Fossil SCM

Fix more cases where updates to the SUBSCRIBER table should be allowed to occur even if not a request from the same origin.

drh 2022-12-31 12:16 trunk
Commit f33976f7cc12ba4fc006d205a6d179d9d58146547c504809ef875a1522b95299
1 file changed +6
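--- a/src/alerts.c
+++ b/src/alerts.c
@@ -129,15 +129,17 @@
 return;
 }
 if( db_table_has_column("repository","subscriber","lastContact") ){
 return;
 }
+db_unprotect(PROTECT_READONLY);
 db_multi_exec(
 "DROP TABLE IF EXISTS repository.alert_bounce;\n"
 "ALTER TABLE repository.subscriber ADD COLUMN lastContact INT;\n"
 "UPDATE subscriber SET lastContact=mtime/86400;"
 );
+db_protect_pop();
 if( db_table_has_column("repository","pending_alert","sentMod") ){
 return;
 }
 db_multi_exec(
 "ALTER TABLE repository.pending_alert"
@@ -1938,14 +1940,16 @@
 smip = db_column_text(&q, 5);
 mtime = db_column_text(&q, 7);
 sctime = db_column_text(&q, 8);
 if( !g.perm.Admin && !sverified ){
 if( nName==64 ){
+db_unprotect(PROTECT_READONLY);
 db_multi_exec(
 "UPDATE subscriber SET sverified=1"
 " WHERE subscriberCode=hextoblob(%Q)",
 zName);
+db_protect_pop();
 if( db_get_boolean("selfreg-verify",0) ){
 char *zNewCap = db_get("default-perms","u");
 db_unprotect(PROTECT_USER);
 db_multi_exec(
 "UPDATE user"
@@ -2116,10 +2120,11 @@
 @ No renewals are necessary.</p>
 style_finish_page();
 return;
 }
 
+db_unprotect(PROTECT_READONLY);
 db_prepare(&s,
 "UPDATE subscriber"
 " SET lastContact=now()/86400"
 " WHERE subscriberCode=hextoblob(%Q)"
 " RETURNING semail, date('now','+%d days');",
@@ -2131,10 +2136,11 @@
 @ has been extended until %h(db_column_text(&s,1)) UTC.
 }else{
 @ <p>No such subscriber-id: %h(zName)</p>
 }
 db_finalize(&s);
+db_protect_pop();
 style_finish_page();
 }
 
 
 /* This is the message that gets sent to describe how to change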
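Review bot: None of the three added `db_unprotect(PROTECT_READONLY)` calls has a comment saying why a write from a non-same-origin request is acceptable at that spot, and the one at new line 1945 needs it most because it runs inside `if( !g.perm.Admin && !sverified )`. From the visible lines the only gate on that UPDATE is `nName==64` plus the `subscriberCode=hextoblob(%Q)` match, so the subscriber code appears to be the sole credential for the write; I would record that in place, e.g. `/* Same-origin protection lifted on purpose: this UPDATE is authorized by the 64-character subscriberCode in zName, not by g.perm. */`, with a matching one-line comment at new lines 134 and 2125. In the renewal handler the lift opens at new line 2125 and closes at 2141 while new lines 2131–2135 are outside the hunks, so it is worth confirming that no return path between them skips `db_protect_pop()`. The second `db_multi_exec(` at new line 144 is left outside any unprotect pair; if PROTECT_READONLY also rejects that ALTER TABLE it would need the same bracket. All the enclosing functions start and end outside the hunks.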
--- src/alerts.c
+++ src/alerts.c
@@ -129,15 +129,17 @@
129 return;
130 }
131 if( db_table_has_column("repository","subscriber","lastContact") ){
132 return;
133 }
 
134 db_multi_exec(
135 "DROP TABLE IF EXISTS repository.alert_bounce;\n"
136 "ALTER TABLE repository.subscriber ADD COLUMN lastContact INT;\n"
137 "UPDATE subscriber SET lastContact=mtime/86400;"
138 );
 
139 if( db_table_has_column("repository","pending_alert","sentMod") ){
140 return;
141 }
142 db_multi_exec(
143 "ALTER TABLE repository.pending_alert"
@@ -1938,14 +1940,16 @@
1938 smip = db_column_text(&q, 5);
1939 mtime = db_column_text(&q, 7);
1940 sctime = db_column_text(&q, 8);
1941 if( !g.perm.Admin && !sverified ){
1942 if( nName==64 ){
 
1943 db_multi_exec(
1944 "UPDATE subscriber SET sverified=1"
1945 " WHERE subscriberCode=hextoblob(%Q)",
1946 zName);
 
1947 if( db_get_boolean("selfreg-verify",0) ){
1948 char *zNewCap = db_get("default-perms","u");
1949 db_unprotect(PROTECT_USER);
1950 db_multi_exec(
1951 "UPDATE user"
@@ -2116,10 +2120,11 @@
2116 @ No renewals are necessary.</p>
2117 style_finish_page();
2118 return;
2119 }
2120
 
2121 db_prepare(&s,
2122 "UPDATE subscriber"
2123 " SET lastContact=now()/86400"
2124 " WHERE subscriberCode=hextoblob(%Q)"
2125 " RETURNING semail, date('now','+%d days');",
@@ -2131,10 +2136,11 @@
2131 @ has been extended until %h(db_column_text(&s,1)) UTC.
2132 }else{
2133 @ <p>No such subscriber-id: %h(zName)</p>
2134 }
2135 db_finalize(&s);
 
2136 style_finish_page();
2137 }
2138
2139
2140 /* This is the message that gets sent to describe how to change
2141
--- src/alerts.c
+++ src/alerts.c
@@ -129,15 +129,17 @@
129 return;
130 }
131 if( db_table_has_column("repository","subscriber","lastContact") ){
132 return;
133 }
134 db_unprotect(PROTECT_READONLY);
135 db_multi_exec(
136 "DROP TABLE IF EXISTS repository.alert_bounce;\n"
137 "ALTER TABLE repository.subscriber ADD COLUMN lastContact INT;\n"
138 "UPDATE subscriber SET lastContact=mtime/86400;"
139 );
140 db_protect_pop();
141 if( db_table_has_column("repository","pending_alert","sentMod") ){
142 return;
143 }
144 db_multi_exec(
145 "ALTER TABLE repository.pending_alert"
@@ -1938,14 +1940,16 @@
1940 smip = db_column_text(&q, 5);
1941 mtime = db_column_text(&q, 7);
1942 sctime = db_column_text(&q, 8);
1943 if( !g.perm.Admin && !sverified ){
1944 if( nName==64 ){
1945 db_unprotect(PROTECT_READONLY);
1946 db_multi_exec(
1947 "UPDATE subscriber SET sverified=1"
1948 " WHERE subscriberCode=hextoblob(%Q)",
1949 zName);
1950 db_protect_pop();
1951 if( db_get_boolean("selfreg-verify",0) ){
1952 char *zNewCap = db_get("default-perms","u");
1953 db_unprotect(PROTECT_USER);
1954 db_multi_exec(
1955 "UPDATE user"
@@ -2116,10 +2120,11 @@
2120 @ No renewals are necessary.</p>
2121 style_finish_page();
2122 return;
2123 }
2124
2125 db_unprotect(PROTECT_READONLY);
2126 db_prepare(&s,
2127 "UPDATE subscriber"
2128 " SET lastContact=now()/86400"
2129 " WHERE subscriberCode=hextoblob(%Q)"
2130 " RETURNING semail, date('now','+%d days');",
@@ -2131,10 +2136,11 @@
2136 @ has been extended until %h(db_column_text(&s,1)) UTC.
2137 }else{
2138 @ <p>No such subscriber-id: %h(zName)</p>
2139 }
2140 db_finalize(&s);
2141 db_protect_pop();
2142 style_finish_page();
2143 }
2144
2145
2146 /* This is the message that gets sent to describe how to change
2147
