/* ** Implementation of /json/timeline/wiki. ** */ cson_value * json_timeline_wiki(){ /* This code is 95% the same as json_timeline_ci(), by the way. */ cson_value * payV = NULL; cson_object * pay = NULL; cson_array * list = NULL; int check = 0; Stmt q = empty_Stmt; Blob sql = empty_blob; if( !g.perm.RdWiki && !g.perm.Read ){ json_set_err( FSL_JSON_E_DENIED, "Wiki timeline requires 'o' or 'j' access."); return NULL; } payV = cson_value_new_object(); pay = cson_value_get_object(payV); check = json_timeline_setup_sql( "w", &sql, pay ); if(check){ json_set_err(check, "Query initialization failed."); goto error; } #if 0 /* only for testing! */ cson_object_set(pay, "timelineSql", cson_value_new_string(blob_buffer(&sql),strlen(blob_buffer(&sql)))); #endif db_multi_exec("%s", blob_buffer(&sql) /*safe-for-%s*/); blob_reset(&sql); db_prepare(&q, "SELECT" " uuid AS uuid," " mtime AS timestamp," #if 0 " timestampString AS timestampString," #endif " comment AS comment, " " user AS user," " eventType AS eventType" #if 0 /* can wiki pages have tags? */ " tags AS tags," /*FIXME: split this into a JSON array*/ " tagId AS tagId," #endif " FROM json_timeline" " ORDER BY rowid"); list = cson_new_array(); json_stmt_to_array_of_obj(&q, list); cson_object_set(pay, "timeline", cson_array_value(list)); goto ok; error: assert( 0 != g.json.resultCode ); cson_value_free(payV); payV = NULL; ok: db_finalize(&q); blob_reset(&sql); return payV; }
/* ** Implementation of the /json/anonymousPassword page. */ cson_value * json_page_anon_password(){ cson_value * v = cson_value_new_object(); cson_object * o = cson_value_get_object(v); unsigned const int seed = captcha_seed(); char const * zCaptcha = captcha_decode(seed); cson_object_set(o, "seed", cson_value_new_integer( (cson_int_t)seed ) ); cson_object_set(o, "password", cson_value_new_string( zCaptcha, strlen(zCaptcha) ) ); return v; }
/* ** If any files are associated with the given rid, a JSON array ** containing information about them is returned (and is owned by the ** caller). If no files are associated with it then NULL is returned. ** ** flags may optionally be a bitmask of json_get_changed_files flags, ** or 0 for defaults. */ cson_value * json_get_changed_files(int rid, int flags){ cson_value * rowsV = NULL; cson_array * rows = NULL; Stmt q = empty_Stmt; db_prepare(&q, "SELECT (pid==0) AS isnew," " (fid==0) AS isdel," " (SELECT name FROM filename WHERE fnid=mlink.fnid) AS name," " blob.uuid as uuid," " (SELECT uuid FROM blob WHERE rid=pid) as parent," " blob.size as size" " FROM mlink, blob" " WHERE mid=%d AND pid!=fid" " AND blob.rid=fid AND NOT mlink.isaux" " ORDER BY name /*sort*/", rid ); while( (SQLITE_ROW == db_step(&q)) ){ cson_value * rowV = cson_value_new_object(); cson_object * row = cson_value_get_object(rowV); int const isNew = db_column_int(&q,0); int const isDel = db_column_int(&q,1); char * zDownload = NULL; if(!rowsV){ rowsV = cson_value_new_array(); rows = cson_value_get_array(rowsV); } cson_array_append( rows, rowV ); cson_object_set(row, "name", json_new_string(db_column_text(&q,2))); cson_object_set(row, "uuid", json_new_string(db_column_text(&q,3))); if(!isNew && (flags & json_get_changed_files_ELIDE_PARENT)){ cson_object_set(row, "parent", json_new_string(db_column_text(&q,4))); } cson_object_set(row, "size", json_new_int(db_column_int(&q,5))); cson_object_set(row, "state", json_new_string(json_artifact_status_to_string(isNew,isDel))); zDownload = mprintf("/raw/%s?name=%s", /* reminder: g.zBaseURL is of course not set for CLI mode. */ db_column_text(&q,2), db_column_text(&q,3)); cson_object_set(row, "downloadPath", json_new_string(zDownload)); free(zDownload); } db_finalize(&q); return rowsV; }
