Fossil

Check-in [a2e1f9fb]
Login

Check-in [a2e1f9fb]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:More cases of incorrect permission checks.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: a2e1f9fb40a8b29cd1c91002be6e7c733ed3b2902c5aa608b63b6fc5767db4d8
User & Date: drh 2018-07-14 22:16:33
Context
2018-07-15
18:31
Improvements to error logging. Only log fossil_panic() calls, not fossil_fatal() calls. ... (check-in: 06d4751a user: drh tags: trunk)
2018-07-14
22:16
More cases of incorrect permission checks. ... (check-in: a2e1f9fb user: drh tags: trunk)
20:11
The -DFOSSIL_OMIT_DNS compile-time option avoids trying to link -lresolv. ... (check-in: 023ce4ed user: drh tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/moderate.c.

142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
** Show all pending moderation request
*/
void modreq_page(void){
  Blob sql;
  Stmt q;

  login_check_credentials();
  if( !g.perm.RdWiki && !g.perm.RdTkt ){
    login_needed(g.anon.RdWiki && g.anon.RdTkt);
    return;
  }
  style_header("Pending Moderation Requests");
  @ <h2>All Pending Moderation Requests</h2>
  if( moderation_table_exists() ){
    blob_init(&sql, timeline_query_for_www(), -1);
    blob_append_sql(&sql,







|
|







142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
** Show all pending moderation request
*/
void modreq_page(void){
  Blob sql;
  Stmt q;

  login_check_credentials();
  if( !g.perm.ModWiki && !g.perm.ModTkt ){
    login_needed(g.anon.ModWiki && g.anon.ModTkt);
    return;
  }
  style_header("Pending Moderation Requests");
  @ <h2>All Pending Moderation Requests</h2>
  if( moderation_table_exists() ){
    blob_init(&sql, timeline_query_for_www(), -1);
    blob_append_sql(&sql,

Changes to src/skins.c.

718
719
720
721
722
723
724
725
726
727



728
729
730
731
732
733
734
735
736
737

  /* Figure out which skin we are editing */
  iSkin = atoi(PD("sk","1"));
  if( iSkin<1 || iSkin>9 ) iSkin = 1;

  /* Check that the user is authorized to edit this skin. */
  if( !g.perm.Setup ){
    char *zAllowedEditors = db_get_mprintf("", "draft%d-users", iSkin);
    Glob *pAllowedEditors;
    int isMatch = 0;



    if( zAllowedEditors[0] ){
      pAllowedEditors = glob_create(zAllowedEditors);
      isMatch = glob_match(pAllowedEditors, zAllowedEditors);
      glob_free(pAllowedEditors);
    }
    if( isMatch==0 ){
      login_needed(0);
      return;
    }
  }







|


>
>
>


|







718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740

  /* Figure out which skin we are editing */
  iSkin = atoi(PD("sk","1"));
  if( iSkin<1 || iSkin>9 ) iSkin = 1;

  /* Check that the user is authorized to edit this skin. */
  if( !g.perm.Setup ){
    char *zAllowedEditors = "";
    Glob *pAllowedEditors;
    int isMatch = 0;
    if( login_is_individual() ){
      zAllowedEditors = db_get_mprintf("", "draft%d-users", iSkin);
    }
    if( zAllowedEditors[0] ){
      pAllowedEditors = glob_create(zAllowedEditors);
      isMatch = glob_match(pAllowedEditors, g.zLogin);
      glob_free(pAllowedEditors);
    }
    if( isMatch==0 ){
      login_needed(0);
      return;
    }
  }