Age  Commit message  Author  Files  Lines
2020-01-30  Update copyright range in the cgit footer  Lukas Fleischer  1  -1/+1
2020-01-30  Require password when changing account information  Lukas Fleischer  4  -24/+21
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30  Require password when deleting an account  Lukas Fleischer  2  -6/+22
Further reduce the attack surface in case of a stolen session ID.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30  Verify current password against logged in user  Lukas Fleischer  2  -7/+6
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30  Undo accidental code addition  Lukas Fleischer  1  -1/+0
Roll back an accidental change that sneaked into commit daee20c (Require current password when setting a new one, 2020-01-30).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30  t2500: fix test cases  Lukas Fleischer  1  -0/+3
Since commit eeaa1c3 (Separate text from footer in notification emails, 2020-01-04), information about unsubscribing from notifications is added in a signature block. Fix the test cases accordingly.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30  Keep signature delimiters intact in notifications  Lukas Fleischer  1  -0/+3
Since commit eeaa1c3 (Separate text from footer in notification emails, 2020-01-04), information about unsubscribing from notifications is added in a signature block. However, the code to format the email body trimmed the RFC 3676 signature delimiter, replacing "-- " by "--". Fix this by adding a special case for signature delimiters.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30  Require current password when setting a new one  Lukas Fleischer  4  -14/+36
Prevent an account from being easily taken over by changing the password with a stolen session ID.
Fixes FS#65325.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-06  Separate text from footer in notification emails  Stephan Springer  1  -2/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-12-11  Copy Git repository URL on click  Lukas Fleischer  2  -4/+30
The Git repository URLs are not meant to be visited using a web browser. Copy the link to the clipboard instead.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-24  .gitignore: add schema/aur-schema-sqlite.sql  Lukas Fleischer  1  -0/+1
The SQLite schema is generated automatically from the main schema and used in the test suite.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23  t2500: fix test case for orphan request notifications  Lukas Fleischer  1  -1/+1
Since commit a66c7fa (notify.py: Use a/an correctly when sending request notifications, 2019-08-09), the body of notification emails sent when filing orphan requests refers to "an orphan request" instead of "a orphan request".
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23  Store timestamp and user ID when closing requests  Lukas Fleischer  5  -6/+21
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23  Don't require all Python database modules to be installed  Lukas Fleischer  1  -2/+9
We support multiple database backends. Don't require Python modules for all backends to be installed.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23  Upgrade Sharness to 1.1.0  Lukas Fleischer  1  -40/+153
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23  git-serve: check update hook permissions  Lukas Fleischer  2  -0/+9
Verify that the update hook exists and is executable before running Git to prevent broken repositories when permissions are broken.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-02  aurjson: use APCu/memcached for rate limiting  Lukas Fleischer  1  -15/+32
There's no need to use permanent storage for rate limiting information; try to keep it in memory if caching is enabled. From experiments with our live setup, this reduces the number of INSERT/DELETE operations per second from 15 to almost 0. Disk writes on the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-01  Document maintenance tasks and internals  Lukas Fleischer  1  -0/+108
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-27  Display popularity with fewer decimal points  Lukas Fleischer  2  -2/+2
Limit the display to two decimal points for packages with a popularity of at least 0.2.
Suggested-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19  Release 4.8.0 (v4.8.0, origin/maint)  Lukas Fleischer  1  -1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19  Translation updates from Transifex  Lukas Fleischer  6  -132/+136
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19  Sync CSS with archweb  Lukas Fleischer  1  -8/+10
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-09  Cache package requirements and sources  Lukas Fleischer  1  -19/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07  Make package details cache TTL configurable  Lukas Fleischer  3  -7/+15
The TTL for package details can be much longer than for generic values since they never change. Note that when an update is pushed via Git, all packages belonging to that package base are deleted and new packages are created.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07  Cache package licenses, groups and relations  Lukas Fleischer  1  -44/+22
Cache more package details if the global caching mechanism is enabled.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06  aurjson: cache extended fields  Lukas Fleischer  1  -13/+4
Cache the results of the extended fields computation if the global caching mechanism is enabled.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06  Cache package provider and dependency information  Lukas Fleischer  2  -29/+28
The package provider and dependency queries are quite CPU-intensive and usually yield rather small result sets. Cache these values if the global caching mechanism is enabled.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05  Make CAPTCHA salt invalidation more robust  Lukas Fleischer  1  -9/+23
With the previous implementation, unlucky users could have their CAPTCHA invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05  Add a simple CAPTCHA to the sign up form  Lukas Fleischer  3  -4/+95
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-19  notify.py: Use a/an correctly when sending request notifications  Lars Rustand  1  -2/+3
Will no longer send notifications about "a orphan request", but determine whether to use a/an based on the first character of the request type.
