summaryrefslogtreecommitdiffstats
path: root/web/lib
AgeCommit message (Collapse)AuthorFilesLines
2020-02-13Fix more PHP 7.4 warningsEli Schwartz1-0/+1
The try_login() function documents it returns an array containing an 'error' key, and our only caller *only* consults the 'error' key. Then the function returns null instead of an array, if the login succeeded! I question why we bother returning the new SID if we never use it, surely we could either return the error or return default null. But, for now, I'm just going to fix it to return what it's actually supposed to, without changing the API. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-13Fix PHP 7.4 warningsEli Schwartz2-8/+24
If a db query returned NULL instead of an array, then accessing $row[0] now throws a warning. The undocumented behavior of evaluating to NULL is maintained, and we want to return NULL anyway, so add a check for the value and fall back on the default function return type. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add support for backup email addressesLukas Fleischer1-4/+11
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add option to send reset key for a given user nameLukas Fleischer1-6/+7
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require password when changing account informationLukas Fleischer1-12/+7
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Verify current password against logged in userLukas Fleischer1-5/+4
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Undo accidental code additionLukas Fleischer1-1/+0
Rollback an accidental change that sneaked into commit daee20c (Require current password when setting a new one, 2020-01-30). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require current password when setting a new oneLukas Fleischer1-2/+13
Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23Store timestamp and user ID when closing requestsLukas Fleischer1-0/+2
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-02aurjson: use APCu/memcached for rate limitingLukas Fleischer1-15/+32
There's no need to use permanent storage for rate limiting information; try to keep it in memory if caching is enabled. From experiments with our live setup, this reduces the number of INSERT/DELETE operations per second from 15 to almost 0. Disk writes on the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Release 4.8.0v4.8.0origin/maintLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-09Cache package requirements and sourcesLukas Fleischer1-19/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Make package details cache TTL configurableLukas Fleischer2-7/+14
The TTL for package details can be much longer than for generic values since they never change. Note that when an update is pushed via Git, all packages belonging to that package base are deleted and new packages are created. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Cache package licenses, groups and relationsLukas Fleischer1-44/+22
Cache more package details if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06aurjson: cache extended fieldsLukas Fleischer1-13/+4
Cache the results of the extended fields computation if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06Cache package provider and dependency informationLukas Fleischer2-29/+28
The package provider and dependency queries are quite CPU-intensive and usually yield rather small result sets. Cache these values if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Make CAPTCHA salt invalidation more robustLukas Fleischer1-9/+23
With the previous implementation, unlucky users could have their CAPTCHA be invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Add a simple CAPTCHA to the sign up formLukas Fleischer1-2/+72
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-18Move permission for LIST_COMMENTS to dev/tu blockEli Schwartz1-1/+1
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
2019-07-30pkgreqfuncs: Don't leave out non-default ClosureComment columnJohannes Löthberg1-2/+2
Since 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15) the PackageRequests.ClosureComment field no longer has a default value. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-26Display warning when flagging VCS packagesLukas Fleischer1-0/+21
VCS packages should not be flagged out-of-date when the package version does not match the most recent commit. Implements FS#62733. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24Use native language name for FinnishLukas Fleischer1-1/+1
Addresses FS#61803. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24Ignore merge target for non-merge requestsLukas Fleischer1-0/+5
Fixes FS#59837. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-01-14Quote MySql 8.0 reserved keywordsFlorian Pritz2-4/+4
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-26Fix notifications emails going to the right people, part #2Eli Schwartz1-3/+3
Notifications are still going to the wrong people. We tried to fix this in commit b702e5c0e7f13103fc764b7e5613f78f3e7acd30, but only fixed it for the python callers. There's another caller in the php code, which needs to use the right order of arguments as well. Fixes FS#60601 Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-08-06Allow paginating package commentsJohannes Löthberg2-4/+6
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Allow listing all comments from a userJohannes Löthberg5-1/+110
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Make the locale directory configurableLukas Fleischer1-1/+2
