Hi, It seems that anyone with checkin privileges can push anything to a fossil server, including artifacts that claim to come from other users. I understand why this is (I'm not complaining); I just want to know whether there's some command/page for listing recently received control artifacts whose user does not match the user pushing them, so they can be further inspected.
Best,
Eduard

--
Example:

$ fossil init -A administrator server.fossil
project-id: 72f4d8be530ccd96c6b31e92c82ea56aebfc02da
server-id:  2a5ea9e0a70478ed38f1b2b7025204a7593a798f
admin-user: administrator (initial password is "e4efba")
$ fossil user new user '' secret
use --repository or -R to specify the repository database
$ fossil user -R server.fossil new user '' secret
$ fossil user -R server.fossil cap user v
v
$ fossil serve server.fossil &
[1] 18317
$ Listening for HTTP requests on TCP port 8080
$ fossil clone http://user:secret@127.0.0.1:8080/ client.fossil
remember password (Y/n)? y
Round-trips: 2   Artifacts sent: 0  received: 3
Clone done, sent: 531  received: 1215  ip: 127.0.0.1
Rebuilding repository meta-data...
  100.0% complete...
Extra delta compression...
Vacuuming the database...
project-id: 72f4d8be530ccd96c6b31e92c82ea56aebfc02da
server-id:  ab8a46a5ddb7d7454c1a1cb23d82ea9f33adb634
admin-user: user (password is "6ec876")
$ mkdir test
$ cd test
$ fossil open ../client.fossil
project-name: <unnamed>
repository:   /home/.../test/../client.fossil
local-root:   /home/.../test/
config-db:    /home/.../.fossil
project-code: 72f4d8be530ccd96c6b31e92c82ea56aebfc02da
checkout:     632e45dd3e6d773b0766dbea32ff3a521c58c7f0 2015-11-03 05:02:44 UTC
tags:         trunk
comment:      initial empty check-in (user: administrator)
check-ins:    1
$ echo 'sudo rm -rf /' > run-me.sh
$ fossil add run-me.sh
ADDED  run-me.sh
$ fossil user new administrator
contact-info:
password:
$ fossil user default administrator
$ fossil commit
Autosync:  http://user@127.0.0.1:8080/
Round-trips: 1   Artifacts sent: 0  received: 0
Pull done, sent: 343  received: 311  ip: 127.0.0.1
nano "./ci-comment-5A5355BE2052.txt"
New_Version: b04c52709369dd6ae12a1ac4595c081c4cd51dbb
Autosync:  http://user@127.0.0.1:8080/
Round-trips: 1   Artifacts sent: 2  received: 0
Sync done, sent: 597  received: 366  ip: 127.0.0.1
$ cd ..
$ fossil timeline -R server.fossil
=== 2015-11-03 ===
05:10:21 [b04c527093] Trust me! Just run it. I am administrator after all. (user: administrator tags: trunk)
05:02:44 [632e45dd3e] initial empty check-in (user: administrator tags: trunk)
+++ no more data (2) +++
$
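
One way to run the check asked about above, as an added example that is not part of the original message or of Fossil itself: it compares the user named in each timeline event with the login recorded for the receipt that delivered the artifact. It assumes the repository's SQLite tables `user`, `rcvfrom`, `blob` and `event` with the columns shown (reduced here to the ones the query reads); the function names and the sample rows are constructed for illustration.

```python
import sqlite3

# Assumed, cut-down copies of the repository tables this check reads.
SCHEMA = """
CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT UNIQUE);
CREATE TABLE rcvfrom(rcvid INTEGER PRIMARY KEY, uid INT, mtime REAL, ipaddr TEXT);
CREATE TABLE blob(rid INTEGER PRIMARY KEY, rcvid INT, uuid TEXT UNIQUE);
CREATE TABLE event(type TEXT, mtime REAL, objid INTEGER PRIMARY KEY, user TEXT);
"""

# Artifacts whose claimed author differs from the login that delivered them.
MISMATCH_SQL = """
SELECT substr(blob.uuid, 1, 10), event.type, event.user, user.login, rcvfrom.ipaddr
  FROM event
  JOIN blob    ON blob.rid = event.objid
  JOIN rcvfrom ON rcvfrom.rcvid = blob.rcvid
  JOIN user    ON user.uid = rcvfrom.uid
 WHERE event.user <> user.login AND rcvfrom.mtime >= ?
 ORDER BY rcvfrom.mtime DESC
"""

def find_mismatches(db, since_julian=0.0):
    """Return (artifact, type, claimed_user, pushed_by, ip) rows."""
    return db.execute(MISMATCH_SQL, (since_julian,)).fetchall()

def build_sample():
    """Constructed rows mirroring the session above (Julian-day times approximate)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user VALUES(?,?)", [(1, "administrator"), (2, "user")])
    db.executemany("INSERT INTO rcvfrom VALUES(?,?,?,?)", [
        (1, 1, 2457329.7102, "127.0.0.1"),  # initial check-in, made by administrator
        (2, 2, 2457329.7155, "127.0.0.1"),  # sync authenticated as 'user'
    ])
    db.executemany("INSERT INTO blob VALUES(?,?,?)", [
        (1, 1, "632e45dd3e6d773b0766dbea32ff3a521c58c7f0"),
        (2, 2, "b04c52709369dd6ae12a1ac4595c081c4cd51dbb"),
    ])
    db.executemany("INSERT INTO event VALUES(?,?,?,?)", [
        ("ci", 2457329.7102, 1, "administrator"),
        ("ci", 2457329.7155, 2, "administrator"),  # claims administrator, pushed by user
    ])
    return db

if __name__ == "__main__":
    for row in find_mismatches(build_sample()):
        print("claimed=%s pushed_by=%s artifact=%s type=%s ip=%s"
              % (row[2], row[3], row[0], row[1], row[4]))
```

The same SELECT can be run in a SQLite shell opened on the server's repository file, since a `.fossil` repository is a SQLite database.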