const char *zNow;            /* Time of check-in */
  int isBranchCI;              /* name= is a branch name */
  int showId = PB("showid");
  Stmt q1, q2;
  double baseTime;
  login_check_credentials();
  if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
  if( exclude_spiders(0) ) return;
  zName = P("name");
  if( zName==0 ) zName = "tip";
  rid = symbolic_name_to_rid(zName, "ci");
  if( rid==0 ){
    fossil_fatal("not a valid check-in: %s", zName);
  }
  zUuid = db_text("", "SELECT uuid FROM blob WHERE rid=%d", rid);

  const char *zPw = P("name");
  if( zPw==0 || zPw[0]==0 ){
    (void)exclude_spiders(1);
    @ <hr><p>The captcha is shown above.  Add a name=HEX query parameter
    @ to see how HEX would be rendered in the current captcha font.
    @ <h2>Debug/Testing Values:</h2>
    @ <ul>
    @ <li> g.isHuman = %d(g.isHuman)
    @ <li> g.zLogin = %h(g.zLogin)
    @ <li> login_cookie_welformed() = %d(login_cookie_wellformed())
    @ <li> captcha_is_correct(1) = %d(captcha_is_correct(1)).
    @ </ul>
    style_finish_page();
  }else{
    style_set_current_feature("test");
    style_header("Captcha Test");
    @ <pre class="captcha">
    @ %s(captcha_render(zPw))
    @ </pre>
    style_finish_page();
  }
}









/*
** Check to see if the current request is coming from an agent that 
** self-identifies as a spider.
**
** If the agent does not claim to be a spider or if the user has logged
** in (even as anonymous), then return 0 without doing anything.
**
** But if the user agent does self-identify as a spider and there is
** no login, offer a captcha challenge to allow the user agent to prove
** that he is human and return non-zero.
**
** If the bTest argument is non-zero, then show the captcha regardless of
** how the agent identifies.  This is used for testing only.
*/
int exclude_spiders(int bTest){
  if( !bTest ){
    if( g.isHuman ) return 0;  /* This user has already proven human */
    if( g.zLogin!=0 ) return 0;  /* Logged in.  Consider them human */
    if( login_cookie_wellformed() ){
      /* Logged into another member of the login group */
      return 0;
    }
  }

  /* This appears to be a spider.  Offer the captcha */
  style_set_current_feature("captcha");
  style_header("I think you are a robot");
  style_submenu_enable(0);
  @ <form method='POST' action='%R/ityaar'>
  @ <p>You seem like a robot.
  @
  @ <p>If you are human, you can prove that by solving the captcha below,
  @ after which you will be allowed to proceed.
  if( bTest ){
    @ <input type="hidden" name="istest" value="1">
  }
  captcha_generate(3);
  @ </form>
  if( !bTest ){
    if( P("fossil-goto")==0 ){

        /* ^^^^--- Don't overwrite a valid login on another repo! */
        login_set_anon_cookie(0, 0);
      }
      cgi_append_header("X-Robot: 0\r\n");
    }
    login_redirect_to_g();
  }else{
    g.isHuman = 0;
    (void)exclude_spiders(bTest);
    if( bTest ){
      @ <hr><p>Wrong code.  Try again
      style_finish_page();
    }
  }
}

  struct AnnVers *p;
  unsigned clr1, clr2, clr;
  int bBlame = g.zPath[0]!='a';/* True for BLAME output.  False for ANNOTATE. */

  /* Gather query parameters */
  login_check_credentials();
  if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
  if( exclude_spiders(0) ) return;
  if( robot_squelch(990) ) return;
  fossil_nice_default();
  zFilename = P("filename");
  zRevision = PD("checkin",0);
  zOrigin = P("origin");
  zLimit = P("limit");
  showLog = PB("log");
  fileVers = PB("filevers");

  const char *zFrom = P("from");
  const char *zTo = P("to");
  DiffConfig DCfg;
  cgi_check_for_malice();
  login_check_credentials();
  if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
  if( zFrom==0 || zTo==0 ) fossil_redirect_home();
  if( robot_squelch(800) ) return;

  fossil_nice_default();
  cgi_set_content_type("text/plain");
  diff_config_init(&DCfg, DIFF_VERBOSE);
  diff_two_versions(zFrom, zTo, &DCfg, 0);
}

  int graphFlags = 0;
  Blob qp;                /* non-glob= query parameters for generated links */
  Blob qpGlob;            /* glob= query parameter for generated links */
  int bInvert = PB("inv");

  login_check_credentials();
  if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
  if( robot_squelch(950) ) return;
  login_anonymous_available();
  fossil_nice_default();
  blob_init(&qp, 0, 0);
  blob_init(&qpGlob, 0, 0);
  diffType = preferred_diff_type();
  zRe = P("regex");
  if( zRe ) re_compile(&pRe, zRe, 0);

