issue-545: Enforce repository permissions in patch page

src/main/java/com/gitblit/wicket/pages/PatchPage.java

@@ -20,6 +20,8 @@
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.revwalk.RevCommit;
 
+import com.gitblit.models.RepositoryModel;
+import com.gitblit.models.UserModel;
 import com.gitblit.utils.DiffUtils;
 import com.gitblit.utils.JGitUtils;
 import com.gitblit.utils.StringUtils;
@@ -31,23 +33,33 @@
 @CacheControl(LastModified.BOOT)
 public class PatchPage extends SessionPage {
 
-	public PatchPage(PageParameters params) {
+	public PatchPage(final PageParameters params) {
 		super(params);
 
 		if (!params.containsKey("r")) {
-			GitBlitWebSession.get().cacheErrorMessage(getString("gb.repositoryNotSpecified"));
+			error(getString("gb.repositoryNotSpecified"));
 			redirectToInterceptPage(new RepositoriesPage());
-			return;
 		}
 
 		final String repositoryName = WicketUtils.getRepositoryName(params);
 		final String baseObjectId = WicketUtils.getBaseObjectId(params);
 		final String objectId = WicketUtils.getObject(params);
 		final String blobPath = WicketUtils.getPath(params);
 
+		GitBlitWebSession session = GitBlitWebSession.get();
+		UserModel user = session.getUser();
+
+		RepositoryModel model = app().repositories().getRepositoryModel(user, repositoryName);
+		if (model == null) {
+			// user does not have permission
+			error(getString("gb.canNotLoadRepository") + " " + repositoryName);
+			redirectToInterceptPage(new RepositoriesPage());
+			return;
+		}
+
 		Repository r = app().repositories().getRepository(repositoryName);
 		if (r == null) {
-			GitBlitWebSession.get().cacheErrorMessage(getString("gb.canNotLoadRepository") + " " + repositoryName);
+			error(getString("gb.canNotLoadRepository") + " " + repositoryName);
 			redirectToInterceptPage(new RepositoriesPage());
 			return;
 		}
@@ -67,4 +79,5 @@ public PatchPage(PageParameters params) {
 		add(new Label("patchText", patch));
 		r.close();
 	}
+
 }