Lockdown access to custom css and js files in repo

lib/gollum/app.rb

@@ -144,6 +144,10 @@ module Precious
       end
     end
 
+    get %r{\/edit\/custom.(js|css)} do
+      forbid
+    end
+
     get '/edit/*' do
       forbid unless @allow_editing
       wikip = wiki_page(params[:splat].first)
@@ -212,6 +216,10 @@ module Precious
       end
     end
 
+    post %r{\/(deleteFile|rename|edit|revert)\/custom.(js|css)} do
+      forbid
+    end
+
     post '/deleteFile/*' do
       forbid unless @allow_editing
       wiki = wiki_new

test/test_app.rb

@@ -505,6 +505,28 @@ context "Frontend" do
     Precious::App.set(:wiki_options, { :js => nil })
   end
 
+  test "don't allow editing custom js or css" do
+    Precious::App.set(:wiki_options, { :js => true, :css => true })
+    page = 'yaycustom'
+    text = 'customized!'
+
+    @wiki.write_page(page, :markdown, text,
+                     { :name => 'user1', :email => 'user1' });
+
+    ['.css', '.js'].each do |ext|
+      get "/edit/custom#{ext}"
+      assert_equal last_response.status 403
+    end
+
+    ['deleteFile', 'rename', 'edit', 'revert'].each do |route|
+      ['.css', '.js'].each do |ext|
+        post "/#{route}/custom#{ext}"
+        assert_equal last_response.status 403
+      end
+    end
+    Precious::App.set(:wiki_options, { :js => nil })
+  end
+
   test "change custom.css path if page-file-dir is set" do
     Precious::App.set(:wiki_options, { :css => true, :page_file_dir => 'docs'})
     page = 'docs/yaycustom'