  ReCompiled *pRe = 0;
  u32 objdescFlags = 0;
  int verbose = PB("verbose");
  DiffConfig DCfg;

  login_check_credentials();
  if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
  if( robot_squelch(800) ) return;
  diff_config_init(&DCfg, 0);
  diffType = preferred_diff_type();
  if( P("from") && P("to") ){
    v1 = artifact_from_ci_and_filename("from");
    v2 = artifact_from_ci_and_filename("to");
    if( v1==0 || v2==0 ) fossil_redirect_home();
  }else{

  blob_zero(&downloadName);
  if( P("verbose")!=0 ) objdescFlags |= OBJDESC_DETAIL;
  object_description(rid, objdescFlags, 0, &downloadName);
  style_submenu_element("Download", "%R/raw/%s?at=%T",
                        zUuid, file_tail(blob_str(&downloadName)));
  @ <hr>
  content_get(rid, &content);
  if( !g.isHuman ){
    /* Prevent robots from running hexdump on megabyte-sized source files
    ** and there by eating up lots of CPU time and bandwidth.  There is
    ** no good reason for a robot to need a hexdump. */
    @ <p>A hex dump of this file is not available.
    @  Please download the raw binary file and generate a hex dump yourself.</p>
  }else{
    @ <blockquote><pre>
    hexdump(&content);
    @ </pre></blockquote>
  }
  style_finish_page();

  const char *zName = P("name");
  const char *zCI = P("ci");
  HQuery url;
  char *zCIUuid = 0;
  int isSymbolicCI = 0;  /* ci= exists and is a symbolic name, not a hash */
  int isBranchCI = 0;    /* ci= refers to a branch name */
  char *zHeader = 0;
  int iCost;

  login_check_credentials();
  if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
  cgi_check_for_malice();
  style_set_current_feature("artifact");
  if( fossil_strcmp(g.zPath, "docfile")==0 ){
    isFile = 1;
    docOnly = 1;
  }
  iCost = 200;
  if( isFile ) iCost += 100;
  if( zCI ) iCost += 100;
  if( robot_squelch(iCost) ) return;

  /* Capture and normalize the name= and ci= query parameters */
  if( zName==0 ){
    zName = P("filename");
    if( zName==0 ){
      zName = P("fn");
    }

      fossil_exit(0);
    }
  }
  fossil_free(zDecode);
  return uid;
}

/*
** SETTING: robot-restrict                width=40 block-text
** The VALUE of this setting is a list of GLOB patterns that match
** pages for which complex HTTP requests from robots should be disallowed.
** The recommended value for this setting is:
** 
**      timeline,vdiff,fdiff,annotate,blame
** 
*/

/*
** Check to see if the current HTTP request is a complex request that
** is coming from a robot and if access should restricted for such robots.
** For the purposes of this module, a "complex request" is an HTTP
** request with one or more query parameters other than "name".
**
** If this routine determines that robots should be restricted, then
** this routine publishes a redirect to the honeypot and exits without
** returning to the caller.
**
** This routine believes that this is a complex request is coming from
** a robot if all of the following are true:
**
**    *   The user is "nobody".
**    *   Either the REFERER field of the HTTP header is missing or empty,
**        or the USERAGENT field of the HTTP header suggests that
**        the request as coming from a robot.
**    *   There are one or more query parameters other than "name".
**
** Robot restrictions are governed by settings.
**
**    robot-restrict    The value is a list of GLOB patterns for pages
**                      that should restrict robot access.  No restrictions
**                      are applied if this setting is undefined or is
**                      an empty string.
*/
void login_restrict_robot_access(void){
  const char *zGlob;
  int isMatch = 1;
  int nQP;  /* Number of query parameters other than name= */
  if( g.zLogin!=0 ) return;
  zGlob = db_get("robot-restrict",0);
  if( zGlob==0 || zGlob[0]==0 ) return;
  if( g.isHuman ){
    const char *zReferer;
    const char *zAccept;
    const char *zBr;
    zReferer = P("HTTP_REFERER");
    if( zReferer && zReferer[0]!=0 ) return;

