Age | Commit message | Author | Files | Lines
2017-11-05 | Only allow valid HTTP(s) URLs as home page | Lukas Fleischer | 2 files | -0/+24
    The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-05 | Set X-Frame-Options to DENY for all pages | Lukas Fleischer | 1 file | -0/+1
    Do not allow to render aurweb pages in a frame to protect against clickjacking. Fixes FS#56168.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-11-05 | Point out that the user name is public when registering | Lukas Fleischer | 1 file | -0/+3
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-25 | Add basic Travis CI support | Lukas Fleischer | 1 file | -0/+23
    Add a Travis CI configuration file to set up a test environment with all the required dependencies and run the test suite.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-25 | Fix use of test_must_fail with environment variables | Lukas Fleischer | 2 files | -68/+111
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-25 | Do not hardcode path to the Python interpreter | Lukas Fleischer | 11 files | -11/+11
    Use `/usr/bin/env python3` instead of `/usr/bin/python3` in the shebang of Python scripts. This adds support for non-standard Python interpreter paths such as the paths used in virtualenv environments.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-10 | t1100: Test AUR_OVERWRITE | Lukas Fleischer | 1 file | -0/+17
    Since c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes require setting the AUR_OVERWRITE environment variable. Make sure that git-auth passes this variable to git-serve when it should (and does not pass it if it shouldn't).
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-08 | git-serve: Fix broken SQL statement | Lukas Fleischer | 1 file | -1/+1
    Add a missing space to the SQL statement performing the disown operation. Fixes FS#55068. Note that the broken query was not discovered by the test suite since SQLite parses "?AND" inside prepared statements gracefully while MySQL does not.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-08 | t1300: Fix test cases for non-fast-forward pushes | Lukas Fleischer | 1 file | -0/+11
    Since commit c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes are denied even for Trusted Users, unless the AUR_OVERWRITE environment variable is set. Mark the test case performing a non-fast-forward push from a TU account as test_must_fail and add another test case performing the same operation with AUR_OVERWRITE=1.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-01 | INSTALL: Add new dependencies | Lukas Fleischer | 1 file | -0/+1
    Add installation instructions for python-bleach and python-markdown which are required for the rendercomment script.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-01 | mkpkglists: Generate a list of user names | Lukas Fleischer | 4 files | -0/+27
    In addition to the packages list and the package base list, also create a list of registered user names.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-08-01 | Unset PackagerUID before deleting an account | Lukas Fleischer | 1 file | -1/+1
    When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing. Fixes FS#53956.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-25 | Require TUs to explicitly request to overwrite a pkgbase | Eli Schwartz | 4 files | -1/+11
    AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ )
    Switch to using allow_overwrite to check for destructive actions. Use .ssh/config "SendEnv" on the TU's side and sshd_config "AcceptEnv" in the AUR server to specifically request overwrite access.
    TUs should use: `AUR_OVERWRITE=1 git push --force`
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-07-22 | Fix setting keywords in the SSH interface | Eli Schwartz | 1 file | -1/+1
    This was broken in commit 8914a41db938194efc021f842c89d47ff6b522c9 which refactored the argument parsing. Instead of checking for at least the set-keywords command and a pkgbase name, we were checking for *exactly* the command and pkgbase name, leaving no room for keywords... As a result, while we could clear the keywords, we could not set them.
    Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-07-22 | Document new git-serve commands | Lukas Fleischer | 1 file | -1/+5
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-05-02 | gendummydata.py: Fix NOT NULL constraint problems | Mark Weiman | 1 file | -3/+3
    PackageBases.FlaggerComment and PackageComments.RenderedComment cannot be NULL and would cause problems in the output file for sqlite users. This patch adds empty strings ("") as values for these fields.
    Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30 | Add support for Terms of Service documents | Lukas Fleischer | 6 files | -0/+188
    This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-27 | Call check_sid() from a central location | Lukas Fleischer | 19 files | -47/+2
    Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-26 | Support headings in package comments | Lukas Fleischer | 1 file | -2/+18
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-25 | Initialize PackageRequests.{Comments,ClosureComment} | Lukas Fleischer | 1 file | -3/+3
    Since commit 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15), the PackageRequests.Comments and PackageRequests.ClosureComment fields no longer have a default value. Initialize these fields explicitly whenever a new row is added to the PackageRequests table.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-25 | Explicitly initialize PackageBases.FlaggerComment | Lukas Fleischer | 6 files | -23/+25
    Since commit 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15), the PackageBases.FlaggerComment field no longer has a default value. Initialize this field explicitly whenever a new row is added to the PackageBases table.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-25 | t1300: Factor out package dumping | Lukas Fleischer | 1 file | -24/+12
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24 | Fix the comment collapse feature | Lukas Fleischer | 2 files | -18/+21
    In commit 4abde89 (Use JavaScript to collapse long comments, 2017-04-19), support for collapsing/expanding long comments was added. This was broken by the recent Markdown support since comments no longer live inside a single HTML paragraph. Fix this by wrapping each comment in another div container.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-24 | Support fenced code in package comments | Lukas Fleischer | 1 file | -2/+3
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-24 | Do not keep line breaks in comments | Lukas Fleischer | 2 files | -3/+3
    With the new Markdown support, text paragraphs are now properly converted to HTML paragraphs, so we no longer need to keep line breaks.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-24 | Rerender package comments after editing | Lukas Fleischer | 1 file | -0/+3
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-24 | t2600: Test Markdown and HTML sanitizing | Lukas Fleischer | 1 file | -0/+42
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-24 | Make references to Git commits clickable | Lukas Fleischer | 4 files | -5/+57
    Automatically detect Git commit identifiers, shorten them, and make them link to the cgit interface. Implements FS#43290.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-23 | Reintroduce backwards-compatible hyperlink syntax | Lukas Fleischer | 1 file | -1/+15
    Before switching to the new comment rendering script and Markdown, no special syntax was needed to make URLs clickable. Reintroduce this feature and automatically detect links in addition to the hyperlink syntax already supported by Markdown.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-23 | Add Markdown support to package comments | Lukas Fleischer | 2 files | -4/+7
    Support Markdown syntax in package comments. Among other things, this makes it easier to paste command line output and patches.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-23 | Render comments when storing them in the database | Lukas Fleischer | 9 files | -4/+107
    Instead of converting package comments from plain text to HTML code when they are displayed, do the conversion when the comment is posted and store the rendered result in the database. The conversion itself is done by a Python script which uses Bleach for sanitizing the text.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-20 | Use JavaScript to collapse long comments | Lukas Fleischer | 3 files | -6/+36
    Instead of using CSS to limit the height of package comments as implemented in 7b13203 (Limit comment height to 15 lines, 2016-03-12), use JavaScript to collapse long comments and add a link to expand them. Clicking the same link twice results in the corresponding comment being collapsed again. If JavaScript is disabled, the full comments are shown (without any possibility to collapse or expand).
