Make gitweb prompt for authorization
Make gitweb return a 401 UNAUTHORIZED response if the user isn't
currently logged in and the project can't be found.
This response is uniform to cover both the cases where anonymous
doesn't have access to the project, or if the project just doesn't
exist.
If the user is authorized, a 404 continues to be returned.
Bug: Issue 2595
Change-Id: I199a725fc3ec73e3493cadb6ccf2d7ad54262a2e
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java
index f831ab5..2902335 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/gitweb/GitWebServlet.java
@@ -34,6 +34,7 @@
import com.google.gerrit.httpd.GitWebConfig;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.AnonymousUser;
+import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.config.SitePaths;
import com.google.gerrit.server.git.LocalDiskRepositoryManager;
@@ -85,18 +86,21 @@
private final LocalDiskRepositoryManager repoManager;
private final ProjectControl.Factory projectControl;
private final Provider<AnonymousUser> anonymousUserProvider;
+ private final Provider<CurrentUser> userProvider;
private final EnvList _env;
@Inject
GitWebServlet(final LocalDiskRepositoryManager repoManager,
final ProjectControl.Factory projectControl,
final Provider<AnonymousUser> anonymousUserProvider,
+ final Provider<CurrentUser> userProvider,
final SitePaths site,
final GerritConfig gerritConfig, final GitWebConfig gitWebConfig)
throws IOException {
this.repoManager = repoManager;
this.projectControl = projectControl;
this.anonymousUserProvider = anonymousUserProvider;
+ this.userProvider = userProvider;
this.gitwebCgi = gitWebConfig.getGitwebCGI();
this.deniedActions = new HashSet<>();
@@ -377,7 +381,14 @@
throw new NoSuchProjectException(nameKey);
}
} catch (NoSuchProjectException e) {
- rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+ if (userProvider.get().isIdentifiedUser()) {
+ rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+ } else {
+ // Allow anonymous users a chance to login.
+ // Avoid leaking information by not distinguishing between
+ // project not existing and no access rights.
+ rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ }
return;
}
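Review bot: The `rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED)` branch sends a 401 without a `WWW-Authenticate` header, which RFC 7235 requires on every 401 response; a browser will not prompt for credentials on a bare 401, so the "chance to login" the new comment promises depends on an authentication filter or container mapping that is not visible in this hunk. If such handling exists, the comment should name it so the next maintainer does not read this as a self-contained login prompt, e.g. `// A bare 401 is intercepted by the servlet's authentication handling and turned into a login flow — TODO confirm which filter` ; if it does not, the branch needs either the header or a redirect to the site's login path. The anonymous-vs-identified split is otherwise consistent: both branches return one status for "missing" and "no access", so neither user class can distinguish the two. The enclosing method begins outside the hunk.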