Re: [fossil-users] impersonating users

2015-11-03 Thread Richard Hipp
On 11/3/15, Eduard  wrote:
> Hi,
>
> It seems that anyone with checkin privileges can push anything to a
> fossil server, including artifacts that claim to come from other users.
> I understand why this is (I'm not complaining); I just want to know
> whether there's some command/page for listing recently received control
> artifacts whose user does not match the user pushing them, so they can
> be further inspected.
>

The artifact receipt log (/rcvfromlist) shows *all* artifacts that
have been received.  But it does not filter by artifact type or user -
it shows everything.

The list-of-artifacts pages (/bloblist) show all artifacts and
describe each one.  But they also omit the user and where it was
received.

Perhaps you could use those two pages as a guide to devise a new page
that shows what you want, then send in patches?
-- 
D. Richard Hipp
d...@sqlite.org
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users


Re: [fossil-users] impersonating users

2015-11-03 Thread Eduard
On 11/03/2015 06:38 AM, Richard Hipp wrote:
> On 11/3/15, Eduard  wrote:
> 
> The artifact receipt log (/rcvfromlist) shows *all* artifacts that
> have been received.  But it does not filter by artifact type or user -
> it shows everything.
> 
> The list-of-artifacts pages (/bloblist) show all artifacts and
> describe each one.  But they also omit the user and where it was
> received.
That's actually amusing.

> Perhaps you could use those two pages as a guide to devise a new page
> that shows what you want, then send in patches?
I would love to! I doubt I'll have the time over the next month though.
I should probably fill out and send a contributor agreement just in case
I do, though.

Best,
Eduard






Re: [fossil-users] impersonating users

2015-11-02 Thread jungle Boogie
On 2 November 2015 at 22:02, Andy Bradford  wrote:
> 1) Browse to your server  (e.g. http://localhost:8080/ in your example),
> login and click on a checkin. You will see something like:
>
> Received From: tester @ 127.0.0.1 on 2015-11-03 05:56:22


Follow-up question that I hope you don't mind:

http://www.fossil-scm.org/index.html/info/653b6b92404c53f3
Do I not see the received from because I am not logged into the repo?

-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si


Re: [fossil-users] impersonating users

2015-11-02 Thread Andy Bradford
Thus said jungle Boogie on Mon, 02 Nov 2015 22:17:50 -0800:

> http://www.fossil-scm.org/index.html/info/653b6b92404c53f3
> Do I not see the received from because I am not logged into the repo?

Correct.

Also, I  might add, that even  if you do  have a login, only  having the
right privileges will enable access  to that information. For example, a
``Developer'' does not  have access to that. Only a  user with the Admin
privilege can view it.

Andy
-- 
TAI64 timestamp: 400056385535




Re: [fossil-users] impersonating users

2015-11-02 Thread Andy Bradford
Thus said Eduard on Tue, 03 Nov 2015 00:20:08 -0500:

> I understand  why this is (I'm  not complaining); I just  want to know
> whether  there's  some  command/page  for  listing  recently  received
> control artifacts whose user does not  match the user pushing them, so
> they can be further inspected.

The  owner of  the  Fossil repository  (as well  as  user accounts  with
sufficient  privileges) can  inspect  how the  artifacts were  received.
There are a couple ways:

1) Browse to your server  (e.g. http://localhost:8080/ in your example),
login and click on a checkin. You will see something like:

Received From: tester @ 127.0.0.1 on 2015-11-03 05:56:22

The ``tester''  in that Received corresponds  to an actual user  in your
Fossil server's user database, not  the user information recorded in the
manifest of the checkin.

2) Under Admin->Artifact Receipts Log (
http://localhost:8080/rcvfromlist ) there is a list

Andy
-- 
TAI64 timestamp: 400056384e02
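
An added example, not part of the thread or of Fossil's own code: one way to list artifacts whose recorded user differs from the account that pushed them, by joining the receipt log to the artifact list as suggested above. It assumes the repository's `event`, `blob`, `rcvfrom` and `user` tables and the column names shown, and runs against a constructed in-memory miniature rather than a real repository.

```python
import sqlite3

# Assumed from Fossil's repository schema (verify against your version):
# event.user = user named in the artifact, blob.rcvid -> rcvfrom.rcvid,
# rcvfrom.uid -> user.uid = account that delivered the artifact.
MISMATCH_SQL = """
SELECT event.type, blob.uuid, event.user AS claimed, user.login AS pushed_by,
       rcvfrom.ipaddr, datetime(rcvfrom.mtime) AS received
  FROM event
  JOIN blob    ON blob.rid = event.objid
  JOIN rcvfrom ON rcvfrom.rcvid = blob.rcvid
  JOIN user    ON user.uid = rcvfrom.uid
 WHERE event.user IS NOT user.login
 ORDER BY rcvfrom.mtime DESC
"""

def find_mismatches(db):
    """Return rows whose claimed author differs from the receiving login."""
    return db.execute(MISMATCH_SQL).fetchall()

def build_sample_repo():
    """Constructed miniature of the four tables; all rows are made-up data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT);
      CREATE TABLE rcvfrom(rcvid INTEGER PRIMARY KEY, uid INT, mtime REAL, ipaddr TEXT);
      CREATE TABLE blob(rid INTEGER PRIMARY KEY, rcvid INT, uuid TEXT);
      CREATE TABLE event(type TEXT, mtime REAL, objid INT, user TEXT);
      INSERT INTO user VALUES (1,'tester'), (2,'alice');
      INSERT INTO rcvfrom VALUES
        (1, 1, julianday('2015-11-03 05:56:22'), '127.0.0.1'),
        (2, 2, julianday('2015-11-03 06:10:00'), '127.0.0.1');
      INSERT INTO blob VALUES (1,1,'constructed-uuid-1'),
        (2,2,'constructed-uuid-2'), (3,1,'constructed-uuid-3');
      -- check-in 1 names alice but arrived in tester's push: the case to flag
      INSERT INTO event VALUES ('ci', julianday('2015-11-03 05:50:00'), 1, 'alice'),
        ('ci', julianday('2015-11-03 06:05:00'), 2, 'alice'),
        ('ci', julianday('2015-11-03 05:55:00'), 3, 'tester');
    """)
    return db

if __name__ == "__main__":
    for row in find_mismatches(build_sample_repo()):
        print(row)
```

A mismatch is a lead for inspection rather than proof of impersonation, since a user who relays other people's check-ins from another clone produces the same pattern. To try the query on real data, open a copy of the repository file with `sqlite3.connect()` in place of `build_sample_repo()`.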