    /* Robots typically do not accept the brotli encoding, at least not
    ** at the time of this writing (2025-04-01), but standard web-browser
    ** all generally do accept brotli.  So if brotli is accepted,
    ** assume we are not talking to a robot.  We might want to revisit this
    ** heuristic in the future...
    */
    if( (zAccept = P("HTTP_ACCEPT_ENCODING"))!=0
     && (zBr = strstr(zAccept,"br"))!=0
     && !fossil_isalnum(zBr[2])
     && (zBr==zAccept || !fossil_isalnum(zBr[-1]))
    ){
      return;
    }
  }
  nQP = cgi_qp_count();
  if( nQP<1 ) return;
  isMatch = glob_multi_match(zGlob, g.zPath);
  if( !isMatch ) return;

  /* Check for exceptions to the restriction on the number of query
  ** parameters. */
  zGlob = db_get("robot-restrict-qp",0);
  if( zGlob && zGlob[0] ){
    char *zPath = mprintf("%s/%d", g.zPath, nQP);
    isMatch = glob_multi_match(zGlob, zPath);
    fossil_free(zPath);
    if( isMatch ) return;
  }

  /* If we reach this point, it means we have a situation where we
  ** want to restrict the activity of a robot.
  */
  g.isHuman = 0;
  (void)exclude_spiders(0);
  cgi_reply();
  fossil_exit(0);
}

/*
** When this routine is called, we know that the request does not
** have a login on the present repository.  This routine checks to
** see if their login cookie might be for another member of the
** login-group.
**
** If this repository is not a part of any login group, then this

** is valid.  If the login cookie checks out, it then sets global
** variables appropriately.
**
**    g.userUid      Database USER.UID value.  Might be -1 for "nobody"
**    g.zLogin       Database USER.LOGIN value.  NULL for user "nobody"
**    g.perm         Permissions granted to this user
**    g.anon         Permissions that would be available to anonymous
**    g.isHuman      True if the user is human, not a spider or robot
**    g.perm         Populated based on user account's capabilities
**
*/
void login_check_credentials(void){
  int uid = 0;                  /* User id */
  const char *zCookie;          /* Text of the login cookie */
  const char *zIpAddr;          /* Raw IP address of the requestor */

      uid = db_int(0, "SELECT uid FROM user WHERE login=%Q", zLogin);
    }else{
      uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'");
    }
    g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid);
    zCap = "sxy";
    g.noPswd = 1;
    g.isHuman = 1;
    zSeed = db_text("??", "SELECT uid||quote(login)||quote(pw)||quote(cookie)"
                          "  FROM user WHERE uid=%d", uid);
    login_create_csrf_secret(zSeed);
    fossil_free(zSeed);
  }

  /* Check the login cookie to see if it matches a known valid user.

      zCap = "";
    }
    login_create_csrf_secret("none");
  }

  login_set_uid(uid, zCap);

  /* Maybe restrict access to robots */
  login_restrict_robot_access();



}

/*
** Set the current logged in user to be uid.  zCap is precomputed
** (override) capabilities.  If zCap==0, then look up the capabilities
** in the USER table.
*/

  ** "nobody" user is a special case in that g.zLogin==0.
  */
  g.userUid = uid;
  if( fossil_strcmp(g.zLogin,"nobody")==0 ){
    g.zLogin = 0;
  }
  if( PB("isrobot") ){
    g.isHuman = 0;
  }else if( g.zLogin==0 ){
    g.isHuman = isHuman(P("HTTP_USER_AGENT"));
  }else{
    g.isHuman = 1;
  }

  /* Set the capabilities */
  login_replace_capabilities(zCap, 0);

  /* The auto-hyperlink setting allows hyperlinks to be displayed for users
  ** who do not have the "h" permission as long as their UserAgent string
  ** makes it appear that they are human.  Check to see if auto-hyperlink is
  ** enabled for this repository and make appropriate adjustments to the
  ** permission flags if it is.  This should be done before the permissions
  ** are (potentially) copied to the anonymous permission set; otherwise,
  ** those will be out-of-sync.
  */
  if( zCap[0] && !g.perm.Hyperlink && g.isHuman ){
    int autoLink = db_get_int("auto-hyperlink",1);
    if( autoLink==1 ){
      g.jsHref = 1;
      g.perm.Hyperlink = 1;
    }else if( autoLink==2 ){
      g.perm.Hyperlink = 1;
    }

