summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2018-05-12Add newline after accept link for orphan requestsLukas Fleischer1-3/+1
Fixes a regression introduced in 0ffa067 (Use a link to accept orphan requests, 2018-05-10). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing dollar signLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing semicolonLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-11Use a link to accept orphan requestsEli Schwartz1-5/+1
Currently, a form is used instead of a link. This forwards to a confirmation page, and currently drops the "via" parameter in the process. As a result, accepted orphan requests usually show: Request #XXXXXX has been accepted automatically by the Arch User Repository package request system: The user YYYYYYY disowned the package. This is wrong, and should show (will show, if you manually add it or use the close button instead of the accept button): Request #XXXXXX has been rejected by YYYYYYY [1]: Fixes FS#56606. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-10Erase login IP addresses after seven daysLukas Fleischer4-0/+73
Add a script to periodically remove old IP addresses from the users database. The login IP addresses are stored for spam protection and to prevent from abuse. It is quite unlikely that we ever need the IP address of a user whose last login is more than a week old. It makes sense to remove such IP addresses to protect our users' privacy. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-10Update copyright year in the cgit footer templateEli Schwartz1-1/+1
Four years just passed in the blink of an eye :) Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-22config: allow reading both the defaults file and the modified configEli Schwartz5-8/+22
In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups. This change allows aurweb configuration to be done via either: - copying config.defaults to config and modifying values - creating a new config only containing modified values, next to a config.defaults containing unmodified values The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is, it is easier to see what has changed by inspecting only the site configuration file. If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-08Allow manual breaks and horizontal lines in commentsLukas Fleischer1-2/+2
When sanitizing rendered comments, keep <hr> tags and <br> tags. The former are generated when using "---" in Markdown comments, the latter are used when putting two spaces at the end of a line. Fixes FS#56649.
2018-03-21Handle empty resultset getting recent 10 packagesnodivbyzero1-3/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-20Terminate execution if config file is missingnodivbyzero1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-14schema/Makefile: Replace MySQL with SQLite in commentnodivbyzero1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-14TESTING: Add two required packagesnodivbyzero1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-13notify: Send vote reminders to TUs that are also devsJohannes Löthberg1-1/+1
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Update cache code to INI style configurationJelle van der Waa3-7/+12
Change the defines to config_get and add one cache option and one option to define memcache_servers. Mention the required dependency to get memcached working in the INSTALL file. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Remove unused variable $dbh in pkgbase_display_detailsJelle van der Waa1-2/+0
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24RPC: Allow to search packages by "*depends" fieldsBaptiste Jonglez2-3/+26
It is now possible to search for packages that depend on a given package, for instance: /rpc/?v=5&type=search&by=depends&arg=ocaml It is similarly possible to match on "makedepends", "checkdepends" and "optdepends". Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add capability for co-maintainers to disown packagesMark Weiman4-6/+24
Implements FS#53832. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add rate limit support to APIFlorian Pritz4-0/+111
This allows us to prevent users from hammering the API every few seconds to check if any of their packages were updated. Real world users check as often as every 5 or 10 seconds. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Remove disjunction in pkg_providers queryFlorian Pritz1-2/+4
For some reason, running the SELECT .. WHERE .. OR .. query takes e.g. 58ms on a randomly generated db for some dependency name. Splitting the OR into two dedicated queries and UNIONing the result takes only 0.42ms. On the Arch Linux installation, searching for the providers of e.g. mongodb takes >=110ms when not cached by the query cache. The new query takes <1ms even when not cached. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-01-26Document required PHP extensions in php.iniRemy Marquis2-0/+4
To people unfamiliar with the code, it is not obvious that the pdo_* PHP extensions must be enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-01-21Move AUR_OVERWRITE privilege check from git/auth to git/updateJohannes Löthberg4-20/+14
git/auth is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Instead we need to perform the actual privilege check in git/update instead. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-23Fix regression that stopped maintainers from pinning commentsEli Schwartz1-1/+1
In commit 8c98db0b82cc85a4498589e5d60299fefd93b421 support was added for package co-maintainers to pin comments in addition to maintainers. Due to a typo, the SQL query was reset halfway through and only added the co-maintainer IDs to the list of allowed users. Fixes FS#56783. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Add route for /users.gzLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Allow setting an empty home pageLukas Fleischer1-1/+1
