summaryrefslogtreecommitdiffstats
path: root/web/lib
AgeCommit message (Collapse)AuthorFilesLines
2013-02-10Add database wrapper class and new connection methodcanyonknight6-98/+108
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30Merge branch 'maint'Lukas Fleischer2-8/+26
2013-01-30acctfuncs.inc.php: Change wording of account editing messagecanyonknight1-1/+1
An error message is printed when the number of affected rows is 0 for an edited account. A count of 0 doesn't imply an error, only that no changes were made in the database. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30Clear a user's active sessions following account suspensioncanyonknight1-0/+19
A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30acctfuncs.inc.php: Change return type of valid_username functioncanyonknight1-6/+5
The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30aur.inc.php: Fix PHP undefined index notice for AURSIDcanyonknight1-1/+1
Occurs in the rare situation where a logged out user tries to POST a CSRF token. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Merge branch 'maint'Lukas Fleischer2-5/+0
2013-01-19stats.inc.php: Remove unnecessary account type lookupcanyonknight1-3/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Remove double htmlspecialcharsMarcel Korpel1-2/+0
This is already done in header.php; doing this double will result in &amp; in title element Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Add description meta-element to package pagesMarcel Korpel2-31/+52
Implements FS#33294 Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Implemented typeahead suggestMarcel Korpel1-1/+21
Use Twitter Bootstrap JavaScript framework for typeahead support. Add a new "suggest" JSON method, which returns the first 20 packages that match the beginning characters of a query. canyonknight: Link format change, commit message Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-22Merge branch 'maint'Lukas Fleischer1-1/+1
2012-12-22Changed 'Dutch' to 'Nederlands'Marcel Korpel1-1/+1
Supported languages are listed in their native language. Only Dutch is in English. Translate reference into Dutch. canyonknight: Commit message clarity Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07Merge branch 'maint'Lukas Fleischer1-2/+31
2012-12-07Split package flagging and unflagging into separate functionscanyonknight@gmail.com1-31/+43
Currently, package flagging and unflagging takes place within the pkg_flag() function. A bool is set to true or false depending on the action. Create new pkg_unflag() function with sole purpose of unflagging and keep pkg_flag() in place. This split will be useful in the overhaul of the notification system. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account privilege escalation vulnerabilitycanyonknight1-2/+2
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account editing and hijacking vulnerabilitycanyonknight1-0/+29
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-15pkgfuncs.inc.php: Rework query to avoid "Required by" duplicatescanyonknight1-1/+1
Packages with multiple DepConditions are returned multiple times in the "Required by" column. Limit SQL results to distinct packages. Fixes FS#32478 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07Release 2.0.1v2.0.1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Avoid double slashes in notificationsLukas Fleischer1-3/+3
Both get_pkg_uri() and get_user_uri() should always return root-relative URLs -- do not prepend another "/". Fixes FS#32460. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04routing.inc.php: Return proper (non-virtual) URIsLukas Fleischer1-2/+2
Make sure we always return root-relative URIs in get_pkg_uri() and in get_user_uri() and prepend a slash ("/") if the virtual URL feature is disabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Release 2.0.0v2.0.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28Add Archive_Tar class to lib/canyonknight3-0/+3066
Some AUR setups do not have PEAR available. While other setups have access to outdated Archive_Tar versions. Avoid these problems completely by including the necessary files for Archive_Tar in lib/. Remove Archive_Tar requirement from INSTALL doc. Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-10-22Release 2.0.0-rc2v2.0.0-rc2Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22aurjson.class.php: Limit number of RPC resultscanyonknight2-5/+21
With no limit to the number of results, memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to an amount set within config.inc.php to avoid exceeding memory_limit. Introduce new JSON error code for when the result limit is hit. Fixes FS#31849 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-21Link to the HTTPs login page in the headerLukas Fleischer1-0/+2
Change the login link so that it points directly to the HTTPs version of the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11pkgfuncs.inc.php: Fix blacklisting functionalitycanyonknight1-1/+1
An array that contains whether the package is blacklisted is being improperly used for a comparison. Use fetchColumn() to avoid the array completely and compare a value directly. Regression with e171f6f34eeacf35cf7142b4788d43e7d0978546 Fixes FS#31867 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11Remove character limit on password lengthcanyonknight1-1/+0
