/*
** SETTING: auto-captcha    boolean default=on variable=autocaptcha
** If enabled, the /login page provides a button that will automatically
** fill in the captcha password.  This makes things easier for human users,
** at the expense of also making logins easier for malicious robots.
*/
/*
** SETTING: auto-hyperlink  width=16 default=1
**
** If non-zero, enable hyperlinks on web pages even for users that lack

** the "h" privilege as long as the UserAgent string in the HTTP request
** (The HTTP_USER_AGENT cgi variable) looks like it comes from a human and
** not a robot.  Details depend on the value of the setting.
**
**   (0)  Off:  No adjustments are made to the 'h' privilege based on
**        the user agent.
**
**   (1)  UserAgent and Javascript:  The the href= values of hyperlinks
**        initially point to /honeypot and are changed to point to the
**        correct target by javascript that runs after the page loads.
**        The auto-hyperlink-delay and auto-hyperlink-mouseover settings
**        influence that javascript.
**
**   (2)  UserAgent only:  If the HTTP_USER_AGENT looks human
**        then generate hyperlinks, otherwise do not.
**
** Better robot exclusion is obtained when this setting is 1 versus 2.
** However, a value of 1 causes the visited/unvisited colors of hyperlinks
** to stop working on Safari-derived web browsers.  When this setting is 2,
** the hyperlinks work better on Safari, but more robots are able to sneak
** in.
*/
/* SETTING: auto-hyperlink-delay     width=16 default=0
**
** When the auto-hyperlink setting is 1, the javascript that runs to set
** the href= attributes of hyperlinks delays by this many milliseconds
** after the page load.  Suggested values:  50 to 200.
*/
/* Setting: auto-hyperlink-mouseover  boolean default=off
**
** When the auto-hyperlink setting is 1 and this setting is on, the 
** javascript that runs to set the href= attributes of hyperlinks waits
** until either a mousedown or mousemove event is seen.  This helps
** to distinguish real users from robots. For maximum robot defense,
** the recommended setting is ON.
*/
/*
** SETTING: auto-shun       boolean default=on
** If enabled, automatically pull the shunning list
** from a server to which the client autosyncs.
*/
/*

  ** who do not have the "h" permission as long as their UserAgent string
  ** makes it appear that they are human.  Check to see if auto-hyperlink is
  ** enabled for this repository and make appropriate adjustments to the
  ** permission flags if it is.  This should be done before the permissions
  ** are (potentially) copied to the anonymous permission set; otherwise,
  ** those will be out-of-sync.
  */

  if( zCap[0] && !g.perm.Hyperlink && g.isHuman ){

    int autoLink = db_get_int("auto-hyperlink",1);
    if( autoLink==1 ){
      g.jsHref = 1;
      g.perm.Hyperlink = 1;
    }else if( autoLink==2 ){
      g.perm.Hyperlink = 1;
    }
  }

  /*
  ** At this point, the capabilities for the logged in user are not going
  ** to be modified anymore; therefore, we can copy them over to the ones
  ** for the anonymous user.
  **

  int fTimeFormat;        /* 1 for UTC.  2 for localtime.  0 not yet selected */
  int *aCommitFile;       /* Array of files to be committed */
  int markPrivate;        /* All new artifacts are private if true */
  char *ckinLockFail;     /* Check-in lock failure received from server */
  int clockSkewSeen;      /* True if clocks on client and server out of sync */
  int wikiFlags;          /* Wiki conversion flags applied to %W */
  char isHTTP;            /* True if server/CGI modes, else assume CLI. */
  char jsHref;            /* If true, set href= using javascript, not HTML */
  Blob httpHeader;        /* Complete text of the HTTP request header */
  UrlData url;            /* Information about current URL */
  const char *zLogin;     /* Login name.  NULL or "" if not logged in. */
  const char *zCkoutAlias;   /* doc/ uses this branch as an alias for "ckout" */
  const char *zMainMenuFile; /* --mainmenu FILE from server/ui/cgi */
  const char *zSSLIdentity;  /* Value of --ssl-identity option, filename of
                             ** SSL client identity */

