summaryrefslogtreecommitdiffstats
path: root/web/html
AgeCommit message (Collapse)AuthorFilesLines
2020-02-02Add support for backup email addressesLukas Fleischer4-5/+10
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add option to send reset key for a given user nameLukas Fleischer1-13/+12
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require password when changing account informationLukas Fleischer2-4/+5
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require password when deleting an accountLukas Fleischer1-4/+13
Further reduce the attack surface in case of a stolen session ID. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require current password when setting a new oneLukas Fleischer2-0/+3
Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Sync CSS with archwebLukas Fleischer1-8/+10
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Add a simple CAPTCHA to the sign up formLukas Fleischer1-2/+12
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-18Move permission for LIST_COMMENTS to dev/tu blockEli Schwartz1-1/+1
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
2019-05-26Display warning when flagging VCS packagesLukas Fleischer2-0/+13
VCS packages should not be flagged out-of-date when the package version does not match the most recent commit. Implements FS#62733. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-25Sync CSS with archwebLukas Fleischer1-47/+25
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-04-28Add "Enable notifications" checkbox in "Add Comment" formVladimir Panteleev2-0/+8
Currently, it is a little to easy to forget to enable notifications for a package after leaving a comment, thus never being notified of a reply. Even though the "Enable notifications" link is on the same page, it is not part of the flow for posting a new comment, and so, easy to miss. Most web forums and comment systems include a checkbox to enable notifications when posting for the first time in a thread. This patch implements this in aurweb, as well. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-08-06Allow listing all comments from a userJohannes Löthberg4-2/+72
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Sync CSS with archwebLukas Fleischer1-37/+6
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12Stop using each()Lukas Fleischer2-3/+3
The each() function has been deprecated as of PHP 7.2.0. Use foreach loops instead. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add capability for co-maintainers to disown packagesMark Weiman2-3/+13
Implements FS#53832. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Add route for /users.gzLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-28Sync CSS with archwebLukas Fleischer3-7/+48
This partially fixes FS#56472. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05login.php: Escape quotes in the referer fieldLukas Fleischer1-1/+1
Replace special characters in the referer GET parameter using htmlspecialchars() before inserting it into the login form fields to prevent from XSS attacks. Fixes FS#55286. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30Add support for Terms of Service documentsLukas Fleischer1-0/+50
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer18-47/+0
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Fix the comment collapse featureLukas Fleischer1-11/+12
In commit 4abde89 (Use JavaScript to collapse long comments, 2017-04-19), support for collapsing/expanding long comments was added. This was broken by the recent Markdown support since comments no longer live inside a single HTML paragraph. Fix this by wrapping each comment in another div container. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-20Use JavaScript to collapse long commentsLukas Fleischer2-5/+35
Instead of using CSS to limit the height of package comments as implemented in 7b13203 (Limit comment height to 15 lines, 2016-03-12), use JavaScript to collapse long comments and add a link to expand them. Clicking the same link twice results in the corresponding comment being collapsed again. If JavaScript is disabled, the full comments are shown (without any possibility to collapse or expand). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-03-04index.php: Remove routes for dropped imagesLukas Fleischer1-3/+0
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28pkgbase.php: Fix PHP noticeLukas Fleischer1-3/+2
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28pkgbase.php: Squelch PHP warningLukas Fleischer1-13/+19
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28account.php: Always initialize $successLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27pkgflag.php: Remove stray variableLukas Fleischer1-1/+1
Drop the fragment part of the redirection code which is an artifact of the original code copy-pasted in commit ca954fe (Do not redirect when showing errors during flagging, 2015-10-21). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27404.php: Squelch warning on empty PATH_INFOLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-24Use bcrypt to hash passwordsLukas Fleischer1-4/+1
Replace the default hash function used for storing passwords by password_hash() which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in. Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting. Fixes FS#52297. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-15Fix several PHP short open tagsLukas Fleischer4-4/+4
Use "<?=" instead of "<?" for printing. Fixes a regression introduced in a9048bb (Dedupe translatable strings, 2015-11-25). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-15pkgbase.php: Add default titleLukas Fleischer1-1/+1
Instead of triggering a PHP warning and using an empty title if no package base is specified, use a default title. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-15Hide old requests from the dashboardLukas Fleischer1-1/+3
Only show package requests created less than 6 months ago on the dashboard. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-12Move package search links on the dashboardLukas Fleischer1-2/+4
Move the package search links below the section headings. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-08Move my packages to separate dashboard sectionsLukas Fleischer1-6/+10
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-08Add requests to dashboardLukas Fleischer1-0/+6
Add a new table which shows all package requests affecting the currently logged in user. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-08pkgreq_results.php: Add a flag to hide headersLukas Fleischer1-0/+1
Introduce a new boolean flag that can be used to disable extended headers, pagination and forms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-08pkgreq_results.php: Split out package results boxLukas Fleischer1-0/+2
Do not include the wrapper div container in the template. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-08Add flagged packages to the dashboardLukas Fleischer1-0/+12
Implement a table that shows all packages which are flagged out-of-date and either maintained or co-maintained by the currently logged in user. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-08Add links to all owned packages to the dashboardLukas Fleischer1-2/+2
In addition to showing the 50 most recent maintained and co-maintained packages, add links to all packages one owns or co-maintains. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-04Add dashboardLukas Fleischer1-2/+34
For logged in users, the home page is replaced with an overview of the packages the user maintains or co-maintains. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-04pkg_search_results.php: Split out package results boxLukas Fleischer1-0/+2
Do not print the wrapper div container when calling pkg_search_page(). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-04Refactor pkg_search_page()Lukas Fleischer1-2/+2
* Pass search parameters using an associative array instead of $_GET. * Add a boolean parameter to enable and disable headers/footers. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-03Split out the search form from pkg_search_page()Lukas Fleischer1-1/+2
This makes it easier to display search results without showing the search form. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-20account.php: Reformat process_account_form() callMark Weiman1-6/+18
Modify the call to process_account_form() to only having one parameter per line. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-20Add user set timezonesMark Weiman3-1/+6
Currently, aurweb displays all dates and times in UTC time. This patch adds a capability for each logged in user to set their preferred timezone. Implements FS#48729. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-10-08Add clone hints to 404 error pagesLukas Fleischer1-0/+33
When clicking on the linked Git clone URL of a package base, users are faced with a 404 error page since the URL is not supposed to be opened in a web browser. Add some notes to 404 error pages corresponding to Git clone URLs that explain how to use them instead. Fixes FS#51266. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-06-25Add missing database and account fieldsJohannes Löthberg2-11/+43
Commits 6ec4a35 (Send notifications when changing ownership, 2016-02-21) and e3670ef (Add a homepage field to accounts, 2016-06-02) forgot to change some usages of display_account_form() and process_account_form() to account for the new parameter. The former also forgot to add the new column to the database schema. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-06-08Add a homepage field to accountsLukas Fleischer1-15/+38
Allow users to add a link to their homepage to their profile. Implements FS#22774. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-03-13Remove code referencing non-existent and unused fileIan D. Scott1-4/+0
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-03-13Limit comment height to 15 linesEric Engestrom1-0/+5
Signed-off-by: Eric Engestrom <eric@engestrom.ch> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>