#if USE_SEE
  const char *zPidKey;    /* Saved value of the --usepidkey option.  Only
                           * applicable when using SEE on Windows or Linux. */
#endif
  int useLocalauth;       /* No login required if from 127.0.0.1 */
  int noPswd;             /* Logged in without password (on 127.0.0.1) */
  int userUid;            /* Integer user id */
  int isHuman;            /* True if access by a human, not a spider or bot */

  int comFmtFlags;        /* Zero or more "COMMENT_PRINT_*" bit flags, should be
                          ** accessed through get_comment_format(). */
  const char *zSockName;  /* Name of the unix-domain socket file */
  const char *zSockMode;  /* File permissions for unix-domain socket */
  const char *zSockOwner; /* Owner, or owner:group for unix-domain socket */

  /* Information used to populate the RCVFROM table */

** Fossil is run as a service.
*/
#include "config.h"
#include "robot.h"
#include <assert.h>
#include <time.h>

/*
** SETTING: robot-squelch                width=10 default=200
** The VALUE of is an integer between 0 and 1000 that determines how
** readily Fossil will squelch requests from robots.  A value of 0
** means "never squelch requests".  A value of 1000 means "always
** squelch requests from user 'nobody'".  For values greater than 0
** and less than 1000, the decision to squelch is based on a variety
** of heuristics, but is more likely to occur the larger the number.
*/


/*
** Rewrite the current page with a robot squelch captcha and return 1.
**
** Or, if valid proof-of-work is present as either a query parameter or
** as a cookie, then return 0.
*/

  }
  h1 = (h1 % 900000000) + 100000000;
  h2 = (h2 % 900000000) + 100000000;

  /* If there is already a proof-of-work cookie with this value
  ** that means that the user agent has already authenticated.
  */
  z = P("fossil-proofofwork");
  if( z
   && (atoi(z)==h1 || atoi(z)==h2) 
   && !cgi_is_qp("fossil-proofofwork") ){
    return 0;
  }

  /* Check for a proof query parameter.  If found, that means that
  ** the captcha has just now passed, so set the proof-of-work cookie
  ** in addition to letting the request through.
  */
  z = P("proof");
  if( z
   && (atoi(z)==h1 || atoi(z)==h2)
  ){
    cgi_set_cookie("fossil-proofofwork",z,"/",900);
    return 0;
  }
  cgi_tag_query_parameter("proof");

  /* Ask the client to present proof-of-work */
  cgi_reset_content();
  cgi_set_content_type("text/html");
  style_header("Captcha");
  @ <h1>Prove That You Are Human</h1>
  @ <form method="GET">
  @ <p>Press the button below</p><p>

  cgi_query_parameters_to_hidden();
  @ <input id="vx" type="hidden" name="proof" value="0">
  @ <input id="cx" type="submit" value="Wait..." disabled>
  @ </form>
  @ <script nonce='%s(style_nonce())'>
  @ function Nhtot1520(x){return document.getElementById(x);}
  @ function Aoxlxzajv(h){\
  @ Nhtot1520("vx").value=h;\
  @ Nhtot1520("cx").value="Ok";\
  @ Nhtot1520("cx").disabled=false;\
  @ }
  @ function Vhcnyarsm(h,a){\
  @ if(a>0){setTimeout(Vhcnyarsm,1,h+a,a-1);}else{Aoxlxzajv(h);}\






  @ }
  k = 200 + h2%99;
  h2 = (k*k + k)/2;
  @ setTimeout(function(){Vhcnyarsm(%u(h1-h2),%u(k));},10);
  @ </script>
  style_finish_page();
  return 1;
}



















/*
** WEBPAGE functions can invoke this routine with an argument





** that is between 0 and 1000.  Based on that argument, and on
** other factors, this routine decides whether or not to squelch
** the request.  "Squelch" in this context, means to require the
** client to show proof-of-work before the request is processed.
** The idea here is to prevent server overload due to excess robot

