Make all users inherit the capabilities of "nobody" as well as (optionally) of "anonymous".
Commit
eb24a021d641a6a0b67cb7907dbbbddf90bb6f6f
Parent
31824fbf9128ae3…
3 files changed
+4
+10
+6
M
src/db.c
+4
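--- a/src/db.c
+++ b/src/db.c
@@ -1198,10 +1198,13 @@
 **
 ** editor Text editor command used for check-in comments.
 **
 ** gdiff-command External command to run when performing a graphical
 ** diff. If undefined, text diff will be used.
+**
+** inherit-anon If enabled, any web user inherits capabilities from
+** anonymous as well as nobody.
 **
 ** localauth If enabled, require that HTTP connections from
 ** 127.0.0.1 be authenticated by password. If
 ** false, all HTTP requests from localhost have
 ** unrestricted access to the repository.
@@ -1227,10 +1230,11 @@
 static const char *azName[] = {
 "autosync",
 "diff-command",
 "editor",
 "gdiff-command",
+"inherit-anon",
 "localauth",
 "clearsign",
 "pgp-command",
 "proxy",
 "web-browser",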
+10
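--- a/src/login.c
+++ b/src/login.c
@@ -238,10 +238,12 @@
 void login_check_credentials(void){
 int uid = 0;
 const char *zCookie;
 const char *zRemoteAddr;
 const char *zCap = 0;
+const char *zNcap;
+const char *zAcap;
 
 /* Only run this check once. */
 if( g.userUid!=0 ) return;
 
 
@@ -296,10 +298,18 @@
 }
 }
 g.userUid = uid;
 if( g.zLogin && strcmp(g.zLogin,"nobody")==0 ){
 g.zLogin = 0;
+}
+if( uid>0 ){
+zNcap = db_text("", "SELECT cap FROM user WHERE login = 'nobody'");
+login_set_capabilities(zNcap);
+if( db_get_int("inherit-anon",0) ){
+zAcap = db_text("", "SELECT cap FROM user WHERE login = 'anonymous'");
+login_set_capabilities(zAcap);
+}
 }
 login_set_capabilities(zCap);
 }
 
 /*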
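Review bot: The new `if( uid>0 )` block at line 304 also grants the "anonymous" capabilities to the "nobody" user whenever inherit-anon is on, because the check just above it only clears g.zLogin for nobody and leaves uid untouched — if the user lookup earlier in this function (outside the hunk) gives nobody a positive uid, an unauthenticated visitor ends up with anonymous's capabilities without ever passing the anonymous login step. Gating the inheritance on an actual login, `if( uid>0 && g.zLogin ){`, keeps nobody at its own capabilities while named users (and anonymous itself) still inherit; if nobody inheriting from anonymous is really intended, the db.c comment ("any web user inherits capabilities from anonymous") and the setup.c description should state that consequence explicitly instead. A short comment above the block, `/* Logged-in users inherit from "nobody", and optionally from "anonymous" */`, would make the policy readable at the point where it is enforced. zNcap and zAcap are never freed; if db_text hands ownership to the caller this leaks once per call, which may be acceptable in a per-request process but should be confirmed against how zCap is handled elsewhere in the function. login_check_credentials begins before this hunk.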
+6
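--- a/src/setup.c
+++ b/src/setup.c
@@ -553,10 +553,16 @@
 @ from 127.0.0.1 is allows without any login - the user id is selected
 @ from the ~/.fossil database. Password login is always required
 @ for incoming web connections on internet addresses other than
 @ 127.0.0.1.</p></li>
 
+@ <hr>
+onoff_attribute("Inherit capabilities from anonymous user",
+"inherit-anon", "inherit-anon", 0);
+@ <p>When enabled, all web users inherit capabilities from
+@ "anonymous", as well as from "nobody".</p></li>
+
 @ <hr>
 entry_attribute("Login expiration time", 6, "cookie-expire", "cex", "8766");
 @ <p>The number of hours for which a login is valid. This must be a
 @ positive number. The default is 8760 hours which is approximately equal
 @ to a year.</p>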