As all new passwords are hashed and therefore stored in the database at the same length, this limitation is no longer needed. Fixes FS#31855 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-08Refactor TU voters listLukas Fleischer1-3/+3
* Change voters_list() to return an array of voters instead of generating HTML code in the library call. * Change the template to generate HTML code for the list of voters instead of displaying the library's return value. * Use HTML lists. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04Release 2.0.0-rc1v2.0.0-rc1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04pkgfuncs.inc.php: Document all functions using PHPDoc formatcanyonknight1-40/+263
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03Do not notify if status is unchanged in pkg_flag()Lukas Fleischer1-2/+6
Check if a package actually changed its status before sending an email to prevent from spamming. Addresses FS#31745. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03pkgfuncs.inc.php: Fix undefined variable noticeLukas Fleischer1-0/+1
Fixes a undefined variable notice in getvotes() that popped up when a package without any votes was requested. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24Avoid use of "<b>"/"</b>"Lukas Fleischer3-8/+8
* Use "<label>"/"</label>" for form labels. * Use "<strong>"/"</strong>" for important text. * Use "<h4>"/"</h4>" for headings. * Drop "<b>"/"</b>" everywhere else. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24stats.inc.php: Document all functions using PHPDoc formatcanyonknight1-0/+22
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24acctfuncs.inc.php: Document all functions using PHPDoc formatcanyonknight1-81/+270
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24aur.inc.php: Document all functions using PHPDoc formatcanyonknight1-40/+191
PHPDoc is a standardized format for commenting on PHP code. Using it allows for a more cohesive use of IDEs and documentation generators with the AUR code. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-20Remove unused pkgnotify_from_sid functioncanyonknight1-23/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-20Remove unused canManagePackage() functioncanyonknight1-22/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-20Remove unused chmod_group() functioncanyonknight1-28/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-19Sync search result statistics with archwebLukas Fleischer1-6/+0
* Use archweb classes for search result statistics. * Add some space between page numbers. * Display current page number instead of current item range. * Hide page numbers if the result fits into a single page. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Fix category selectionLukas Fleischer1-9/+1
Add a package ID parameter to pkg_change_category() instead of relying on the "ID" or "N" GET parameters. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Fix package notificationLukas Fleischer1-5/+5
One cannot check if the PDOStatement object returned by query() evaluates to true in order to check for a non-empty record set. Modify the SQL query to count the number of records instead of retrieving the records themselves and fixing the check. Regression introduced in e171f6f34eeacf35cf7142b4788d43e7d0978546. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18pkgfuncs.inc.php: Add missing global keywordLukas Fleischer1-0/+2
Use the global keyword to import "$AUR_LOCATION" in add_package_comment(). Regression introduced in d3de6679010a1d140794305e747f1af0e7f21834. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Overhaul ability to edit own accountcanyonknight1-18/+0
* Restructure account.php to remove redundant code. * Remove own_account_details(). * Rework logic check to default to no access to account edit form. * Make default account action viewing account info. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Use URL rewriting for user info pagecanyonknight3-2/+19
Navigation to the "AccountInfo" page should only require a user to know the username of the account they are looking for. Update all AUR links that use the user info page to reflect the new URL. Before: AUR_URL/account/?Action=AccountInfo&U=userfoo After: AUR_URL/account/userfoo Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Adjust user directions after registering to reflect new login pagecanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Migrate all DB code to use PDOcanyonknight8-379/+349
All DB code currently uses the quickly aging mysql_* functions. These functions are strongly discouraged and may eventually be deprecated. Transition all code to utilize the PDO data access abstraction layer. PDO allows for consistent query code across multiple databases. This could potentially allow for someone to use a database other than MySQL with minimal code changes. All functions and behaviors are reproduced as faithfully as possible with PDO equivalents and some changes in code. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23Allow only Trusted Users, Developers, and Maintainers to unflag packagescanyonknight1-0/+4
Currently everyone is allowed to unflag a package as out of date. This should be limited to only the appropriate people for a specific package. Fixes FS#27263 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-18Use virtual paths for voters pageLukas Fleischer1-1/+0
Link to "/packages/$pkgname/voters/" instead of using "/voters/" and a get parameter to request a specific package by ID. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>