** traffic.  If a robot (or any client application really) wants us
** to spend a lot of CPU computing some result for it, then it needs
** to first demonstrate good faith by doing some make-work for us.
**
** This routine returns true for a squelch and false if the original
** request should go through.
**
** The input parameter is an estimate of how much CPU time
** and bandwidth is needed to compute a response.  The higher the
** value of this parameter, the more likely this routine is to squelch
** the page.  A value of zero means "never squelch".  A value of
** 1000 means always squelch if the user is "nobody".
**
** Squelching only happens if the user is "nobody".  If the request
** comes from any other user, including user "anonymous", the request
** is never squelched.
*/
int robot_squelch(int n){

  const char *zToken;
  int iSquelch;
  assert( n>=0 && n<=1000 );
  if( g.zLogin ) return 0;   /* Logged in users always get through */

  if( n==0 ) return 0;       /* Squelch is completely disabled */

  zToken = P("token");
  if( zToken!=0
   && db_exists("SELECT 1 FROM config WHERE name='token-%q'", zToken)
  ){
    return 0;                /* There is a valid token= query parameter */
  }
  iSquelch = db_get_int("robot-squelch",200);
  if( iSquelch<=0 ) return 0;
  if( n+iSquelch>=1000 && robot_proofofwork() ){
    return 1;
  }
  return 0;
}

  @ <p>The settings on this page are intended to help site administrators
  @ defend the site against robots.
  @
  @ <form action="%R/setup_robot" method="post"><div>
  login_insert_csrf_secret();
  @ <input type="submit"  name="submit" value="Apply Changes"></p>
  @ <hr>
  entry_attribute("Robot Squelch", 6, "robot-squelch", "rsq", "200", 0);
  @ <p>The "squelch" setting determines how aggressive Fossil is about
  @ trying to weed out robots using captchas.  Squelch only applies to
  @ expensive requests from user "nobody".  The higher the squelch setting,

  @ the more likely the request is to generate a captcha instead of the
  @ requested page.  Squelch can be any integer between 0 and 1000.
  @ 0 means squelch is disabled and all requests go through without a
  @ captcha.  1000 means every expensive request from user "nobody" gets
  @ a captcha.






  @ (Property: "robot-squelch")</p>




  @ <hr>
  addAutoHyperlinkSettings();

  @ <hr>
  entry_attribute("Server Load Average Limit", 11, "max-loadavg", "mxldavg",
                  "0.0", 0);
  @ <p>Some expensive operations (such as computing tarballs, zip archives,
  @ or annotation/blame pages) are prohibited if the load average on the host
  @ computer is too large.  Set the threshold for disallowing expensive
  @ computations here.  Set this to 0.0 to disable the load average limit.
  @ This limit is only enforced on Unix servers.  On Linux systems,
  @ access to the /proc virtual filesystem is required, which means this limit
  @ might not work inside a chroot() jail.
  @ (Property: "max-loadavg")</p>

  @ <hr>
  @ <p><b>Do not allow robots to make complex requests
  @ against the following pages.</b>
  @ <p> A "complex request" is an HTTP request that has one or more query
  @ parameters. Some robots will spend hours juggling around query parameters
  @ or even forging fake query parameters in an effort to discover new
  @ behavior or to find an SQL injection opportunity or similar.  This can
  @ waste hours of CPU time and gigabytes of bandwidth on the server.  A
  @ suggested value for this setting is:
  @ "<tt>timeline,*diff,vpatch,annotate,blame,praise,dir,tree</tt>".
  @ (Property: robot-restrict)
  @ <br>
  textarea_attribute("", 2, 80,
      "robot-restrict", "rbrestrict", "", 0);
  @ <br> The following comma-separated GLOB pattern allows for exceptions
  @ in the maximum number of query parameters before a request is considered
  @ complex.  If this GLOB pattern exists and is non-empty and if it
  @ matches against the pagename followed by "/" and the number of query
  @ parameters, then the request is allowed through.  For example, the
  @ suggested pattern of "timeline/[012]" allows the /timeline page to
  @ pass with up to 2 query parameters besides "name".
  @ (Property: robot-restrict-qp)
  @ <br>
  textarea_attribute("", 2, 80,
      "robot-restrict-qp", "rbrestrictqp", "", 0);

  @ <hr>
  @ <p><input type="submit"  name="submit" value="Apply Changes"></p>
  @ </div></form>
  db_end_transaction(0);
  style_finish_page();
}

** Display CGI-variables and other aspects of the run-time
** environment, for debugging and trouble-shooting purposes.
*/
void page_test_env(void){
  webpage_error("");
}

