summaryrefslogtreecommitdiffstats
path: root/web/lib
AgeCommit message (Collapse)AuthorFilesLines
2021-02-20Support conjunctive keyword search in RPC interfaceKevin Morris2-24/+39
Newly supported API Version 6 modifies `type=search` for _by_ type `name-desc`: it now behaves the same as `name-desc` search through the https://aur.archlinux.org/packages/ search page. Search for packages containing the literal keyword `blah blah` AND `haha`: https://aur.archlinux.org/rpc/?v=6&type=search&arg="blah blah"%20haha Search for packages containing the literal keyword `abc 123`: https://aur.archlinux.org/rpc/?v=6&type=search&arg="abc 123" The following example searches for packages that contain `blah` AND `abc`: https://aur.archlinux.org/rpc/?v=6&type=search&arg=blah%20abc The legacy method still searches for packages that contain `blah abc`: https://aur.archlinux.org/rpc/?v=5&type=search&arg=blah%20abc https://aur.archlinux.org/rpc/?v=5&type=search&arg=blah%20abc API Version 6 is currently only considered during a `search` of `name-desc`. Note: This change was written as a solution to https://bugs.archlinux.org/task/49133. PS: + Some spacing issues fixed in comments. Signed-off-by: Kevin Morris <kevr.gtalk@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20rewrite query to support both mysql/sqliteEli Schwartz1-9/+5
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20prevent running mysql-specific query in sqliteEli Schwartz1-1/+3
We usually guard such queries and have both mysql and sqlite branches. But I have not implemented the sqlite branch. Given sqlite is typically used for local dev setups, the fact that "users with more than the configured max simultaneous logins" can avoid getting some logins annulled is probably not a huge risk. And this always *used* to fail on sqlite, silently. Now, in php 8, it raises PDOException, which prevents running the test server Document this as a FIXME for now, until someone reimplements the query for sqlite. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20fix broken SQL query that always failedEli Schwartz1-1/+1
Due to missing whitespace at the end of strings during joining, we ended up with the query fragment "DelTS IS NULLAND NOT PinnedTS" which should be "DelTS IS NULL AND NOT PinnedTS" So the check for pinned comments > 5 likely always failed. In php 7, a completely broken query that raises exceptions in the database engine was silently ignored... in php 8, it raises Uncaught PDOException: SQLSTATE[HY000]: General error: 1 near "PinnedTS": syntax error in <file> and aborts the page building. End result: users with permission to pin comments cannot see any comments, or indeed page content below the first comment header Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-09-05pkg_search_page: Limit number of results on package searchMorten Linderud1-4/+3
The current package search query is quite poorly optimized and becomes a resource hog when the offsets gets large enough. This DoSes the service. A quick fix is to just ensure we have some limit to the number of hits we return. The current hardcoding of 2500 is based on the following: * 250 hits per page max * 10 pages We can maybe consider having it lower, but it seems easier to just have this a multiple of 250 in the first iteration. Signed-off-by: Morten Linderud <morten@linderud.pw> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-04-05Fix invalid session ID checkLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-03-27Release 5.0.0v5.0.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-13Fix more PHP 7.4 warningsEli Schwartz1-0/+1
The try_login() function documents it returns an array containing an 'error' key, and our only caller *only* consults the 'error' key. Then the function returns null instead of an array, if the login succeeded! I question why we bother returning the new SID if we never use it, surely we could either return the error or return default null. But, for now, I'm just going to fix it to return what it's actually supposed to, without changing the API. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-13Fix PHP 7.4 warningsEli Schwartz2-8/+24
If a db query returned NULL instead of an array, then accessing $row[0] now throws a warning. The undocumented behavior of evaluating to NULL is maintained, and we want to return NULL anyway, so add a check for the value and fall back on the default function return type. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add support for backup email addressesLukas Fleischer1-4/+11
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add option to send reset key for a given user nameLukas Fleischer1-6/+7
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require password when changing account informationLukas Fleischer1-12/+7
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Verify current password against logged in userLukas Fleischer1-5/+4
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Undo accidental code additionLukas Fleischer1-1/+0
Rollback an accidental change that sneaked into commit daee20c (Require current password when setting a new one, 2020-01-30). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require current password when setting a new oneLukas Fleischer1-2/+13
Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23Store timestamp and user ID when closing requestsLukas Fleischer1-0/+2
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-02aurjson: use APCu/memcached for rate limitingLukas Fleischer1-15/+32
There's no need to use permanent storage for rate limiting information; try to keep it in memory if caching is enabled. From experiments with our live setup, this reduces the number of INSERT/DELETE operations per second from 15 to almost 0. Disk writes on the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Release 4.8.0v4.8.0origin/maintLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-09Cache package requirements and sourcesLukas Fleischer1-19/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Make package details cache TTL configurableLukas Fleischer2-7/+14
The TTL for package details can be much longer than for generic values since they never change. Note that when an update is pushed via Git, all packages belonging to that package base are deleted and new packages are created. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Cache package licenses, groups and relationsLukas Fleischer1-44/+22
Cache more package details if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06aurjson: cache extended fieldsLukas Fleischer1-13/+4
Cache the results of the extended fields computation if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06Cache package provider and dependency informationLukas Fleischer2-29/+28
The package provider and dependency queries are quite CPU-intensive and usually yield rather small result sets. Cache these values if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Make CAPTCHA salt invalidation more robustLukas Fleischer1-9/+23
