Hello,
As I was trying to set up an environment that used REMOTE_USER, I noticed
that cloning failed. So I turned on --httptrace and found this output:
# cgi: REMOTE_USER = [guest]
# login: [guest] with capabilities [v]
Which looks alright (according to the documentation a user with 'v'
inherits anonymous and nobody privileges), but it's not happening in
this case. This is what happens when REMOTE_USER is used as the method
for authenticating... At the top of xfer.c:page_xfer():
g.zLogin = "anonymous";
login_set_anon_nobody_capabilities();
login_check_credentials();
Which is great, but then later on, it does:
if( blob_eq(&xfer.aToken[0], "clone") ){
  int iVers;
  login_check_credentials();
Now, this second call to login_check_credentials will wipe
out the previously set anonymous/nobody capabilities because
login_check_credentials does:
/* Set the capabilities */
login_replace_capabilities(zCap, 0);
login_set_anon_nobody_capabilities();
login_replace_capabilities wipes out any existing permissions, and
calling login_set_anon_nobody_capabilities has a condition that it can
only be called once. So all we're left with when a user has the 'v'
capability are the 'dei' permissions being set, and no others.
I believe the fix is the following patch (should it be committed to
pending-review?)
Thoughts?
Index: src/login.c
==================================================================
--- src/login.c
+++ src/login.c
@@ -1016,26 +1016,38 @@
case 't': g.perm.TktFmt = 1; break;
case 'b': g.perm.Attach = 1; break;
case 'x': g.perm.Private = 1; break;
/* The "u" privileges is a little different. It recursively
- ** inherits all privileges of the user named "reader" */
+ ** inherits all privileges of the user named "reader"
+ ** and also those of the users named "anonymous" and "nobody"
+ */
case 'u': {
if( (flags & LOGIN_IGNORE_UV)==0 ){
const char *zUser;
zUser = db_text("", "SELECT cap FROM user WHERE login='reader'");
+ login_set_capabilities(zUser, flags | LOGIN_IGNORE_UV);
+ zUser = db_text("", "SELECT cap FROM user WHERE login='anonymous'");
+ login_set_capabilities(zUser, flags | LOGIN_IGNORE_UV);
+ zUser = db_text("", "SELECT cap FROM user WHERE login='nobody'");
login_set_capabilities(zUser, flags | LOGIN_IGNORE_UV);
}
break;
}
/* The "v" privileges is a little different. It recursively
- ** inherits all privileges of the user named "developer" */
+ ** inherits all privileges of the user named "developer"
+ ** and also those of the users named "anonymous" and "nobody"
+ */
case 'v': {
if( (flags & LOGIN_IGNORE_UV)==0 ){
const char *zDev;
zDev = db_text("", "SELECT cap FROM user WHERE login='developer'");
+ login_set_capabilities(zDev, flags | LOGIN_IGNORE_UV);
+ zDev = db_text("", "SELECT cap FROM user WHERE login='anonymous'");
+ login_set_capabilities(zDev, flags | LOGIN_IGNORE_UV);
+ zDev = db_text("", "SELECT cap FROM user WHERE login='nobody'");
login_set_capabilities(zDev, flags | LOGIN_IGNORE_UV);
}
break;
}
}
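Review bot: this hunk changes what 'u' and 'v' mean for every caller of login_set_capabilities(), but it does not address the root cause described above, so a REMOTE_USER whose capability string carries neither 'u' nor 'v' still loses the anonymous and nobody privileges when page_xfer()'s clone branch calls login_check_credentials() a second time: that call still runs login_replace_capabilities(zCap, 0) followed by a login_set_anon_nobody_capabilities() that is a no-op after its first invocation. Consider either making login_set_anon_nobody_capabilities() safe to call again after a replace, or removing the redundant second login_check_credentials() in page_xfer(). Within the hunk, the three query/expand pairs are duplicated verbatim between the 'u' and 'v' cases (only the reader/developer login differs), and the recursion into 'anonymous' and 'nobody' relies on LOGIN_IGNORE_UV to avoid a cycle; a small helper that expands a named login's capabilities would keep both cases in sync and make that guard explicit. Reusing zUser/zDev for the anonymous and nobody results also reads oddly; a neutral name such as zCap would be clearer, and the pre-existing "privileges is" in both comments could become "privilege is" while the comments are being touched.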
Thanks,
Andy
--
TAI64 timestamp: 400000005200abc4
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
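The capability-loss mechanism Andy describes (a replace-then-merge sequence in which the merge step is guarded to run only once) is easier to see in a small model. The following C program is an added illustration, not Fossil's own code: the function names mirror the ones quoted in the post, but the Login struct, the user table, the CAP_IGNORE_UV flag and the letter-to-bit mapping are all constructed for this example. It runs the same credential check twice, once with the once-only guard and once without, and also shows that the IGNORE_UV flag stops a nested 'u' inside "developer" from being expanded.

```c
/* Added model of the capability-expansion logic described in the post.
 * Constructed illustration, not Fossil's source: names mirror the post,
 * but the user table, bit mapping and Login struct are made up here. */
#include <stdio.h>
#include <string.h>

/* Constructed permission bits; the letters are chosen for this model only. */
enum { PERM_READ = 1 /*'o'*/, PERM_CHECKIN = 2 /*'i'*/, PERM_TKT = 4 /*'t'*/,
       PERM_ATTACH = 8 /*'b'*/, PERM_WIKI = 16 /*'k'*/ };

/* Modelled on LOGIN_IGNORE_UV: once set, 'u'/'v' are not expanded again,
 * which is what keeps reader/developer expansion from recursing forever. */
#define CAP_IGNORE_UV 1

typedef struct {
  unsigned perm;        /* accumulated permission bits */
  int anonNobodyDone;   /* models the once-only guard described in the post */
} Login;

/* Constructed user table (login -> capability string). "developer" carries a
 * 'u' on purpose, to show that the IGNORE_UV guard drops nested 'u'/'v'. */
static const struct { const char *zLogin; const char *zCap; } aUser[] = {
  { "nobody", "o" }, { "anonymous", "t" }, { "reader", "k" },
  { "developer", "ibu" }, { "guest", "v" },
};

static const char *cap_for(const char *zLogin){
  size_t i;
  for(i=0; i<sizeof(aUser)/sizeof(aUser[0]); i++){
    if( strcmp(aUser[i].zLogin, zLogin)==0 ) return aUser[i].zCap;
  }
  return "";   /* unknown login: no capabilities at all */
}

/* OR capability letters into g->perm; never clears anything. */
static void set_capabilities(Login *g, const char *zCap, int flags){
  for(; *zCap; zCap++){
    switch( *zCap ){
      case 'o': g->perm |= PERM_READ;    break;
      case 'i': g->perm |= PERM_CHECKIN; break;
      case 't': g->perm |= PERM_TKT;     break;
      case 'b': g->perm |= PERM_ATTACH;  break;
      case 'k': g->perm |= PERM_WIKI;    break;
      case 'u':
        if( (flags & CAP_IGNORE_UV)==0 ){
          set_capabilities(g, cap_for("reader"), flags | CAP_IGNORE_UV);
        }
        break;
      case 'v':
        if( (flags & CAP_IGNORE_UV)==0 ){
          set_capabilities(g, cap_for("developer"), flags | CAP_IGNORE_UV);
        }
        break;
      default: break;   /* letters this model does not know are ignored */
    }
  }
}

/* Models login_replace_capabilities(): wipe everything, then expand afresh. */
static void replace_capabilities(Login *g, const char *zCap, int flags){
  g->perm = 0;
  set_capabilities(g, zCap, flags);
}

/* Models login_set_anon_nobody_capabilities(). With onceOnly set, every call
 * after the first is a silent no-op, even when a replace_capabilities() in
 * between has already thrown the earlier result away. */
static void set_anon_nobody_capabilities(Login *g, int onceOnly){
  if( onceOnly && g->anonNobodyDone ) return;
  g->anonNobodyDone = 1;
  set_capabilities(g, cap_for("anonymous"), 0);
  set_capabilities(g, cap_for("nobody"), 0);
}

/* Models login_check_credentials() for a REMOTE_USER login. */
static void check_credentials(Login *g, const char *zLogin, int onceOnly){
  replace_capabilities(g, cap_for(zLogin), 0);
  set_anon_nobody_capabilities(g, onceOnly);
}

/* Run nChecks credential checks back to back and report the resulting bits. */
unsigned perm_after_checks(const char *zLogin, int nChecks, int onceOnly){
  Login g;
  int i;
  memset(&g, 0, sizeof(g));
  for(i=0; i<nChecks; i++) check_credentials(&g, zLogin, onceOnly);
  return g.perm;
}

int main(void){
  printf("one check, once-only guard : 0x%02x\n", perm_after_checks("guest", 1, 1));
  printf("two checks, once-only guard: 0x%02x (anon/nobody bits lost)\n",
         perm_after_checks("guest", 2, 1));
  printf("two checks, idempotent     : 0x%02x\n", perm_after_checks("guest", 2, 0));
  return 0;
}
```

The model makes the design point concrete: a merge step that is guarded to run once is only safe if nothing downstream can discard its result, and a replace-then-merge sequence that may be repeated needs the merge to be idempotent (or the replace to preserve the merged bits). Folding anonymous/nobody into 'u'/'v' expansion, as the patch does, only helps logins that actually carry one of those two letters.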