Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 6:44 AM, Ron Aaron r...@ronware.org wrote:

> I set up the reader user so that (I thought) it could access things needing read access.

What are the capability characters you have assigned to reader? The r and j capabilities are for reading tickets and wiki, respectively. For a user to see check-in content, they need o (check-out). There really is no (security) difference between doing a checkout and viewing the content in a web page, after all.

> When I put a link to ./doc/tip... something on my main repo page, I found that having hyperlinks permission was not enough, but check out permission was also required. Is this correct behavior? It seems odd to me. This is with the very latest trunk version of Fossil. Thanks!

--
D. Richard Hipp
d...@sqlite.org
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Odd permissions issue
As of now, a reader has the capabilities bcfhjkmnoprtw

I guess you are right about the security difference, but I would like to have a more fine-grained ability to allow access to (say) documents in a certain folder to readers, but no access to the source code (or whatever).

--
For confidential messages, please use my GnuPG key
http://ronware.org/gpg_key.html
Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 6:54 AM, Ron Aaron r...@ronware.org wrote:

> As of now, a reader has the capabilities bcfhjkmnoprtw
>
> I guess you are right about the security difference, but I would like to have a more fine-grained ability to allow access to (say) documents in a certain folder to readers, but no access to the source code (or whatever).

Under Admin/Access the Public Pages entry box allows you to specify a comma-separated list of GLOB patterns for files that will be visible to the public even if the source code access is turned off. This is used, for example, to make the SQLite Encryption Extension documentation files in the www/ directory visible (http://www.sqlite.org/see/doc/trunk/www/readme.wiki) without making the source code visible to non-licensees.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Odd permissions issue
Yes, thanks; I know about that, but that's too coarse-grained for my needs. In this case, I have a project I want to be *non-public* altogether, but I also don't want some people to have access to everything, and I can't put everything in the wiki. The current permission system works well, but not for this kind of scenario.

On 01/15/2014 02:58 PM, Richard Hipp wrote:

> Under Admin/Access the Public Pages entry box allows you to specify a comma-separated list of GLOB patterns for files that will be visible to the public even if the source code access is turned off. This is used, for example, to make the SQLite Encryption Extension documentation files in the www/ directory visible (http://www.sqlite.org/see/doc/trunk/www/readme.wiki) without making the source code visible to non-licensees.

--
For confidential messages, please use my GnuPG key
http://ronware.org/gpg_key.html
Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 6:44 AM, Ron Aaron r...@ronware.org wrote:

> I set up the reader user so that (I thought) it could access things needing read access. When I put a link to ./doc/tip... something on my main repo page, I found that having hyperlinks permission was not enough, but check out permission was also required. Is this correct behavior? It seems odd to me.

Check out permission is read permission for files. There are also read permission settings for (internal) wiki pages and for tickets; hyperlink permission is just whether the links are shown.

In theory, it would make sense for the wiki read permission to apply to embedded documents accessed via /doc/, but since they are otherwise files, they are currently covered by the check out permission.
Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 6:54 AM, Ron Aaron r...@ronware.org wrote:

> As of now, a reader has the capabilities bcfhjkmnoprtw
>
> I guess you are right about the security difference, but I would like to have a more fine-grained ability to allow access to (say) documents in a certain folder to readers, but no access to the source code (or whatever).

If you run Fossil as a CGI behind a web server, I think that the URL-based access rules will also work on the path information passed to CGI scripts.
Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 8:04 AM, Ron Aaron r...@ronware.org wrote:

> Yes, thanks; I know about that, but that's too coarse-grained for my needs. In this case, I have a project I want to be *non-public* altogether, but I also don't want some people to have access to everything, and I can't put everything in the wiki.

/doc/ is not just for wiki (or markdown) pages; you can put other types of files there as well. Also, the Public Pages GLOB can potentially specify individual files.

> On 01/15/2014 02:58 PM, Richard Hipp wrote:
>
> > Under Admin/Access the Public Pages entry box allows you to specify a comma-separated list of GLOB patterns for files that will be visible to the public even if the source code access is turned off.
Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 7:58 AM, Richard Hipp d...@sqlite.org wrote:

> Under Admin/Access the Public Pages entry box allows you to specify a comma-separated list of GLOB patterns for files that will be visible to the public even if the source code access is turned off. This is used, for example, to make the SQLite Encryption Extension documentation files in the www/ directory visible (http://www.sqlite.org/see/doc/trunk/www/readme.wiki) without making the source code visible to non-licensees.

Just for clarification, I noticed the description of the Public Pages settings only talks about anonymous and not-logged-in users. I assume this setting also applies in the case of a named, logged-in user who otherwise lacks check out permission.

(I also assume the repository owner should also remove clone permission from the defaults (at least in 1.27, nobody has g (clone) permission by default).)
Re: [fossil-users] Odd permissions issue
On Wed, Jan 15, 2014 at 11:36 AM, Ron Wilson ronw.m...@gmail.com wrote:

> On Wed, Jan 15, 2014 at 7:58 AM, Richard Hipp d...@sqlite.org wrote:
>
> > Under Admin/Access the Public Pages entry box allows you to specify a comma-separated list of GLOB patterns for files that will be visible to the public even if the source code access is turned off. This is used, for example, to make the SQLite Encryption Extension documentation files in the www/ directory visible (http://www.sqlite.org/see/doc/trunk/www/readme.wiki) without making the source code visible to non-licensees.
>
> Just for clarification, I noticed the description of the Public Pages settings only talks about anonymous and not-logged-in users. I assume this setting also applies in the case of a named, logged-in user who otherwise lacks check out permission.

The Public Page GLOB pattern means that any file that matches one of the patterns (and note that you can identify individual files as part of the list) can be accessed by anyone as if that person had the permissions specified in the Default privileges box a little further down the page. Anyone means anyone, logged in or otherwise.

--
D. Richard Hipp
d...@sqlite.org
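
Added example (not part of the thread and not Fossil's own code): a small Python model of the access rules described in the messages above, usable to audit which paths a Public Pages list opens to every visitor. It assumes patterns are matched against URL paths such as /doc/trunk/www/readme.wiki and uses Python's fnmatchcase as a stand-in for Fossil's GLOB; the function names, the pattern list, the Default privileges value "ho" and the paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

def parse_globs(setting):
    """Split a comma-separated Public Pages value into patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]

def is_public(url_path, globs):
    # Assumption: fnmatchcase stands in for Fossil's GLOB; "*" also spans "/".
    return any(fnmatchcase(url_path, g) for g in globs)

def effective_caps(user_caps, url_path, globs, default_caps):
    """The user's own capability letters, plus the Default privileges
    when the requested path matches a Public Pages pattern."""
    caps = set(user_caps)
    if is_public(url_path, globs):
        caps |= set(default_caps)
    return caps

def can_view_doc(user_caps, url_path, globs, default_caps):
    """Files served under /doc/ need "o" (check-out); "h" only shows links."""
    return "o" in effective_caps(user_caps, url_path, globs, default_caps)

def audit(globs, url_paths):
    """Paths readable by every visitor, logged in or not."""
    return sorted(p for p in url_paths if is_public(p, globs))

# Constructed sample configuration and paths (not taken from a real repository).
GLOBS = parse_globs("/doc/trunk/www/*, /doc/trunk/README.md")
DEFAULT_CAPS = "ho"
PATHS = [
    "/doc/trunk/www/readme.wiki",
    "/doc/trunk/www/internal/plan.md",
    "/doc/trunk/README.md",
    "/doc/trunk/src/main.c",
]

if __name__ == "__main__":
    for who, caps in [("not logged in", ""), ("reader without o", "hjr")]:
        for path in PATHS:
            print(f"{who:18} {path:34} {can_view_doc(caps, path, GLOBS, DEFAULT_CAPS)}")
    print("public to everyone:", audit(GLOBS, PATHS))
```

In this model a pattern ending in * also covers subdirectories, and a match grants the Default privileges to visitors with no capabilities at all, so the audit output is the list to review before relying on the setting.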