Since commit 4efba18 (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents from leaving the field empty. Keep the check in place but skip it if the home page field is left empty. Fixes FS#56550. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Release 4.6.0v4.6.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-02Translation updates from TransifexLukas Fleischer29-466/+1197
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-28Update message catalogLukas Fleischer1-4/+32
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-28Sync CSS with archwebLukas Fleischer3-7/+48
This partially fixes FS#56472. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-08Auto-link bug reports in commentsLukas Fleischer1-0/+15
Automatically detect references to Flyspray bug reports in comments and convert them to links to the Arch Linux bug tracker. Implements FS#52008. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-07Fix sorting order when clicking table headingsLukas Fleischer1-1/+1
A bug introduced in commit 7d7e079 (Hide the table sorting links on the dashboard, 2017-02-04) resulted in multiple clicks on a table heading in the package search results table no longer having any effect, instead of changing the sorting order. Fix this by removing erroneous spaces from the GET parameters in the search URL. Fixes FS#56261. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-06Allow package co-maintainers to pin commentsLukas Fleischer1-6/+13
Implements FS#56255. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05login.php: Escape quotes in the referer fieldLukas Fleischer1-1/+1
Replace special characters in the referer GET parameter using htmlspecialchars() before inserting it into the login form fields to prevent from XSS attacks. Fixes FS#55286. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Only allow valid HTTP(s) URLs as home pageLukas Fleischer2-0/+24
The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Set X-Frame-Options to DENY for all pagesLukas Fleischer1-0/+1
Do not allow to render aurweb pages in a frame to protect against clickjacking. Fixes FS#56168. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Point out that the user name is public when registeringLukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-25Add basic Travis CI supportLukas Fleischer1-0/+23
Add a Travis CI configuration file to setup a test environment with all the required dependencies and run the test suite. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-25Fix use of test_must_fail with environment variablesLukas Fleischer2-68/+111
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-25Do not hardcode path to the Python interpreterLukas Fleischer11-11/+11
Use `/usr/bin/env python3` instead of `/usr/bin/python3` in the shebang of Python scripts. This adds support for non-standard Python interpreter paths such as the paths used in virtualenv environments. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-10t1100: Test AUR_OVERWRITELukas Fleischer1-0/+17
Since c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes require setting the AUR_OVERWRITE environment variable. Make sure that git-auth passes this variable to git-serve when it should (and does not pass it if it shouldn't). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-08git-serve: Fix broken SQL statementLukas Fleischer1-1/+1
Add a missing space to the SQL statement performing the disown operation. Fixes FS#55068. Note that the broken query was not discovered by the test suite since SQLite parses "?AND" inside prepared statements gracefully while MySQL does not. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-08t1300: Fix test cases for non-fast-forward pushesLukas Fleischer1-0/+11
Since commit c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes are denied even for Trusted Users, unless the AUR_OVERWRITE environment variable is set. Mark the test case performing a non-fast-forward push from a TU account as test_must_fail and add another test case performing the same operation with AUR_OVERWRITE=1. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01INSTALL: Add new dependenciesLukas Fleischer1-0/+1
Add installation instructions for python-bleach and python-markdown which are required for the rendercomment script. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01mkpkglists: Generate a list of user namesLukas Fleischer4-0/+27
In addition to the packages list and the package base list, also create a list of registered user names. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01Unset PackagerUID before deleting an accountLukas Fleischer1-1/+1
When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing. Fixes FS#53956. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-25Require TUs to explicitly request to overwrite a pkgbaseEli Schwartz4-1/+11
AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ ) Switch to using allow_overwrite to check for destructive actions. Use .ssh/config "SendEnv" on the TU's side and and sshd_config "AcceptEnv" in the AUR server to specifically request overwrite access. TUs should use: `AUR_OVERWRITE=1 git push --force` Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-22Fix setting keywords in the SSH interfaceEli Schwartz1-1/+1
This was broken in commit 8914a41db938194efc021f842c89d47ff6b522c9 which refactored the argument parsing. Instead of checking for at least the set-keywords command and a pkgbase name, we were checking for *exactly* the command and pkgbase name, leaving no room for keywords... As a result, while we could clear the keywords, we could not set them. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-22Document new git-serve commandsLukas Fleischer1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-05-02gendummydata.py: Fix NOT NULL constraint problemsMark Weiman1-3/+3
PackageBases.FlaggerComment and PackageComments.RenderedComment cannot be NULL and would cause problems in the output file for sqlite users. This patch adds empty strings ("") as values for these fields. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30Add support for Terms of Service documentsLukas Fleischer6-0/+188
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer19-47/+2
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>