Merge branch 'release-v1.5.3' into stable-1.x

4cea676d · Holger Just · 3f518259 · c06cba31 · 4cea676d · 4cea676d
Commit 4cea676d authored Oct 04, 2011 by Holger Just
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 7 deletions

CHANGELOG.rdoc doc/CHANGELOG.rdoc +6 -2

Redmine.pm extra/svn/Redmine.pm +24 -1

version.rb lib/redmine/version.rb +4 -4

No files found.
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
 = ChiliProject changelog

+== 2011-10-04 v1.5.3
+
+* Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it
+
 == 2011-08-01 v1.5.2

 * Bug #547: Multiple XSS vulnerabilities
@@ -1520,7 +1524,7 @@ Note: Previous versions referred to Redmine, which ChiliProject forked from in D

 * simple SVN browser added (just needs svn binaries in PATH)
 * comments can now be added on news
-* "my page" is now customizable 
+* "my page" is now customizable
 * more powerfull and savable filters for issues lists
 * improved issues change history
 * new functionality: move an issue to another project or tracker
@@ -1559,7 +1563,7 @@ Note: Previous versions referred to Redmine, which ChiliProject forked from in D
 * token based "lost password" functionality
 * user self-registration functionality (optional)
 * custom fields now available for issues, users and projects
-* new custom field format "text" (displayed as a textarea field) 
+* new custom field format "text" (displayed as a textarea field)
 * project & administration drop down menus in navigation bar for quicker access
 * text formatting is preserved for long text fields (issues, projects and news descriptions)
 * urls and emails are turned into clickable links in long text fields

--- a/extra/svn/Redmine.pm
+++ b/extra/svn/Redmine.pm
@@ -318,7 +318,7 @@ sub access_handler {
  my $project_id = get_project_identifier($r);

  $r->set_handlers(PerlAuthenHandler => [\&OK])
-      if is_public_project($project_id, $r);
+      if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);

  return OK
 }
@@ -390,6 +390,29 @@ sub is_public_project {
    $ret;
 }

+sub anonymous_role_allows_browse_repository {
+  my $r = shift;
+  
+  my $dbh = connect_database($r);
+  my $sth = $dbh->prepare(
+      "SELECT permissions FROM roles WHERE builtin = 2;"
+  );
+  
+  $sth->execute();
+  my $ret = 0;
+  if (my @row = $sth->fetchrow_array) {
+    if ($row[0] =~ /:browse_repository/) {
+      $ret = 1;
+    }
+  }
+  $sth->finish();
+  undef $sth;
+  $dbh->disconnect();
+  undef $dbh;
+  
+  $ret;
+}
+
 # perhaps we should use repository right (other read right) to check public access.
 # it could be faster BUT it doesn't work for the moment.
 # sub is_public_project_by_file {

--- a/lib/redmine/version.rb
+++ b/lib/redmine/version.rb
@@ -4,9 +4,9 @@ module Redmine
  module VERSION #:nodoc:
    MAJOR = 1
    MINOR = 5
-    PATCH = 2
+    PATCH = 3
    TINY  = PATCH # Redmine compat
-    
+
    def self.revision
      revision = nil
      entries_path = "#{RAILS_ROOT}/.svn/entries"
@@ -31,9 +31,9 @@ module Redmine
    REVISION = self.revision
    ARRAY = [MAJOR, MINOR, PATCH, REVISION].compact
    STRING = ARRAY.join('.')
-    
+
    def self.to_a; ARRAY end
-    def self.to_s; STRING end    
+    def self.to_s; STRING end
    def self.to_semver
      [MAJOR, MINOR, PATCH].join('.')
    end