LDAP team retrieval using wrong credentials

[gitblit]

Originally reported on Google Code with ID 537

What steps will reproduce the problem?
Configure gitblit to use LDAP authorization and read teams from LDAP. Specify LDAP
manager credentials for gitblit to use.

What is the expected output? What do you see instead?
The expected behavior is for gitblit to check team memberships for a user by using
the manager account, not that user's account since that user may not have the privileges
to see team memberships.

What version of the product are you using? On what operating system?
1.6.2 on Jetty 9, CentOS 6.3

Please provide any additional information below.
Browsing the source code, I noticed that after binding with the manager account, gitblit
rebinds as the user trying to log in (the comment says this is to prevent an LDAP injection
attack). Team memberships are then read after this, while bound to the LDAP server
as the user trying to log in, not the manager. I believe this is wrong since the user
doesn't have to be authorized to read team memberships.

Reported by hrvoje@mail.maracic.net on 2014-11-22 01:21:32

[gitblit]

https://github.com/gitblit/gitblit/pull/247

Reported by redsam42 on 2015-03-23 13:46:49

[flaix]

This is fixed in PR #1149

[steveno]

If this issue was fixed in #1149, should this be closed?

[flaix]

Maybe. =)
To be honest I don't know yet what the best workflow is with labels and status and milestones and releases.
This is labeled as "Queued", i.e. implemented but not released. Which means it will be closed when the 1.9.0 is released. Maybe that isn't the smartest workflow and it could also be closed now.
I know, it's not consistent right now, as there are other implemented issues that have been closed. It's a bit of experimenting with workflows to see what works best in the Github frame.

[flaix]

Closing this as fixed. Turns out keeping it open is more irritating than helpful. Adding the issue to a yet-to-be released milestone serves as a better "Queued" status.