Fossil SCM
Provide the "public-pages" glob pattern that can allow anonymous users to access embedded documentation on sites where the source code should not be accessible to anonymous users.
Commit
79ef9618e61b3876b8da75479424557ca8a0d076
Parent
9232fd6946a5d23…
2 files changed
+22
-2
+16
-2
+22
-2
| --- src/login.c | ||
| +++ src/login.c | ||
| @@ -464,10 +464,11 @@ | ||
| 464 | 464 | */ |
| 465 | 465 | void login_page(void){ |
| 466 | 466 | const char *zUsername, *zPasswd; |
| 467 | 467 | const char *zNew1, *zNew2; |
| 468 | 468 | const char *zAnonPw = 0; |
| 469 | + const char *zGoto = P("g"); | |
| 469 | 470 | int anonFlag; |
| 470 | 471 | char *zErrMsg = ""; |
| 471 | 472 | int uid; /* User id loged in user */ |
| 472 | 473 | char *zSha1Pw; |
| 473 | 474 | const char *zIpAddr; /* IP address of requestor */ |
| @@ -561,13 +562,16 @@ | ||
| 561 | 562 | redirect_to_g(); |
| 562 | 563 | } |
| 563 | 564 | } |
| 564 | 565 | style_header("Login/Logout"); |
| 565 | 566 | @ %s(zErrMsg) |
| 567 | + if( zGoto ){ | |
| 568 | + @ <p>A login is required for <a href="%h(zGoto)">%h(zGoto)</a>.</p> | |
| 569 | + } | |
| 566 | 570 | @ <form action="login" method="post"> |
| 567 | - if( P("g") ){ | |
| 568 | - @ <input type="hidden" name="g" value="%h(P("g"))" /> | |
| 571 | + if( zGoto ){ | |
| 572 | + @ <input type="hidden" name="g" value="%h(zGoto)" /> | |
| 569 | 573 | } |
| 570 | 574 | @ <table class="login_out"> |
| 571 | 575 | @ <tr> |
| 572 | 576 | @ <td class="login_out_label">User ID:</td> |
| 573 | 577 | if( anonFlag ){ |
| @@ -761,17 +765,20 @@ | ||
| 761 | 765 | /* |
| 762 | 766 | ** This routine examines the login cookie to see if it exists and and |
| 763 | 767 | ** is valid. If the login cookie checks out, it then sets global |
| 764 | 768 | ** variables appropriately. Global variables set include g.userUid |
| 765 | 769 | ** and g.zLogin and the g.perm family of permission booleans. |
| 770 | +** | |
| 771 | +** If the | |
| 766 | 772 | */ |
| 767 | 773 | void login_check_credentials(void){ |
| 768 | 774 | int uid = 0; /* User id */ |
| 769 | 775 | const char *zCookie; /* Text of the login cookie */ |
| 770 | 776 | const char *zIpAddr; /* Raw IP address of the requestor */ |
| 771 | 777 | char *zRemoteAddr; /* Abbreviated IP address of the requestor */ |
| 772 | 778 | const char *zCap = 0; /* Capability string */ |
| 779 | + const char *zPublicPages = 0; /* GLOB patterns of public pages */ | |
| 773 | 780 | |
| 774 | 781 | /* Only run this check once. */ |
| 775 | 782 | if( g.userUid!=0 ) return; |
| 776 | 783 | |
| 777 | 784 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| @@ -908,10 +915,23 @@ | ||
| 908 | 915 | login_set_anon_nobody_capabilities(); |
| 909 | 916 | if( zCap[0] && !g.perm.History && db_get_boolean("auto-enable-hyperlinks",1) |
| 910 | 917 | && isHuman(P("HTTP_USER_AGENT")) ){ |
| 911 | 918 | g.perm.History = 1; |
| 912 | 919 | } |
| 920 | + | |
| 921 | + /* If the public-pages glob pattern is defined and REQUEST_URI matches | |
| 922 | + ** one of the globs in public-pages, then also add in all default-perms | |
| 923 | + ** permissions. | |
| 924 | + */ | |
| 925 | + zPublicPages = db_get("public-pages",0); | |
| 926 | + if( zPublicPages!=0 ){ | |
| 927 | + Glob *pGlob = glob_create(zPublicPages); | |
| 928 | + if( glob_match(pGlob, PD("REQUEST_URI","no-match")) ){ | |
| 929 | + login_set_capabilities(db_get("default-perms","u"), 0); | |
| 930 | + } | |
| 931 | + glob_free(pGlob); | |
