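--- a/server-core/src/main/java/io/onedev/server/rest/jersey/AnonymousCheckFilter.java
+++ b/server-core/src/main/java/io/onedev/server/rest/jersey/AnonymousCheckFilter.java
@@ -6,12 +6,14 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.ext.Provider;
 
 import org.apache.shiro.authz.UnauthenticatedException;
 
 import io.onedev.server.entitymanager.SettingManager;
+import io.onedev.server.rest.annotation.Api;
 import io.onedev.server.security.SecurityUtils;
 
 @Provider
@@ -20,6 +22,9 @@
 private final SettingManager settingManager;
 
 @Context
+private ResourceInfo resourceInfo;
+
+@Context
 private HttpServletRequest request;
 
 @Inject
@@ -29,7 +34,8 @@
 
 @Override
 public void filter(ContainerRequestContext requestContext) throws IOException {
-if (SecurityUtils.getUser() == null) {
+Api api = resourceInfo.getResourceClass().getAnnotation(Api.class);
+if ((api == null || !api.internal()) && SecurityUtils.getUser() == null) {
 String method = request.getMethod();
 if (method.equals("POST") || method.equals("DELETE") || method.equals("PUT")
 || !settingManager.getSecuritySetting().isEnableAnonymousAccess()) {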
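Review bot: The new guard in `filter()` turns `@Api(internal=true)` into an authentication exemption. A resource class carrying it skips both the `isEnableAnonymousAccess()` setting and the POST/DELETE/PUT restriction for callers with no user, and nothing in the visible lines says so. Every such resource then has to authenticate its callers itself, so I would state that contract above the check, for example `// Internal resources are exempt here and MUST authenticate callers themselves (not visible in this diff)`, and repeat it on the `internal` attribute of `Api`. Only the class-level annotation is read, so the exemption covers every method of an annotated class. `resourceInfo.getResourceClass()` is also dereferenced without a null check, which is safe only if this filter runs after resource matching; the class declaration and the rest of `filter()` are in skipped lines, so please confirm.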