    @ robots walking a nearly endless progression of pages on public-facing
    @ repositories, causing excessive server load and possible DoS.
    @ Suggested remediation:
    @ <ol type="a">
    @ <li>Remove the 'h' privilege from the
    @     <a href="%R/setup_uedit?id=%d(nobodyId)">'nobody' user</a> so that
    @     robots cannot see hyperlinks.
    @ <li>Activate <a href="%R/setup_robot">autohyperlink</a> so that
    @     human readers can still see hyperlinks even if they are not logged in.
    @     Set the delay to at least 50 milliseconds and require a mouse
    @     event for maximum robot defense.
    if( anonId>0 ){
      @ <li>Perhaps set the 'h' privilege on the
      @     <a href="%R/setup_uedit?id=%d(anonId)">'anonymous' user</a> so
      @     that humans that have javascript disabled in their browsers can
      @     still see hyperlinks if they will log in as "anonymous".
    }

      "Control access settings.");
    setup_menu_entry("Configuration", "setup_config",
      "Configure the WWW components of the repository");
  }
  setup_menu_entry("Security-Audit", "secaudit0",
    "Analyze the current configuration for security problems");
  if( setup_user ){
    setup_menu_entry("Robot-Defense", "setup_robot",
      "Settings for configure defense against robots");
    setup_menu_entry("Settings", "setup_settings",
      "Web interface to the \"fossil settings\" command");
  }
  setup_menu_entry("Timeline", "setup_timeline",
    "Timeline display preferences");
  if( setup_user ){
    setup_menu_entry("Login-Group", "setup_login_group",

  for(i=0; i<nChoice*2; i+=2){
    const char *zSel = fossil_strcmp(azChoice[i],z)==0 ? " selected" : "";
    @ <option value="%h(azChoice[i])"%s(zSel)>%h(azChoice[i+1])</option>
  }
  @ </select> <b>%h(zLabel)</b>
}

/*
** Insert code into the current page that allows the user to configure
** auto-hyperlink related robot defense settings.
*/
static void addAutoHyperlinkSettings(void){
  static const char *const azDefenseOpts[] = {
    "0", "Off",
    "2", "UserAgent only",
    "1", "UserAgent and Javascript",
  };
  multiple_choice_attribute(
     "Enable hyperlinks base on User-Agent and/or Javascript",
     "auto-hyperlink", "autohyperlink", "1",
     count(azDefenseOpts)/2, azDefenseOpts);
  @ <p>Enable hyperlinks (the equivalent of the "h" permission) for all users,
  @ including user "nobody", as long as the User-Agent string in the
  @ HTTP header indicates that the request is coming from an actual human
  @ being.  If this setting is "UserAgent only" (2) then the
  @ UserAgent string is the only factor considered.  If the value of this
  @ setting is "UserAgent And Javascript" (1) then Javascript is added that
  @ runs after the page loads and fills in the href= values of &lt;a&gt;
  @ elements.  In either case, &lt;a&gt; tags are only generated if the
  @ UserAgent string indicates that the request is coming from a human and
  @ not a robot.
  @
  @ <p>This setting is designed to give easy access to humans while
  @ keeping out robots.
  @ You do not normally want a robot to walk your entire repository because
  @ if it does, your server will end up computing diffs and annotations for
  @ every historical version of every file and creating ZIPs and tarballs of
  @ every historical check-in, which can use a lot of CPU and bandwidth
  @ even for relatively small projects.</p>
  @
  @ <p>The "UserAgent and Javascript" value for this setting provides
  @ superior protection from robots.  However, that setting also prevents
  @ the visited/unvisited colors on hyperlinks from displaying correctly
  @ on Safara-derived browsers.  (Chrome and Firefox work fine.)  Since
  @ Safari is the underlying rendering engine on all iPhones and iPads,
  @ this means that hyperlink visited/unvisited colors will not operate
  @ on those platforms when "UserAgent and Javascript" is selected.</p>
  @
  @ <p>Additional parameters that control the behavior of Javascript:</p>
  @ <blockquote>
  entry_attribute("Delay in milliseconds before enabling hyperlinks", 5,
                  "auto-hyperlink-delay", "ah-delay", "50", 0);
  @ <br />
  onoff_attribute("Also require a mouse event before enabling hyperlinks",
                  "auto-hyperlink-mouseover", "ahmo", 0, 0);
  @ </blockquote>
  @ <p>For maximum robot defense, "Delay" should be at least 50 milliseconds
  @ and "require a mouse event" should be turned on.  These values only come
  @ into play when the main auto-hyperlink settings is 2 ("UserAgent and
  @ Javascript").</p>
  @
  @ <p>To see if Javascript-base hyperlink enabling mechanism is working,
  @ visit the <a href="%R/test_env">/test_env</a> page (from a separate
  @ web browser that is not logged in, even as "anonymous") and verify
  @ that the "g.jsHref" value is "1".</p>
  @ <p>(Properties: "auto-hyperlink", "auto-hyperlink-delay", and
  @ "auto-hyperlink-mouseover"")</p>
}

