From 8fb8cd0ee54e910cb8aa7dc4bcb565fb73b3c863 Mon Sep 17 00:00:00 2001 From: Holger Just Date: Tue, 4 Oct 2011 17:17:31 +0200 Subject: [PATCH] [#619] Restrict anonymous read access with Redmine.pm Redmine.pm now also checks for public projects whether the anonymous user has the browse_repository right for a read operation. --- extra/svn/Redmine.pm | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm index a780f11461..6ecb457a84 100644 --- a/extra/svn/Redmine.pm +++ b/extra/svn/Redmine.pm @@ -318,7 +318,7 @@ sub access_handler { my $project_id = get_project_identifier($r); $r->set_handlers(PerlAuthenHandler => [\&OK]) - if is_public_project($project_id, $r); + if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r); return OK } @@ -390,6 +390,29 @@ sub is_public_project { $ret; } +sub anonymous_role_allows_browse_repository { + my $r = shift; + + my $dbh = connect_database($r); + my $sth = $dbh->prepare( + "SELECT permissions FROM roles WHERE builtin = 2;" + ); + + $sth->execute(); + my $ret = 0; + if (my @row = $sth->fetchrow_array) { + if ($row[0] =~ /:browse_repository/) { + $ret = 1; + } + } + $sth->finish(); + undef $sth; + $dbh->disconnect(); + undef $dbh; + + $ret; +} + # perhaps we should use repository right (other read right) to check public access. # it could be faster BUT it doesn't work for the moment. # sub is_public_project_by_file {