With the previous implementation, unlucky users could have their CAPTCHA be invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Add a simple CAPTCHA to the sign up formLukas Fleischer1-2/+72
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-18Move permission for LIST_COMMENTS to dev/tu blockEli Schwartz1-1/+1
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
2019-07-30pkgreqfuncs: Don't leave out non-default ClosureComment columnJohannes Löthberg1-2/+2
Since 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15) the PackageRequests.ClosureComment field no longer has a default value. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-26Display warning when flagging VCS packagesLukas Fleischer1-0/+21
VCS packages should not be flagged out-of-date when the package version does not match the most recent commit. Implements FS#62733. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24Use native language name for FinnishLukas Fleischer1-1/+1
Addresses FS#61803. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24Ignore merge target for non-merge requestsLukas Fleischer1-0/+5
Fixes FS#59837. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-01-14Quote MySql 8.0 reserved keywordsFlorian Pritz2-4/+4
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-26Fix notifications emails going to the right people, part #2Eli Schwartz1-3/+3
Notifications are still going to the wrong people. We tried to fix this in commit b702e5c0e7f13103fc764b7e5613f78f3e7acd30, but only fixed it for the python callers. There's another caller in the php code, which needs to use the right order of arguments as well. Fixes FS#60601 Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-08-06Allow paginating package commentsJohannes Löthberg2-4/+6
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Allow listing all comments from a userJohannes Löthberg5-1/+110
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Make the locale directory configurableLukas Fleischer1-1/+2
Add a new configuration option to specify the locale directory to use. This allows the Python scripts to find the translations, even when not being run from the source code checkout. At the same time, multiple parallel aurweb setups can still use different sets of translations. Fixes FS#59278. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-09Fix regression in translating anything at allEli Schwartz1-2/+1
In commit 840ee20 (Rename translation resources from aur to aurweb, 2018-07-07) the translations file was renamed but we never actually switched to using the renamed translations. As a result, every single push to the AUR contains the following traceback: remote: Traceback (most recent call last): remote: File "/usr/bin/aurweb-notify", line 11, in <module> remote: load_entry_point('aurweb==4.7.0', 'console_scripts', 'aurweb-notify')() remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 541, in main remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 69, in send remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 56, in get_body_fmt remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 192, in get_body remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/l10n.py", line 14, in translate remote: File "/usr/lib/python3.6/gettext.py", line 514, in translation remote: raise OSError(ENOENT, 'No translation file found for domain', domain) remote: FileNotFoundError: [Errno 2] No translation file found for domain: 'aur' Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Release 4.7.0v4.7.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing dollar signLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing semicolonLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-22config: allow reading both the defaults file and the modified configEli Schwartz1-1/+11
In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups. This change allows aurweb configuration to be done via either: - copying config.defaults to config and modifying values - creating a new config only containing modified values, next to a config.defaults containing unmodified values The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is, it is easier to see what has changed by inspecting only the site configuration file. If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-21Handle empty resultset getting recent 10 packagesnodivbyzero1-3/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-20Terminate execution if config file is missingnodivbyzero1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Update cache code to INI style configurationJelle van der Waa1-7/+3
Change the defines to config_get and add one cache option and one option to define memcache_servers. Mention the required dependency to get memcached working in the INSTALL file. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Remove unused variable $dbh in pkgbase_display_detailsJelle van der Waa1-2/+0
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24RPC: Allow to search packages by "*depends" fieldsBaptiste Jonglez1-2/+19
It is now possible to search for packages that depend on a given package, for instance: /rpc/?v=5&type=search&by=depends&arg=ocaml It is similarly possible to match on "makedepends", "checkdepends" and "optdepends". Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add capability for co-maintainers to disown packagesMark Weiman1-2/+10
Implements FS#53832. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add rate limit support to APIFlorian Pritz1-0/+86
This allows us to prevent users from hammering the API every few seconds to check if any of their packages were updated. Real world users check as often as every 5 or 10 seconds. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Remove disjunction in pkg_providers queryFlorian Pritz1-2/+4
For some reason, running the SELECT .. WHERE .. OR .. query takes e.g. 58ms on a randomly generated db for some dependency name. Splitting the OR into two dedicated queries and UNIONing the result takes only 0.42ms. On the Arch Linux installation, searching for the providers of e.g. mongodb takes >=110ms when not cached by the query cache. The new query takes <1ms even when not cached. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-23Fix regression that stopped maintainers from pinning commentsEli Schwartz1-1/+1
In commit 8c98db0b82cc85a4498589e5d60299fefd93b421 support was added for package co-maintainers to pin comments in addition to maintainers. Due to a typo, the SQL query was reset halfway through and only added the co-maintainer IDs to the list of allowed users. Fixes FS#56783. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Allow setting an empty home pageLukas Fleischer1-1/+1
Since commit 4efba18 (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents from leaving the field empty. Keep the check in place but skip it if the home page field is left empty. Fixes FS#56550. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>