/*
** WEBPAGE: setup_robot
**
** Settings associated with defense against robots.  Requires setup privilege.
*/
void setup_robots(void){
  login_check_credentials();
  if( !g.perm.Setup ){
    login_needed(0);
    return;
  }
  style_set_current_feature("setup");
  style_header("Robot Defense Settings");
  db_begin_transaction();
  @ <p>A Fossil website can have billions of pages in its tree, even for a
  @ modest project.  Many of those pages (examples: diffs and tarballs)
  @ might be expensive to compute. A robot that tries to walk the entire
  @ website can present a crippling CPU and bandwidth load.
  @
  @ <p>The settings on this page are intended to help site administrators
  @ defend the site against robots.
  @
  @ <form action="%R/setup_robot" method="post"><div>
  login_insert_csrf_secret();
  @ <input type="submit"  name="submit" value="Apply Changes" /></p>
  @ <hr />
  addAutoHyperlinkSettings();
  @ <hr />
  @ <p><input type="submit"  name="submit" value="Apply Changes" /></p>
  @ </div></form>
  db_end_transaction(0);
  style_finish_page();
}

/*
** WEBPAGE: setup_access
**
** The access-control settings page.  Requires Setup privileges.
*/
void setup_access(void){

  @ computer is too large.  Set the threshold for disallowing expensive
  @ computations here.  Set this to 0.0 to disable the load average limit.
  @ This limit is only enforced on Unix servers.  On Linux systems,
  @ access to the /proc virtual filesystem is required, which means this limit
  @ might not work inside a chroot() jail.
  @ (Property: "max-loadavg")</p>

  /* Add the auto-hyperlink settings controls.  These same controls
  ** are also accessible from the /setup_robot page.
  */

  @ <hr />











































  addAutoHyperlinkSettings();

  @ <hr />
  onoff_attribute("Require a CAPTCHA if not logged in",
                  "require-captcha", "reqcapt", 1, 0);
  @ <p>Require a CAPTCHA for edit operations (appending, creating, or
  @ editing wiki or tickets or adding attachments to wiki or tickets)
  @ for users who are not logged in. (Property: "require-captcha")</p>

  login_check_credentials();
  if( P("popup")!=0 ){
    /* The "popup" query parameter
    ** then disable anti-robot defenses */
    isPopup = 1;
    g.perm.Hyperlink = 1;
    g.jsHref = 0;
  }
  srchFlags = search_restrict(SRCH_ALL);
  if( !isPopup ){
    style_header("Site Map");
    style_adunit_config(ADUNIT_RIGHT_OK);
  }
    

  login_check_credentials();
  style_set_current_feature("sitemap");
  if( P("popup")!=0 && cgi_csrf_safe(0) ){
    /* If this is a POST from the same origin with the popup=1 parameter,
    ** then disable anti-robot defenses */
    isPopup = 1;
    g.perm.Hyperlink = 1;
    g.jsHref = 0;
  }
  if( !isPopup ){
    style_header("Test Page Map");
    style_adunit_config(ADUNIT_RIGHT_OK);
  }
  @ <ul id="sitemap" class="columns" style="column-width:20em">
  if( g.perm.Admin || db_get_boolean("test_env_enable",0) ){

  login_check_credentials();
  style_set_current_feature("sitemap");
  if( P("popup")!=0 && cgi_csrf_safe(0) ){
    /* If this is a POST from the same origin with the popup=1 parameter,
    ** then disable anti-robot defenses */
    isPopup = 1;
    g.perm.Hyperlink = 1;
    g.jsHref = 0;
  }
  if( !isPopup ){
    style_header("Timeline Examples");
    style_adunit_config(ADUNIT_RIGHT_OK);
  }
  @ <ul id="sitemap" class="columns" style="column-width:20em">
  @ <li>%z(href("%R/timeline?ymd"))Current day</a></li>

