Fossil SCM
* Changed security for timeline. To view the timeline, you must now have History access. The timeline will then display only items which you have access to. "o" (Check-out) is required for source history, "j" (Read-Wiki) is required for Wiki history and "r" (Read-Tkt) is required for Ticket history.
Commit
71ad9b62a762d7a0e9d2e25e2e39f1082d79d086
Parent
efdad08182dc8c0…
3 files changed
+9
-3
+3
-1
+22
-6
+9
-3
| --- src/skins.c | ||
| +++ src/skins.c | ||
| @@ -188,14 +188,16 @@ | ||
| 188 | 188 | @ if {[hascap h]} { |
| 189 | 189 | @ html "<a href=''$baseurl/dir''>Files</a> " |
| 190 | 190 | @ } |
| 191 | 191 | @ if {[hascap o]} { |
| 192 | 192 | @ html "<a href=''$baseurl/leaves''>Leaves</a> " |
| 193 | -@ html "<a href=''$baseurl/timeline''>Timeline</a> " | |
| 194 | 193 | @ html "<a href=''$baseurl/brlist''>Branches</a> " |
| 195 | 194 | @ html "<a href=''$baseurl/taglist''>Tags</a> " |
| 196 | 195 | @ } |
| 196 | +@ if {[hascap h]} { | |
| 197 | +@ html "<a href=''$baseurl/timeline''>Timeline</a> " | |
| 198 | +@ } | |
| 197 | 199 | @ if {[hascap r]} { |
| 198 | 200 | @ html "<a href=''$baseurl/reportlist''>Tickets</a> " |
| 199 | 201 | @ } |
| 200 | 202 | @ if {[hascap j]} { |
| 201 | 203 | @ html "<a href=''$baseurl/wiki''>Wiki</a> " |
| @@ -388,14 +390,16 @@ | ||
| 388 | 390 | @ if {[hascap h]} { |
| 389 | 391 | @ html "<a href=''$baseurl/dir''>Files</a> " |
| 390 | 392 | @ } |
| 391 | 393 | @ if {[hascap o]} { |
| 392 | 394 | @ html "<a href=''$baseurl/leaves''>Leaves</a> " |
| 393 | -@ html "<a href=''$baseurl/timeline''>Timeline</a> " | |
| 394 | 395 | @ html "<a href=''$baseurl/brlist''>Branches</a> " |
| 395 | 396 | @ html "<a href=''$baseurl/taglist''>Tags</a> " |
| 396 | 397 | @ } |
| 398 | +@ if {[hascap h]} { | |
| 399 | +@ html "<a href=''$baseurl/timeline''>Timeline</a> " | |
| 400 | +@ } | |
| 397 | 401 | @ if {[hascap r]} { |
| 398 | 402 | @ html "<a href=''$baseurl/reportlist''>Tickets</a> " |
| 399 | 403 | @ } |
| 400 | 404 | @ if {[hascap j]} { |
| 401 | 405 | @ html "<a href=''$baseurl/wiki''>Wiki</a> " |
| @@ -621,14 +625,16 @@ | ||
| 621 | 625 | @ if {[hascap h]} { |
| 622 | 626 | @ html "<li><a href=''$baseurl/dir''>Files</a></li>" |
| 623 | 627 | @ } |
| 624 | 628 | @ if {[hascap o]} { |
| 625 | 629 | @ html "<li><a href=''$baseurl/leaves''>Leaves</a></li>" |
| 626 | -@ html "<li><a href=''$baseurl/timeline''>Timeline</a></li>" | |
| 627 | 630 | @ html "<li><a href=''$baseurl/brlist''>Branches</a></li>" |
| 628 | 631 | @ html "<li><a href=''$baseurl/taglist''>Tags</a></li>" |
| 629 | 632 | @ } |
| 633 | +@ if {[hascap h]} { | |
| 634 | +@ html "<li><a href=''$baseurl/timeline''>Timeline</a></li>" | |
| 635 | +@ } | |
