summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2019-04-28git-auth: deny login if no password has been setLukas Fleischer1-1/+2
After creating a new account, users need to verify their email address and set an initial password. Without setting a password, users cannot use their account on the web interface. However, when logging in via SSH, we did not check whether the account is verified. Fix this by only allowing SSH access once a password is set. Reported-by: Pat Hogan <pathtofile@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-04-28Add "Enable notifications" checkbox in "Add Comment" formVladimir Panteleev3-0/+14
Currently, it is a little to easy to forget to enable notifications for a package after leaving a comment, thus never being notified of a reply. Even though the "Enable notifications" link is on the same page, it is not part of the flow for posting a new comment, and so, easy to miss. Most web forums and comment systems include a checkbox to enable notifications when posting for the first time in a thread. This patch implements this in aurweb, as well. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2019-02-08notify: add X-AUR-Reason header to allow conveniently filtering emailsEli Schwartz1-0/+4
Because filtering by matching the sender && regular expressions on the subject is awkward. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2019-01-21aurblup: make provider updates more robustLukas Fleischer1-3/+3
Reverse the order of deletion and addition so that deletion comes first. This prevents corner cases such as failing unique key constraints when a provided package changes from lower case to upper case and the old name is not yet gone. Helped-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-01-14Quote MySql 8.0 reserved keywordsFlorian Pritz6-11/+11
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-26Fix notifications emails going to the right people, part #2Eli Schwartz1-3/+3
Notifications are still going to the wrong people. We tried to fix this in commit b702e5c0e7f13103fc764b7e5613f78f3e7acd30, but only fixed it for the python callers. There's another caller in the php code, which needs to use the right order of arguments as well. Fixes FS#60601 Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-17pkg_comments.php: Make comment timestamps link to the commentVladimir Panteleev1-5/+7
As of today, there is no easy way to obtain a link to a specific comment on a package page. Many implementations of forums and comment systems today seem to follow a convention where a comment's timestamp is an unobtrusive link to the comment itself. Some examples are: - phpBB (e.g. bbs.archlinux.org) - GitHub - Disqus - Discourse This patch adopts this convention as well, by making the timestamp a link to the comment.
2018-08-12t2500: add test for disown notificationsLukas Fleischer1-0/+19
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-12t2500: use unique identifiersLukas Fleischer1-36/+39
Use disjoint sets of IDs for users, package bases, package comments and package requests to ensure the notification script expects the parameters in the same order we pass them. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-12Initialize locale directory for testsLukas Fleischer1-0/+1
Since commit a7865ef (Make the locale directory configurable, 2018-07-22), we need to specify the locale directory in the configuration file. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-12Fix notifications emails going to the right peopleEli Schwartz1-5/+5
In commit f3b4c5c (Refactor the notification script, 2018-05-17), the parameters of the adopt, disown, comaintainer-add and comaintainer-remove notification modules were accidentally pushed around without changing the order in the callers. The notify script now expects to see the userid followed by additional arguments like the pkgbase id. As a result, some random userid with the same id as the pkgbase, got sent a notification regarding some package with the same id as the real user's id. Fix this by changing the order in every invocation of the aforementioned modules. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Allow paginating package commentsJohannes Löthberg2-4/+6
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Allow listing all comments from a userJohannes Löthberg12-30/+258
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Make the locale directory configurableLukas Fleischer3-2/+7
Add a new configuration option to specify the locale directory to use. This allows the Python scripts to find the translations, even when not being run from the source code checkout. At the same time, multiple parallel aurweb setups can still use different sets of translations. Fixes FS#59278. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-09Fix regression in translating anything at allEli Schwartz2-3/+2
In commit 840ee20 (Rename translation resources from aur to aurweb, 2018-07-07) the translations file was renamed but we never actually switched to using the renamed translations. As a result, every single push to the AUR contains the following traceback: remote: Traceback (most recent call last): remote: File "/usr/bin/aurweb-notify", line 11, in <module> remote: load_entry_point('aurweb==4.7.0', 'console_scripts', 'aurweb-notify')() remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 541, in main remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 69, in send remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 56, in get_body_fmt remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 192, in get_body remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/l10n.py", line 14, in translate remote: File "/usr/lib/python3.6/gettext.py", line 514, in translation remote: raise OSError(ENOENT, 'No translation file found for domain', domain) remote: FileNotFoundError: [Errno 2] No translation file found for domain: 'aur' Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Release 4.7.0v4.7.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Translation updates from TransifexLukas Fleischer29-3788/+19481
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Rename translation resources from aur to aurwebLukas Fleischer4-15/+14
* Rename the aur project to aurweb on Transifex. * Rename aur.pot to aurweb.pot. * Update documentation and Makefile. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Sync CSS with archwebLukas Fleischer1-37/+6
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-20Add package base name in request close notificationsLukas Fleischer3-8/+16
Mention both the package base name and the request type in the subject of request closure notification. Implements FS#41607. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-18git-update: accept any arch in arch-dependent metadataEli Schwartz1-1/+1
Currently we hardcode the architectures the official repos historically supported, which seems both inefficient because of hardcoding, and simply wrong, because many packages support various ARM platforms too. If we were to say "only officially supported arches will be supported in the AUR" we'd have to disable i686, which seems silly and arbitrarily restrictive. Also there's better places to implement such a blacklist (via die_commit in the main loop, via a config option to list supported arches, would make much more sense in terms of logic). As for the metadata extraction itself, there's no reason to hardcode the arches to check for at all. We can get this information too, from the .SRCINFO itself. Detecting this dynamically is not incompatible with a blacklist, should we ever decide to implement such a thing. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-17Update message catalogLukas Fleischer1-3/+133
