summaryrefslogtreecommitdiffstats
path: root/web/lib
AgeCommit message (Collapse)AuthorFilesLines
2011-08-12Use secure and httponly session cookiesLukas Fleischer2-3/+3
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add a configuration setting to disallow HTTP loginLukas Fleischer2-2/+8
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Remove unnecessary atype and uid lookup from package_details()Dan McGee1-3/+0
These were never used in the function. Where they are used is in the pkg_details.php template, so move them closer to their actual usage so as not to confuse poor programmers such as myself. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Use 'true' instead of 'True' everywhereDan McGee1-6/+6
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11pkgfuncs.inc.php: allow all DB funcs to take handle argDan McGee1-61/+102
Allows handle reuse if one is available. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11aur.inc.php: allow all functions using DB to take handle as argDan McGee1-25/+49
This prevents needless calls to db_connect() if we already have a reference to a handle we can pass into a function. Although the current underlying implementation using mysql_connect() will return the same connection if all parameters are the same, this might not be true if we switch to a more modern (e.g. PDO) interface. In the face of safe transactions, it is extremely important all actions are being taken over the same connection to the database. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add "mergepkgid" argument to pkg_delete()Lukas Fleischer1-1/+30
This allows for merging comments and votes of deleted packages into another one which is useful if a package needs to be renamed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-11Rename package_exists() to pkgid_from_name()Lukas Fleischer1-1/+1
Describe what this function actually does: Return the ID of a package with a given name and return NULL if such a package doesn't exist. The function name is chosen in a fashion similar to other functions from "pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee1-1/+1
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Allow SQL_DEBUG to be undefinedDan McGee1-1/+1
We shouldn't require this as it is a new config parameter and it causes PHP warnings to be spewed everywhere. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Simplify session ID generationLukas Fleischer1-10/+1
There was too much voodoo going on in new_sid(). Just use uniqid() with a random seed and the optional entropy parameter to generate MD5 input. Use the remote IP address as a salt to reduce the chance of two clients getting the same ID if they login at exactly the same time. Thanks-to: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Stricter email address validationLukas Fleischer1-1/+1
Use PHP's filter extension to validate mail addresses. The filter extension is enabled by default as of PHP 5.2.0. Thanks-to: Florian Pritz <bluewind@xinu.at> Thanks-to: Cédric Girard <girard.cedric@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Use sane ORDER BY clauses in package list queriesDan McGee1-4/+4
We were doing some silly things here with an "ORDER BY Name, CategoryID" clause, due to the fact that Name is unique, and thus any additional ordering after Name will have no effect. Of course, the dumb as a box of rocks MySQL query optimizer doesn't realize this, leading to full table scans every time of ~30000 packages instead of using index scans for the ordering and only retrieving the first 50 rows. The biggest change is noted in the default sort order as it cuts down the columns to one, but we can remove the redundant sort from other orderings as well, even though those will still not be able to use an index-driven query plan. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Do not redirect on single search resultsLukas Fleischer1-29/+22
The use of header() to redirect after previous output was a design flaw. Our only luck here was PHP's "output_buffering" config variable defaulting to 4096, which kind of hid the bug for a long time. Fixes FS#24580. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Make cache type selectable based on config valueelij3-46/+92
Provie a mechanism to specify cache type from NONE, APC, or MEMCACHE based on a config variable. If MEMCACHE type is selected, a list of servers can be specified to provide multiserver support. Note that php-memcaced is required for MEMCACHE support. Lukas: Minor commenting style fixes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij8-8/+8
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22refactor apc code and move to aur.incelij2-55/+66
- move apc cache code to aur.inc (centralize) - refactor the apc usage in stats.inc to utilize new code in aur.inc Lukas: Small commenting style and spelling changes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17add first submitted and last modified to rpc outputkachelaqa1-1/+2
after reading the discussion about the submitter field, i looked again at my previous patch and realized that it was not very good at all. hopefully this simplified version will be more acceptable. the justification for this patch is that many third-party tools will want to know how new a package is, or when it last changed. adding the submitted and modified timestamps will allow users to get all the relevant package data in a single query. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17add support for etag and conditional get (if-none-match)elij1-1/+29
Add etag and if-none-match conditional get support. This will allow 'smart client' to save network bandwidth, as they can save the etag hash value for queries and test it later. Still an http request because this patch specifically sets a cache lifetime of zero, and must-revalidate. The benefit here is bandwidth savings. Caching based on expires headers would likely be counter productive, as the api data can change rather quickly...but etag is a nice compromise, and could be quite beneficial for bandwidth recution in some scenarios. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17fix case where user does not existelij1-0/+3
the query was being performed when $id was not set, resulting in an invalid sql query being performed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17test return value from db_query before assuming it is validelij3-39/+71
make the sql query form consistent in usage by cleaning up instances where db_query's result was not inspected before attempting to fetch row data from the handle Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27add SQL_DEBUG variable and database loggingelij2-0/+16
add a hook to db_query to log all sql queries when SQL_DEBUG is set Additionally, provide better logging for sql error situations (provide backtrace as well as error message). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27stats: capitalize FROM in all SQL queriesDan McGee1-6/+6
Matches our normal code conventions. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27SQL: treat all UID/ID values as numbers, not stringsDan McGee2-12/+12
Ensure we are not quoting these values in any of our SQL queries. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27SQL: use standard LIMIT/OFFSET syntaxDan McGee2-2/+2
Increases compatibility with standard SQL dialect. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-20Use HTTPs for links in out of date notification mails.Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-16rpc: unify methods return (fixes FS#17597)tuxce1-29/+19
