Age | Commit message | Author | Files | Lines

2018-05-10 | Erase login IP addresses after seven days | Lukas Fleischer | 4 | -0/+73
    Add a script to periodically remove old IP addresses from the users database. The login IP addresses are stored for spam protection and to prevent abuse. It is quite unlikely that we ever need the IP address of a user whose last login is more than a week old. It makes sense to remove such IP addresses to protect our users' privacy.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-05-10 | Update copyright year in the cgit footer template | Eli Schwartz | 1 | -1/+1
    Four years just passed in the blink of an eye :)
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-04-22 | config: allow reading both the defaults file and the modified config | Eli Schwartz | 5 | -8/+22
    In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups.
    This change allows aurweb configuration to be done via either:
    - copying config.defaults to config and modifying values
    - creating a new config only containing modified values, next to a config.defaults containing unmodified values
    The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is that it is easier to see what has changed by inspecting only the site configuration file.
    If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file.
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-04-08 | Allow manual breaks and horizontal lines in comments | Lukas Fleischer | 1 | -2/+2
    When sanitizing rendered comments, keep <hr> tags and <br> tags. The former are generated when using "---" in Markdown comments, the latter are used when putting two spaces at the end of a line.
    Fixes FS#56649.
2018-03-21 | Handle empty resultset getting recent 10 packages | nodivbyzero | 1 | -3/+5
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-03-20 | Terminate execution if config file is missing | nodivbyzero | 1 | -1/+5
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-03-14 | schema/Makefile: Replace MySQL with SQLite in comment | nodivbyzero | 1 | -0/+1
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-03-14 | TESTING: Add two required packages | nodivbyzero | 1 | -1/+1
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-03-13 | notify: Send vote reminders to TUs that are also devs | Johannes Löthberg | 1 | -1/+1
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-03-10 | Update cache code to INI style configuration | Jelle van der Waa | 3 | -7/+12
    Change the defines to config_get and add one cache option and one option to define memcache_servers. Mention the required dependency to get memcached working in the INSTALL file.
    Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-03-10 | Remove unused variable $dbh in pkgbase_display_details | Jelle van der Waa | 1 | -2/+0
    Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24 | RPC: Allow to search packages by "*depends" fields | Baptiste Jonglez | 2 | -3/+26
    It is now possible to search for packages that depend on a given package, for instance:
    /rpc/?v=5&type=search&by=depends&arg=ocaml
    It is similarly possible to match on "makedepends", "checkdepends" and "optdepends".
    Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-02-24 | Add capability for co-maintainers to disown packages | Mark Weiman | 4 | -6/+24
    Implements FS#53832.
    Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-02-24 | Add rate limit support to API | Florian Pritz | 4 | -0/+111
    This allows us to prevent users from hammering the API every few seconds to check if any of their packages were updated. Real world users check as often as every 5 or 10 seconds.
    Signed-off-by: Florian Pritz <bluewind@xinu.at>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-02-24 | Remove disjunction in pkg_providers query | Florian Pritz | 1 | -2/+4
    For some reason, running the SELECT .. WHERE .. OR .. query takes e.g. 58ms on a randomly generated db for some dependency name. Splitting the OR into two dedicated queries and UNIONing the result takes only 0.42ms.
    On the Arch Linux installation, searching for the providers of e.g. mongodb takes >=110ms when not cached by the query cache. The new query takes <1ms even when not cached.
    Signed-off-by: Florian Pritz <bluewind@xinu.at>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-01-26 | Document required PHP extensions in php.ini | Remy Marquis | 2 | -0/+4
    To people unfamiliar with the code, it is not obvious that the pdo_* PHP extensions must be enabled.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2018-01-21 | Move AUR_OVERWRITE privilege check from git/auth to git/update | Johannes Löthberg | 4 | -20/+14
    git/auth is run as an AuthorizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Instead, we need to perform the actual privilege check in git/update.
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-23 | Fix regression that stopped maintainers from pinning comments | Eli Schwartz | 1 | -1/+1
    In commit 8c98db0b82cc85a4498589e5d60299fefd93b421 support was added for package co-maintainers to pin comments in addition to maintainers. Due to a typo, the SQL query was reset halfway through and only added the co-maintainer IDs to the list of allowed users.
    Fixes FS#56783.
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-12-03 | Add route for /users.gz | Lukas Fleischer | 1 | -0/+1
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-12-03 | Allow setting an empty home page | Lukas Fleischer | 1 | -1/+1
    Since commit 4efba18 (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents leaving the field empty. Keep the check in place but skip it if the home page field is left empty.
    Fixes FS#56550.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-12-03 | Release 4.6.0 (tag v4.6.0) | Lukas Fleischer | 1 | -1/+1
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-12-02 | Translation updates from Transifex | Lukas Fleischer | 29 | -466/+1197
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-28 | Update message catalog | Lukas Fleischer | 1 | -4/+32
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-28 | Sync CSS with archweb | Lukas Fleischer | 3 | -7/+48
    This partially fixes FS#56472.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-08 | Auto-link bug reports in comments | Lukas Fleischer | 1 | -0/+15
    Automatically detect references to Flyspray bug reports in comments and convert them to links to the Arch Linux bug tracker.
