Fossil SCM

The "/login?anon=2" page demonstrates the captcha even if the user is currently logged in.

drh 2025-08-14 21:01 trunk
Commit e58112a4f38a12221f5fe7fd6476bbccdb234b4dae121622f9dd0440f48b2e00
1 file changed +20 -9
+20 -9
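--- a/src/login.c
+++ b/src/login.c
@@ -584,25 +584,35 @@
 /* If the "Reset Password" button in the form was pressed, render
 ** the Request Password Reset page in place of this one. */
 login_reqpwreset_page();
 return;
 }
- login_check_credentials();
+
+ /* If the "anon" query parameter is 1 or 2, that means rework the web-page
+ ** to make it a more user-friendly captcha. Extraneous text and boxes
+ ** are omitted. The user has just the captcha image and an entry box
+ ** and a "Verify" button. Underneath is the same login page for user
+ ** "anonymous", just displayed in an easier to digest format for one-time
+ ** visitors.
+ **
+ ** anon=1 is advisory and only has effect if there is not some other login
+ ** cookie. anon=2 means always show the captcha.
+ */
+ anonFlag = atoi(PD("anon","0"));
+ if( anonFlag==2 ){
+ g.zLogin = 0;
+ }else{
+ login_check_credentials();
+ if( g.zLogin!=0 ) anonFlag = 0;
+ }
+
 fossil_redirect_to_https_if_needed(1);
 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
 constant_time_cmp_function, 0, 0);
 zUsername = P("u");
 zPasswd = P("p");
 
- /* If the anonFlag is set, that means rework the web-page to make it
- ** a more user-friendly captcha. Extraneous text and boxes are omitted.
- ** The user has just the captcha image and an entry box and a "Verify"
- ** button. Underneath is the same login page for user "anonymous", just
- ** displayed in an easier to digest format for one-time visitors.
- */
- anonFlag = g.zLogin==0 && PB("anon");
-
 /* Handle log-out requests */
 if( P("out") && cgi_csrf_safe(2) ){
 login_clear_login_data();
 login_redirect_to_g();
 return;
@@ -728,10 +738,11 @@
 login_redirect_to_g();
 }
 }
 style_set_current_feature("login");
 style_header("Login/Logout");
+ if( anonFlag==2 ) g.zLogin = 0;
 style_adunit_config(ADUNIT_OFF);
 @ %s(zErrMsg)
 if( zGoto && !noAnon ){
 char *zAbbrev = fossil_strdup(zGoto);
 int i;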
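Review bot: The `anon` query parameter goes through `atoi()` unchecked at new line 600, so any value other than 0, 1 or 2 (for example `anon=7` or a negative number) leaves `anonFlag` nonzero. The later `anonFlag` tests are outside this hunk, but they presumably treat such a value like `anon=1`; a clamp right after the assignment, `if( anonFlag<0 || anonFlag>2 ) anonFlag = 0;`, would hold the flag to the documented values. Separately, the `anonFlag==2` branch never calls `login_check_credentials()`, so the log-out handler at new lines 615-618 and the rest of the function run without whatever state that call normally sets up. `g.zLogin` is also cleared by hand a second time at new line 743, which suggests something in between re-populates it. Consider always calling `login_check_credentials()` before applying the override, and add a comment at line 743 naming what resets `g.zLogin`; the enclosing function starts and ends outside both hunks.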
--- src/login.c
+++ src/login.c
@@ -584,25 +584,35 @@
584 /* If the "Reset Password" button in the form was pressed, render
585 ** the Request Password Reset page in place of this one. */
586 login_reqpwreset_page();
587 return;
588 }
589 login_check_credentials();
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
590 fossil_redirect_to_https_if_needed(1);
591 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
592 constant_time_cmp_function, 0, 0);
593 zUsername = P("u");
594 zPasswd = P("p");
595
596 /* If the anonFlag is set, that means rework the web-page to make it
597 ** a more user-friendly captcha. Extraneous text and boxes are omitted.
598 ** The user has just the captcha image and an entry box and a "Verify"
599 ** button. Underneath is the same login page for user "anonymous", just
600 ** displayed in an easier to digest format for one-time visitors.
601 */
602 anonFlag = g.zLogin==0 && PB("anon");
603
604 /* Handle log-out requests */
605 if( P("out") && cgi_csrf_safe(2) ){
606 login_clear_login_data();
607 login_redirect_to_g();
608 return;
@@ -728,10 +738,11 @@
728 login_redirect_to_g();
729 }
730 }
731 style_set_current_feature("login");
732 style_header("Login/Logout");
 
733 style_adunit_config(ADUNIT_OFF);
734 @ %s(zErrMsg)
735 if( zGoto && !noAnon ){
736 char *zAbbrev = fossil_strdup(zGoto);
737 int i;
738
--- src/login.c
+++ src/login.c
@@ -584,25 +584,35 @@
584 /* If the "Reset Password" button in the form was pressed, render
585 ** the Request Password Reset page in place of this one. */
586 login_reqpwreset_page();
587 return;
588 }
589
590 /* If the "anon" query parameter is 1 or 2, that means rework the web-page
591 ** to make it a more user-friendly captcha. Extraneous text and boxes
592 ** are omitted. The user has just the captcha image and an entry box
593 ** and a "Verify" button. Underneath is the same login page for user
594 ** "anonymous", just displayed in an easier to digest format for one-time
595 ** visitors.
596 **
597 ** anon=1 is advisory and only has effect if there is not some other login
598 ** cookie. anon=2 means always show the captcha.
599 */
600 anonFlag = atoi(PD("anon","0"));
601 if( anonFlag==2 ){
602 g.zLogin = 0;
603 }else{
604 login_check_credentials();
605 if( g.zLogin!=0 ) anonFlag = 0;
606 }
607
608 fossil_redirect_to_https_if_needed(1);
609 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
610 constant_time_cmp_function, 0, 0);
611 zUsername = P("u");
612 zPasswd = P("p");
613
 
 
 
 
 
 
 
 
614 /* Handle log-out requests */
615 if( P("out") && cgi_csrf_safe(2) ){
616 login_clear_login_data();
617 login_redirect_to_g();
618 return;
@@ -728,10 +738,11 @@
738 login_redirect_to_g();
739 }
740 }
741 style_set_current_feature("login");
742 style_header("Login/Logout");
743 if( anonFlag==2 ) g.zLogin = 0;
744 style_adunit_config(ADUNIT_OFF);
745 @ %s(zErrMsg)
746 if( zGoto && !noAnon ){
747 char *zAbbrev = fossil_strdup(zGoto);
748 int i;
749
