Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Support secondary email addresses that can be used to recover an account
in case access to the primary email address is lost. Reset keys for an
account are always sent to both the primary and the backup email
address.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In addition to supporting email addresses in the reset key form, also
support user names. The reset key is then sent to the email address in
the user's profile.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Since commits daee20c (Require current password when setting a new one,
2020-01-30) and 8fc8898 (Require password when deleting an account,
2020-01-30), changing a password and deleting an account require the
current password. Extend this to all other profile changes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Further reduce the attack surface in case of a stolen session ID.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Prevent from easily taking over an account by changing the password with
a stolen session ID.
Fixes FS#65325.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Add a CAPTCHA to protect against automated account creation. The CAPTCHA
changes whenever three new accounts are registered.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page , but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"
The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.
In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.
|
|
VCS packages should not be flagged out-of-date when the package version
does not match the most recent commit.
Implements FS#62733.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Currently, it is a little to easy to forget to enable notifications
for a package after leaving a comment, thus never being notified of a
reply. Even though the "Enable notifications" link is on the same
page, it is not part of the flow for posting a new comment, and so,
easy to miss.
Most web forums and comment systems include a checkbox to enable
notifications when posting for the first time in a thread. This patch
implements this in aurweb, as well.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
|
|
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
The each() function has been deprecated as of PHP 7.2.0. Use foreach
loops instead.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Implements FS#53832.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
This partially fixes FS#56472.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Replace special characters in the referer GET parameter using
htmlspecialchars() before inserting it into the login form fields to
prevent from XSS attacks.
Fixes FS#55286.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
This allows for adding Terms of Service documents to the database that
registered users need to accept before using the AUR. A revision field
can be used to indicate whether a document was updated. If it is
increased, all users are again asked to accept the new terms.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Instead of calling check_sid() from every single PHP script representing
a web page, add the call to aur.inc.php which is sourced by all of them.
Also, remove set_lang() calls from the scripts since these are also
already included in aur.inc.php.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In commit 4abde89 (Use JavaScript to collapse long comments,
2017-04-19), support for collapsing/expanding long comments was added.
This was broken by the recent Markdown support since comments no longer
live inside a single HTML paragraph. Fix this by wrapping each comment
in another div container.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Instead of using CSS to limit the height of package comments as
implemented in 7b13203 (Limit comment height to 15 lines, 2016-03-12),
use JavaScript to collapse long comments and add a link to expand them.
Clicking the same link twice results in the corresponding comment being
collapsed again.
If JavaScript is disabled, the full comments are shown (without any
possibility to collapse or expand).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Drop the fragment part of the redirection code which is an artifact of
the original code copy-pasted in commit ca954fe (Do not redirect when
showing errors during flagging, 2015-10-21).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Replace the default hash function used for storing passwords by
password_hash() which internally uses bcrypt. Legacy MD5 hashes are
still supported and are immediately converted to the new format when a
user logs in.
Since big parts of the authentication system needed to be rewritten in
this context, this patch also includes some simplification and
refactoring of all code related to password checking and resetting.
Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Use "<?=" instead of "<?" for printing.
Fixes a regression introduced in a9048bb (Dedupe translatable strings,
2015-11-25).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Instead of triggering a PHP warning and using an empty title if no
package base is specified, use a default title.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Only show package requests created less than 6 months ago on the
dashboard.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Move the package search links below the section headings.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Add a new table which shows all package requests affecting the currently
logged in user.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Introduce a new boolean flag that can be used to disable extended
headers, pagination and forms.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Do not include the wrapper div container in the template.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Implement a table that shows all packages which are flagged out-of-date
and either maintained or co-maintained by the currently logged in user.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In addition to showing the 50 most recent maintained and co-maintained
packages, add links to all packages one owns or co-maintains.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
For logged in users, the home page is replaced with an overview of the
packages the user maintains or co-maintains.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Do not print the wrapper div container when calling pkg_search_page().
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
* Pass search parameters using an associative array instead of $_GET.
* Add a boolean parameter to enable and disable headers/footers.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
This makes it easier to display search results without showing the
search form.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Modify the call to process_account_form() to only having one parameter per
line.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Currently, aurweb displays all dates and times in UTC time. This patch
adds a capability for each logged in user to set their preferred
timezone.
Implements FS#48729.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
When clicking on the linked Git clone URL of a package base, users are
faced with a 404 error page since the URL is not supposed to be opened
in a web browser. Add some notes to 404 error pages corresponding to Git
clone URLs that explain how to use them instead.
Fixes FS#51266.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Commits 6ec4a35 (Send notifications when changing ownership, 2016-02-21)
and e3670ef (Add a homepage field to accounts, 2016-06-02) forgot to
change some usages of display_account_form() and process_account_form()
to account for the new parameter. The former also forgot to add the new
column to the database schema.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Allow users to add a link to their homepage to their profile.
Implements FS#22774.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|