| 630 | 636 | @ if {[hascap r]} { |
| 631 | 637 | @ html "<li><a href=''$baseurl/reportlist''>Tickets</a></li>" |
| 632 | 638 | @ } |
| 633 | 639 | @ if {[hascap j]} { |
| 634 | 640 | @ html "<li><a href=''$baseurl/wiki''>Wiki</a></li>" |
| 635 | 641 |
| --- src/skins.c | |
| +++ src/skins.c | |
| @@ -188,14 +188,16 @@ | |
| 188 | @ if {[hascap h]} { |
| 189 | @ html "<a href=''$baseurl/dir''>Files</a> " |
| 190 | @ } |
| 191 | @ if {[hascap o]} { |
| 192 | @ html "<a href=''$baseurl/leaves''>Leaves</a> " |
| 193 | @ html "<a href=''$baseurl/timeline''>Timeline</a> " |
| 194 | @ html "<a href=''$baseurl/brlist''>Branches</a> " |
| 195 | @ html "<a href=''$baseurl/taglist''>Tags</a> " |
| 196 | @ } |
| 197 | @ if {[hascap r]} { |
| 198 | @ html "<a href=''$baseurl/reportlist''>Tickets</a> " |
| 199 | @ } |
| 200 | @ if {[hascap j]} { |
| 201 | @ html "<a href=''$baseurl/wiki''>Wiki</a> " |
| @@ -388,14 +390,16 @@ | |
| 388 | @ if {[hascap h]} { |
| 389 | @ html "<a href=''$baseurl/dir''>Files</a> " |
| 390 | @ } |
| 391 | @ if {[hascap o]} { |
| 392 | @ html "<a href=''$baseurl/leaves''>Leaves</a> " |
| 393 | @ html "<a href=''$baseurl/timeline''>Timeline</a> " |
| 394 | @ html "<a href=''$baseurl/brlist''>Branches</a> " |
| 395 | @ html "<a href=''$baseurl/taglist''>Tags</a> " |
| 396 | @ } |
| 397 | @ if {[hascap r]} { |
| 398 | @ html "<a href=''$baseurl/reportlist''>Tickets</a> " |
| 399 | @ } |
| 400 | @ if {[hascap j]} { |
| 401 | @ html "<a href=''$baseurl/wiki''>Wiki</a> " |
| @@ -621,14 +625,16 @@ | |
| 621 | @ if {[hascap h]} { |
| 622 | @ html "<li><a href=''$baseurl/dir''>Files</a></li>" |
| 623 | @ } |
| 624 | @ if {[hascap o]} { |
| 625 | @ html "<li><a href=''$baseurl/leaves''>Leaves</a></li>" |
| 626 | @ html "<li><a href=''$baseurl/timeline''>Timeline</a></li>" |
| 627 | @ html "<li><a href=''$baseurl/brlist''>Branches</a></li>" |
| 628 | @ html "<li><a href=''$baseurl/taglist''>Tags</a></li>" |
| 629 | @ } |
| 630 | @ if {[hascap r]} { |
| 631 | @ html "<li><a href=''$baseurl/reportlist''>Tickets</a></li>" |
| 632 | @ } |
| 633 | @ if {[hascap j]} { |
| 634 | @ html "<li><a href=''$baseurl/wiki''>Wiki</a></li>" |
| 635 |
| --- src/skins.c | |
| +++ src/skins.c | |
| @@ -188,14 +188,16 @@ | |
| 188 | @ if {[hascap h]} { |
| 189 | @ html "<a href=''$baseurl/dir''>Files</a> " |
| 190 | @ } |
| 191 | @ if {[hascap o]} { |
| 192 | @ html "<a href=''$baseurl/leaves''>Leaves</a> " |
| 193 | @ html "<a href=''$baseurl/brlist''>Branches</a> " |
| 194 | @ html "<a href=''$baseurl/taglist''>Tags</a> " |
| 195 | @ } |
| 196 | @ if {[hascap h]} { |
| 197 | @ html "<a href=''$baseurl/timeline''>Timeline</a> " |
| 198 | @ } |
| 199 | @ if {[hascap r]} { |
