/*
** Impl of /json/dir. 98% of it was taken directly
** from browse.c::page_dir()
*/
static cson_value * json_page_dir_list(){
cson_object * zPayload = NULL; /* return value */
cson_array * zEntries = NULL; /* accumulated list of entries. */
cson_object * zEntry = NULL; /* a single dir/file entry. */
cson_array * keyStore = NULL; /* garbage collector for shared strings. */
cson_string * zKeyName = NULL;
cson_string * zKeySize = NULL;
cson_string * zKeyIsDir = NULL;
cson_string * zKeyUuid = NULL;
cson_string * zKeyTime = NULL;
cson_string * zKeyRaw = NULL;
char * zD = NULL;
char const * zDX = NULL;
int nD;
char * zUuid = NULL;
char const * zCI = NULL;
Manifest * pM = NULL;
Stmt q = empty_Stmt;
int rid = 0;
if( !g.perm.Read ){
json_set_err(FSL_JSON_E_DENIED, "Requires 'o' permissions.");
return NULL;
}
zCI = json_find_option_cstr("checkin",NULL,"ci" );
/* If a specific check-in is requested, fetch and parse it. If the
** specific check-in does not exist, clear zCI. zCI==0 will cause all
** files from all check-ins to be displayed.
*/
if( zCI && *zCI ){
pM = manifest_get_by_name(zCI, &rid);
if( pM ){
zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid);
}else{
json_set_err(FSL_JSON_E_UNRESOLVED_UUID,
"Checkin name [%s] is unresolved.",
zCI);
return NULL;
}
}
/* Jump through some hoops to find the directory name... */
zDX = json_find_option_cstr("name",NULL,NULL);
if(!zDX && !g.isHTTP){
zDX = json_command_arg(g.json.dispatchDepth+1);
}
if(zDX && (!*zDX || (0==strcmp(zDX,"/")))){
zDX = NULL;
}
zD = zDX ? fossil_strdup(zDX) : NULL;
nD = zD ? strlen(zD)+1 : 0;
while( nD>1 && zD[nD-2]=='/' ){ zD[(--nD)-1] = 0; }
sqlite3_create_function(g.db, "pathelement", 2, SQLITE_UTF8, 0,
pathelementFunc, 0, 0);
/* Compute the temporary table "localfiles" containing the names
** of all files and subdirectories in the zD[] directory.
**
** Subdirectory names begin with "/". This causes them to sort
** first and it also gives us an easy way to distinguish files
** from directories in the loop that follows.
*/
if( zCI ){
Stmt ins;
ManifestFile *pFile;
ManifestFile *pPrev = 0;
int nPrev = 0;
int c;
db_multi_exec(
"CREATE TEMP TABLE json_dir_files("
" n UNIQUE NOT NULL," /* file name */
" fn UNIQUE NOT NULL," /* full file name */
" u DEFAULT NULL," /* file uuid */
" sz DEFAULT -1," /* file size */
" mtime DEFAULT NULL" /* file mtime in unix epoch format */
");"
);
db_prepare(&ins,
"INSERT OR IGNORE INTO json_dir_files (n,fn,u,sz,mtime) "
"SELECT"
" pathelement(:path,0),"
" CASE WHEN %Q IS NULL THEN '' ELSE %Q||'/' END ||:abspath,"
" a.uuid,"
" a.size,"
" CAST(strftime('%%s',e.mtime) AS INTEGER) "
"FROM"
" mlink m, "
" event e,"
" blob a,"
" blob b "
"WHERE"
" e.objid=m.mid"
" AND a.rid=m.fid"/*FILE artifact*/
" AND b.rid=m.mid"/*CHECKIN artifact*/
" AND a.uuid=:uuid",
zD, zD
);
manifest_file_rewind(pM);
while( (pFile = manifest_file_next(pM,0))!=0 ){
if( nD>0
&& ((pFile->zName[nD-1]!='/') || (0!=memcmp(pFile->zName, zD, nD-1)))
){
continue;
}
/*printf("zD=%s, nD=%d, pFile->zName=%s\n", zD, nD, pFile->zName);*/
if( pPrev
&& memcmp(&pFile->zName[nD],&pPrev->zName[nD],nPrev)==0
&& (pFile->zName[nD+nPrev]==0 || pFile->zName[nD+nPrev]=='/')
){
continue;
}