    Implements FS#52008.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-07 | Fix sorting order when clicking table headings | Lukas Fleischer | 1 | -1/+1
    A bug introduced in commit 7d7e079 (Hide the table sorting links on the dashboard, 2017-02-04) resulted in multiple clicks on a table heading in the package search results table no longer having any effect, instead of changing the sorting order. Fix this by removing erroneous spaces from the GET parameters in the search URL.
    Fixes FS#56261.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-06 | Allow package co-maintainers to pin comments | Lukas Fleischer | 1 | -6/+13
    Implements FS#56255.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05 | login.php: Escape quotes in the referer field | Lukas Fleischer | 1 | -1/+1
    Replace special characters in the referer GET parameter using htmlspecialchars() before inserting it into the login form fields to prevent XSS attacks.
    Fixes FS#55286.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-05 | Only allow valid HTTP(s) URLs as home page | Lukas Fleischer | 2 | -0/+24
    The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-05 | Set X-Frame-Options to DENY for all pages | Lukas Fleischer | 1 | -0/+1
    Do not allow aurweb pages to be rendered in a frame, to protect against clickjacking.
    Fixes FS#56168.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-05 | Point out that the user name is public when registering | Lukas Fleischer | 1 | -0/+3
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-25 | Add basic Travis CI support | Lukas Fleischer | 1 | -0/+23
    Add a Travis CI configuration file to set up a test environment with all the required dependencies and run the test suite.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-25 | Fix use of test_must_fail with environment variables | Lukas Fleischer | 2 | -68/+111
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-25 | Do not hardcode path to the Python interpreter | Lukas Fleischer | 11 | -11/+11
    Use `/usr/bin/env python3` instead of `/usr/bin/python3` in the shebang of Python scripts. This adds support for non-standard Python interpreter paths such as the paths used in virtualenv environments.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-10 | t1100: Test AUR_OVERWRITE | Lukas Fleischer | 1 | -0/+17
    Since c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes require setting the AUR_OVERWRITE environment variable. Make sure that git-auth passes this variable to git-serve when it should (and does not pass it if it shouldn't).
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-08 | git-serve: Fix broken SQL statement | Lukas Fleischer | 1 | -1/+1
    Add a missing space to the SQL statement performing the disown operation.
    Fixes FS#55068.
    Note that the broken query was not discovered by the test suite since SQLite parses "?AND" inside prepared statements gracefully while MySQL does not.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-08 | t1300: Fix test cases for non-fast-forward pushes | Lukas Fleischer | 1 | -0/+11
    Since commit c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes are denied even for Trusted Users, unless the AUR_OVERWRITE environment variable is set. Mark the test case performing a non-fast-forward push from a TU account as test_must_fail and add another test case performing the same operation with AUR_OVERWRITE=1.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01 | INSTALL: Add new dependencies | Lukas Fleischer | 1 | -0/+1
    Add installation instructions for python-bleach and python-markdown which are required for the rendercomment script.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-01 | mkpkglists: Generate a list of user names | Lukas Fleischer | 4 | -0/+27
    In addition to the packages list and the package base list, also create a list of registered user names.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-01 | Unset PackagerUID before deleting an account | Lukas Fleischer | 1 | -1/+1
    When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing.
    Fixes FS#53956.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-07-25 | Require TUs to explicitly request to overwrite a pkgbase | Eli Schwartz | 4 | -1/+11
    AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ )
    Switch to using allow_overwrite to check for destructive actions. Use .ssh/config "SendEnv" on the TU's side and sshd_config "AcceptEnv" in the AUR server to specifically request overwrite access.
    TUs should use: `AUR_OVERWRITE=1 git push --force`
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-07-22 | Fix setting keywords in the SSH interface | Eli Schwartz | 1 | -1/+1
    This was broken in commit 8914a41db938194efc021f842c89d47ff6b522c9 which refactored the argument parsing. Instead of checking for at least the set-keywords command and a pkgbase name, we were checking for *exactly* the command and pkgbase name, leaving no room for keywords... As a result, while we could clear the keywords, we could not set them.
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-07-22 | Document new git-serve commands | Lukas Fleischer | 1 | -1/+5
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-05-02 | gendummydata.py: Fix NOT NULL constraint problems | Mark Weiman | 1 | -3/+3
    PackageBases.FlaggerComment and PackageComments.RenderedComment cannot be NULL and would cause problems in the output file for sqlite users. This patch adds empty strings ("") as values for these fields.
    Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-30 | Add support for Terms of Service documents | Lukas Fleischer | 6 | -0/+188
    This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-27 | Call check_sid() from a central location | Lukas Fleischer | 19 | -47/+2
    Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-26 | Support headings in package comments | Lukas Fleischer | 1 | -2/+18
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-25 | Initialize PackageRequests.{Comments,ClosureComment} | Lukas Fleischer | 1 | -3/+3
    Since commit 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15), the PackageRequests.Comments and PackageRequests.ClosureComment fields no longer have a default value. Initialize these fields explicitly whenever a new row is added to the PackageRequests table.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-25 | Explicitly initialize PackageBases.FlaggerComment | Lukas Fleischer | 6 | -23/+25
    Since commit 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15), the PackageBases.FlaggerComment field no longer has a default value. Initialize this field explicitly whenever a new row is added to the PackageBases table.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-25 | t1300: Factor out package dumping | Lukas Fleischer | 1 | -24/+12
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>