From fc3a39d464b1303f0b7d01d0160f81cbbb80a98b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Sun, 07 Sep 2014 11:42:40 -0400
Subject: [PATCH] Create infrastructure for XSS sanitization

---
 src/main/java/com/gitblit/wicket/pages/TicketPage.java |   35 +++++++++++++++++++++++++----------
 1 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/TicketPage.java b/src/main/java/com/gitblit/wicket/pages/TicketPage.java
index c282695..b1f94a5 100644
--- a/src/main/java/com/gitblit/wicket/pages/TicketPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/TicketPage.java
@@ -57,6 +57,7 @@
 
 import com.gitblit.Constants;
 import com.gitblit.Constants.AccessPermission;
+import com.gitblit.Constants.AuthorizationControl;
 import com.gitblit.Keys;
 import com.gitblit.git.PatchsetCommand;
 import com.gitblit.git.PatchsetReceivePack;
@@ -248,17 +249,24 @@
 			add(new Label("milestone"));
 		} else {
 			// link to milestone query
-			TicketMilestone milestone = app().tickets().getMilestone(repository, ticket.milestone);
-			PageParameters milestoneParameters = new PageParameters();
-			milestoneParameters.put("r", repositoryName);
+			TicketMilestone tm = app().tickets().getMilestone(repository, ticket.milestone);
+			if (tm == null) {
+				tm = new TicketMilestone(ticket.milestone);
+			}
+			PageParameters milestoneParameters;
+			if (tm.isOpen()) {
+				milestoneParameters = WicketUtils.newOpenTicketsParameter(repositoryName);
+			} else {
+				milestoneParameters = WicketUtils.newRepositoryParameter(repositoryName);
+			}
 			milestoneParameters.put(Lucene.milestone.name(), ticket.milestone);
 			int progress = 0;
 			int open = 0;
 			int closed = 0;
-			if (milestone != null) {
-				progress = milestone.getProgress();
-				open = milestone.getOpenTickets();
-				closed = milestone.getClosedTickets();
+			if (tm != null) {
+				progress = tm.getProgress();
+				open = tm.getOpenTickets();
+				closed = tm.getClosedTickets();
 			}
 
 			Fragment milestoneProgress = new Fragment("milestone", "milestoneProgressFragment", this);
@@ -383,9 +391,16 @@
 				 * RESPONSIBLE LIST
 				 */
 				Set<String> userlist = new TreeSet<String>(ticket.getParticipants());
-				for (RegistrantAccessPermission rp : app().repositories().getUserAccessPermissions(getRepositoryModel())) {
-					if (rp.permission.atLeast(AccessPermission.PUSH) && !rp.isTeam()) {
-						userlist.add(rp.registrant);
+				if (UserModel.ANONYMOUS.canPush(getRepositoryModel())
+						|| AuthorizationControl.AUTHENTICATED == getRepositoryModel().authorizationControl) {
+					// 	authorization is ANONYMOUS or AUTHENTICATED (i.e. all users can be set responsible)
+					userlist.addAll(app().users().getAllUsernames());
+				} else {
+					// authorization is by NAMED users (users with PUSH permission can be set responsible)
+					for (RegistrantAccessPermission rp : app().repositories().getUserAccessPermissions(getRepositoryModel())) {
+						if (rp.permission.atLeast(AccessPermission.PUSH)) {
+							userlist.add(rp.registrant);
+						}
 					}
 				}
 				List<TicketResponsible> responsibles = new ArrayList<TicketResponsible>();

--
Gitblit v1.9.1