summaryrefslogtreecommitdiffstats
path: root/web/html/account.php
AgeCommit message (Collapse)AuthorFilesLines
2019-08-18Move permission for LIST_COMMENTS to dev/tu blockEli Schwartz1-1/+1
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
2018-08-06Allow listing all comments from a userJohannes Löthberg1-1/+19
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer1-3/+0
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28account.php: Always initialize $successLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-20account.php: Reformat process_account_form() callMark Weiman1-6/+18
Modify the call to process_account_form() to only having one parameter per line. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-20Add user set timezonesMark Weiman1-0/+3
Currently, aurweb displays all dates and times in UTC time. This patch adds a capability for each logged in user to set their preferred timezone. Implements FS#48729. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-06-25Add missing database and account fieldsJohannes Löthberg1-3/+6
Commits 6ec4a35 (Send notifications when changing ownership, 2016-02-21) and e3670ef (Add a homepage field to accounts, 2016-06-02) forgot to change some usages of display_account_form() and process_account_form() to account for the new parameter. The former also forgot to add the new column to the database schema. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-06-08Add a homepage field to accountsLukas Fleischer1-15/+38
Allow users to add a link to their homepage to their profile. Implements FS#22774. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-02-07Add support for package update notificationsLukas Fleischer1-5/+5
Introduce a new notification option to receive notifications when a new commit is pushed to a package repository. Implements FS#30109. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-02-07Add global comment notification settingLukas Fleischer1-6/+12
Add a configuration option to the account edit page that allows for globally enabling/disabling package base comment notifications. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-20Add option to hide one's email addressMarcel Korpel1-9/+10
Implements FS#42343. Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08Set correct 'My Account' link after changing usernameMarcel Korpel1-10/+28
Don't print messages (and the account form) in process_account_form() anymore, but return them to the caller. When updating accounts, this function will be called before the headers are written. If a username has been changed by process_account_form(), the headers now show the updated username from the database in the 'My Account' link. Clicking on it immediately after changing a username will no longer lead to a non-existing URL. Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08Use username from the database if one is provided by the userMarcel Korpel1-2/+2
This fixes a bug where the new user name input by the user was invalid, causing the account deletion link and the form action to be wrong. Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27Add support for multiple SSH public keysLukas Fleischer1-1/+2
Attaching more than one SSH public key to the same account is useful, e.g. if one uses different machines to access the AUR SSH interface. Multiple keys can now be specified by adding multiple lines to the text area on the account edit form. Implements FS#45469. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org> Acked-by: Leonidas Spyropoulos <artafinde@gmail.com>
2015-06-27Move registration code to a separate unitLukas Fleischer1-17/+1
Until now, we used the same unit to register and edit accounts. Split these features into separate source files for clarity. This also allows us to redirect to the home page when a logged-in user tries to access the registration page. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-09Drop suffixes from confirm parametersLukas Fleischer1-1/+1
Remove the _delete and _disown suffixes from HTTP POST confirmation parameters. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-05-31Show the SSH key field on the registration pageLukas Fleischer1-1/+2
Now that we have a short explanation on how we use the SSH public key, we can show that field on the registration page. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-02-04Rename the AUR software to aurwebLukas Fleischer1-1/+1
Rename the project to help differentiate between the software providing access to the Arch User Repository and the collection of source packages itself. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-12-27Add support for adding SSH public keys to profilesLukas Fleischer1-2/+3
Users can now add an SSH public key on the account edit page. This will later be used to authenticate users via SSH. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-12-13Show user name in title on the account details pageLukas Fleischer1-13/+19
Suggested-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-29Fix the registration formLukas Fleischer1-3/+3
Pass the right parameters to display_account_form() and process_account_form() when showing/processing the registration form. Fixes a regression introduced in 03c6304 (Rework permission handling, 2014-07-15). Reported-by: Karthik K <hashken.distro@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-25Add support for deleting user accountsLukas Fleischer1-0/+16
Users can now delete their own accounts by clicking a link in the account edit form and confirming the deletion on a follow-up page. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-15Rework permission handlingLukas Fleischer1-13/+7