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-19 | Store dependency descriptions in a separate column | Lukas Fleischer | 5 files | -35/+28
    Split optional dependency descriptions from dependency names before storing them in the database and use a separate column to store the descriptions. This allows us to simplify and optimize the SQL queries in pkg_dependencies() as well as pkg_required().
    Suggested-by: Florian Pritz <bluewind@xinu.at>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18 | Check return value of get_extended_fields() | Lukas Fleischer | 1 file | -1/+4
    Make sure that the get_extended_fields() invocation succeeded before merging regular and extended fields in process_query().
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-18 | Check query return value in db_cache_value() | Lukas Fleischer | 1 file | -0/+3
    Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-18 | Check query return value in search_results_page() | Lukas Fleischer | 1 file | -2/+5
    Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Also, make sure that the results array is always initialized, even if the result set is empty.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-18 | Check query return value in pkgbase_user_notify() | Lukas Fleischer | 1 file | -4/+3
    Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-16 | schema: Fix invalid NULL on primary key | Florian Pritz | 1 file | -1/+1
    From the mysql 5.7 breaking change page:
    Columns in a PRIMARY KEY must be NOT NULL, but if declared explicitly as NULL produced no error. Now an error occurs. For example, a statement such as CREATE TABLE t (i INT NULL PRIMARY KEY) is rejected. The same occurs for similar ALTER TABLE statements. (Bug #13995622, Bug #66987, Bug #15967545, Bug #16545198)
    References: http://stackoverflow.com/a/22314073
    Signed-off-by: Florian Pritz <bluewind@xinu.at>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-16 | schema: Remove invalid default values for TEXT columns | Florian Pritz | 1 file | -4/+4
    When running in strict mode, mysql throws an error upon encountering these definitions since they are not supported.
    References: https://dev.mysql.com/doc/refman/5.7/en/data-type-defaults.html
    Signed-off-by: Florian Pritz <bluewind@xinu.at>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-12 | Add TESTING instructions for web interface | Mark Weiman | 2 files | -0/+40
    Add instructions to test aurweb's web interface via the PHP built-in web server.
    Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-04-06 | git-update: Check for missing pkgname entries | Lukas Fleischer | 1 file | -0/+3
    Reject commits containing .SRCINFO files without any pkgname entries.
    Suggested-by: Bruno Pagani <bruno.n.pagani@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-09 | Release 4.5.1 [tag: v4.5.1] | Lukas Fleischer | 1 file | -1/+1
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-09 | Translation updates from Transifex | Lukas Fleischer | 7 files | -151/+196
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-04 | index.php: Remove routes for dropped images | Lukas Fleischer | 1 file | -3/+0
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-03 | test/setup.sh: Error out on missing SQLite schema | Lukas Fleischer | 1 file | -1/+3
    Instead of making all tests fail, error out during initialization if the SQLite schema has not been generated.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-03-02 | account_delete.php: Fix variable name | Lukas Fleischer | 1 file | -1/+1
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-01 | gendummydata.py: Fix to make it less db specific | Mark Weiman | 1 file | -6/+9
    SQLite3 does not support the MD5 function like MySQL does. Instead of having the database program hash the passwords, have Python's hashlib module do it.
    Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-01 | Fix quote for Source column default | Mark Weiman | 1 file | -1/+1
    Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-01 | Add a Makefile to build an SQLite-compatible schema | Lukas Fleischer | 3 files | -10/+18
    Allow for automatically converting the schema into a schema that works with SQLite by running `make` from the schema/ subdirectory. Use the new Makefile in the test suite.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2017-03-01 | aur-schema.sql: Do not recreate the database | Lukas Fleischer | 1 file | -3/+0
    Modify the schema such that it only creates the necessary tables, indices and predefined data. This makes it easier to import the schema into a database with a name other than "AUR".
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>