Include maintainer in info and search method. Lukas: Adjustments for "multiinfo" queries. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-16rpc: introduce multiinfo query (fixes FS#17583)Dan McGee1-1/+66
The majority of "real world" info requests [1] come in hefty batches. We would be better served to handle these in one request rather than multiple by allowing AUR clients to send multiple arguments. This enables things like this to work: http://aur.test/rpc.php?type=multiinfo&arg[]=cups-xerox&arg[]=cups-mc2430dl&arg[]=10673 Note to RPC users: unfortunately due to the asinine design of PHP, you unfortunately have to use the 'arg[]' syntax if you want more than one query argument, or you will only get the package satisfying the last arg you pass. [1] Rough data from April 11, 2011, with a total hit count of 1,109,163: 12 /login.php 13 /rpc.php?type=sarch 15 /rpc.php?type=msearch 16 /pingserver.php 16 /rpc.php 22 /logout.php 163 /passreset.php 335 /account.php 530 /pkgsubmit.php 916 /rss2.php 3838 /index.php 6752 /rss.php 9699 / 42478 /rpc.php?type=search 184737 /packages.php 681725 /rpc.php?type=info That means a whopping 61.5% of our requests were for info over the RPC interface; package pages are a distant second at only 16.7%. Lukas: Introduce "multiinfo" query instead of extending "info" (for the sake of backward compatibility). Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-16rpc.php: be a bit more consistent in query buildingDan McGee1-10/+10
Do the implode as the same but separate step each time, and remove indentation where no other query has it. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-16rpc.php overhaulDan McGee1-69/+44
* Mark things static in the class rather than use a constructor every single invocation of the service. * Don't call mysql_real_escape_string() before we even have a database connection, and don't do work in the database if we don't need to. * Formatting consistency fixups in a few places. * Add new process_query() helper function; use this instead of copy-pasted code in all of the RPC method calls. * Remove the escaping code meant to fix FS#15526, introduced in commit 4d1eb4dd7ac631. It broke more than it solved, only fixed the output in one of three RPC calls (and who knows what the web interface then also does), and proper encoding should be done at the database level rather than up here. Lukas: Add special case for "info" queries to process_query() (return a single result instead of an array of results here). Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-13Don't allow dl() of json moduleDan McGee1-4/+0
You need this enabled for the AUR, period. No need for this BS. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-13Pass array_map() callback function properly.Lukas Fleischer1-1/+1
PHP requires callback functions to be passed as strings. Fix this to supress PHP notices. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-13Remove "New Package Notify" option from user account settings.Lukas Fleischer1-27/+6
Do this in preparation for the upcoming notification script removal. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-10Remove comment on translation helpers from "web/lib/translator.inc".Lukas Fleischer1-9/+0
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-10Replace translation engine with php-gettext.Lukas Fleischer2-14/+10
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-10Add php-gettext libraries to "web/lib/".Lukas Fleischer2-0/+599
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-10Release 1.8.2.1.8.2Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-06Add option to search for exact name matches only (fixes FS#23556).Lukas Fleischer1-1/+6
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-05Initialize "$name" in pkgname_from_id().Lukas Fleischer1-2/+1
Ensures "$name" is always initialized, even if the package doesn't exist. Fixes PHP warnings appearing when retrieving package details of a package with an invalid ID. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-05Remove File_Find PEAR module from code base.Lukas Fleischer1-485/+0
We removed the code depending on this a long time ago - drop it and add some note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Add more stats to the front page tableDan McGee1-2/+16
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Remove Dummy Package conceptDan McGee4-51/+16
Instead, we just store dependencies directly in the PackageDepends table. Since we don't use this info anywhere besides the package details page, there is little value in precalculating what is in the AUR vs. what is not. An upgrade path is provided via several SQL statements in the UPGRADING document. There should be no user-visible change from this, but the DB schema gets a bit more sane and we no longer have loads of junk packages in our tables that are never shown to the end user. This should also help the MySQL query planner in several cases as we no longer have to be careful to exclude dummy packages on every query. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Always set ModifiedTS including new packagesDan McGee2-3/+3
Set it equal to the SubmittedTS field, which will be our indication the package is new when we show the logo on the front page of the AUR. This results in the ability to remove the use of the unindexable GREATEST() function from the AUR code everywhere we had to use it before to handle the 0 timestamp case. Note that there is no race condition here in calling UNIX_TIMESTAMP() twice- it always returns the time at the beginning of statment execution: mysql> select unix_timestamp(), sleep(2), unix_timestamp(); +------------------+----------+------------------+ | unix_timestamp() | sleep(2) | unix_timestamp() | +------------------+----------+------------------+ | 1300851746 | 0 | 1300851746 | +------------------+----------+------------------+ 1 row in set (2.00 sec) Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-24Bump up default per-page value to 50Dan McGee1-6/+6
25 is woefully small for the number of packages many searches can return, and with 28000+ packages in AUR, it makes sense to show a lot more per page by default. The new choices of (50, 100, 250) happen to match those from the main site. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-12Fix searching for orphans with "$LANG != 'en'" (fixes FS#23252).Lukas Fleischer1-1/+1
Regression introduced in commit ef8fab0c. Removed the strict check again instead of wrapping it in __() to ensure search URLs are language independent. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix broken XHTML.Lukas Fleischer1-38/+41
Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10Perform a second query to find total search countDan McGee1-7/+11
This removes the need for SQL_CALC_FOUND_ROWS which can really slow down queries in a lot of cases. The COUNT(*) query we end up performing can reuse a lot of the original clauses from our primary query, but we can really slim it up by omitting some joins and the sorting/limiting clauses. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10Split package search query into partsDan McGee1-20/+20
No functional change here; we should be rebuilding the same query at the end of the process. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10More PHP Notice undefined fixupsDan McGee1-1/+2
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-09Release 1.8.1.1.8.1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>