db_bind_text( &ins, ":path", &pFile->zName[nD] );
db_bind_text( &ins, ":abspath", &pFile->zName[nD] );
db_bind_text( &ins, ":uuid", pFile->zUuid );
db_step(&ins);
db_reset(&ins);
pPrev = pFile;
for(nPrev=0; (c=pPrev->zName[nD+nPrev]) && c!='/'; nPrev++){}
if( c=='/' ) nPrev++;
}
db_finalize(&ins);
}else if( zD && *zD ){
db_multi_exec(
"CREATE TEMP VIEW json_dir_files AS"
" SELECT DISTINCT(pathelement(name,%d)) AS n,"
" %Q||'/'||name AS fn,"
" NULL AS u, NULL AS sz, NULL AS mtime"
" FROM filename"
" WHERE name GLOB '%q/*'"
" GROUP BY n",
nD, zD, zD
);
}else{
db_multi_exec(
"CREATE TEMP VIEW json_dir_files"
" AS SELECT DISTINCT(pathelement(name,0)) AS n, NULL AS fn"
" FROM filename"
);
}
if(zCI){
db_prepare( &q, "SELECT"
" n as name,"
" fn as fullname,"
" u as uuid,"
" sz as size,"
" mtime as mtime "
"FROM json_dir_files ORDER BY n");
}else{/* UUIDs are all NULL. */
db_prepare( &q, "SELECT n, fn FROM json_dir_files ORDER BY n");
}
zKeyName = cson_new_string("name",4);
zKeyUuid = cson_new_string("uuid",4);
zKeyIsDir = cson_new_string("isDir",5);
keyStore = cson_new_array();
cson_array_append( keyStore, cson_string_value(zKeyName) );
cson_array_append( keyStore, cson_string_value(zKeyUuid) );
cson_array_append( keyStore, cson_string_value(zKeyIsDir) );
if( zCI ){
zKeySize = cson_new_string("size",4);
cson_array_append( keyStore, cson_string_value(zKeySize) );
zKeyTime = cson_new_string("timestamp",9);
cson_array_append( keyStore, cson_string_value(zKeyTime) );
zKeyRaw = cson_new_string("downloadPath",12);
cson_array_append( keyStore, cson_string_value(zKeyRaw) );
}
zPayload = cson_new_object();
cson_object_set_s( zPayload, zKeyName,
json_new_string((zD&&*zD) ? zD : "/") );
if( zUuid ){
cson_object_set( zPayload, "checkin", json_new_string(zUuid) );
}
while( (SQLITE_ROW==db_step(&q)) ){
cson_value * name = NULL;
char const * n = db_column_text(&q,0);
char const isDir = ('/'==*n);
zEntry = cson_new_object();
if(!zEntries){
zEntries = cson_new_array();
cson_object_set( zPayload, "entries", cson_array_value(zEntries) );
}
cson_array_append(zEntries, cson_object_value(zEntry) );
if(isDir){
name = json_new_string( n+1 );
cson_object_set_s(zEntry, zKeyIsDir, cson_value_true() );
} else{
name = json_new_string( n );
}
cson_object_set_s(zEntry, zKeyName, name );
if( zCI && !isDir){
/* Don't add the uuid/size for dir entries - that data refers to
one of the files in that directory :/. Entries with no
--checkin may refer to N versions, and therefore we cannot
associate a single size and uuid with them (and fetching all
would be overkill for most use cases).
*/
char const * fullName = db_column_text(&q,1);
char const * u = db_column_text(&q,2);
sqlite_int64 const sz = db_column_int64(&q,3);
sqlite_int64 const ts = db_column_int64(&q,4);
cson_object_set_s(zEntry, zKeyUuid, json_new_string( u ) );
cson_object_set_s(zEntry, zKeySize,
cson_value_new_integer( (cson_int_t)sz ));
cson_object_set_s(zEntry, zKeyTime,
cson_value_new_integer( (cson_int_t)ts ));
cson_object_set_s(zEntry, zKeyRaw,
json_new_string_f("/raw/%T?name=%t",
fullName, u));
}
}
db_finalize(&q);
if(pM){
manifest_destroy(pM);
}
cson_free_array( keyStore );
free( zUuid );
free( zD );
return cson_object_value(zPayload);
