/BasePage.java
+++ b/src/main/java/com/gitblit/wicket/pages/BasePage.java
@@ -38,15 +38,12 @@
 import org.apache.wicket.RequestCycle;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.markup.html.CSSPackageResource;
-import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.link.BookmarkablePageLink;
 import org.apache.wicket.markup.html.link.ExternalLink;
 import org.apache.wicket.markup.html.panel.FeedbackPanel;
 import org.apache.wicket.markup.html.panel.Fragment;
 import org.apache.wicket.protocol.http.RequestUtils;
-import org.apache.wicket.protocol.http.WebRequest;
-import org.apache.wicket.protocol.http.WebResponse;
 import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -68,7 +65,7 @@
 import com.gitblit.wicket.WicketUtils;
 import com.gitblit.wicket.panels.LinkPanel;
 
-public abstract class BasePage extends WebPage {
+public abstract class BasePage extends SessionPage {
 
 	private final Logger logger;
 	
@@ -78,14 +75,12 @@
 		super();
 		logger = LoggerFactory.getLogger(getClass());
 		customizeHeader();
-		login();
 	}
 
 	public BasePage(PageParameters params) {
 		super(params);
 		logger = LoggerFactory.getLogger(getClass());
 		customizeHeader();
-		login();
 	}
 	
 	private void customizeHeader() {
@@ -132,34 +127,6 @@
 		}
 		super.onAfterRender();
 	}	
-
-	private void login() {
-		GitBlitWebSession session = GitBlitWebSession.get();
-		if (session.isLoggedIn() && !session.isSessionInvalidated()) {
-			// already have a session, refresh usermodel to pick up
-			// any changes to permissions or roles (issue-186)
-			UserModel user = GitBlit.self().getUserModel(session.getUser().username);
-			session.setUser(user);
-			return;
-		}
-		
-		// try to authenticate by servlet request
-		HttpServletRequest httpRequest = ((WebRequest) getRequestCycle().getRequest()).getHttpServletRequest();
-		UserModel user = GitBlit.self().authenticate(httpRequest);
-
-		// Login the user
-		if (user != null) {
-			// issue 62: fix session fixation vulnerability
-			session.replaceSession();
-			session.setUser(user);
-
-			// Set Cookie
-			WebResponse response = (WebResponse) getRequestCycle().getResponse();
-			GitBlit.self().setCookie(response, user);
-			
-			session.continueRequest();
-		}
-	}
 
 	protected void setupPage(String repositoryName, String pageName) {
 		if (repositoryName != null && repositoryName.trim().length() > 0) {

--
Gitblit v1.9.1