Age | Commit message | Author | Files | Lines |
|
We already display the 404 error page if someone tries to access an
invalid package via virtual URLs ("/packages/nonexistent"). Add the same
check to "web/html/packages.php" to make sure the same error is shown if
a user requests package details of a nonexistent package ID via legacy
URLs ("/packages.php?ID=-1").
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Remove the password field from the account creation form and always send
a password reset request via e-mail instead. This ensures that only
users with valid e-mail addresses are able to log in.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This allows for reusing reset key submission for other things, such as
sending an initial password reset code during account registration.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This allows for adding a metadata file called ".AURINFO" to source
tarballs to overwrite specific PKGBUILD fields. .AURINFO files are
parsed line by line. The syntax for each line is "key = value", where
key is any of the following field names:
* pkgname
* pkgver
* pkgdesc
* url
* license
* depend
Multiple "depend" lines can be specified to add multiple dependencies.
This format closely matches the .PKGINFO format that is used for binary
packages in pacman/libalpm. It can be extended by field name prefixes or
sections to support split packages later.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
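As an added example (not aurweb's own parser), the ".AURINFO" overlay described in the commit above: lines of the form "key = value", a fixed set of allowed field names, repeated "depend" lines collected into a list, and the result merged over the fields parsed from the PKGBUILD. Assumptions not stated in the log: blank lines and "#" comments are skipped, and unknown keys are rejected rather than ignored.

```php
<?php
// Added example, not the project's code. Parses .AURINFO text into an
// associative array of PKGBUILD fields; "depend" accumulates into a list.
function parse_aurinfo(string $text): array {
    $scalar = ['pkgname', 'pkgver', 'pkgdesc', 'url', 'license'];
    $fields = [];
    foreach (explode("\n", $text) as $lineno => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // assumed: blank lines and "#" comments are ignored
        }
        // Syntax is "key = value"; split on the first "=" only so that a
        // value such as "baz>=2" or a URL with "=" in it survives intact.
        $parts = explode('=', $line, 2);
        if (count($parts) !== 2) {
            throw new InvalidArgumentException(
                'line ' . ($lineno + 1) . ": expected 'key = value'");
        }
        $key = trim($parts[0]);
        $value = trim($parts[1]);
        if ($key === 'depend') {
            $fields['depend'][] = $value; // multiple depend lines allowed
        } elseif (in_array($key, $scalar, true)) {
            $fields[$key] = $value;
        } else {
            // Assumed policy: reject keys outside the listed field names
            // instead of passing arbitrary metadata through.
            throw new InvalidArgumentException(
                'line ' . ($lineno + 1) . ": unknown field '$key'");
        }
    }
    return $fields;
}

// .AURINFO values overwrite the corresponding PKGBUILD-derived fields.
function apply_aurinfo(array $pkgbuild, array $aurinfo): array {
    return array_merge($pkgbuild, $aurinfo);
}

// Constructed sample input: pkgver and depends come from .AURINFO,
// pkgdesc stays as parsed from the PKGBUILD.
$aurinfo = parse_aurinfo("pkgname = foo\npkgver = 1.2\n# comment\n"
                         . "depend = bar\ndepend = baz>=2\n");
$merged = apply_aurinfo(
    ['pkgname' => 'foo', 'pkgver' => '1.1', 'pkgdesc' => 'Foo tool'],
    $aurinfo);
var_dump($merged);
```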
|
Move all PKGBUILD field validations to a central location.
Also, change $pkgbuild[] to $new_pkgbuild[] in order to parse evaluated
PKGBUILD fields instead of raw ones.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Remove redundant filters -- single quotes are already removed in
$pkgbuild_new and we do not pass the package name to a shell
(additionally, the regular expression already checks for potentially
evil characters).
Also, move the $pkg_name extraction up to fix the split package check.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We used a mixture of account type IDs and account type descriptions on
the account edit page. This resulted in the account type field always
defaulting to "Normal user" after an invalid form had been submitted.
Consistently use account type IDs to avoid this.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Since all database related functions will establish a connection
when needed, there is no need to pre-emptively try and establish
a database connection.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
A large amount of boilerplate code that checks if a database
connection exists is useless now that the new connection method
automatically does the same check.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
All functions now have a database connection method that will use
the same database connection. This imitates the functionality of
passing a database connection as an argument and makes it redundant.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Uses the Singleton pattern to ensure all queries use the same
database connection that is released upon script completion.
All database connections should now be called with DB::connect() and
not db_connect().
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Implements FS#33294
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use Twitter Bootstrap JavaScript framework for typeahead support.
Add a new "suggest" JSON method, which returns the first 20
packages that match the beginning characters of a query.
canyonknight: Link format change, commit message
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
|
|
Currently, package flagging and unflagging takes place within the
pkg_flag() function. A bool is set to true or false depending on the
action.
Create a new pkg_unflag() function with the sole purpose of unflagging
and keep pkg_flag() in place. This split will be useful in the
overhaul of the notification system.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.
This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.
Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
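As an added example (not aurweb's own can_edit_account()), the pattern the commit above describes: the backend takes the target account from the route, not from the POST body, and runs the permission check before any submitted field is processed. The policy and account type IDs used here are assumptions for illustration; the log does not state them.

```php
<?php
// Added example, not the project's code. Assumed account type IDs:
// 1 = normal user, 2 = Trusted User, 3 = Developer. Assumed policy: a
// user may edit their own account, TUs may also edit normal users,
// Developers may edit anyone.
function can_edit_account(int $editor_type, int $editor_uid,
                          int $target_type, int $target_uid): bool {
    if ($editor_uid === $target_uid) {
        return true;                         // own account
    }
    if ($editor_type === 3) {
        return true;                         // developers edit any account
    }
    if ($editor_type === 2 && $target_type === 1) {
        return true;                         // TUs edit normal users only
    }
    return false;
}

// Backend handler for the "/account/<user>/update" route. $session is the
// logged-in user's row, $target the row looked up from the username in the
// URL, $post the submitted form, $update the (hypothetical) DB writer.
function handle_account_update(array $session, array $target,
                               array $post, callable $update): string {
    // The check runs before any POSTed data is touched; a crafted ID or
    // username in the form body cannot redirect the update elsewhere.
    if (!can_edit_account($session['AccountType'], $session['ID'],
                          $target['AccountType'], $target['ID'])) {
        http_response_code(403);
        return 'You do not have permission to edit this account.';
    }
    $update($target['ID'], [
        'Email'    => $post['Email'] ?? '',
        'RealName' => $post['RealName'] ?? '',
    ]);
    return 'The account has been updated.';
}

// Constructed sample: a normal user (ID 7) posting an update for user 8.
$writes = [];
$record = function (int $id, array $fields) use (&$writes) { $writes[$id] = $fields; };
echo handle_account_update(['ID' => 7, 'AccountType' => 1],
                           ['ID' => 8, 'AccountType' => 1],
                           ['Email' => 'x@example.invalid'], $record), "\n";
var_dump($writes);   // stays empty: the update never ran
```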
|
Voter page token check takes place in the same way as other
existing token checks. Move the check for consistency.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use the routing library to build proper URIs instead of relying on the
"REQUEST_URI" server variable which can be manipulated and might return
bogus URIs.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Display a special error message if the package is identified as a split
package.
Currently, the AUR displays a very vague error message when a split
package is submitted ("Invalid name: only lowercase letters are
allowed"). This often caused confusion among package submitters, see
FS#22834 and FS#32450.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32449.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Display an error page and return a 404 status code in the following
cases:
* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Users are able to upload tarballs without a directory.
The directory count for a tarball is available, so use it to
display an error when there is not a single directory.
This patch has no effect on users who generate their uploaded
tarballs using makepkg. All other users must include a directory
in their tarball.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Word-wrap labels in the package statistics box, just as we wrap package
names in the "Recent Updates" box.
Addresses FS#32160.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The main site, wiki, and BBS are using HTTPS exclusively, so link
directly to the correct protocol rather than forcing a redirect.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Add missing <p> tag
* Move <h4> outside of a <p> tag
* Rename an id to avoid a conflict with an already existing id
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Give user feedback instead of bailing out with an empty HTTP response
body.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Parameters were not correct for a package update operation.
Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c
Fixes FS#31868
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
As all new passwords are hashed and therefore stored in the database
at the same length, this limitation is no longer needed.
Fixes FS#31855
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
An ended vote details page will report a user hasn't voted even when
they have. This is a result of faulty logic that only checks if a user
has voted if the vote is still running.
Regression with commit c15441762c6f6ab4438eaf2854c0ee3146a98b30
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
A foreach() is run without verifying an uploaded package has any depends.
Fix the undefined index notice for packages uploaded with no depends.
Similar to commit 857de725d1c87da005b4ab8e9a88222fd19aab4b.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now have a separate box on the package details page. Add
a package merge link in that box.
Link leads to a new page (pkgmerge.php) that can be used to confirm package
merging. A separate page with confirmation is used to avoid CSRFs.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now have a separate box on the package details page. Make
a package deletion link in that box.
Link leads to a new page (pkgdel.php) that can be used to confirm package
deletion. A separate page with confirmation is used to avoid CSRFs.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Use "<label>"/"</label>" for form labels.
* Use "<strong>"/"</strong>" for important text.
* Use "<h4>"/"</h4>" for headings.
* Drop "<b>"/"</b>" everywhere else.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Use archweb classes for search result statistics.
* Add some space between page numbers.
* Display current page number instead of current item range.
* Hide page numbers if the result fits into a single page.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Sync the sidebar layout with archweb, use the "pkg-name" class to wrap
long package names.
* Move the "New!" logo to a separate column to make sure it isn't
wrapped to a new line on its own.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add a package ID parameter to pkg_change_category() instead of relying
on the "ID" or "N" GET parameters.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Setting GET parameters manually is bad style and causes some strange
side effects when using virtual URLs and mkurl().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Spotted when browsing the package details page while being logged out.
Reported-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Restructure account.php to remove redundant code.
* Remove own_account_details().
* Rework logic check to default to no access to account edit form.
* Make default account action viewing account info.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The "UpdateAccount" page displays information as to whether an account
update was successful. All POST account info goes to this page, so use
it with sane URLs.
Before:
AUR_URL/account/?Action=UpdateAccount&U=userfoo
After:
AUR_URL/account/userfoo/update
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Allows for easier account editing and saner URLs. Update account editing links
to use new URL.
Before:
AUR_URL/account/?Action=DisplayAccount&U=userfoo
After:
AUR_URL/account/userfoo/edit
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Navigation to the "AccountInfo" page should only require a user to know the
username of the account they are looking for. Update all AUR links that use
the user info page to reflect the new URL.
Before:
AUR_URL/account/?Action=AccountInfo&U=userfoo
After:
AUR_URL/account/userfoo
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|