Differences From:
File src/setup.c part of check-in [1f1d96529c] - Users unconditionally inherit capabilities of "anonymous". New capability "v" means to inherit capabilities of user "developer". Login is prohibited if the password is empty. by drh on 2008-08-03 16:47:43. [view]
To:
File src/setup.c part of check-in [fa6e993017] - New Zip permission. This permission allows someone to download a zipped artifact via the wiki's /zip URL. It can be given to the user nobody to allow automatic package builders to download the sources they know from fossil-scm.org or other servers without any intervening login necessary. As the /zip page does not expose anything, a spider should have a hard time crawling through the project using this URL. So IMO it does not open a break-in hole for spiders.
by cle on 2008-08-12 03:27:54. [view]
@@ -155,8 +155,9 @@ @ <li value="19"><b>Setup:</b> Setup and configure this website</li> @ <li value="20"><b>Tkt-Report:</b> Create new bug summary reports</li> @ <li value="22"><b>Developer:</b> Inherit privileges of user "developer"</li> @ <li value="23"><b>Write-Tkt</b>: Edit tickets</li> + @ <li value="26"><b>Zip</b>: Download zipped artifacts</li> @ </ol> @ </p></li> @ @ <li><p> @@ -192,9 +193,9 @@ void user_edit(void){ const char *zId, *zLogin, *zInfo, *zCap, *zPw; char *oaa, *oas, *oar, *oaw, *oan, *oai, *oaj, *oao, *oap; char *oak, *oad, *oac, *oaf, *oam, *oah, *oag, *oae; - char *oat, *oav; + char *oat, *oav, *oaz; int doWrite; int uid; int higherUser = 0; /* True if user being edited is SETUP and the */ /* user doing the editing is ADMIN. Disallow editing */ @@ -246,8 +247,9 @@ int ah = P("ah")!=0; int ag = P("ag")!=0; int at = P("at")!=0; int av = P("av")!=0; + int az = P("az")!=0; if( aa ){ zCap[i++] = 'a'; } if( ac ){ zCap[i++] = 'c'; } if( ad ){ zCap[i++] = 'd'; } if( ae ){ zCap[i++] = 'e'; } @@ -265,8 +267,9 @@ if( as ){ zCap[i++] = 's'; } if( at ){ zCap[i++] = 't'; } if( av ){ zCap[i++] = 'v'; } if( aw ){ zCap[i++] = 'w'; } + if( az ){ zCap[i++] = 'z'; } zCap[i] = 0; zPw = P("pw"); if( !isValidPwString(zPw) ){ @@ -299,9 +302,9 @@ zInfo = ""; zCap = ""; zPw = ""; oaa = oac = oad = oae = oaf = oag = oah = oai = oaj = oak = oam = - oan = oao = oap = oar = oas = oat = oav = oaw = ""; + oan = oao = oap = oar = oas = oat = oav = oaw = oaz = ""; if( uid ){ zLogin = db_text("", "SELECT login FROM user WHERE uid=%d", uid); zInfo = db_text("", "SELECT info FROM user WHERE uid=%d", uid); zCap = db_text("", "SELECT cap FROM user WHERE uid=%d", uid); @@ -324,8 +327,9 @@ if( strchr(zCap, 's') ) oas = " checked"; if( strchr(zCap, 't') ) oat = " checked"; if( strchr(zCap, 'v') ) oav = " checked"; if( strchr(zCap, 'w') ) oaw = " checked"; + if( strchr(zCap, 'z') ) oaz = " checked"; } /* Begin generating the page */ 
@@ -376,9 +380,10 @@ @ <input type="checkbox" name="ar"%s(oar)>Read Tkt</input><br> @ <input type="checkbox" name="an"%s(oan)>New Tkt</input><br> @ <input type="checkbox" name="ac"%s(oac)>Append Tkt</input><br> @ <input type="checkbox" name="aw"%s(oaw)>Write Tkt</input><br> - @ <input type="checkbox" name="at"%s(oat)>Tkt Report</input> + @ <input type="checkbox" name="at"%s(oat)>Tkt Report</input><br> + @ <input type="checkbox" name="az"%s(oaz)>Download Zip</input> @ </td> @ </tr> @ <tr> @ <td align="right">Password:</td> @@ -429,8 +434,17 @@ @ The <b>History</b> privilege allows a user to see most hyperlinks. @ This is recommended ON for most logged-in users but OFF for @ user "nobody" to avoid problems with spiders trying to walk every @ historical version of every baseline and file. + @ </p></li> + @ + @ <li><p> + @ The <b>Zip</b> privilege allows a user to see the download as zip hyperlink + @ as well as permit access to the <tt>/zip</tt> page. It can be allowed for + @ user "nobody" to grant him access to download artifacts he know from the + @ server without giving him other rights like <b>Read</b> or <b>History</b>. + @ So automatic package dowloaders could be able to obtain the sources without + @ going thru the login procedure. @ </p></li> @ @ <li><p> @ The <b>Developer</b> privilege causes all privileges of the user
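Review bot: In the hunk at @@ -155,8 +155,9 @@, the new list item puts the colon outside the bold tag (`<b>Zip</b>:`), which matches the Write-Tkt entry but not the Setup, Tkt-Report and Developer entries above it (`<b>Setup:</b>`). Suggest `<b>Zip:</b>` so the capability list renders consistently.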
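Review bot: In the hunk at @@ -265,8 +267,9 @@, `if( az ){ zCap[i++] = 'z'; }` adds one more byte that can be written through `zCap[i++]`, and neither the declaration nor the size of that buffer appears in the visible lines. Please confirm it holds every capability letter, including the new one, plus the terminator written by `zCap[i] = 0;`. Sizing it from the number of capability letters would keep the next added capability from overrunning it.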
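Review bot: In the hunk at @@ -429,8 +434,17 @@, the added help text suggests granting Zip to "nobody" without spelling out what that exposes. By its own wording the privilege permits access to `/zip` without Read or History, so anyone who already knows an artifact can download its content with no login. Suggest saying so explicitly, so an administrator treats Zip as a read grant for known artifacts rather than a harmless convenience. The capability check on the `/zip` page is not part of this file's diff and should be reviewed together with this change. The added lines also contain "dowloaders", "he know" and "thru", which should be corrected before the text ships in the setup page.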