Add a new configuration option to specify the locale directory to use. This allows the Python scripts to find the translations, even when not being run from the source code checkout. At the same time, multiple parallel aurweb setups can still use different sets of translations. Fixes FS#59278. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-09Fix regression in translating anything at allEli Schwartz1-2/+1
In commit 840ee20 (Rename translation resources from aur to aurweb, 2018-07-07) the translations file was renamed but we never actually switched to using the renamed translations. As a result, every single push to the AUR contains the following traceback: remote: Traceback (most recent call last): remote: File "/usr/bin/aurweb-notify", line 11, in <module> remote: load_entry_point('aurweb==4.7.0', 'console_scripts', 'aurweb-notify')() remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 541, in main remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 69, in send remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 56, in get_body_fmt remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 192, in get_body remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/l10n.py", line 14, in translate remote: File "/usr/lib/python3.6/gettext.py", line 514, in translation remote: raise OSError(ENOENT, 'No translation file found for domain', domain) remote: FileNotFoundError: [Errno 2] No translation file found for domain: 'aur' Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Release 4.7.0v4.7.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing dollar signLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing semicolonLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-22config: allow reading both the defaults file and the modified configEli Schwartz1-1/+11
In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups. This change allows aurweb configuration to be done via either: - copying config.defaults to config and modifying values - creating a new config only containing modified values, next to a config.defaults containing unmodified values The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is, it is easier to see what has changed by inspecting only the site configuration file. If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-21Handle empty resultset getting recent 10 packagesnodivbyzero1-3/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-20Terminate execution if config file is missingnodivbyzero1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Update cache code to INI style configurationJelle van der Waa1-7/+3
Change the defines to config_get and add one cache option and one option to define memcache_servers. Mention the required dependency to get memcached working in the INSTALL file. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Remove unused variable $dbh in pkgbase_display_detailsJelle van der Waa1-2/+0
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24RPC: Allow to search packages by "*depends" fieldsBaptiste Jonglez1-2/+19
It is now possible to search for packages that depend on a given package, for instance: /rpc/?v=5&type=search&by=depends&arg=ocaml It is similarly possible to match on "makedepends", "checkdepends" and "optdepends". Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add capability for co-maintainers to disown packagesMark Weiman1-2/+10
Implements FS#53832. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add rate limit support to APIFlorian Pritz1-0/+86
This allows us to prevent users from hammering the API every few seconds to check if any of their packages were updated. Real world users check as often as every 5 or 10 seconds. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Remove disjunction in pkg_providers queryFlorian Pritz1-2/+4
For some reason, running the SELECT .. WHERE .. OR .. query takes e.g. 58ms on a randomly generated db for some dependency name. Splitting the OR into two dedicated queries and UNIONing the result takes only 0.42ms. On the Arch Linux installation, searching for the providers of e.g. mongodb takes >=110ms when not cached by the query cache. The new query takes <1ms even when not cached. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-23Fix regression that stopped maintainers from pinning commentsEli Schwartz1-1/+1
In commit 8c98db0b82cc85a4498589e5d60299fefd93b421 support was added for package co-maintainers to pin comments in addition to maintainers. Due to a typo, the SQL query was reset halfway through and only added the co-maintainer IDs to the list of allowed users. Fixes FS#56783. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Allow setting an empty home pageLukas Fleischer1-1/+1
Since commit 4efba18 (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents from leaving the field empty. Keep the check in place but skip it if the home page field is left empty. Fixes FS#56550. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Release 4.6.0v4.6.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-06Allow package co-maintainers to pin commentsLukas Fleischer1-6/+13
Implements FS#56255. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Only allow valid HTTP(s) URLs as home pageLukas Fleischer2-0/+24
The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Set X-Frame-Options to DENY for all pagesLukas Fleischer1-0/+1
Do not allow to render aurweb pages in a frame to protect against clickjacking. Fixes FS#56168. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01Unset PackagerUID before deleting an accountLukas Fleischer1-1/+1
When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing. Fixes FS#53956. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30Add support for Terms of Service documentsLukas Fleischer3-0/+98
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer1-0/+2
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>