Fossil: Check-in [883c2ea218]

Fossil SCM


Overview
Comment: Improved documentation for the "localauth" setting.
SHA3-256: 883c2ea218b590735895c77657929e2af8f3b749360c221f097b456c296d0dac
User & Date: drh 2018-12-03 02:44:31
Context
2018-12-04
23:00
The new blockquote tinting feature of the default skin now works in the forum post editor screen as well, not just in the forum post display screen. check-in: 19bb3b88fa user: wyoung tags: trunk
2018-12-03
12:08
Merge trunk check-in: e88c1ff4cc user: jan.nijtmans tags: openssl-1.1
02:44
Improved documentation for the "localauth" setting. check-in: 883c2ea218 user: drh tags: trunk
2018-12-01
13:00
Incorporate the official release of SQLite version 3.26.0 check-in: e0a6ff0adb user: drh tags: trunk
Changes

Changes to src/db.c.

  3200   3200   /*
  3201   3201   ** SETTING: keep-glob        width=40 versionable block-text
  3202   3202   ** The value is a comma or newline-separated list of GLOB
  3203   3203   ** patterns specifying files that the "clean" command will keep.
  3204   3204   */
  3205   3205   /*
  3206   3206   ** SETTING: localauth        boolean default=off
  3207         -** If enabled, require that HTTP connections from
  3208         -** 127.0.0.1 be authenticated by password.  If
  3209         -** false, all HTTP requests from localhost have
  3210         -** unrestricted access to the repository.
         3207  +** If enabled, require that HTTP connections from the loopback
         3208  +** address (127.0.0.1) be authenticated by password.  If false,
         3209  +** some HTTP requests might be granted full "Setup" user
         3210  +** privileges without having to present login credentials.
         3211  +** This mechanism allows the "fossil ui" command to provide
         3212  +** full access to the repository without requiring the user to
         3213  +** log in first.
         3214  +**
         3215  +** In order for full "Setup" privilege to be granted without a
         3216  +** login, the following conditions must be met:
         3217  +**
         3218  +**   (1)  This setting ("localauth") must be off
         3219  +**   (2)  The HTTP request arrive over the loopback TCP/IP
         3220  +**        address (127.0.01) or else via SSH.
         3221  +**   (3)  The request must be HTTP, not HTTPS. (This
         3222  +**        restriction is designed to help prevent accidentally
         3223  +**        providing "Setup" privileges to requests arriving
         3224  +**        over a reverse proxy.)
         3225  +**   (4)  The command that launched the fossil server must be
         3226  +**        one of the following:
         3227  +**        (a) "fossil ui"
         3228  +**        (b) "fossil server" with the --localauth option
         3229  +**        (c) "fossil http" with the --localauth option
         3230  +**        (d) CGI with the "localauth" setting in the cgi script.
         3231  +**
         3232  +** For maximum security, set "localauth" to 1.  However, because
         3233  +** of the other restrictions (2) through (4), it should be safe
         3234  +** to leave "localauth" set to 0 in most installations, and 
         3235  +** especially on cloned repositories on workstations. Leaving
         3236  +** "localauth" at 0 makes the "fossil ui" command more convenient
         3237  +** to use.
  3211   3238   */
  3212   3239   /*
  3213   3240   ** SETTING: main-branch      width=40 default=trunk
  3214   3241   ** The value is the primary branch for the project.
  3215   3242   */
  3216   3243   /*
  3217   3244   ** SETTING: manifest         width=5 versionable
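
Review bot: Condition (2) of the new localauth comment writes the loopback address as "127.0.01", which is not a valid address and disagrees with the "127.0.0.1" in the opening sentence; because this text is the help for a setting that decides when "Setup" privileges are granted without a login, it should read "127.0.0.1". The same line should say "The HTTP request must arrive" to match the phrasing of conditions (1), (3) and (4). The setting is declared "boolean default=off" and condition (1) says "off", but the closing paragraph switches to 'set "localauth" to 1' and 'set to 0'; using on/off throughout would avoid readers wondering whether those are different states. The opening sentence describes only loopback connections while condition (2) also admits requests arriving via SSH, so the summary should mention SSH as well or point to the list. The line ending "installations, and " also carries a trailing space.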