}
/*
** Expects pUser to contain fossil user fields in JSON form: name,
** uid, info, capabilities, password.
**
** At least one of (name, uid) must be included. All others are
** optional and their db fields will not be updated if those fields
** are not included in pUser.
**
** If uid is specified then name may refer to a _new_ name
** for a user, otherwise the name must refer to an existing user.
** If uid=-1 then the name must be specified and a new user is
** created (fails if one already exists).
**
** If uid is not set, this function might modify pUser to contain the
** db-found (or inserted) user ID.
**
** On error g.json's error state is set and one of the FSL_JSON_E_xxx
** values from FossilJsonCodes is returned.
**
** On success the db record for the given user is updated.
**
** Requires either Admin, Setup, or Password access. Non-admin/setup
** users can only change their own information. Non-setup users may
** not modify the 's' permission. Admin users without setup
** permissions may not edit any other user who has the 's' permission.
**
*/
int json_user_update_from_json( cson_object * pUser ){
#define CSTR(X) cson_string_cstr(cson_value_get_string( cson_object_get(pUser, X ) ))
char const * zName = CSTR("name");
char const * zNameNew = zName;
char * zNameFree = NULL;
char const * zInfo = CSTR("info");
char const * zCap = CSTR("capabilities");
char const * zPW = CSTR("password");
cson_value const * forceLogout = cson_object_get(pUser, "forceLogout");
int gotFields = 0;
#undef CSTR
cson_int_t uid = cson_value_get_integer( cson_object_get(pUser, "uid") );
char const tgtHasSetup = zCap && (NULL!=strchr(zCap, 's'));
char tgtHadSetup = 0;
Blob sql = empty_blob;
Stmt q = empty_Stmt;
#if 0
if(!g.perm.Admin && !g.perm.Setup && !g.perm.Password){
return json_set_err( FSL_JSON_E_DENIED,
"Password change requires 'a', 's', "
"or 'p' permissions.");
}
#endif
if(uid<=0 && (!zName||!*zName)){
return json_set_err(FSL_JSON_E_MISSING_ARGS,
"One of 'uid' or 'name' is required.");
}else if(uid>0){
zNameFree = db_text(NULL, "SELECT login FROM user WHERE uid=%d",uid);
if(!zNameFree){
return json_set_err(FSL_JSON_E_RESOURCE_NOT_FOUND,
"No login found for uid %d.", uid);
}
zName = zNameFree;
}else if(-1==uid){
/* try to create a new user */
if(!g.perm.Admin && !g.perm.Setup){
json_set_err(FSL_JSON_E_DENIED,
"Requires 'a' or 's' privileges.");
goto error;
}else if(!zName || !*zName){
json_set_err(FSL_JSON_E_MISSING_ARGS,
"No name specified for new user.");
goto error;
}else if( db_exists("SELECT 1 FROM user WHERE login=%Q", zName) ){
json_set_err(FSL_JSON_E_RESOURCE_ALREADY_EXISTS,
"User %s already exists.", zName);
goto error;
}else{
Stmt ins = empty_Stmt;
db_prepare(&ins, "INSERT INTO user (login) VALUES(%Q)",zName);
db_step( &ins );
db_finalize(&ins);
uid = db_int(0,"SELECT uid FROM user WHERE login=%Q", zName);
assert(uid>0);
zNameNew = zName;
cson_object_set( pUser, "uid", cson_value_new_integer(uid) );
}
}else{
uid = db_int(0,"SELECT uid FROM user WHERE login=%Q", zName);
if(uid<=0){
json_set_err(FSL_JSON_E_RESOURCE_NOT_FOUND,
"No login found for user [%s].", zName);
goto error;
}
cson_object_set( pUser, "uid", cson_value_new_integer(uid) );
}
/* Maintenance note: all error-returns from here on out should go
via 'goto error' in order to clean up.
*/
if(uid != g.userUid){
if(!g.perm.Admin && !g.perm.Setup){
json_set_err(FSL_JSON_E_DENIED,
"Changing another user's data requires "
"'a' or 's' privileges.");
goto error;
}
}
/* check if the target uid currently has setup rights. */
tgtHadSetup = db_int(0,"SELECT 1 FROM user where uid=%d"
" AND cap GLOB '*s*'", uid);
if((tgtHasSetup || tgtHadSetup) && !g.perm.Setup){
/*
Do not allow a non-setup user to set or remove setup
privileges. setup.c uses similar logic.
