I cloned the official fossil repo, expecting to browse the forum locally, but it seems that even from the localhost web UI the "Forum" link takes me to https://fossil-scm.org/forum , and if i manually go to http://localhost:8080/forum it is empty. Are forum posts not actually part of the cloned repo? I understand that obviously "pushing" forum posts would require authentication, but is it possible to do? That would be incredibly cool.

The forum posts are all artifacts on the blockchain, just like anything else. You should have gotten everything when you cloned. I don't know why you didn't.

DRH has decided to house the forum for the Fossil project itself in a separate Fossil repo used only for that purpose. If you clone that one, you will get all the forum posts. Otherwise yes, everything generally works in the way that you suspect.

Makes sense. I managed to clone the url at /forum and i can see the messages on localhost now. I got a "not authorized to write" message when i tried to push a forum post so i'm guessing that you need higher privileges than when posting directly to via the web server, right? Anyway, this is really neat.

so i'm guessing that you need higher privileges than when posting directly to via the web server, right?

right. Just like if you clone the hosted fossil repo, you would not be able to commit any file changes, because your user account lacks check-in privileges.

I suggest going into admin, configuration and adding

My Clone, or whatever

after Fossil

Then each screen will remind you that it is a clone. It stands out better than the localhost, in my opinion.

could i allow people to post via fossil push without giving them the ability to commit files?

No.

Fossil views a repository as a "bag of artifacts". Some of those artifacts might be files, others might be forum posts, or wiki pages, or ticket changes, or check-in manifest, etc. In other words, the artifacts have various meanings. But when syncing, an artifact is just an artifact.

So if you allow someone to push to your repository, they can push any content they want. The idea is that you trust your collaborators.

Now, there is still an audit trail and we try to make all changes to the repository easily visible so that a malcontent will have difficulty slipping in a malicious change unnoticed. For auditing, each Fossil repository tracks the origin of every artifact - who originally pushed it, when it was pushed, what other files were pushed at the same time. If you belatedly discover that one of your collaborators was not as trustworthy as you thought, you should be able to track down all the files he pushed and if necessary shun them.

But hopefully, it will never come to that. We've never had to do anything like that on Fossil itself, nor on SQLite which is the project for which Fossil was created.

So people who can push can do just about anything. But we do not trust random passers-by on the internet quite as much, and so for the web interface there is a more detailed and nuanced permission structure.