From acaa2a2765c4864ef001ae1097285c4f5cf2987d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 03 Mar 2014 21:37:54 -0500
Subject: [PATCH] Merged #1 "Ticket tracker with patchset contributions"

---
 src/main/java/com/gitblit/git/GitblitReceivePack.java |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/src/main/java/com/gitblit/git/GitblitReceivePack.java b/src/main/java/com/gitblit/git/GitblitReceivePack.java
index 35f0d86..3a0eff2 100644
--- a/src/main/java/com/gitblit/git/GitblitReceivePack.java
+++ b/src/main/java/com/gitblit/git/GitblitReceivePack.java
@@ -50,6 +50,7 @@
 import com.gitblit.manager.IGitblit;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.tickets.BranchTicketService;
 import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.ClientLogger;
 import com.gitblit.utils.CommitCache;
@@ -236,6 +237,16 @@
 				default:
 					break;
 				}
+			} else if (ref.equals(BranchTicketService.BRANCH)) {
+				// ensure pushing user is an administrator OR an owner
+				// i.e. prevent ticket tampering
+				boolean permitted = user.canAdmin() || repository.isOwner(user.username);
+				if (!permitted) {
+					sendRejection(cmd, "{0} is not permitted to push to {1}", user.username, ref);
+				}
+			} else if (ref.startsWith(Constants.R_FOR)) {
+				// prevent accidental push to refs/for
+				sendRejection(cmd, "{0} is not configured to receive patchsets", repository.name);
 			}
 		}
 

--
Gitblit v1.9.1