From 841651baee2181c1543555d1eabcd0e4fee48827 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 05 Oct 2011 22:22:43 -0400
Subject: [PATCH] New setting to disable RPC administration. Advancing the RPC client.

---
 src/com/gitblit/RpcFilter.java |   22 +++++++++++++++-------
 1 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/com/gitblit/RpcFilter.java b/src/com/gitblit/RpcFilter.java
index 49df844..f92dd96 100644
--- a/src/com/gitblit/RpcFilter.java
+++ b/src/com/gitblit/RpcFilter.java
@@ -57,20 +57,21 @@
 		HttpServletRequest httpRequest = (HttpServletRequest) request;
 		HttpServletResponse httpResponse = (HttpServletResponse) response;
 
-		if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, false)) {
-			logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests.");
-			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
-			return;
-		}
-
 		String fullUrl = getFullUrl(httpRequest);
 		RpcRequest requestType = RpcRequest.fromName(httpRequest.getParameter("req"));
 
 		boolean adminRequest = requestType.exceeds(RpcRequest.LIST_REPOSITORIES);
 
+		// conditionally reject all rpc requests
+		if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, true)) {
+			logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests.");
+			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+			return;
+		}
+
 		boolean authenticateView = GitBlit.getBoolean(Keys.web.authenticateViewPages, false);
 		boolean authenticateAdmin = GitBlit.getBoolean(Keys.web.authenticateAdminPages, true);
-
+		
 		// Wrap the HttpServletRequest with the RpcServletnRequest which
 		// overrides the servlet container user principal methods.
 		AuthenticatedRequest authenticatedRequest = new AuthenticatedRequest(httpRequest);
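Review bot: The rebuilt check on L30 flips the default of `Keys.web.enableRpcServlet` from `false` to `true`, so an installation with no explicit setting now accepts RPC requests where it previously refused them; the commit message mentions only the new administration setting, so if this fail-open default is intended it should be called out in the message and the settings documentation, otherwise keep `if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, false)) {`. The same check has also moved below L24-L27, so `getFullUrl` and `RpcRequest.fromName(httpRequest.getParameter("req"))` now run on every request before the servlet is known to be enabled; if `fromName` can return null for an unrecognized `req` value (not visible here), `requestType.exceeds(...)` on L27 would throw before the 403 is sent. Moving the block back ahead of L24 keeps the disabled path free of request parsing. The enclosing method starts before and ends after this hunk.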
@@ -79,6 +80,13 @@
 			authenticatedRequest.setUser(user);
 		}
 		
+		// conditionally reject rpc administration requests
+		if (adminRequest && !GitBlit.getBoolean(Keys.web.enableRpcAdministration, false)) {
+			logger.warn(Keys.web.enableRpcAdministration + " must be set TRUE for administrative rpc requests.");
+			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+			return;
+		}
+		
 		// BASIC authentication challenge and response processing
 		if ((adminRequest && authenticateAdmin) || (!adminRequest && authenticateView)) {
 			if (user == null) {
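Review bot: The administration gate on L48 runs before the BASIC challenge on L55, so the 403 is decided on unauthenticated input and an anonymous caller can distinguish an installation with `enableRpcAdministration` off (403) from one with it on (401 challenge); failing closed this early is reasonable, but it is worth a comment such as `// rejected before authentication: an anonymous caller can observe this 403` so the ordering is not later mistaken for an oversight. The warn on L49 is also triggerable without credentials and records neither the request type nor the origin, which makes the log hard to act on during an incident; including `requestType` and `httpRequest.getRemoteAddr()` in the message would help, e.g. `logger.warn(Keys.web.enableRpcAdministration + " must be set TRUE for administrative rpc requests (" + requestType + " from " + httpRequest.getRemoteAddr() + ")");`. The enclosing method starts before and ends after this hunk.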

--
Gitblit v1.9.1