/*
** Generate and return a anchor tag like this:
**
**        <a href="URL">
**  or    <a id="ID">
**
** The form of the anchor tag is determined by the g.jsHref
** and g.perm.Hyperlink variables.
**
**   g.perm.Hyperlink  g.jsHref        Returned anchor format
**   ----------------  --------        ------------------------
**          0             0              (empty string)
**          0             1              (empty string)
**          1             0              <a href="URL">
**          1             1              <a data-href="URL">
**
** No anchor tag is generated if g.perm.Hyperlink is false.
** The href="URL" form is used if g.jsHref is false.
** If g.jsHref is true then the data-href="URL" and
** href="/honeypot" is generated and javascript is added to the footer
** to cause data-href values to be inserted into href
** after the page has loaded. The use of the data-href="URL" form
** instead of href="URL" is a defense against bots.
**
** If the user lacks the Hyperlink (h) property and the "auto-hyperlink"
** setting is true, then g.perm.Hyperlink is changed from 0 to 1 and
** g.jsHref is set to 1 by login_check_credentials().  Thus
** the g.perm.Hyperlink property will be true even if the user does not
** have the "h" privilege if the "auto-hyperlink" setting is true.
**
**  User has "h"  auto-hyperlink      g.perm.Hyperlink  g.jsHref
**  ------------  --------------      ----------------  ---------------------
**        0             0                    0                    0
**        1             0                    1                    0
**        0             1                    1                    1
**        1             1                    1                    0
**
** So, in other words, tracing input configuration to final actions we have:

char *xhref(const char *zExtra, const char *zFormat, ...){
  char *zUrl;
  va_list ap;
  if( !g.perm.Hyperlink ) return fossil_strdup("");
  va_start(ap, zFormat);
  zUrl = vmprintf(zFormat, ap);
  va_end(ap);
  if( !g.jsHref ){
    char *zHUrl;
    if( zExtra ){
      zHUrl = mprintf("<a %s href=\"%h\">", zExtra, zUrl);
    }else{
      zHUrl = mprintf("<a href=\"%h\">", zUrl);
    }
    fossil_free(zUrl);

char *chref(const char *zExtra, const char *zFormat, ...){
  char *zUrl;
  va_list ap;
  if( !g.perm.Hyperlink ) return fossil_strdup("");
  va_start(ap, zFormat);
  zUrl = vmprintf(zFormat, ap);
  va_end(ap);
  if( !g.jsHref ){
    char *zHUrl = mprintf("<a class=\"%s\" href=\"%h\">", zExtra, zUrl);
    fossil_free(zUrl);
    return zHUrl;
  }
  needHrefJs = 1;
  return mprintf("<a class='%s' data-href='%z' href='%R/honeypot'>",
                 zExtra, zUrl);
}
char *href(const char *zFormat, ...){
  char *zUrl;
  va_list ap;
  if( !g.perm.Hyperlink ) return fossil_strdup("");
  va_start(ap, zFormat);
  zUrl = vmprintf(zFormat, ap);
  va_end(ap);
  if( !g.jsHref ){
    char *zHUrl = mprintf("<a href=\"%h\">", zUrl);
    fossil_free(zUrl);
    return zHUrl;
  }
  needHrefJs = 1;
  return mprintf("<a data-href='%s' href='%R/honeypot'>",
                  zUrl);
}

/*
** Generate <form method="post" action=ARG>.  The ARG value is determined
** by the arguments.
**
** As a defense against robots, the action=ARG might instead by data-action=ARG
** and javascript (href.js) added to the page so that the data-action= is
** changed into action= after the page loads.  Whether or not this happens
** depends on if the user has the "h" privilege and whether or not the
** auto-hyperlink setting is on.  These setings determine the values of
** variables g.perm.Hyperlink and g.jsHref.
**
**    User has "h"  auto-hyperlink      g.perm.Hyperlink  g.jsHref
**    ------------  --------------      ----------------  --------
**  1:      0             0                    0             0
**  2:      1             0                    1             0
**  3:      0             1                    1             1
**  4:      1             1                    1             0
**
** The data-action=ARG form is used for cases 1 and 3.  In case 1, the href.js
** javascript is omitted and so the form is effectively disabled.
*/
void form_begin(const char *zOtherArgs, const char *zAction, ...){
  char *zLink;
  va_list ap;

    @ g.zBaseURL = %h(g.zBaseURL)<br />
    @ g.zHttpsURL = %h(g.zHttpsURL)<br />
    @ g.zTop = %h(g.zTop)<br />
    @ g.zPath = %h(g.zPath)<br />
    @ g.userUid = %d(g.userUid)<br />
    @ g.zLogin = %h(g.zLogin)<br />
    @ g.isHuman = %d(g.isHuman)<br />
    @ g.jsHref = %d(g.jsHref)<br />
    if( g.nRequest ){
      @ g.nRequest = %d(g.nRequest)<br />
    }
    if( g.nPendingRequest>1 ){
      @ g.nPendingRequest = %d(g.nPendingRequest)<br />
    }
    @ capabilities = %s(find_capabilities(zCap))<br />