On Tue, Sep 30, 2014 at 2:32 PM, Andreas Kupries <andre...@activestate.com> wrote:
> On Tue, Sep 30, 2014 at 11:23 AM, Stephan Beal <sgb...@googlemail.com> > wrote: > > On Tue, Sep 30, 2014 at 8:14 PM, Gaurav M. Bhandarkar > > <gaurav.a...@gmail.com> wrote: > >> > >> I get following error while creating new ticket : > >> ERROR: SQL error: access to table "user" is restricted > >> error code 23: access to user.info is prohibited > >> > >> How can I resolve this? > > > > > > i can't answer that one, but i suspect that Joe M. will be able to. > > The restriction is coded in fossil as a special sqlite authorizer callback. > It also ensures that reports can only do SELECTS and not INSERT, UPDATE, > etc. > > I believe/speculate that access to the user table is restricted to > prevent accidental (or malicious) exposure of the password hashes for > the users. > ... > Of course, creating such a shadow then creates the need to somehow > track changes to the users table and copy them over into the shadow. > It seems to me that selecting by user name or using user name in reports is a very reasonable expectation. Can the authorizer mechanism allow access to safe fields? If not, maybe Fossil should store the safe and sensitive fields in separate tables.
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users