Fossil: Check-in [fa6e993017]

Overview

SHA1 Hash: fa6e9930177e84ce089b30ad768c454a012364f7

Date: 2008-08-12 03:27:54

User: cle

Comment: New Zip permission. This permission allow someone to download a zipped artifact via the wiki's /zip URL. It can given the user nobody to allow automatic package builder to download the sources they know from fossil-scm.org or other servers without any intervening login necessary.
As the /zip page do not expose anything, a spider should have a hard time to crawl thru the project using this URL. So IMO it does not open a break-in hole for spiders.

Timelines: ancestors | descendants | both | trunk

Other Links: files | ZIP archive | manifest

SHA1 Hash:	fa6e9930177e84ce089b30ad768c454a012364f7
Date:	2008-08-12 03:27:54
User:	cle
Comment:	New Zip permission. This permission allow someone to download a zipped artifact via the wiki's `/zip` URL. It can given the user `nobody` to allow automatic package builder to download the sources they know from `fossil-scm.org` or other servers without any intervening login necessary. As the `/zip` page do not expose anything, a spider should have a hard time to crawl thru the project using this URL. So IMO it does not open a break-in hole for spiders.
Timelines:	ancestors \| descendants \| both \| trunk
Other Links:	files \| ZIP archive \| manifest

Tags And Properties

branch=trunk inherited from [a28c83647d]
sym-trunk inherited from [a28c83647d]

Changes

[hide diffs]

Modified src/login.c from [0807191c83] to [bef38b39f7].

@@ -328,10 +328,11 @@
                               g.okApndWiki = g.okHistory = g.okClone =
                               g.okNewTkt = g.okPassword = g.okRdAddr =
                               g.okTktFmt = 1;
       case 'i':   g.okRead = g.okWrite = 1;                     break;
       case 'o':   g.okRead = 1;                                 break;
+      case 'z':   g.okZip = 1;                                  break;
 
       case 'd':   g.okDelete = 1;                               break;
       case 'h':   g.okHistory = 1;                              break;
       case 'g':   g.okClone = 1;                                break;
       case 'p':   g.okPassword = 1;                             break;

Modified src/main.c from [7cc029d992] to [e3e3bcd32f].

@@ -117,10 +117,11 @@
   int okNewTkt;           /* n: create new tickets */
   int okApndTkt;          /* c: append to tickets via the web */
   int okWrTkt;            /* w: make changes to tickets via web */
   int okTktFmt;           /* t: create new ticket report formats */
   int okRdAddr;           /* e: read email addresses or other private data */
+  int okZip;              /* z: download zipped artifact via /zip URL */
 
   FILE *fDebug;           /* Write debug information here, if the file exists */
 
   /* Storage for the aux() and/or option() SQL function arguments */
   int nAux;                    /* Number of distinct aux() or option() values */

Modified src/setup.c from [1c7a1834ca] to [8cee80c836].

@@ -154,10 +154,11 @@
   @ <li value="18"><b>Read-Tkt</b>: View tickets</li>
   @ <li value="19"><b>Setup:</b> Setup and configure this website</li>
   @ <li value="20"><b>Tkt-Report:</b> Create new bug summary reports</li>
   @ <li value="22"><b>Developer:</b> Inherit privileges of user "developer"</li>
   @ <li value="23"><b>Write-Tkt</b>: Edit tickets</li>
+  @ <li value="26"><b>Zip</b>: Download zipped artifacts</li>
   @ </ol>
   @ </p></li>
   @
   @ <li><p>
   @ Every user, logged in or not, inherits the privileges of <b>nobody</b>.
@@ -191,11 +192,11 @@
 */
 void user_edit(void){
   const char *zId, *zLogin, *zInfo, *zCap, *zPw;
   char *oaa, *oas, *oar, *oaw, *oan, *oai, *oaj, *oao, *oap;
   char *oak, *oad, *oac, *oaf, *oam, *oah, *oag, *oae;
-  char *oat, *oav;
+  char *oat, *oav, *oaz;
   int doWrite;
   int uid;
   int higherUser = 0;  /* True if user being edited is SETUP and the */
                        /* user doing the editing is ADMIN.  Disallow editing */
 
