Fossil SCM

'configure pull' command receives empty response.

Closed

ce33b14f8fa9a41… · opened 16 years, 6 months ago

Type: Incident
Priority:
Severity: Minor
Resolution: Works_As_Designed
Subsystem:
Created: Oct. 9, 2009 5:11 a.m.

Server sends an empty response for a non-authoritative user's 'configure pull' command.

I created three patch variations. (I think the first version is simple and good.)

  1. When a 'reqconfig' card is received, grant 'nobody' capabilities to non-authoritative users (like the 'clone' card).
    xfer.c / page_xfer()
    ``` --- ../Fossil-ca08c1d1b3/src/xfer.c 2009-09-24 01:54:53.000000000 +0900 +++ xfer-1.c 2009-10-09 09:11:39.000000000 +0900 @@ -747,6 +747,7 @@ if( blob_eq(&xfer.aToken[0], "reqconfig") && xfer.nToken==2 ){
  2. login_check_credentials(); if( g.okRead ){ char *zName = blob_str(&xfer.aToken[1]); if( configure_is_exportable(zName) ){

```

Currently, the 'check_login()' function defined in 'xfer.c' grants no capabilities to non-authoritative users.
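
Review bot: The login_check_credentials() call added at the top of the reqconfig branch has no comment saying why a request that carried no login card should now pick up default capabilities, and because it sits inside the card handler it runs again for every reqconfig card in the request. Add a comment stating the intent (the ticket text says it mirrors the 'clone' card handling) and consider doing the check once per request instead of per card. With this change, g.okRead and configure_is_exportable(zName) are the only gates visible here on what an unauthenticated client can pull, so the description should state which configuration areas are meant to be readable at that level.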

  2. When a 'login' card is received, grant 'nobody' capabilities if authorization failed.
    (This patch also accepts non-registered users, and registered users who specify a wrong password, as 'nobody'.)
    This patch always needs a 'login' card.
    xfer.c / check_login()
    ``` --- ../Fossil-ca08c1d1b3/src/xfer.c 2009-09-24 01:54:53.000000000 +0900 +++ xfer-2.c 2009-10-09 09:13:16.000000000 +0900 @@ -421,6 +421,8 @@ if( rc==0 ){ / If the login was successful. / login_set_anon_nobody_capabilities();
  2. }else{
  3. login_check_credentials(); } }

```
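
Review bot: In the new else branch of if( rc==0 ), a login card that fails verification falls back to login_check_credentials(), so a client that sent a wrong password or an unknown user name is handled like one that sent no credentials at all, which the ticket text itself points out. Failed authentication should stay distinguishable from absent authentication: keep the failure path reporting an error to the client and apply the fallback only when no login card was sent, or at minimum add a comment explaining why a failed login is downgraded instead of rejected.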

  3. When a 'login' card is received, grant 'anonymous' capabilities to 'anonymous' with an empty password.
    (This patch denies non-registered users and registered users who specify a wrong password.
    A user who is not registered needs 'anonymous@' in the 'configure pull' command URL parameter.)
    NG: fossil configure pull skin http://example.net
    OK: fossil configure pull skin http://anonymous@example.net
    This patch always needs a 'login' card.
    xfer.c / check_login()
    ``` --- ../Fossil-ca08c1d1b3/src/xfer.c 2009-09-24 01:54:53.000000000 +0900 +++ xfer-3.c 2009-10-09 09:14:21.000000000 +0900 @@ -391,14 +391,16 @@ db_prepare(&q, "SELECT pw, cap, uid FROM user" " WHERE login=%Q"
  2. " AND login NOT IN ('anonymous','nobody','developer','reader')"
  3. " AND login NOT IN ('nobody','developer','reader')" " AND length(pw)>0", zLogin ); if( db_step(&q)==SQLITE_ROW ){ Blob pw, combined, hash; blob_zero(&pw);
  4. db_ephemeral_blob(&q, 0, &pw);
  5. if( strcmp(zLogin,"anonymous")!=0 ){
  6. db_ephemeral_blob(&q, 0, &pw);
  7. } blob_zero(&combined); blob_copy(&combined, pNonce); blob_append(&combined, blob_buffer(&pw), blob_size(&pw));

```
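
Review bot: The strcmp(zLogin,"anonymous")!=0 guard skips db_ephemeral_blob(&q, 0, &pw) for the anonymous login, so pw stays empty after blob_zero(&pw) and combined is built from pNonce plus an empty password: a client that names anonymous and supplies an empty password matches without knowing any secret. The query still requires length(pw)>0, so the anonymous row must carry a stored password that this code then ignores. If password-less anonymous access over the sync protocol is intended, handle it as an explicit, commented case ahead of the password comparison instead of weakening the hash check for one login name.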


anonymous added on 2011-02-18 19:52:23 UTC:

This would be nice to see. At present, if you aren't logged in via remote-url, fs config pull all silently fails unless you're really observant and notice there weren't any received cards. This took me a few minutes of head scratching to figure out. I'm not sure the patch is the right way to solve this (it could be), but I'm glad I'm not the only one who's run into this oddity.

```
% fs config pull all
                Bytes      Cards  Artifacts     Deltas
Sent:             660         26          0          0
waiting for server...Total network traffic: 428 bytes sent, 0 bytes received
% fs remote-url
http://127.0.0.1:9023/
% fs remote-url http://sean@127.0.0.1:9023/
password for sean: 
http://sean@127.0.0.1:9023/
% fs config pull all
                Bytes      Cards  Artifacts     Deltas
Sent:             660         26          0          0
Received:       55201         15          0          0
Total network traffic: 490 bytes sent, 39537 bytes received
```
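
The silent failure in the comment above can be caught by a wrapper that reads the transfer summary. The following is an added example, not part of the ticket or of Fossil itself; the names `summarize_pull` and `PullSummary` are hypothetical, and the two sample outputs are constructed from the sessions quoted above.

```python
import re
from dataclasses import dataclass

# Constructed samples, copied from the two sessions quoted in the ticket comment.
EMPTY_PULL = """\
                Bytes      Cards  Artifacts     Deltas
Sent:             660         26          0          0
waiting for server...Total network traffic: 428 bytes sent, 0 bytes received
"""
GOOD_PULL = """\
                Bytes      Cards  Artifacts     Deltas
Sent:             660         26          0          0
Received:       55201         15          0          0
Total network traffic: 490 bytes sent, 39537 bytes received
"""

ROW = re.compile(r"^(Sent|Received):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)
# Not anchored at line start: in the failing session the progress text
# "waiting for server..." shares a line with the total.
TOTAL = re.compile(r"Total network traffic: (\d+) bytes sent, (\d+) bytes received")

@dataclass
class PullSummary:
    sent_cards: int
    received_cards: int
    wire_bytes_received: int

    @property
    def empty_reply(self) -> bool:
        # Cards went out but none came back: the case the ticket describes.
        return self.sent_cards > 0 and self.received_cards == 0

def summarize_pull(output: str) -> PullSummary:
    cards = {"Sent": 0, "Received": 0}
    for name, _bytes, ncards, _artifacts, _deltas in ROW.findall(output):
        # Assumption: if several Sent/Received rows appear, they are summed.
        cards[name] += int(ncards)
    total = TOTAL.search(output)
    if total is None:
        raise ValueError("no 'Total network traffic' line; not a transfer summary")
    return PullSummary(cards["Sent"], cards["Received"], int(total.group(2)))
```

A script that runs the pull can treat `empty_reply` as an error and prompt for a remote URL that includes a user name.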


Comments (1)

system 2 years, 2 months ago

Closing as part of periodic cleanup.