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-17Use modern format strings in notification messagesLukas Fleischer1-44/+52
User modern Python format() strings with curly braces. Also, convert all placeholders to named arguments. This allows translators to reorder messages. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-17Localize notification emailsLukas Fleischer4-124/+189
Add support for translating notification emails and send localized notifications, based on the user's language preferences. Also, update the translations Makefile to add strings from the notification script to the message catalog. Implements FS#31850. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-17Refactor the notification scriptLukas Fleischer1-393/+429
Reimplement most of the notification script logic. Create a separate class for each notification type. Each class provides methods for generating the list of recipients, the message subject, the message body, the references to add at the end of the message and the message headers. Additionally, a method for sending notification emails is provided. One major benefit of the new implementation is that both the generation of recipients and message contents are much more flexible. For example, it is now easily possible to make user-specific adjustments to every single notification of a batch. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-17t2500: Add test cases for all notificationsLukas Fleischer1-2/+348
Check that for all kinds of notifications, the generated messages match what we expect. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-16notify.py: Do not add stray newlinesLukas Fleischer1-4/+4
Make sure we are consistent with not adding newlines at the end of notification emails. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12Stop using each()Lukas Fleischer11-29/+29
The each() function has been deprecated as of PHP 7.2.0. Use foreach loops instead. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12Add newline after accept link for orphan requestsLukas Fleischer1-3/+1
Fixes a regression introduced in 0ffa067 (Use a link to accept orphan requests, 2018-05-10). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing dollar signLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing semicolonLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-11Use a link to accept orphan requestsEli Schwartz1-5/+1
Currently, a form is used instead of a link. This forwards to a confirmation page, and currently drops the "via" parameter in the process. As a result, accepted orphan requests usually show: Request #XXXXXX has been accepted automatically by the Arch User Repository package request system: The user YYYYYYY disowned the package. This is wrong, and should show (will show, if you manually add it or use the close button instead of the accept button): Request #XXXXXX has been rejected by YYYYYYY [1]: Fixes FS#56606. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-10Erase login IP addresses after seven daysLukas Fleischer4-0/+73
Add a script to periodically remove old IP addresses from the users database. The login IP addresses are stored for spam protection and to prevent from abuse. It is quite unlikely that we ever need the IP address of a user whose last login is more than a week old. It makes sense to remove such IP addresses to protect our users' privacy. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-10Update copyright year in the cgit footer templateEli Schwartz1-1/+1
Four years just passed in the blink of an eye :) Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-22config: allow reading both the defaults file and the modified configEli Schwartz5-8/+22
In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups. This change allows aurweb configuration to be done via either: - copying config.defaults to config and modifying values - creating a new config only containing modified values, next to a config.defaults containing unmodified values The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is, it is easier to see what has changed by inspecting only the site configuration file. If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-08Allow manual breaks and horizontal lines in commentsLukas Fleischer1-2/+2
When sanitizing rendered comments, keep <hr> tags and <br> tags. The former are generated when using "---" in Markdown comments, the latter are used when putting two spaces at the end of a line. Fixes FS#56649.
2018-03-21Handle empty resultset getting recent 10 packagesnodivbyzero1-3/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-20Terminate execution if config file is missingnodivbyzero1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-14schema/Makefile: Replace MySQL with SQLite in commentnodivbyzero1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-14TESTING: Add two required packagesnodivbyzero1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-13notify: Send vote reminders to TUs that are also devsJohannes Löthberg1-1/+1
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Update cache code to INI style configurationJelle van der Waa3-7/+12
Change the defines to config_get and add one cache option and one option to define memcache_servers. Mention the required dependency to get memcached working in the INSTALL file. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Remove unused variable $dbh in pkgbase_display_detailsJelle van der Waa1-2/+0
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24RPC: Allow to search packages by "*depends" fieldsBaptiste Jonglez2-3/+26
It is now possible to search for packages that depend on a given package, for instance: /rpc/?v=5&type=search&by=depends&arg=ocaml It is similarly possible to match on "makedepends", "checkdepends" and "optdepends". Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add capability for co-maintainers to disown packagesMark Weiman4-6/+24
Implements FS#53832. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add rate limit support to APIFlorian Pritz4-0/+111
This allows us to prevent users from hammering the API every few seconds to check if any of their packages were updated. Real world users check as often as every 5 or 10 seconds. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Remove disjunction in pkg_providers queryFlorian Pritz1-2/+4
For some reason, running the SELECT .. WHERE .. OR .. query takes e.g. 58ms on a randomly generated db for some dependency name. Splitting the OR into two dedicated queries and UNIONing the result takes only 0.42ms. On the Arch Linux installation, searching for the providers of e.g. mongodb takes >=110ms when not cached by the query cache. The new query takes <1ms even when not cached. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-01-26Document required PHP extensions in php.iniRemy Marquis2-0/+4
To people unfamiliar with the code, it is not obvious that the pdo_* PHP extensions must be enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-01-21Move AUR_OVERWRITE privilege check from git/auth to git/updateJohannes Löthberg4-20/+14
git/auth is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Instead we need to perform the actual privilege check in git/update instead. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-23Fix regression that stopped maintainers from pinning commentsEli Schwartz1-1/+1
In commit 8c98db0b82cc85a4498589e5d60299fefd93b421 support was added for package co-maintainers to pin comments in addition to maintainers. Due to a typo, the SQL query was reset halfway through and only added the co-maintainer IDs to the list of allowed users. Fixes FS#56783. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>