@@ -245,10 +246,11 @@
     int am = P("am")!=0;
     int ah = P("ah")!=0;
     int ag = P("ag")!=0;
     int at = P("at")!=0;
     int av = P("av")!=0;
+    int az = P("az")!=0;
     if( aa ){ zCap[i++] = 'a'; }
     if( ac ){ zCap[i++] = 'c'; }
     if( ad ){ zCap[i++] = 'd'; }
     if( ae ){ zCap[i++] = 'e'; }
     if( af ){ zCap[i++] = 'f'; }
@@ -264,10 +266,11 @@
     if( ar ){ zCap[i++] = 'r'; }
     if( as ){ zCap[i++] = 's'; }
     if( at ){ zCap[i++] = 't'; }
     if( av ){ zCap[i++] = 'v'; }
     if( aw ){ zCap[i++] = 'w'; }
+    if( az ){ zCap[i++] = 'z'; }
 
     zCap[i] = 0;
     zPw = P("pw");
     if( !isValidPwString(zPw) ){
       zPw = db_text(0, "SELECT pw FROM user WHERE uid=%d", uid);
@@ -298,11 +301,11 @@
   zLogin = "";
   zInfo = "";
   zCap = "";
   zPw = "";
   oaa = oac = oad = oae = oaf = oag = oah = oai = oaj = oak = oam =
-        oan = oao = oap = oar = oas = oat = oav = oaw = "";
+        oan = oao = oap = oar = oas = oat = oav = oaw = oaz = "";
   if( uid ){
     zLogin = db_text("", "SELECT login FROM user WHERE uid=%d", uid);
     zInfo = db_text("", "SELECT info FROM user WHERE uid=%d", uid);
     zCap = db_text("", "SELECT cap FROM user WHERE uid=%d", uid);
     zPw = db_text("", "SELECT pw FROM user WHERE uid=%d", uid);
@@ -323,10 +326,11 @@
     if( strchr(zCap, 'r') ) oar = " checked";
     if( strchr(zCap, 's') ) oas = " checked";
     if( strchr(zCap, 't') ) oat = " checked";
     if( strchr(zCap, 'v') ) oav = " checked";
     if( strchr(zCap, 'w') ) oaw = " checked";
+    if( strchr(zCap, 'z') ) oaz = " checked";
   }
 
   /* Begin generating the page
   */
   style_submenu_element("Cancel", "Cancel", "setup_ulist");
@@ -375,11 +379,12 @@
   @     <input type="checkbox" name="ak"%s(oak)>Write Wiki</input><br>
   @     <input type="checkbox" name="ar"%s(oar)>Read Tkt</input><br>
   @     <input type="checkbox" name="an"%s(oan)>New Tkt</input><br>
   @     <input type="checkbox" name="ac"%s(oac)>Append Tkt</input><br>
   @     <input type="checkbox" name="aw"%s(oaw)>Write Tkt</input><br>
-  @     <input type="checkbox" name="at"%s(oat)>Tkt Report</input>
+  @     <input type="checkbox" name="at"%s(oat)>Tkt Report</input><br>
+  @     <input type="checkbox" name="az"%s(oaz)>Download Zip</input>
   @   </td>
   @ </tr>
   @ <tr>
   @   <td align="right">Password:</td>
   if( strcmp(zLogin, "anonymous")==0 ){
@@ -428,10 +433,19 @@
   @ <li><p>
   @ The <b>History</b> privilege allows a user to see most hyperlinks.
   @ This is recommended ON for most logged-in users but OFF for
   @ user "nobody" to avoid problems with spiders trying to walk every
   @ historical version of every baseline and file.
+  @ </p></li>
+  @
+  @ <li><p>
+  @ The <b>Zip</b> privilege allows a user to see the download as zip hyperlink
+  @ as well as permit access to the <tt>/zip</tt> page. It can be allowed for
+  @ user "nobody" to grant him access to download artifacts he know from the
+  @ server without giving him other rights like <b>Read</b> or <b>History</b>.
+  @ So automatic package dowloaders could be able to obtain the sources without
+  @ going thru the login procedure.
   @ </p></li>
   @
   @ <li><p>
   @ The <b>Developer</b> privilege causes all privileges of the user
   @ named "developer" to be inherited by this user.

Modified src/zip.c from [8367a41493] to [3fb9ffbe5f].

@@ -356,11 +356,11 @@
   char *zName;
   int nName;
   Blob zip;
 
   login_check_credentials();
-  if( !g.okRead || !g.okHistory ){ login_needed(); return; }
+  if( !g.okZip && (!g.okRead || !g.okHistory) ){ login_needed(); return; }
   zName = mprintf("%s", PD("name",""));
   nName = strlen(zName);
   for(nName=strlen(zName)-1; nName>5; nName--){
     if( zName[nName]=='.' ){
       zName[nName] = 0;