*/
json_set_err(FSL_JSON_E_DENIED,
"Modifying 's' users/privileges requires "
"'s' privileges.");
goto error;
}
/*
Potential todo: do not allow a setup user to remove 's' from
himself, to avoid locking himself out?
*/
blob_append(&sql, "UPDATE user SET",-1 );
blob_append(&sql, " mtime=cast(strftime('%s') AS INTEGER)", -1);
if((uid>0) && zNameNew){
/* Check for name change... */
if(0!=strcmp(zName,zNameNew)){
if( (!g.perm.Admin && !g.perm.Setup)
&& (zName != zNameNew)){
json_set_err( FSL_JSON_E_DENIED,
"Modifying user names requires 'a' or 's' privileges.");
goto error;
}
forceLogout = cson_value_true()
/* reminders: 1) does not allocate.
2) we do this because changing a name
invalidates any login token because the old name
is part of the token hash.
*/;
blob_append_sql(&sql, ", login=%Q", zNameNew);
++gotFields;
}
}
if( zCap && *zCap ){
if(!g.perm.Admin || !g.perm.Setup){
/* we "could" arguably silently ignore cap in this case. */
json_set_err(FSL_JSON_E_DENIED,
"Changing capabilities requires 'a' or 's' privileges.");
goto error;
}
blob_append_sql(&sql, ", cap=%Q", zCap);
++gotFields;
}
if( zPW && *zPW ){
if(!g.perm.Admin && !g.perm.Setup && !g.perm.Password){
json_set_err( FSL_JSON_E_DENIED,
"Password change requires 'a', 's', "
"or 'p' permissions.");
goto error;
}else{
#define TRY_LOGIN_GROUP 0 /* login group support is not yet implemented. */
#if !TRY_LOGIN_GROUP
char * zPWHash = NULL;
++gotFields;
zPWHash = sha1_shared_secret(zPW, zNameNew ? zNameNew : zName, NULL);
blob_append_sql(&sql, ", pw=%Q", zPWHash);
free(zPWHash);
#else
++gotFields;
blob_append_sql(&sql, ", pw=coalesce(shared_secret(%Q,%Q,"
"(SELECT value FROM config WHERE name='project-code')))",
zPW, zNameNew ? zNameNew : zName);
/* shared_secret() func is undefined? */
#endif
}
}
if( zInfo ){
blob_append_sql(&sql, ", info=%Q", zInfo);
++gotFields;
}
if((g.perm.Admin || g.perm.Setup)
&& forceLogout && cson_value_get_bool(forceLogout)){
blob_append(&sql, ", cookie=NULL, cexpire=NULL", -1);
++gotFields;
}
if(!gotFields){
json_set_err( FSL_JSON_E_MISSING_ARGS,
"Required user data are missing.");
goto error;
}
assert(uid>0);
#if !TRY_LOGIN_GROUP
blob_append_sql(&sql, " WHERE uid=%d", uid);
#else /* need name for login group support :/ */
blob_append_sql(&sql, " WHERE login=%Q", zName);
#endif
#if 0
puts(blob_str(&sql));
cson_output_FILE( cson_object_value(pUser), stdout, NULL );
#endif
db_prepare(&q, "%s", blob_sql_text(&sql));
db_exec(&q);
db_finalize(&q);
#if TRY_LOGIN_GROUP
if( zPW || cson_value_get_bool(forceLogout) ){
Blob groupSql = empty_blob;
char * zErr = NULL;
blob_append_sql(&groupSql,
"INSERT INTO user(login)"
" SELECT %Q WHERE NOT EXISTS(SELECT 1 FROM user WHERE login=%Q);",
zName, zName
);
blob_append(&groupSql, blob_str(&sql), blob_size(&sql));
login_group_sql(blob_str(&groupSql), NULL, NULL, &zErr);
blob_reset(&groupSql);
if( zErr ){
json_set_err( FSL_JSON_E_UNKNOWN,
"Repo-group update at least partially failed: %s",
zErr);
free(zErr);
goto error;
}
}
#endif /* TRY_LOGIN_GROUP */
#undef TRY_LOGIN_GROUP
free( zNameFree );
blob_reset(&sql);
return 0;
error:
assert(0 != g.json.resultCode);
free(zNameFree);
blob_reset(&sql);
return g.json.resultCode;
}