Add a new function has_credential() that checks whether the currently logged in user is allowed to perform a given action. Moving all permission handling to this central place makes adding new user groups and adjusting permissions much more convenient. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-08-27Pick sane default registration languageLukas Fleischer1-1/+1
Instead of defaulting to Català (which is the first entry in the list of supported languages), choose whatever language the unregistered user is browsing the AUR in. Fixes FS#34825. Suggested-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-08-22Allow for setting an account's inactivity statusLukas Fleischer1-2/+3
This adds a field to the users table and corresponding fields to the account edit and display forms that allow for setting an (in-)activity status. This might turn out to be useful if a user is on vacation and can not respond to update/orphan/deletion requests. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-04-24Remove superfluous search wrapper functioncanyonknight1-1/+1
The search_accounts_form() wrapper function doesn't have any arguments and only makes it unclear what is happening within account.php Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-03-19Enforce e-mail validation during registrationLukas Fleischer1-2/+2
Remove the password field from the account creation form and always send a password reset request via e-mail instead. This ensures that only users with valid e-mail addresses are able to login. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Fix default selection on the account edit pageLukas Fleischer1-1/+1
We used a mixture of account type IDs and account type descriptions on the account edit page. This resulted in the account type field always defaulting to "Normal user" after an invalid form had been submitted. Consistently use account type IDs to avoid this. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove unneeded database connection callscanyonknight1-1/+0
Since all database related functions will establish a connection when needed, there is no need to pre-emptively try and establish a database connection. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Add database wrapper class and new connection methodcanyonknight1-1/+1
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30Replace permission check code with can_edit_account()canyonknight1-5/+2
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account editing and hijacking vulnerabilitycanyonknight1-3/+8
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Overhaul ability to edit own accountcanyonknight1-25/+9
* Restructure account.php to remove redundant code. * Remove own_account_details(). * Rework logic check to default to no access to account edit form. * Make default account action viewing account info. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer1-7/+7
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-06acctfuncs.inc.php: Move XHTML to account_details.php templatecanyonknight1-3/+1
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML out of the display_account_info function that echoes the code, and moves it to the new account_details.php template file. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06account.php: Pull out DB codecanyonknight1-34/+10
* Move DB code in account.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface * Consolidate redudant SQL statements from DisplayAccount and AccountInfo * Consolidation also adds ability to edit accounts based on username Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Overhaul account pages to match archwebcanyonknight1-3/+1
* Use CSS from archweb * General clean-up of XHTML formatting Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Remove all traces of "pgboxtitle"Lukas Fleischer1-1/+1
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-5/+7
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Support canonical links to accountsLukas Fleischer1-1/+5
Addresses FS#9582 and FS#21600. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Add field for PGP key in profile informationLukas Fleischer1-6/+7
This is handy for verifying the PGP key of new Trusted Users. Also, this could potentially used as a basis to allow signed package uploads in the future. Implements FS#29028. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer1-1/+1
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer1-1/+1
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Show last voted date on account details pageDan McGee1-1/+1
We already show it in the account listing page as well, so we should show it here too. Also use a standard date format; we weren't using this non-punctuated format anywhere else. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij1-2/+2
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-13Remove "New Package Notify" option from user account settings.Lukas Fleischer1-4/+4
Do this in preparation for the upcoming notification script removal. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notices in account pagesDan McGee1-18/+20
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2009-08-11Use include_once where applicableDan McGee1-1/+1
All of these are sourcing function libraries so we don't need to include them more than once. Things that insert actual HTML into the output were left calling include(). Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-01-19Use new conglomerated translation files.Loui Chang1-3/+1
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-12-21Introduce function include_lang for translations.Loui Chang1-6/+7
This includes only the requested language for each page and makes top level language include files obsolete. Signed-off-by: Loui Chang <louipc.ist@gmail.com>