| 932 | + } | |
| 913 | 933 | } |
| 914 | 934 | |
| 915 | 935 | /* |
| 916 | 936 | ** Memory of settings |
| 917 | 937 | */ |
| 918 | 938 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -464,10 +464,11 @@ | |
| 464 | */ |
| 465 | void login_page(void){ |
| 466 | const char *zUsername, *zPasswd; |
| 467 | const char *zNew1, *zNew2; |
| 468 | const char *zAnonPw = 0; |
| 469 | int anonFlag; |
| 470 | char *zErrMsg = ""; |
| 471 | int uid; /* User id loged in user */ |
| 472 | char *zSha1Pw; |
| 473 | const char *zIpAddr; /* IP address of requestor */ |
| @@ -561,13 +562,16 @@ | |
| 561 | redirect_to_g(); |
| 562 | } |
| 563 | } |
| 564 | style_header("Login/Logout"); |
| 565 | @ %s(zErrMsg) |
| 566 | @ <form action="login" method="post"> |
| 567 | if( P("g") ){ |
| 568 | @ <input type="hidden" name="g" value="%h(P("g"))" /> |
| 569 | } |
| 570 | @ <table class="login_out"> |
| 571 | @ <tr> |
| 572 | @ <td class="login_out_label">User ID:</td> |
| 573 | if( anonFlag ){ |
| @@ -761,17 +765,20 @@ | |
| 761 | /* |
| 762 | ** This routine examines the login cookie to see if it exists and and |
| 763 | ** is valid. If the login cookie checks out, it then sets global |
| 764 | ** variables appropriately. Global variables set include g.userUid |
| 765 | ** and g.zLogin and the g.perm family of permission booleans. |
| 766 | */ |
| 767 | void login_check_credentials(void){ |
| 768 | int uid = 0; /* User id */ |
| 769 | const char *zCookie; /* Text of the login cookie */ |
| 770 | const char *zIpAddr; /* Raw IP address of the requestor */ |
| 771 | char *zRemoteAddr; /* Abbreviated IP address of the requestor */ |
| 772 | const char *zCap = 0; /* Capability string */ |
| 773 | |
| 774 | /* Only run this check once. */ |
| 775 | if( g.userUid!=0 ) return; |
| 776 | |
| 777 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| @@ -908,10 +915,23 @@ | |
| 908 | login_set_anon_nobody_capabilities(); |
| 909 | if( zCap[0] && !g.perm.History && db_get_boolean("auto-enable-hyperlinks",1) |
| 910 | && isHuman(P("HTTP_USER_AGENT")) ){ |
| 911 | g.perm.History = 1; |
| 912 | } |
| 913 | } |
| 914 | |
| 915 | /* |
| 916 | ** Memory of settings |
| 917 | */ |
| 918 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -464,10 +464,11 @@ | |
| 464 | */ |
| 465 | void login_page(void){ |
| 466 | const char *zUsername, *zPasswd; |
| 467 | const char *zNew1, *zNew2; |
| 468 | const char *zAnonPw = 0; |
| 469 | const char *zGoto = P("g"); |
| 470 | int anonFlag; |
| 471 | char *zErrMsg = ""; |
| 472 | int uid; /* User id loged in user */ |
| 473 | char *zSha1Pw; |
| 474 | const char *zIpAddr; /* IP address of requestor */ |
| @@ -561,13 +562,16 @@ | |
| 562 | redirect_to_g(); |
| 563 | } |
| 564 | } |
| 565 | style_header("Login/Logout"); |
| 566 | @ %s(zErrMsg) |
| 567 | if( zGoto ){ |
| 568 | @ <p>A login is required for <a href="%h(zGoto)">%h(zGoto)</a>.</p> |
| 569 | } |
| 570 | @ <form action="login" method="post"> |
| 571 | if( zGoto ){ |
| 572 | @ <input type="hidden" name="g" value="%h(zGoto)" /> |
| 573 | } |
| 574 | @ <table class="login_out"> |
| 575 | @ <tr> |
| 576 | @ <td class="login_out_label">User ID:</td> |
| 577 | if( anonFlag ){ |
| @@ -761,17 +765,20 @@ | |
| 765 | /* |
| 766 | ** This routine examines the login cookie to see if it exists and and |
| 767 | ** is valid. If the login cookie checks out, it then sets global |
| 768 | ** variables appropriately. Global variables set include g.userUid |
