Fossil SCM

This branch adds an admin-only "user elevation" subscription notification. When enabled, all subscribers to this capability receive an alert when an admin either creates a new user or explicitly adds new permissions to a user.

To keep it simple, this does not account for inherited permissions, nor does it consider any given permissions to be "higher" than any others. Its rule is simple: when an admin edits a user account, if that account explicitly receives permissions letters which it did not formerly have (even if the newly-assigned permissions are more restrictive or were previously indirectly assigned via inheritance), it sends a notification alerting of the change.

The purpose of this is essentially to improve situational awareness. It does not eliminate the possibility that an attacker who finds a hypothetical/as-yet-unknown XSS hijacking attack can silently create a back door user: such a hijacked account could remove any such subscriptions and (if the account has Setup access) disable the admin log (where user edits are logged).