/*
** WEBPAGE: honeypot
** This page is a honeypot for spiders and bots.
*/
void honeypot_page(void){
  unsigned int uSeed = captcha_seed();
  const char *zDecoded = captcha_decode(uSeed, 0);
  int bAutoCaptcha = db_get_boolean("auto-captcha", 0);
  char *zCaptcha = captcha_render(zDecoded);
  style_header("I think you are a robot");
  @ <p>You seem like a robot.</p>
  @
  @ <p>Is that incorrect?  Are you really human?
  @ If so, please prove it by transcribing the captcha text
  @ into the entry box below and pressing "Submit".
  @ <form action="%R/login" method="post">
  @ <input type="hidden" id="u" name="u" value="anonymous">
  @ <p>
  @ Captcha: <input type="text" id="p" name="p" value="">
  @ <input type="submit" name="in" value="Submit">
  @ 
  @ <p>Alternatively, you can <a href="%R/login">log in</a> using an
  @ existing userid.
  @
  @ <p><input type="hidden" name="cs" value="%u(uSeed)">
  @ <div class="captcha"><table class="captcha"><tr><td>\
  @ <pre class="captcha">
  @ %h(zCaptcha)
  @ </pre></td></tr></table>
  if( bAutoCaptcha ) {
     @ <input type="button" value="Fill out captcha" id='autofillButton' \
     @ data-af='%s(zDecoded)'>
     builtin_request_js("login.js");
  }
  @ </div>
  free(zCaptcha);
  @
  @ <p>We regret this inconvenience. However, robots have become so
  @ prolific and so aggressive that they will soak up too much CPU time
  @ and network bandwidth on our servers if allowed to run unchecked.
  @ Your cooperation in demonstrating that you are human is
  @ appreciated.
  style_finish_page();
}

/*
** Webpages that encounter an error due to missing or incorrect
** query parameters can jump to this routine to render an error
** message screen.
**
** For administators, or if the test_env_enable setting is true, then
** details of the request environment are displayed.  Otherwise, just

  #endif
    @ g.zBaseURL = %h(g.zBaseURL)<br>
    @ g.zHttpsURL = %h(g.zHttpsURL)<br>
    @ g.zTop = %h(g.zTop)<br>
    @ g.zPath = %h(g.zPath)<br>
    @ g.userUid = %d(g.userUid)<br>
    @ g.zLogin = %h(g.zLogin)<br>
    @ g.isHuman = %d(g.isHuman)<br>
    @ g.jsHref = %d(g.jsHref)<br>
    if( g.zLocalRoot ){
      @ g.zLocalRoot = %h(g.zLocalRoot)<br>
    }else{
      @ g.zLocalRoot = <i>none</i><br>
    }
    if( g.nRequest ){

  Glob *pInclude = 0;           /* The compiled in= glob pattern */
  Glob *pExclude = 0;           /* The compiled ex= glob pattern */
  Blob tarball;                 /* Tarball accumulated here */
  const char *z;

  login_check_credentials();
  if( !g.perm.Zip ){ login_needed(g.anon.Zip); return; }
  if( robot_squelch(900) ) return;
  fossil_nice_default();
  zName = fossil_strdup(PD("name",""));
  z = P("r");
  if( z==0 ) z = P("uuid");
  if( z==0 ) z = tar_uuid_from_name(&zName);
  if( z==0 ) z = "trunk";
  g.zOpenRevision = zRid = fossil_strdup(z);

  }
  if( (!g.perm.Read && !g.perm.RdTkt && !g.perm.RdWiki && !g.perm.RdForum)
   || (bisectLocal && !g.perm.Setup)
  ){
    login_needed(g.anon.Read && g.anon.RdTkt && g.anon.RdWiki);
    return;
  }

  if( !bisectLocal ){
    etag_check(ETAG_QUERY|ETAG_COOKIE|ETAG_DATA|ETAG_CONFIG, 0);
  }
  cookie_read_parameter("y","y");
  zType = P("y");
  if( zType==0 ){
    zType = g.perm.Read ? "ci" : "all";

  Glob *pExclude = 0;           /* The compiled ex= glob pattern */
  Blob zip;                     /* ZIP archive accumulated here */
  int eType = ARCHIVE_ZIP;      /* Type of archive to generate */
  char *zType;                  /* Human-readable archive type */

  login_check_credentials();
  if( !g.perm.Zip ){ login_needed(g.anon.Zip); return; }
  if( robot_squelch(900) ) return;
  if( fossil_strcmp(g.zPath, "sqlar")==0 ){
    eType = ARCHIVE_SQLAR;
    zType = "SQL";
    /* For some reason, SQL-archives are like catnip for robots.  So
    ** don't allow them to be downloaded by user "nobody" */
    if( g.zLogin==0 ){ login_needed(g.anon.Zip); return; }
  }else{