[SECURITY-810] require ADMINISTER for repo browser check

I've confirmed with a test script in my jenkins-bugs-private directory
that prior to this change, these 5 classes opened the external URL that
was passed as an argument in a GET request and returned a message even
if the user was not authenticated.

I've confirmed with this change that they now behave the same as the
FisheyeGitRepositoryBrowser referenced in SECURITY-810.  If they receive
a GET request from a user without ADMINISTER permission, they return
"<div/>" and do not open the external URL.

Author: MarkEWaite

src/main/java/hudson/plugins/git/browser/AssemblaWeb.java

@@ -9,6 +9,7 @@
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
 import hudson.scm.browsers.QueryBuilder;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -101,6 +102,10 @@ public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String u
             {
                 return FormValidation.ok();
             }
+            // Connect to URL and check content only if we have admin permission
+            Jenkins jenkins = Jenkins.getInstance();
+            if (jenkins == null || !jenkins.hasPermission(Jenkins.ADMINISTER))
+                return FormValidation.ok();
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
                     String v = url;

src/main/java/hudson/plugins/git/browser/GitBlitRepositoryBrowser.java

@@ -8,6 +8,7 @@
 import hudson.scm.RepositoryBrowser;
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -84,6 +85,10 @@ public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String u
             {
                 return FormValidation.ok();
             }
+            // Connect to URL and check content only if we have admin permission
+            Jenkins jenkins = Jenkins.getInstance();
+            if (jenkins == null || !jenkins.hasPermission(Jenkins.ADMINISTER))
+                return FormValidation.ok();
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
                     String v = url;

src/main/java/hudson/plugins/git/browser/Gitiles.java

@@ -8,6 +8,8 @@
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
 
+import jenkins.model.Jenkins;
+
 import java.io.IOException;
 import java.net.URL;
 
@@ -69,6 +71,10 @@ public Gitiles newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject) t
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException {
             if (url == null) // nothing entered yet
                 return FormValidation.ok();
+            // Connect to URL and check content only if we have admin permission
+            Jenkins jenkins = Jenkins.getInstance();
+            if (jenkins == null || !jenkins.hasPermission(Jenkins.ADMINISTER))
+                return FormValidation.ok();
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
                     String v = url;

src/main/java/hudson/plugins/git/browser/TFS2013GitRepositoryBrowser.java

@@ -110,11 +110,16 @@ public TFS2013GitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSON
          */
         public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String value, @AncestorInPath AbstractProject project) throws IOException,
                 ServletException {
-            
+
+            // Connect to URL and check content only if we have admin permission
+            Jenkins jenkins = Jenkins.getInstance();
+            if (jenkins == null || !jenkins.hasPermission(Hudson.ADMINISTER))
+                return FormValidation.ok();
+
             if (value == null) // nothing entered yet
                 value = "origin";
 
-            if (!value.contains("/")) {
+            if (!value.contains("/") && project != null) {
                 GitSCM scm = (GitSCM) project.getScm();
                 RemoteConfig remote = scm.getRepositoryByName(value);
                 if (remote == null)
@@ -128,11 +133,6 @@ public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String val
             if (!URL_PATTERN.matcher(value).matches())
                 return FormValidation.errorWithMarkup("The URL should end like <tt>.../_git/foobar/</tt>");
 
-            // Connect to URL and check content only if we have admin permission
-            Jenkins jenkins = Jenkins.getInstance();
-            if (jenkins != null && jenkins.hasPermission(Hudson.ADMINISTER))
-                return FormValidation.ok();
-
             final String finalValue = value;
             return new FormValidation.URLCheck() {
                 @Override

src/main/java/hudson/plugins/git/browser/ViewGitWeb.java

@@ -9,6 +9,7 @@
 import hudson.scm.browsers.QueryBuilder;
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -89,6 +90,10 @@ public ViewGitWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject
         public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException {
             if (url == null) // nothing entered yet
                 return FormValidation.ok();
+            // Connect to URL and check content only if we have admin permission
+            Jenkins jenkins = Jenkins.getInstance();
+            if (jenkins == null || !jenkins.hasPermission(Jenkins.ADMINISTER))
+                return FormValidation.ok();
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
                     String v = url;