From ba2f9aa95ee55f3672cd59474c65b959d0fe7fb5 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 26 Feb 2014 23:52:45 -0500
Subject: [PATCH] Do not grant fork CLONE permissions to users/teams with implied regex CLONE permissions (issue-320)

---
 src/main/java/com/gitblit/manager/GitblitManager.java |   11 ++++++-----
 releases.moxie                                        |    1 +
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/releases.moxie b/releases.moxie
index e498f6e..18a41f0 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -16,6 +16,7 @@
     fixes:
 	- Fixed incorrect tagger attribution in the dashboard (issue-276)
 	- Fixed support for implied SSH urls in web.otherUrls (issue-311)
+	- Fixed injection of unnecessary explicit CLONE permissions for a fork when users or teams already had implied regex permissions (issue-320)
 	- Bind LDAP connection after establishing TLS initialization (issue-343)
 	- Fixed NPE when attempting to add a permission without a registrant (issue-344)
 	- Invalidate all cached repository data on "clear cache" (issue-346)
diff --git a/src/main/java/com/gitblit/manager/GitblitManager.java b/src/main/java/com/gitblit/manager/GitblitManager.java
index 95d50ac..9d096dd 100644
--- a/src/main/java/com/gitblit/manager/GitblitManager.java
+++ b/src/main/java/com/gitblit/manager/GitblitManager.java
@@ -172,7 +172,8 @@
 		if (!ArrayUtils.isEmpty(repository.owners)) {
 			for (String owner : repository.owners) {
 				UserModel originOwner = userManager.getUserModel(owner);
-				if (originOwner != null) {
+				if (originOwner != null && !originOwner.canClone(cloneModel)) {
+					// origin owner can't yet clone fork, grant explicit clone access
 					originOwner.setRepositoryPermission(cloneName, AccessPermission.CLONE);
 					reviseUser(originOwner.username, originOwner);
 				}
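Review bot: The new `!originOwner.canClone(cloneModel)` test now decides whether a grant is written at all, so it depends on cloneModel already holding the fork's final access settings, and cloneModel is set up outside this hunk. If canClone() is evaluated against a model whose access restriction has not been set yet, it would presumably return true for everyone, and the explicit CLONE grant would be skipped even for owners who have no implied regex permission. The same applies to the user and team checks in the two hunks below. I would state the precondition in the comment, e.g. `// cloneModel must already carry the fork's access restriction; otherwise canClone() cannot tell implied access from missing access`. The enclosing method starts and ends outside the hunk.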
@@ -185,8 +186,8 @@
 		for (String name : users) {
 			if (!name.equalsIgnoreCase(user.username)) {
 				UserModel cloneUser = userManager.getUserModel(name);
-				if (cloneUser.canClone(repository)) {
-					// origin user can clone origin, grant clone access to fork
+				if (cloneUser.canClone(repository) && !cloneUser.canClone(cloneModel)) {
+					// origin user can't yet clone fork, grant explicit clone access
 					cloneUser.setRepositoryPermission(cloneName, AccessPermission.CLONE);
 				}
 				cloneUsers.add(cloneUser);
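Review bot: `cloneUser` is dereferenced in the new condition without a null check, while the owner loop in the previous hunk guards the same `userManager.getUserModel(...)` call with `originOwner != null`. If a name in `users` no longer resolves to an account, this presumably throws a NullPointerException part-way through the fork's permission setup, and without the dereference a null would still be added to `cloneUsers`. Consider `if (cloneUser == null) { continue; }` ahead of the condition. The team loop in the next hunk has the same gap with `userManager.getTeamModel(name)`. The loop body continues outside the hunk.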
@@ -199,8 +200,8 @@
 		List<TeamModel> cloneTeams = new ArrayList<TeamModel>();
 		for (String name : teams) {
 			TeamModel cloneTeam = userManager.getTeamModel(name);
-			if (cloneTeam.canClone(repository)) {
-				// origin team can clone origin, grant clone access to fork
+			if (cloneTeam.canClone(repository) && !cloneTeam.canClone(cloneModel)) {
+				// origin team can't yet clone fork, grant explicit clone access
 				cloneTeam.setRepositoryPermission(cloneName, AccessPermission.CLONE);
 			}
 			cloneTeams.add(cloneTeam);

--
Gitblit v1.9.1