/* ** Implements the /json/whoami page/command. */ cson_value * json_page_whoami(){ cson_value * payload = NULL; cson_object * obj = NULL; Stmt q; if(!g.json.authToken){ /* assume we just logged out. */ db_prepare(&q, "SELECT login, cap FROM user WHERE login='******'"); } else{ db_prepare(&q, "SELECT login, cap FROM user WHERE uid=%d", g.userUid); } if( db_step(&q)==SQLITE_ROW ){ /* reminder: we don't use g.zLogin because it's 0 for the guest user and the HTML UI appears to currently allow the name to be changed (but doing so would break other code). */ char const * str; payload = cson_value_new_object(); obj = cson_value_get_object(payload); str = (char const *)sqlite3_column_text(q.pStmt,0); if( str ){ cson_object_set( obj, "name", cson_value_new_string(str,strlen(str)) ); } str = (char const *)sqlite3_column_text(q.pStmt,1); if( str ){ cson_object_set( obj, "capabilities", cson_value_new_string(str,strlen(str)) ); } if( g.json.authToken ){ cson_object_set( obj, "authToken", g.json.authToken ); } }else{ g.json.resultCode = FSL_JSON_E_RESOURCE_NOT_FOUND; } db_finalize(&q); return payload; }
/* ** Implementation of the /json/login page. ** */ cson_value * json_page_login(){ char preciseErrors = /* if true, "complete" JSON error codes are used, else they are "dumbed down" to a generic login error code. */ #if 1 g.json.errorDetailParanoia ? 0 : 1 #else 0 #endif ; /* FIXME: we want to check the GET/POST args in this order: - GET: name, n, password, p - POST: name, password but a bug in cgi_parameter() is breaking that, causing PD() to return the last element of the PATH_INFO instead. Summary: If we check for P("name") first, then P("n"), then ONLY a GET param of "name" will match ("n" is not recognized). If we reverse the order of the checks then both forms work. Strangely enough, the "p"/"password" check is not affected by this. */ char const * name = cson_value_get_cstr(json_req_payload_get("name")); char const * pw = NULL; char const * anonSeed = NULL; cson_value * payload = NULL; int uid = 0; /* reminder to self: Fossil internally (for the sake of /wiki) interprets paths in the form /foo/bar/baz such that P("name") == "bar/baz". This collides with our name/password checking, and thus we do some rather elaborate name=... checking. */ pw = cson_value_get_cstr(json_req_payload_get("password")); if( !pw ){ pw = PD("p",NULL); if( !pw ){ pw = PD("password",NULL); } } if(!pw){ g.json.resultCode = preciseErrors ? FSL_JSON_E_LOGIN_FAILED_NOPW : FSL_JSON_E_LOGIN_FAILED; return NULL; } if( !name ){ name = PD("n",NULL); if( !name ){ name = PD("name",NULL); if( !name ){ g.json.resultCode = preciseErrors ? FSL_JSON_E_LOGIN_FAILED_NONAME : FSL_JSON_E_LOGIN_FAILED; return NULL; } } } if(0 == strcmp("anonymous",name)){ /* check captcha/seed values... */ enum { SeedBufLen = 100 /* in some JSON tests i once actually got an 80-digit number. */ }; static char seedBuffer[SeedBufLen]; cson_value const * jseed = json_getenv(FossilJsonKeys.anonymousSeed); seedBuffer[0] = 0; if( !jseed ){ jseed = json_req_payload_get(FossilJsonKeys.anonymousSeed); if( !jseed ){ jseed = json_getenv("cs") /* name used by HTML interface */; } } if(jseed){ if( cson_value_is_number(jseed) ){ sprintf(seedBuffer, "%"CSON_INT_T_PFMT, cson_value_get_integer(jseed)); anonSeed = seedBuffer; }else if( cson_value_is_string(jseed) ){ anonSeed = cson_string_cstr(cson_value_get_string(jseed)); } } if(!anonSeed){ g.json.resultCode = preciseErrors ? FSL_JSON_E_LOGIN_FAILED_NOSEED : FSL_JSON_E_LOGIN_FAILED; return NULL; } } #if 0 { /* only for debugging the PD()-incorrect-result problem */ cson_object * o = NULL; uid = login_search_uid( name, pw ); payload = cson_value_new_object(); o = cson_value_get_object(payload); cson_object_set( o, "n", cson_value_new_string(name,strlen(name))); cson_object_set( o, "p", cson_value_new_string(pw,strlen(pw))); return payload; } #endif uid = anonSeed ? login_is_valid_anonymous(name, pw, anonSeed) : login_search_uid(name, pw) ; if( !uid ){ g.json.resultCode = preciseErrors ? FSL_JSON_E_LOGIN_FAILED_NOTFOUND : FSL_JSON_E_LOGIN_FAILED; return NULL; }else{ char * cookie = NULL; cson_object * po; char * cap = NULL; if(anonSeed){ login_set_anon_cookie(NULL, &cookie); }else{ login_set_user_cookie(name, uid, &cookie); } payload = cson_value_new_object(); po = cson_value_get_object(payload); cson_object_set(po, "authToken", json_new_string(cookie)); free(cookie); cson_object_set(po, "name", json_new_string(name)); cap = db_text(NULL, "SELECT cap FROM user WHERE login=%Q", name); cson_object_set(po, "capabilities", cap ? json_new_string(cap) : cson_value_null() ); free(cap); cson_object_set(po, "loginCookieName", json_new_string( login_cookie_name() ) ); /* TODO: add loginExpiryTime to the payload. To do this properly we "should" add an ([unsigned] int *) to login_set_user_cookie() and login_set_anon_cookie(), to which the expiry time is assigned. (Remember that JSON doesn't do unsigned int.) For non-anonymous users we could also simply query the user.cexpire db field after calling login_set_user_cookie(), but for anonymous we need to get the time when the cookie is set because anon does not get a db entry like normal users do. Anonymous cookies currently have a hard-coded lifetime in login_set_anon_cookie() (currently 6 hours), which we "should arguably" change to use the time configured for non-anonymous users (see login_set_user_cookie() for details). */ return payload; } }
/* ** Generates an artifact Object for the given rid, ** which must refer to a Checkin. ** ** Returned value is NULL or an Object owned by the caller. */ cson_value * json_artifact_for_ci( int rid, char showFiles ){ cson_value * v = NULL; Stmt q = empty_Stmt; static cson_value * eventTypeLabel = NULL; if(!eventTypeLabel){ eventTypeLabel = json_new_string("checkin"); json_gc_add("$EVENT_TYPE_LABEL(commit)", eventTypeLabel); } db_prepare(&q, "SELECT b.uuid, " " cast(strftime('%%s',e.mtime) as int), " " strftime('%%s',e.omtime)," " e.user, " " e.comment" " FROM blob b, event e" " WHERE b.rid=%d" " AND e.objid=%d", rid, rid ); if( db_step(&q)==SQLITE_ROW ){ cson_object * o; cson_value * tmpV = NULL; const char *zUuid = db_column_text(&q, 0); const char *zUser; const char *zComment; char * zEUser, * zEComment; int mtime, omtime; v = cson_value_new_object(); o = cson_value_get_object(v); #define SET(K,V) cson_object_set(o,(K), (V)) SET("type", eventTypeLabel ); SET("uuid",json_new_string(zUuid)); SET("isLeaf", cson_value_new_bool(is_a_leaf(rid))); mtime = db_column_int(&q,1); SET("timestamp",json_new_int(mtime)); omtime = db_column_int(&q,2); if(omtime && (omtime!=mtime)){ SET("originTime",json_new_int(omtime)); } zUser = db_column_text(&q,3); zEUser = db_text(0, "SELECT value FROM tagxref WHERE tagid=%d AND rid=%d", TAG_USER, rid); if(zEUser){ SET("user", json_new_string(zEUser)); if(0!=strcmp(zEUser,zUser)){ SET("originUser",json_new_string(zUser)); } free(zEUser); }else{ SET("user",json_new_string(zUser)); } zComment = db_column_text(&q,4); zEComment = db_text(0, "SELECT value FROM tagxref WHERE tagid=%d AND rid=%d", TAG_COMMENT, rid); if(zEComment){ SET("comment",json_new_string(zEComment)); if(0 != strcmp(zEComment,zComment)){ SET("originComment", json_new_string(zComment)); } free(zEComment); }else{ SET("comment",json_new_string(zComment)); } tmpV = json_parent_uuids_for_ci(rid); if(tmpV){ SET("parents", tmpV); } tmpV = json_tags_for_checkin_rid(rid,0); if(tmpV){ SET("tags",tmpV); } if( showFiles ){ tmpV = json_get_changed_files(rid, 1); if(tmpV){ SET("files",tmpV); } } #undef SET } db_finalize(&q); return v; }
/* ** Implementation of /json/timeline/ticket. ** */ static cson_value * json_timeline_ticket(){ /* This code is 95% the same as json_timeline_ci(), by the way. */ cson_value * payV = NULL; cson_object * pay = NULL; cson_value * tmp = NULL; cson_value * listV = NULL; cson_array * list = NULL; int check = 0; Stmt q = empty_Stmt; Blob sql = empty_blob; if( !g.perm.RdTkt && !g.perm.Read ){ json_set_err(FSL_JSON_E_DENIED, "Ticket timeline requires 'o' or 'r' access."); return NULL; } payV = cson_value_new_object(); pay = cson_value_get_object(payV); check = json_timeline_setup_sql( "t", &sql, pay ); if(check){ json_set_err(check, "Query initialization failed."); goto error; } db_multi_exec("%s", blob_buffer(&sql) /*safe-for-%s*/); #define SET(K) if(0!