Re: [fossil-users] impersonating users
On 11/3/15, Eduardwrote: > Hi, > > It seems that anyone with checkin privileges can push anything to a > fossil server, including artifacts that claim to come from other users. > I understand why this is (I'm not complaining); I just want to know > whether there's some command/page for listing recently received control > artifacts whose user does not match the user pushing them, so they can > be further inspected. > The artifact receipt log (/rcvfromlist) shows *all* artifacts that have been received. But it does not filter by artifact type or user - it shows everything. The list-of-artifacts pages (/bloblist) show all artifacts and describes each one. But it also omits the user and where it was received. Perhaps you could use those two pages as a guide to devise a new page that shows what you want, then send in patches? -- D. Richard Hipp d...@sqlite.org ___ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] impersonating users
On 11/03/2015 06:38 AM, Richard Hipp wrote: > On 11/3/15, Eduardwrote: > > The artifact receipt log (/rcvfromlist) shows *all* artifacts that > have been received. But it does not filter by artifact type or user - > it shows everything. > > The list-of-artifacts pages (/bloblist) show all artifacts and > describes each one. But it also omits the user and where it was > received. That's actually amusing. > Perhaps you could use those two pages as a guide to devise a new page > that shows what you want, then send in patches? I would love to! I doubt I'll have the time over the next month though. I should probably fill out and send a contributor agreement just in case I do, though. Best, Eduard signature.asc Description: OpenPGP digital signature ___ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] impersonating users
On 2 November 2015 at 22:02, Andy Bradfordwrote: > 1) Browse to your server (e.g. http://localhost:8080/ in your example), > login and click on a checkin. You will see something like: > > Received From: tester @ 127.0.0.1 on 2015-11-03 05:56:22 Follow up question that I hope you don't mind http://www.fossil-scm.org/index.html/info/653b6b92404c53f3 Do I not see the received from because I am not logged into the repo? -- --- inum: 883510009027723 sip: jungleboo...@sip2sip.info xmpp: jungle-boo...@jit.si ___ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] impersonating users
Thus said jungle Boogie on Mon, 02 Nov 2015 22:17:50 -0800: > http://www.fossil-scm.org/index.html/info/653b6b92404c53f3 > Do I not see the received from because I am not logged into the repo? Correct. Also, I might add, that even if you do have a login, only having the right privileges will enable access to that information. For example, a ``Developer'' does not have access to that. Only a user with the Admin privilege can view it. Andy -- TAI64 timestamp: 400056385535 ___ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] impersonating users
Thus said Eduard on Tue, 03 Nov 2015 00:20:08 -0500: > I understand why this is (I'm not complaining); I just want to know > whether there's some command/page for listing recently received > control artifacts whose user does not match the user pushing them, so > they can be further inspected. The owner of the Fossil repository (as well as user accounts with sufficient privileges) can inspect how the artifacts were received. There are a couple ways: 1) Browse to your server (e.g. http://localhost:8080/ in your example), login and click on a checkin. You will see something like: Received From: tester @ 127.0.0.1 on 2015-11-03 05:56:22 The ``tester'' in that Received corresponds to an actual user in your Fossil server's user database, not the user information recorded in the manifest of the checkin. 2) Under Admin->Artifact Receipts Log ( http://localhost:8080/rcvfromlist ) there is a list Andy -- TAI64 timestamp: 400056384e02 ___ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users