| 769 | ** and g.zLogin and the g.perm family of permission booleans. |
| 770 | ** |
| 771 | ** If the |
| 772 | */ |
| 773 | void login_check_credentials(void){ |
| 774 | int uid = 0; /* User id */ |
| 775 | const char *zCookie; /* Text of the login cookie */ |
| 776 | const char *zIpAddr; /* Raw IP address of the requestor */ |
| 777 | char *zRemoteAddr; /* Abbreviated IP address of the requestor */ |
| 778 | const char *zCap = 0; /* Capability string */ |
| 779 | const char *zPublicPages = 0; /* GLOB patterns of public pages */ |
| 780 | |
| 781 | /* Only run this check once. */ |
| 782 | if( g.userUid!=0 ) return; |
| 783 | |
| 784 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| @@ -908,10 +915,23 @@ | |
| 915 | login_set_anon_nobody_capabilities(); |
| 916 | if( zCap[0] && !g.perm.History && db_get_boolean("auto-enable-hyperlinks",1) |
| 917 | && isHuman(P("HTTP_USER_AGENT")) ){ |
| 918 | g.perm.History = 1; |
| 919 | } |
| 920 | |
| 921 | /* If the public-pages glob pattern is defined and REQUEST_URI matches |
| 922 | ** one of the globs in public-pages, then also add in all default-perms |
| 923 | ** permissions. |
| 924 | */ |
| 925 | zPublicPages = db_get("public-pages",0); |
| 926 | if( zPublicPages!=0 ){ |
| 927 | Glob *pGlob = glob_create(zPublicPages); |
| 928 | if( glob_match(pGlob, PD("REQUEST_URI","no-match")) ){ |
| 929 | login_set_capabilities(db_get("default-perms","u"), 0); |
| 930 | } |
| 931 | glob_free(pGlob); |
| 932 | } |
| 933 | } |
| 934 | |
| 935 | /* |
| 936 | ** Memory of settings |
| 937 | */ |
| 938 |
+16
-2
| --- src/setup.c | ||
| +++ src/setup.c | ||
| @@ -900,10 +900,22 @@ | ||
| 900 | 900 | @ indicates that the request is coming from an actual human being and not a |
| 901 | 901 | @ a robot or script. Note: Bots can specify whatever User-Agent string they |
| 902 | 902 | @ that want. So a bot that wants to impersonate a human can easily do so. |
| 903 | 903 | @ Hence, this technique does not necessarily exclude malicious bots. |
| 904 | 904 | @ </p> |
| 905 | + | |
| 906 | + @ <hr /> | |
| 907 | + entry_attribute("Public pages", 30, "public-pages", | |
| 908 | + "pubpage", ""); | |
| 909 | + @ <p>A comma-separated list of glob patterns for pages that are accessible | |
| 910 | + @ without needing a login and using the privileges given by the | |
| 911 | + @ "Default privileges" setting below. Example use case: Set this field | |
| 912 | + @ to "/doc/trunk/www/*" to give anonymous users read-only permission to the | |
| 913 | + @ latest version of the embedded documentation in the www/ folder without | |
| 914 | + @ allowing them to see the rest of the source code. | |
| 915 | + @ </p> | |
| 916 | + | |
| 905 | 917 | |
| 906 | 918 | @ <hr /> |
| 907 | 919 | onoff_attribute("Allow users to register themselves", |
| 908 | 920 | "self-register", "selfregister", 0); |
| 909 | 921 | @ <p>Allow users to register themselves through the HTTP UI. |
| @@ -914,12 +926,14 @@ | ||
| 914 | 926 | @ "Anonymous".</p> |
| 915 | 927 | |
| 916 | 928 | @ <hr /> |
| 917 | 929 | entry_attribute("Default privileges", 10, "default-perms", |
| 918 | 930 | "defaultperms", "u"); |
| 919 | - @ <p>Permissions given to users that register themselves using the HTTP UI | |
| 920 | - @ or are registered by the administrator using the command line interface. | |
| 931 | + @ <p>Permissions given to users that... <ul><li>register themselves using | |
| 932 | + @ the self-registration procedure (if enabled), or <li>access "public" | |
