summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2017-12-03Add route for /users.gzLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Allow setting an empty home pageLukas Fleischer1-1/+1
Since commit 4efba18 (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents from leaving the field empty. Keep the check in place but skip it if the home page field is left empty. Fixes FS#56550. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Release 4.6.0v4.6.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-02Translation updates from TransifexLukas Fleischer29-466/+1197
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-28Update message catalogLukas Fleischer1-4/+32
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-28Sync CSS with archwebLukas Fleischer3-7/+48
This partially fixes FS#56472. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-08Auto-link bug reports in commentsLukas Fleischer1-0/+15
Automatically detect references to Flyspray bug reports in comments and convert them to links to the Arch Linux bug tracker. Implements FS#52008. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-07Fix sorting order when clicking table headingsLukas Fleischer1-1/+1
A bug introduced in commit 7d7e079 (Hide the table sorting links on the dashboard, 2017-02-04) resulted in multiple clicks on a table heading in the package search results table no longer having any effect, instead of changing the sorting order. Fix this by removing erroneous spaces from the GET parameters in the search URL. Fixes FS#56261. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-06Allow package co-maintainers to pin commentsLukas Fleischer1-6/+13
Implements FS#56255. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05login.php: Escape quotes in the referer fieldLukas Fleischer1-1/+1
Replace special characters in the referer GET parameter using htmlspecialchars() before inserting it into the login form fields to prevent from XSS attacks. Fixes FS#55286. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Only allow valid HTTP(s) URLs as home pageLukas Fleischer2-0/+24
The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Set X-Frame-Options to DENY for all pagesLukas Fleischer1-0/+1
Do not allow to render aurweb pages in a frame to protect against clickjacking. Fixes FS#56168. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Point out that the user name is public when registeringLukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-25Add basic Travis CI supportLukas Fleischer1-0/+23
Add a Travis CI configuration file to setup a test environment with all the required dependencies and run the test suite. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-25Fix use of test_must_fail with environment variablesLukas Fleischer2-68/+111
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-25Do not hardcode path to the Python interpreterLukas Fleischer11-11/+11
Use `/usr/bin/env python3` instead of `/usr/bin/python3` in the shebang of Python scripts. This adds support for non-standard Python interpreter paths such as the paths used in virtualenv environments. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-10t1100: Test AUR_OVERWRITELukas Fleischer1-0/+17
Since c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes require setting the AUR_OVERWRITE environment variable. Make sure that git-auth passes this variable to git-serve when it should (and does not pass it if it shouldn't). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-08git-serve: Fix broken SQL statementLukas Fleischer1-1/+1
Add a missing space to the SQL statement performing the disown operation. Fixes FS#55068. Note that the broken query was not discovered by the test suite since SQLite parses "?AND" inside prepared statements gracefully while MySQL does not. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-08t1300: Fix test cases for non-fast-forward pushesLukas Fleischer1-0/+11
Since commit c5302d3 (Require TUs to explicitly request to overwrite a pkgbase, 2017-07-24), non-fast-forward pushes are denied even for Trusted Users, unless the AUR_OVERWRITE environment variable is set. Mark the test case performing a non-fast-forward push from a TU account as test_must_fail and add another test case performing the same operation with AUR_OVERWRITE=1. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01INSTALL: Add new dependenciesLukas Fleischer1-0/+1
Add installation instructions for python-bleach and python-markdown which are required for the rendercomment script. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01mkpkglists: Generate a list of user namesLukas Fleischer4-0/+27
In addition to the packages list and the package base list, also create a list of registered user names. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01Unset PackagerUID before deleting an accountLukas Fleischer1-1/+1
When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing. Fixes FS#53956. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-25Require TUs to explicitly request to overwrite a pkgbaseEli Schwartz4-1/+11
AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ ) Switch to using allow_overwrite to check for destructive actions. Use .ssh/config "SendEnv" on the TU's side and and sshd_config "AcceptEnv" in the AUR server to specifically request overwrite access. TUs should use: `AUR_OVERWRITE=1 git push --force` Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-22Fix setting keywords in the SSH interfaceEli Schwartz1-1/+1
This was broken in commit 8914a41db938194efc021f842c89d47ff6b522c9 which refactored the argument parsing. Instead of checking for at least the set-keywords command and a pkgbase name, we were checking for *exactly* the command and pkgbase name, leaving no room for keywords... As a result, while we could clear the keywords, we could not set them. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-07-22Document new git-serve commandsLukas Fleischer1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-05-02gendummydata.py: Fix NOT NULL constraint problemsMark Weiman1-3/+3