Signed-off-by: Lars Rustand <rustand.lars@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-18  Move permission for LIST_COMMENTS to dev/tu block  Eli Schwartz  3  -3/+3
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page, but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev". The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
2019-07-30  pkgreqfuncs: Don't leave out non-default ClosureComment column  Johannes Löthberg  1  -2/+2
Since 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15) the PackageRequests.ClosureComment field no longer has a default value.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-06-30  Update copyright year in the cgit footer template  Michael Straube  1  -1/+1
Signed-off-by: Michael Straube <michael.straube@posteo.de>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-26  Display warning when flagging VCS packages  Lukas Fleischer  3  -0/+34
VCS packages should not be flagged out-of-date when the package version does not match the most recent commit.
Implements FS#62733.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-25  Sync CSS with archweb  Lukas Fleischer  1  -47/+25
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24  Use native language name for Finnish  Lukas Fleischer  1  -1/+1
Addresses FS#61803.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24  Ignore merge target for non-merge requests  Lukas Fleischer  1  -0/+5
Fixes FS#59837.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-04-28  git-auth: deny login if no password has been set  Lukas Fleischer  1  -1/+2
After creating a new account, users need to verify their email address and set an initial password. Without setting a password, users cannot use their account on the web interface. However, when logging in via SSH, we did not check whether the account is verified. Fix this by only allowing SSH access once a password is set.
Reported-by: Pat Hogan <pathtofile@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-04-28  Add "Enable notifications" checkbox in "Add Comment" form  Vladimir Panteleev  3  -0/+14
Currently, it is a little too easy to forget to enable notifications for a package after leaving a comment, thus never being notified of a reply. Even though the "Enable notifications" link is on the same page, it is not part of the flow for posting a new comment, and so, easy to miss. Most web forums and comment systems include a checkbox to enable notifications when posting for the first time in a thread. This patch implements this in aurweb, as well.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2019-02-08  notify: add X-AUR-Reason header to allow conveniently filtering emails  Eli Schwartz  1  -0/+4
Because filtering by matching the sender && regular expressions on the subject is awkward.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2019-01-21  aurblup: make provider updates more robust  Lukas Fleischer  1  -3/+3
Reverse the order of deletion and addition so that deletion comes first. This prevents corner cases such as failing unique key constraints when a provided package changes from lower case to upper case and the old name is not yet gone.
Helped-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-01-14  Quote MySQL 8.0 reserved keywords  Florian Pritz  6  -11/+11
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-26  Fix notification emails going to the right people, part #2  Eli Schwartz  1  -3/+3
Notifications are still going to the wrong people. We tried to fix this in commit b702e5c0e7f13103fc764b7e5613f78f3e7acd30, but only fixed it for the python callers. There's another caller in the php code, which needs to use the right order of arguments as well.
Fixes FS#60601
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-17  pkg_comments.php: Make comment timestamps link to the comment  Vladimir Panteleev  1  -5/+7
As of today, there is no easy way to obtain a link to a specific comment on a package page. Many implementations of forums and comment systems today seem to follow a convention where a comment's timestamp is an unobtrusive link to the comment itself. Some examples are:
- phpBB (e.g. bbs.archlinux.org)
- GitHub
- Disqus
- Discourse
This patch adopts this convention as well, by making the timestamp a link to the comment.
2018-08-12  t2500: add test for disown notifications  Lukas Fleischer  1  -0/+19
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-12  t2500: use unique identifiers  Lukas Fleischer  1  -36/+39
Use disjoint sets of IDs for users, package bases, package comments and package requests to ensure the notification script expects the parameters in the same order we pass them.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-12  Initialize locale directory for tests  Lukas Fleischer  1  -0/+1
Since commit a7865ef (Make the locale directory configurable, 2018-07-22), we need to specify the locale directory in the configuration file.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-12  Fix notification emails going to the right people  Eli Schwartz  1  -5/+5
In commit f3b4c5c (Refactor the notification script, 2018-05-17), the parameters of the adopt, disown, comaintainer-add and comaintainer-remove notification modules were accidentally pushed around without changing the order in the callers. The notify script now expects to see the userid followed by additional arguments like the pkgbase id. As a result, some random userid with the same id as the pkgbase got sent a notification regarding some package with the same id as the real user's id. Fix this by changing the order in every invocation of the aforementioned modules.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06  Allow paginating package comments  Johannes Löthberg  2  -4/+6
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06  Allow listing all comments from a user  Johannes Löthberg  12  -30/+258
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>