diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-08-08 11:47:06 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-08-08 11:48:58 +0200 |
commit | 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 (patch) | |
tree | a5fed51509d35bf3da7672b7ca94bdbe47644090 /web/lib | |
parent | d61b34f2557eb38142c879cbe2dea8598873dfb3 (diff) | |
download | aur-218ccf51e38ad9b0654aa509f2bf8eec44d69c07.tar.gz aur-218ccf51e38ad9b0654aa509f2bf8eec44d69c07.tar.xz |
Add permission checks to the request feature
* Only show the request form to users that are logged in.
* Only show the close request form to Trusted Users and developers.
* Check for a valid login in pkgreq_file().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib')
-rw-r--r-- | web/lib/credentials.inc.php | 2 | ||||
-rw-r--r-- | web/lib/pkgreqfuncs.inc.php | 4 |
2 files changed, 6 insertions, 0 deletions
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php index efc203d3..0c428f2f 100644 --- a/web/lib/credentials.inc.php +++ b/web/lib/credentials.inc.php @@ -18,6 +18,7 @@ define("CRED_PKGBASE_NOTIFY", 13); define("CRED_PKGBASE_SUBMIT_BLACKLISTED", 14); define("CRED_PKGBASE_UNFLAG", 15); define("CRED_PKGBASE_VOTE", 16); +define("CRED_PKGREQ_FILE", 23); define("CRED_PKGREQ_CLOSE", 17); define("CRED_PKGREQ_LIST", 18); define("CRED_TU_ADD_VOTE", 19); @@ -48,6 +49,7 @@ function has_credential($credential, $approved_users=array()) { case CRED_PKGBASE_FLAG: case CRED_PKGBASE_NOTIFY: case CRED_PKGBASE_VOTE: + case CRED_PKGREQ_FILE: return ($atype == 'User' || $atype == 'Trusted User' || $atype == 'Developer' || $atype == 'Trusted User & Developer'); diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 98fb0cb8..92070434 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -91,6 +91,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { global $AUR_REQUEST_ML; global $AUTO_ORPHAN_AGE; + if (!has_credential(CRED_PKGREQ_FILE)) { + return array(false, __("You must be logged in to file package requests.")); + } + if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) { return array(false, __("Invalid name: only lowercase letters are allowed.")); } |