Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Found several more pages protected with "!g.perm.Setup && !g.perm.Admin" guards: changed them all to "!g.perm.Admin" only for the same reason as [558952c8]. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
42c3364f037fb0a0e617aad19fd1387c |
| User & Date: | wyoung 2018-11-28 18:42:53 |
Context
|
2018-11-28
| ||
| 18:48 | The /setup_modreq page was limited to Setup users, but since it controls what users with Moderator capability can do, made it available to Admin users as well. (check-in: 6242e24d user: wyoung tags: trunk) | |
| 18:42 | Found several more pages protected with "!g.perm.Setup && !g.perm.Admin" guards: changed them all to "!g.perm.Admin" only for the same reason as [558952c8]. (check-in: 42c3364f user: wyoung tags: trunk) | |
| 18:34 | The /secaudit0 page was checking for both Admin and Setup capabilities, which means it was only accessible to users with Setup users, since that is the only class that can have both capabilities. Since it's documented as being available to Admin users, changed the logic to allow access to Admin *OR* Setup users. (check-in: 558952c8 user: wyoung tags: trunk) | |
Changes
Changes to src/main.c.
2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 |
** case=6 Call webpage_assert()
** case=7 Call webpage_error()
*/
void test_warning_page(void){
int iCase = atoi(PD("case","0"));
int i;
login_check_credentials();
if( !g.perm.Setup && !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Warning Test Page");
style_submenu_element("Error Log","%R/errorlog");
if( iCase<1 || iCase>4 ){
@ <p>Generate a message to the <a href="%R/errorlog">error log</a>
|
| |
2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 |
** case=6 Call webpage_assert()
** case=7 Call webpage_error()
*/
void test_warning_page(void){
int iCase = atoi(PD("case","0"));
int i;
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Warning Test Page");
style_submenu_element("Error Log","%R/errorlog");
if( iCase<1 || iCase>4 ){
@ <p>Generate a message to the <a href="%R/errorlog">error log</a>
|
Changes to src/security_audit.c.
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ... 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 ... 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 |
const char *zAnonCap; /* Capabilities of user "anonymous" and "nobody" */ const char *zPubPages; /* GLOB pattern for public pages */ const char *zSelfCap; /* Capabilities of self-registered users */ char *z; int n; login_check_credentials(); if( !g.perm.Setup || !g.perm.Admin ){ login_needed(0); return; } style_header("Security Audit"); @ <ol> /* Step 1: Determine if the repository is public or private. "Public" ................................................................................ /* ** WEBPAGE: takeitprivate ** ** Disable anonymous access to this website */ void takeitprivate_page(void){ login_check_credentials(); if( !g.perm.Setup && !g.perm.Admin ){ login_needed(0); return; } if( P("cancel") ){ /* User pressed the cancel button. Go back */ cgi_redirect("secaudit0"); } ................................................................................ ** this page. */ void errorlog_page(void){ i64 szFile; FILE *in; char z[10000]; login_check_credentials(); if( !g.perm.Setup && !g.perm.Admin ){ login_needed(0); return; } style_header("Server Error Log"); style_submenu_element("Test", "%R/test-warning"); style_submenu_element("Refresh", "%R/errorlog"); if( g.zErrlog==0 || fossil_strcmp(g.zErrlog,"-")==0 ){ |
| | | |
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ... 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 ... 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 |
const char *zAnonCap; /* Capabilities of user "anonymous" and "nobody" */
const char *zPubPages; /* GLOB pattern for public pages */
const char *zSelfCap; /* Capabilities of self-registered users */
char *z;
int n;
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Security Audit");
@ <ol>
/* Step 1: Determine if the repository is public or private. "Public"
................................................................................
/*
** WEBPAGE: takeitprivate
**
** Disable anonymous access to this website
*/
void takeitprivate_page(void){
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
if( P("cancel") ){
/* User pressed the cancel button. Go back */
cgi_redirect("secaudit0");
}
................................................................................
** this page.
*/
void errorlog_page(void){
i64 szFile;
FILE *in;
char z[10000];
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Server Error Log");
style_submenu_element("Test", "%R/test-warning");
style_submenu_element("Refresh", "%R/errorlog");
if( g.zErrlog==0 || fossil_strcmp(g.zErrlog,"-")==0 ){
|
Changes to src/setup.c.
1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 .... 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 .... 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 |
void page_admin_log(){
Stmt stLog;
int limit; /* How many entries to show */
int ofst; /* Offset to the first entry */
int fLogEnabled;
int counter = 0;
login_check_credentials();
if( !g.perm.Setup && !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Admin Log");
create_admin_log_table();
limit = atoi(PD("n","200"));
ofst = atoi(PD("x","0"));
................................................................................
/*
** WEBPAGE: srchsetup
**
** Configure the search engine. Requires Admin privilege.
*/
void page_srchsetup(){
login_check_credentials();
if( !g.perm.Setup && !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Search Configuration");
@ <form action="%s(g.zTop)/srchsetup" method="post"><div>
login_insert_csrf_secret();
@ <div style="text-align:center;font-weight:bold;">
................................................................................
** Configure the URL aliases
*/
void page_waliassetup(){
Stmt q;
int cnt = 0;
Blob namelist;
login_check_credentials();
if( !g.perm.Setup && !g.perm.Admin ){
login_needed(0);
return;
}
style_header("URL Alias Configuration");
if( P("submit")!=0 ){
Blob token;
Blob sql;
|
| | | |
1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 .... 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 .... 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 |
void page_admin_log(){
Stmt stLog;
int limit; /* How many entries to show */
int ofst; /* Offset to the first entry */
int fLogEnabled;
int counter = 0;
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Admin Log");
create_admin_log_table();
limit = atoi(PD("n","200"));
ofst = atoi(PD("x","0"));
................................................................................
/*
** WEBPAGE: srchsetup
**
** Configure the search engine. Requires Admin privilege.
*/
void page_srchsetup(){
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
style_header("Search Configuration");
@ <form action="%s(g.zTop)/srchsetup" method="post"><div>
login_insert_csrf_secret();
@ <div style="text-align:center;font-weight:bold;">
................................................................................
** Configure the URL aliases
*/
void page_waliassetup(){
Stmt q;
int cnt = 0;
Blob namelist;
login_check_credentials();
if( !g.perm.Admin ){
login_needed(0);
return;
}
style_header("URL Alias Configuration");
if( P("submit")!=0 ){
Blob token;
Blob sql;
|