| 933 | + @ pages identified by the public-pages glob pattern above, or <li> | |
| 934 | + @ are users newly created by the administrator.</ul> | |
| 921 | 935 | @ </p> |
| 922 | 936 | |
| 923 | 937 | @ <hr /> |
| 924 | 938 | onoff_attribute("Show javascript button to fill in CAPTCHA", |
| 925 | 939 | "auto-captcha", "autocaptcha", 0); |
| 926 | 940 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -900,10 +900,22 @@ | |
| 900 | @ indicates that the request is coming from an actual human being and not a |
| 901 | @ a robot or script. Note: Bots can specify whatever User-Agent string they |
| 902 | @ that want. So a bot that wants to impersonate a human can easily do so. |
| 903 | @ Hence, this technique does not necessarily exclude malicious bots. |
| 904 | @ </p> |
| 905 | |
| 906 | @ <hr /> |
| 907 | onoff_attribute("Allow users to register themselves", |
| 908 | "self-register", "selfregister", 0); |
| 909 | @ <p>Allow users to register themselves through the HTTP UI. |
| @@ -914,12 +926,14 @@ | |
| 914 | @ "Anonymous".</p> |
| 915 | |
| 916 | @ <hr /> |
| 917 | entry_attribute("Default privileges", 10, "default-perms", |
| 918 | "defaultperms", "u"); |
| 919 | @ <p>Permissions given to users that register themselves using the HTTP UI |
| 920 | @ or are registered by the administrator using the command line interface. |
| 921 | @ </p> |
| 922 | |
| 923 | @ <hr /> |
| 924 | onoff_attribute("Show javascript button to fill in CAPTCHA", |
| 925 | "auto-captcha", "autocaptcha", 0); |
| 926 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -900,10 +900,22 @@ | |
| 900 | @ indicates that the request is coming from an actual human being and not a |
| 901 | @ a robot or script. Note: Bots can specify whatever User-Agent string they |
| 902 | @ that want. So a bot that wants to impersonate a human can easily do so. |
| 903 | @ Hence, this technique does not necessarily exclude malicious bots. |
| 904 | @ </p> |
| 905 | |
| 906 | @ <hr /> |
| 907 | entry_attribute("Public pages", 30, "public-pages", |
| 908 | "pubpage", ""); |
| 909 | @ <p>A comma-separated list of glob patterns for pages that are accessible |
| 910 | @ without needing a login and using the privileges given by the |
| 911 | @ "Default privileges" setting below. Example use case: Set this field |
| 912 | @ to "/doc/trunk/www/*" to give anonymous users read-only permission to the |
| 913 | @ latest version of the embedded documentation in the www/ folder without |
| 914 | @ allowing them to see the rest of the source code. |
| 915 | @ </p> |
| 916 | |
| 917 | |
| 918 | @ <hr /> |
| 919 | onoff_attribute("Allow users to register themselves", |
| 920 | "self-register", "selfregister", 0); |
| 921 | @ <p>Allow users to register themselves through the HTTP UI. |
| @@ -914,12 +926,14 @@ | |
| 926 | @ "Anonymous".</p> |
| 927 | |
| 928 | @ <hr /> |
| 929 | entry_attribute("Default privileges", 10, "default-perms", |
| 930 | "defaultperms", "u"); |
| 931 | @ <p>Permissions given to users that... <ul><li>register themselves using |
| 932 | @ the self-registration procedure (if enabled), or <li>access "public" |
| 933 | @ pages identified by the public-pages glob pattern above, or <li> |
| 934 | @ are users newly created by the administrator.</ul> |
| 935 | @ </p> |
| 936 | |
| 937 | @ <hr /> |
| 938 | onoff_attribute("Show javascript button to fill in CAPTCHA", |
| 939 | "auto-captcha", "autocaptcha", 0); |
| 940 |