| 200 | @ html "<a href=''$baseurl/reportlist''>Tickets</a> " |
| 201 | @ } |
| 202 | @ if {[hascap j]} { |
| 203 | @ html "<a href=''$baseurl/wiki''>Wiki</a> " |
| @@ -388,14 +390,16 @@ | |
| 390 | @ if {[hascap h]} { |
| 391 | @ html "<a href=''$baseurl/dir''>Files</a> " |
| 392 | @ } |
| 393 | @ if {[hascap o]} { |
| 394 | @ html "<a href=''$baseurl/leaves''>Leaves</a> " |
| 395 | @ html "<a href=''$baseurl/brlist''>Branches</a> " |
| 396 | @ html "<a href=''$baseurl/taglist''>Tags</a> " |
| 397 | @ } |
| 398 | @ if {[hascap h]} { |
| 399 | @ html "<a href=''$baseurl/timeline''>Timeline</a> " |
| 400 | @ } |
| 401 | @ if {[hascap r]} { |
| 402 | @ html "<a href=''$baseurl/reportlist''>Tickets</a> " |
| 403 | @ } |
| 404 | @ if {[hascap j]} { |
| 405 | @ html "<a href=''$baseurl/wiki''>Wiki</a> " |
| @@ -621,14 +625,16 @@ | |
| 625 | @ if {[hascap h]} { |
| 626 | @ html "<li><a href=''$baseurl/dir''>Files</a></li>" |
| 627 | @ } |
| 628 | @ if {[hascap o]} { |
| 629 | @ html "<li><a href=''$baseurl/leaves''>Leaves</a></li>" |
| 630 | @ html "<li><a href=''$baseurl/brlist''>Branches</a></li>" |
| 631 | @ html "<li><a href=''$baseurl/taglist''>Tags</a></li>" |
| 632 | @ } |
| 633 | @ if {[hascap h]} { |
| 634 | @ html "<li><a href=''$baseurl/timeline''>Timeline</a></li>" |
| 635 | @ } |
| 636 | @ if {[hascap r]} { |
| 637 | @ html "<li><a href=''$baseurl/reportlist''>Tickets</a></li>" |
| 638 | @ } |
| 639 | @ if {[hascap j]} { |
| 640 | @ html "<li><a href=''$baseurl/wiki''>Wiki</a></li>" |
| 641 |
+3
-1
| --- src/style.c | ||
| +++ src/style.c | ||
| @@ -210,14 +210,16 @@ | ||
| 210 | 210 | @ if {[hascap h]} { |
| 211 | 211 | @ html "<a href='$baseurl/dir'>Files</a> " |
| 212 | 212 | @ } |
| 213 | 213 | @ if {[hascap o]} { |
| 214 | 214 | @ html "<a href='$baseurl/leaves'>Leaves</a> " |
| 215 | -@ html "<a href='$baseurl/timeline'>Timeline</a> " | |
| 216 | 215 | @ html "<a href='$baseurl/brlist'>Branches</a> " |
| 217 | 216 | @ html "<a href='$baseurl/taglist'>Tags</a> " |
| 218 | 217 | @ } |
| 218 | +@ if {[hascap h]} { | |
| 219 | +@ html "<a href='$baseurl/timeline'>Timeline</a> " | |
| 220 | +@ } | |
| 219 | 221 | @ if {[hascap r]} { |
| 220 | 222 | @ html "<a href='$baseurl/reportlist'>Tickets</a> " |
| 221 | 223 | @ } |
| 222 | 224 | @ if {[hascap j]} { |
| 223 | 225 | @ html "<a href='$baseurl/wiki'>Wiki</a> " |
| 224 | 226 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -210,14 +210,16 @@ | |
| 210 | @ if {[hascap h]} { |
| 211 | @ html "<a href='$baseurl/dir'>Files</a> " |
| 212 | @ } |
| 213 | @ if {[hascap o]} { |
| 214 | @ html "<a href='$baseurl/leaves'>Leaves</a> " |
| 215 | @ html "<a href='$baseurl/timeline'>Timeline</a> " |
| 216 | @ html "<a href='$baseurl/brlist'>Branches</a> " |