PackageBases.FlaggerComment and PackageComments.RenderedComment cannot be NULL and would cause problems in the output file for sqlite users. This patch adds empty strings ("") as values for these fields. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30Add support for Terms of Service documentsLukas Fleischer6-0/+188
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer19-47/+2
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-26Support headings in package commentsLukas Fleischer1-2/+18
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-25Initialize PackageRequests.{Comments,ClosureComment}Lukas Fleischer1-3/+3
Since commit 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15), the PackageRequests.Comments and PackageRequests.ClosureComment fields no longer have a default value. Initialize these fields explicitly whenever a new row is added to the PackageRequests table. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-25Explicitly initialize PackageBases.FlaggerCommentLukas Fleischer6-23/+25
Since commit 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15), the PackageBases.FlaggerComment field no longer has a default value. Initialize this field explicitly whenever a new row is added to the PackageBases table. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-25t1300: Factor out package dumpingLukas Fleischer1-24/+12
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Fix the comment collapse featureLukas Fleischer2-18/+21
In commit 4abde89 (Use JavaScript to collapse long comments, 2017-04-19), support for collapsing/expanding long comments was added. This was broken by the recent Markdown support since comments no longer live inside a single HTML paragraph. Fix this by wrapping each comment in another div container. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Support fenced code in package commentsLukas Fleischer1-2/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Do not keep line breaks in commentsLukas Fleischer2-3/+3
With the new Markdown support, text paragraphs are now properly converted to HTML paragraphs, so we no longer need to keep line breaks. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Rerender package comments after editingLukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24t2600: Test Markdown and HTML sanitizingLukas Fleischer1-0/+42
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Make references to Git commits clickableLukas Fleischer4-5/+57
Automatically detect Git commit identifiers, shorten them, and make them link to the cgit interface. Implements FS#43290. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-23Reintroduce backwards-compatible hyperlink syntaxLukas Fleischer1-1/+15
Before switching to the new comment rendering script and Markdown, no special syntax was needed to make URLs clickable. Reintroduce this feature and automatically detect links in addition to the hyperlink syntax already supported by Markdown. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-23Add Markdown support to package commentsLukas Fleischer2-4/+7
Support Markdown syntax in package comments. Among other things, this makes it easier to paste command line output and patches. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-23Render comments when storing them in the databaseLukas Fleischer9-4/+107
Instead of converting package comments from plain text to HTML code when they are displayed, do the conversion when the comment is posted and store the rendered result in the database. The conversion itself is done by a Python script which uses Bleach for sanitizing the text. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-20Use JavaScript to collapse long commentsLukas Fleischer3-6/+36
Instead of using CSS to limit the height of package comments as implemented in 7b13203 (Limit comment height to 15 lines, 2016-03-12), use JavaScript to collapse long comments and add a link to expand them. Clicking the same link twice results in the corresponding comment being collapsed again. If JavaScript is disabled, the full comments are shown (without any possibility to collapse or expand). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-19Store dependency descriptions in a separate columnLukas Fleischer5-35/+28
Split optional dependency descriptions from dependency names before storing them in the database and use a separate column to store the descriptions. This allows us to simplify and optimize the SQL queries in pkg_dependencies() as well as pkg_required(). Suggested-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check return value of get_extended_fields()Lukas Fleischer1-1/+4
Make sure that the get_extended_fields() invocation succeeded before merging regular and extended fields in process_query(). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check query return value in db_cache_value()Lukas Fleischer1-0/+3
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check query return value in search_results_page()Lukas Fleischer1-2/+5
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Also, make sure that the results array is always initialized, even if the result set is empty. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check query return value in pkgbase_user_notify()Lukas Fleischer1-4/+3
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-16schema: Fix invalid NULL on primary keyFlorian Pritz1-1/+1
>From the mysql 5.7 breaking change page: Columns in a PRIMARY KEY must be NOT NULL, but if declared explicitly as NULL produced no error. Now an error occurs. For example, a statement such as CREATE TABLE t (i INT NULL PRIMARY KEY) is rejected. The same occurs for similar ALTER TABLE statements. (Bug #13995622, Bug #66987, Bug #15967545, Bug #16545198) References: http://stackoverflow.com/a/22314073 Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-16schema: Remove invalid default values for TEXT columnsFlorian Pritz1-4/+4
When running in strict mode, mysql throws an error upon encountering these definitions since they are not supported. References: https://dev.mysql.com/doc/refman/5.7/en/data-type-defaults.html Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-12Add TESTING instructions for web interfaceMark Weiman2-0/+40
Add instructions to test aurweb's web interface via the PHP built-in web server. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>