=(check=cson_object_set(pay,K,tmp))){ \ json_set_err((cson_rc.AllocError==check) \ ? FSL_JSON_E_ALLOC : FSL_JSON_E_UNKNOWN, \ "Object property insertion failed."); \ goto error;\ } (void)0 #if 0 /* only for testing! */ tmp = cson_value_new_string(blob_buffer(&sql),strlen(blob_buffer(&sql))); SET("timelineSql"); #endif blob_reset(&sql); /* REMINDER/FIXME(?): we have both uuid (the change uuid?) and ticketUuid (the actual ticket). This is different from the wiki timeline, where we only have the wiki page uuid. */ db_prepare(&q, "SELECT rid AS rid," " uuid AS uuid," " mtime AS timestamp," #if 0 " timestampString AS timestampString," #endif " user AS user," " eventType AS eventType," " comment AS comment," " brief AS briefComment" " FROM json_timeline" " ORDER BY rowid"); listV = cson_value_new_array(); list = cson_value_get_array(listV); tmp = listV; SET("timeline"); while( (SQLITE_ROW == db_step(&q) )){ /* convert each row into a JSON object...*/ int rc; int const rid = db_column_int(&q,0); Manifest * pMan = NULL; cson_value * rowV; cson_object * row; /*printf("rid=%d\n",rid);*/ pMan = manifest_get(rid, CFTYPE_TICKET, 0); if(!pMan){ /* this might be an attachment? I'm seeing this with rid 15380, uuid [1292fef05f2472108]. /json/artifact/1292fef05f2472108 returns not-found, probably because we haven't added artifact/ticket yet(?). */ continue; } rowV = cson_sqlite3_row_to_object(q.pStmt); row = cson_value_get_object(rowV); if(!row){ manifest_destroy(pMan); json_warn( FSL_JSON_W_ROW_TO_JSON_FAILED, "Could not convert at least one timeline result row to JSON." ); continue; } /* FIXME: certainly there's a more efficient way for use to get the ticket UUIDs? */ cson_object_set(row,"ticketUuid",json_new_string(pMan->zTicketUuid)); manifest_destroy(pMan); rc = cson_array_append( list, rowV ); if( 0 != rc ){ cson_value_free(rowV); g.json.resultCode = (cson_rc.AllocError==rc) ? FSL_JSON_E_ALLOC : FSL_JSON_E_UNKNOWN; goto error; } } #undef SET goto ok; error: assert( 0 != g.json.resultCode ); cson_value_free(payV); payV = NULL; ok: blob_reset(&sql); db_finalize(&q); return payV; }
/* ** Implementation of /json/timeline/ci. ** ** Still a few TODOs (like figuring out how to structure ** inheritance info). */ static cson_value * json_timeline_ci(){ cson_value * payV = NULL; cson_object * pay = NULL; cson_value * tmp = NULL; cson_value * listV = NULL; cson_array * list = NULL; int check = 0; char verboseFlag; Stmt q = empty_Stmt; char warnRowToJsonFailed = 0; Blob sql = empty_blob; if( !g.perm.Hyperlink ){ /* Reminder to self: HTML impl requires 'o' (Read) rights. */ json_set_err( FSL_JSON_E_DENIED, "Check-in timeline requires 'h' access." ); return NULL; } verboseFlag = json_find_option_bool("verbose",NULL,"v",0); if( !verboseFlag ){ verboseFlag = json_find_option_bool("files",NULL,"f",0); } payV = cson_value_new_object(); pay = cson_value_get_object(payV); check = json_timeline_setup_sql( "ci", &sql, pay ); if(check){ json_set_err(check, "Query initialization failed."); goto error; } #define SET(K) if(0!=(check=cson_object_set(pay,K,tmp))){ \ json_set_err((cson_rc.AllocError==check) \ ? FSL_JSON_E_ALLOC : FSL_JSON_E_UNKNOWN,\ "Object property insertion failed"); \ goto error;\ } (void)0 #if 0 /* only for testing! */ tmp = cson_value_new_string(blob_buffer(&sql),strlen(blob_buffer(&sql))); SET("timelineSql"); #endif db_multi_exec("%s", blob_buffer(&sql)/*safe-for-%s*/); blob_reset(&sql); db_prepare(&q, "SELECT " " rid AS rid" " FROM json_timeline" " ORDER BY rowid"); listV = cson_value_new_array(); list = cson_value_get_array(listV); tmp = listV; SET("timeline"); while( (SQLITE_ROW == db_step(&q) )){ /* convert each row into a JSON object...*/ int const rid = db_column_int(&q,0); cson_value * rowV = json_artifact_for_ci(rid, verboseFlag); cson_object * row = cson_value_get_object(rowV); if(!row){ if( !warnRowToJsonFailed ){ warnRowToJsonFailed = 1; json_warn( FSL_JSON_W_ROW_TO_JSON_FAILED, "Could not convert at least one timeline result row to JSON." ); } continue; } cson_array_append(list, rowV); } #undef SET goto ok; error: assert( 0 != g.json.resultCode ); cson_value_free(payV); payV = NULL; ok: db_finalize(&q); return payV; }