| 217 | @ html "<a href='$baseurl/taglist'>Tags</a> " |
| 218 | @ } |
| 219 | @ if {[hascap r]} { |
| 220 | @ html "<a href='$baseurl/reportlist'>Tickets</a> " |
| 221 | @ } |
| 222 | @ if {[hascap j]} { |
| 223 | @ html "<a href='$baseurl/wiki'>Wiki</a> " |
| 224 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -210,14 +210,16 @@ | |
| 210 | @ if {[hascap h]} { |
| 211 | @ html "<a href='$baseurl/dir'>Files</a> " |
| 212 | @ } |
| 213 | @ if {[hascap o]} { |
| 214 | @ html "<a href='$baseurl/leaves'>Leaves</a> " |
| 215 | @ html "<a href='$baseurl/brlist'>Branches</a> " |
| 216 | @ html "<a href='$baseurl/taglist'>Tags</a> " |
| 217 | @ } |
| 218 | @ if {[hascap h]} { |
| 219 | @ html "<a href='$baseurl/timeline'>Timeline</a> " |
| 220 | @ } |
| 221 | @ if {[hascap r]} { |
| 222 | @ html "<a href='$baseurl/reportlist'>Tickets</a> " |
| 223 | @ } |
| 224 | @ if {[hascap j]} { |
| 225 | @ html "<a href='$baseurl/wiki'>Wiki</a> " |
| 226 |
+22
-6
| --- src/timeline.c | ||
| +++ src/timeline.c | ||
| @@ -445,14 +445,20 @@ | ||
| 445 | 445 | const char *zString = P("s"); /* String text search of comment and brief */ |
| 446 | 446 | HQuery url; /* URL for various branch links */ |
| 447 | 447 | int tagid; /* Tag ID */ |
| 448 | 448 | int tmFlags; /* Timeline flags */ |
| 449 | 449 | |
| 450 | - /* To view the timeline, must have permission to read project data. | |
| 451 | - */ | |
| 450 | + /* To view the timeline, must have permission to project history.*/ | |
| 452 | 451 | login_check_credentials(); |
| 453 | - if( !g.okRead ){ login_needed(); return; } | |
| 452 | + if( !g.okHistory ){ login_needed(); return; } | |
| 453 | + | |
| 454 | + /* Prevent them from getting an empty list due to security constraints */ | |
| 455 | + if( (p_rid || d_rid) && !g.okRead ){ login_needed(); return; } | |
| 456 | + if( zType[0]=='c' && zType[1]=='i' && !g.okRead){ login_needed(); return; } | |
| 457 | + if( zType[0]=='t' && !g.okRdTkt){ login_needed(); return; } | |
| 458 | + if( zType[0]=='w' && !g.okRdWiki){ login_needed(); return; } | |
| 459 | + | |
| 454 | 460 | if( zTagName ){ |
| 455 | 461 | tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname='sym-%q'", zTagName); |
| 456 | 462 | }else{ |
| 457 | 463 | tagid = 0; |
| 458 | 464 | } |
| @@ -467,10 +473,20 @@ | ||
| 467 | 473 | timeline_temp_table(); |
| 468 | 474 | blob_zero(&sql); |
| 469 | 475 | blob_zero(&desc); |
| 470 | 476 | blob_append(&sql, "INSERT OR IGNORE INTO timeline ", -1); |
| 471 | 477 | blob_append(&sql, timeline_query_for_www(), -1); |
| 478 | + /* limit the types of objects found in history */ | |
| 479 | + if( !g.okRead ){ | |
| 480 | + blob_appendf(&sql, " AND event.type<>'ci'"); | |
