From 65f55e2a2cdbce33ed4d2d7111b49ff00b2fd575 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 06 Aug 2012 17:39:25 -0400
Subject: [PATCH] Drop failed attempt to add user or team (issue 118)

---
 src/com/gitblit/RpcFilter.java |   31 +++++++++++++++++++++++--------
 1 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/src/com/gitblit/RpcFilter.java b/src/com/gitblit/RpcFilter.java
index 49df844..4c0f03d 100644
--- a/src/com/gitblit/RpcFilter.java
+++ b/src/com/gitblit/RpcFilter.java
@@ -57,28 +57,41 @@
 		HttpServletRequest httpRequest = (HttpServletRequest) request;
 		HttpServletResponse httpResponse = (HttpServletResponse) response;
 
-		if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, false)) {
+		String fullUrl = getFullUrl(httpRequest);
+		RpcRequest requestType = RpcRequest.fromName(httpRequest.getParameter("req"));
+		if (requestType == null) {
+			httpResponse.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED);
+			return;
+		}
+
+		boolean adminRequest = requestType.exceeds(RpcRequest.LIST_SETTINGS);
+
+		// conditionally reject all rpc requests
+		if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, true)) {
 			logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests.");
 			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
 			return;
 		}
 
-		String fullUrl = getFullUrl(httpRequest);
-		RpcRequest requestType = RpcRequest.fromName(httpRequest.getParameter("req"));
-
-		boolean adminRequest = requestType.exceeds(RpcRequest.LIST_REPOSITORIES);
-
 		boolean authenticateView = GitBlit.getBoolean(Keys.web.authenticateViewPages, false);
 		boolean authenticateAdmin = GitBlit.getBoolean(Keys.web.authenticateAdminPages, true);
 
-		// Wrap the HttpServletRequest with the RpcServletnRequest which
+		// Wrap the HttpServletRequest with the RpcServletRequest which
 		// overrides the servlet container user principal methods.
 		AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest);
 		UserModel user = getUser(httpRequest);
 		if (user != null) {
 			authenticatedRequest.setUser(user);
 		}
-		
+
+		// conditionally reject rpc management/administration requests
+		if (adminRequest && !GitBlit.getBoolean(Keys.web.enableRpcManagement, false)) {
+			logger.warn(MessageFormat.format("{0} must be set TRUE for {1} rpc requests.",
+					Keys.web.enableRpcManagement, requestType.toString()));
+			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+			return;
+		}
+
 		// BASIC authentication challenge and response processing
 		if ((adminRequest && authenticateAdmin) || (!adminRequest && authenticateView)) {
 			if (user == null) {
@@ -122,6 +135,8 @@
 
 	private boolean canAccess(UserModel user, RpcRequest requestType) {
 		switch (requestType) {
+		case GET_PROTOCOL:
+			return true;
 		case LIST_REPOSITORIES:
 			return true;
 		default:

--
Gitblit v1.9.1