| 481 | + } | |
| 482 | + if( !g.okRdTkt ){ | |
| 483 | + blob_appendf(&sql, " AND event.type<>'t'"); | |
| 484 | + } | |
| 485 | + if( !g.okRdWiki ){ | |
| 486 | + blob_appendf(&sql, " AND event.type<>'w'"); | |
| 487 | + } | |
| 472 | 488 | if( p_rid || d_rid ){ |
| 473 | 489 | /* If p= or d= is present, ignore all other parameters other than n= */ |
| 474 | 490 | char *zUuid; |
| 475 | 491 | int np, nd; |
| 476 | 492 | |
| @@ -636,17 +652,17 @@ | ||
| 636 | 652 | free(zDate); |
| 637 | 653 | }else if( tagid==0 ){ |
| 638 | 654 | if( zType[0]!='a' ){ |
| 639 | 655 | timeline_submenu(&url, "All Types", "y", "all", 0); |
| 640 | 656 | } |
| 641 | - if( zType[0]!='w' ){ | |
| 657 | + if( zType[0]!='w' && g.okRdWiki ){ | |
| 642 | 658 | timeline_submenu(&url, "Wiki Only", "y", "w", 0); |
| 643 | 659 | } |
| 644 | - if( zType[0]!='c' ){ | |
| 660 | + if( zType[0]!='c' && g.okRead ){ | |
| 645 | 661 | timeline_submenu(&url, "Checkins Only", "y", "ci", 0); |
| 646 | 662 | } |
| 647 | - if( zType[0]!='t' ){ | |
| 663 | + if( zType[0]!='t' && g.okRdTkt ){ | |
| 648 | 664 | timeline_submenu(&url, "Tickets Only", "y", "t", 0); |
| 649 | 665 | } |
| 650 | 666 | } |
| 651 | 667 | if( nEntry>20 ){ |
| 652 | 668 | timeline_submenu(&url, "20 Events", "n", "20", 0); |
| 653 | 669 |
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -445,14 +445,20 @@ | |
| 445 | const char *zString = P("s"); /* String text search of comment and brief */ |
| 446 | HQuery url; /* URL for various branch links */ |
| 447 | int tagid; /* Tag ID */ |
| 448 | int tmFlags; /* Timeline flags */ |
| 449 | |
| 450 | /* To view the timeline, must have permission to read project data. |
| 451 | */ |
| 452 | login_check_credentials(); |
| 453 | if( !g.okRead ){ login_needed(); return; } |
| 454 | if( zTagName ){ |
| 455 | tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname='sym-%q'", zTagName); |
| 456 | }else{ |
| 457 | tagid = 0; |
| 458 | } |
| @@ -467,10 +473,20 @@ | |
| 467 | timeline_temp_table(); |
| 468 | blob_zero(&sql); |
| 469 | blob_zero(&desc); |
| 470 | blob_append(&sql, "INSERT OR IGNORE INTO timeline ", -1); |
| 471 | blob_append(&sql, timeline_query_for_www(), -1); |
| 472 | if( p_rid || d_rid ){ |
| 473 | /* If p= or d= is present, ignore all other parameters other than n= */ |
| 474 | char *zUuid; |
| 475 | int np, nd; |
| 476 | |
| @@ -636,17 +652,17 @@ | |
| 636 | free(zDate); |
| 637 | }else if( tagid==0 ){ |
| 638 | if( zType[0]!='a' ){ |
| 639 | timeline_submenu(&url, "All Types", "y", "all", 0); |
| 640 | } |
| 641 | if( zType[0]!='w' ){ |
| 642 | timeline_submenu(&url, "Wiki Only", "y", "w", 0); |
| 643 | } |
| 644 | if( zType[0]!='c' ){ |
| 645 | timeline_submenu(&url, "Checkins Only", "y", "ci", 0); |
| 646 | } |
| 647 | if( zType[0]!='t' ){ |
| 648 | timeline_submenu(&url, "Tickets Only", "y", "t", 0); |
| 649 | } |
| 650 | } |
| 651 | if( nEntry>20 ){ |
| 652 | timeline_submenu(&url, "20 Events", "n", "20", 0); |
| 653 |
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -445,14 +445,20 @@ | |
| 445 | const char *zString = P("s"); /* String text search of comment and brief */ |
| 446 | HQuery url; /* URL for various branch links */ |
| 447 | int tagid; /* Tag ID */ |
| 448 | int tmFlags; /* Timeline flags */ |
| 449 | |
| 450 | /* To view the timeline, must have permission to project history.*/ |
| 451 | login_check_credentials(); |
| 452 | if( !g.okHistory ){ login_needed(); return; } |
| 453 | |
| 454 | /* Prevent them from getting an empty list due to security constraints */ |
| 455 | if( (p_rid || d_rid) && !g.okRead ){ login_needed(); return; } |
| 456 | if( zType[0]=='c' && zType[1]=='i' && !g.okRead){ login_needed(); return; } |
| 457 | if( zType[0]=='t' && !g.okRdTkt){ login_needed(); return; } |
| 458 | if( zType[0]=='w' && !g.okRdWiki){ login_needed(); return; } |
| 459 | |
| 460 | if( zTagName ){ |
| 461 | tagid = db_int(0, "SELECT tagid FROM tag WHERE tagname='sym-%q'", zTagName); |
| 462 | }else{ |
| 463 | tagid = 0; |
| 464 | } |
| @@ -467,10 +473,20 @@ | |
| 473 | timeline_temp_table(); |
| 474 | blob_zero(&sql); |
| 475 | blob_zero(&desc); |
| 476 | blob_append(&sql, "INSERT OR IGNORE INTO timeline ", -1); |
| 477 | blob_append(&sql, timeline_query_for_www(), -1); |
| 478 | /* limit the types of objects found in history */ |
| 479 | if( !g.okRead ){ |
| 480 | blob_appendf(&sql, " AND event.type<>'ci'"); |
| 481 | } |
| 482 | if( !g.okRdTkt ){ |
| 483 | blob_appendf(&sql, " AND event.type<>'t'"); |
| 484 | } |
| 485 | if( !g.okRdWiki ){ |
| 486 | blob_appendf(&sql, " AND event.type<>'w'"); |
| 487 | } |
| 488 | if( p_rid || d_rid ){ |
| 489 | /* If p= or d= is present, ignore all other parameters other than n= */ |
| 490 | char *zUuid; |
| 491 | int np, nd; |
| 492 | |
| @@ -636,17 +652,17 @@ | |
| 652 | free(zDate); |
| 653 | }else if( tagid==0 ){ |
| 654 | if( zType[0]!='a' ){ |
| 655 | timeline_submenu(&url, "All Types", "y", "all", 0); |
| 656 | } |
| 657 | if( zType[0]!='w' && g.okRdWiki ){ |
| 658 | timeline_submenu(&url, "Wiki Only", "y", "w", 0); |
| 659 | } |
| 660 | if( zType[0]!='c' && g.okRead ){ |
| 661 | timeline_submenu(&url, "Checkins Only", "y", "ci", 0); |
| 662 | } |
| 663 | if( zType[0]!='t' && g.okRdTkt ){ |
| 664 | timeline_submenu(&url, "Tickets Only", "y", "t", 0); |
| 665 | } |
| 666 | } |
| 667 | if( nEntry>20 ){ |
| 668 | timeline_submenu(&url, "20 Events", "n", "20", 0); |
| 669 |