summaryrefslogtreecommitdiffstats
path: root/web
AgeCommit message (Collapse)AuthorFilesLines
2020-02-13Fix more PHP 7.4 warningsEli Schwartz1-0/+1
The try_login() function documents it returns an array containing an 'error' key, and our only caller *only* consults the 'error' key. Then the function returns null instead of an array, if the login succeeded! I question why we bother returning the new SID if we never use it, surely we could either return the error or return default null. But, for now, I'm just going to fix it to return what it's actually supposed to, without changing the API. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-13Fix PHP 7.4 warningsEli Schwartz2-8/+24
If a db query returned NULL instead of an array, then accessing $row[0] now throws a warning. The undocumented behavior of evaluating to NULL is maintained, and we want to return NULL anyway, so add a check for the value and fall back on the default function return type. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Explain syntax/features in the comments sectionLukas Fleischer1-0/+4
Addresses FS#64983. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Explain the hide email address settingLukas Fleischer1-5/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add support for backup email addressesLukas Fleischer6-10/+32
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add option to send reset key for a given user nameLukas Fleischer2-19/+19
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Update copyright range in the cgit footerLukas Fleischer1-1/+1
2020-01-30Require password when changing account informationLukas Fleischer4-24/+21
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require password when deleting an accountLukas Fleischer2-6/+22
Further reduce the attack surface in case of a stolen session ID. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Verify current password against logged in userLukas Fleischer2-7/+6
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Undo accidental code additionLukas Fleischer1-1/+0
Rollback an accidental change that sneaked into commit daee20c (Require current password when setting a new one, 2020-01-30). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require current password when setting a new oneLukas Fleischer4-14/+36
Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-12-11Copy Git repository URL on clickLukas Fleischer2-4/+30
The Git repository URLs are not meant to be visited using a web browser. Copy the link to the clipboard instead. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23Store timestamp and user ID when closing requestsLukas Fleischer1-0/+2
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-02aurjson: use APCu/memcached for rate limitingLukas Fleischer1-15/+32
There's no need to use permanent storage for rate limiting information; try to keep it in memory if caching is enabled. From experiments with our live setup, this reduces the number of INSERT/DELETE operations per second from 15 to almost 0. Disk writes on the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-27Display popularity with less decimal pointsLukas Fleischer2-2/+2
Limit the display to two decimal points for packages with a popularity of at least 0.2. Suggested-by: Allan McRae <allan@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Release 4.8.0v4.8.0origin/maintLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Sync CSS with archwebLukas Fleischer1-8/+10
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-09Cache package requirements and sourcesLukas Fleischer1-19/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Make package details cache TTL configurableLukas Fleischer2-7/+14
The TTL for package details can be much longer than for generic values since they never change. Note that when an update is pushed via Git, all packages belonging to that package base are deleted and new packages are created. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Cache package licenses, groups and relationsLukas Fleischer1-44/+22
Cache more package details if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06aurjson: cache extended fieldsLukas Fleischer1-13/+4
Cache the results of the extended fields computation if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06Cache package provider and dependency informationLukas Fleischer2-29/+28
The package provider and dependency queries are quite CPU-intensive and usually yield rather small result sets. Cache these values if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Make CAPTCHA salt invalidation more robustLukas Fleischer1-9/+23
With the previous implementation, unlucky users could have their CAPTCHA be invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Add a simple CAPTCHA to the sign up formLukas Fleischer3-4/+95
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-18Move permission for LIST_COMMENTS to dev/tu blockEli Schwartz3-3/+3
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
2019-07-30pkgreqfuncs: Don't leave out non-default ClosureComment columnJohannes Löthberg1-2/+2
Since 09cb61a (schema: Remove invalid default values for TEXT columns, 2017-04-15) the PackageRequests.ClosureComment field no longer has a default value. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-06-30Update copyright year in the cgit footer templateMichael Straube1-1/+1
Signed-off-by: Michael Straube <michael.straube@posteo.de> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-26Display warning when flagging VCS packagesLukas Fleischer3-0/+34
VCS packages should not be flagged out-of-date when the package version does not match the most recent commit. Implements FS#62733. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-25Sync CSS with archwebLukas Fleischer1-47/+25
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24Use native language name for FinnishLukas Fleischer1-1/+1
Addresses FS#61803. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-05-24Ignore merge target for non-merge requestsLukas Fleischer1-0/+5
Fixes FS#59837. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-04-28Add "Enable notifications" checkbox in "Add Comment" formVladimir Panteleev3-0/+14
Currently, it is a little to easy to forget to enable notifications for a package after leaving a comment, thus never being notified of a reply. Even though the "Enable notifications" link is on the same page, it is not part of the flow for posting a new comment, and so, easy to miss. Most web forums and comment systems include a checkbox to enable notifications when posting for the first time in a thread. This patch implements this in aurweb, as well. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2019-01-14Quote MySql 8.0 reserved keywordsFlorian Pritz2-4/+4
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-26Fix notifications emails going to the right people, part #2Eli Schwartz1-3/+3
Notifications are still going to the wrong people. We tried to fix this in commit b702e5c0e7f13103fc764b7e5613f78f3e7acd30, but only fixed it for the python callers. There's another caller in the php code, which needs to use the right order of arguments as well. Fixes FS#60601 Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-10-17pkg_comments.php: Make comment timestamps link to the commentVladimir Panteleev1-5/+7
As of today, there is no easy way to obtain a link to a specific comment on a package page. Many implementations of forums and comment systems today seem to follow a convention where a comment's timestamp is an unobtrusive link to the comment itself. Some examples are: - phpBB (e.g. bbs.archlinux.org) - GitHub - Disqus - Discourse This patch adopts this convention as well, by making the timestamp a link to the comment.
2018-08-06Allow paginating package commentsJohannes Löthberg2-4/+6
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Allow listing all comments from a userJohannes Löthberg12-30/+258
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-08-06Make the locale directory configurableLukas Fleischer1-1/+2
Add a new configuration option to specify the locale directory to use. This allows the Python scripts to find the translations, even when not being run from the source code checkout. At the same time, multiple parallel aurweb setups can still use different sets of translations. Fixes FS#59278. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-09Fix regression in translating anything at allEli Schwartz1-2/+1
In commit 840ee20 (Rename translation resources from aur to aurweb, 2018-07-07) the translations file was renamed but we never actually switched to using the renamed translations. As a result, every single push to the AUR contains the following traceback: remote: Traceback (most recent call last): remote: File "/usr/bin/aurweb-notify", line 11, in <module> remote: load_entry_point('aurweb==4.7.0', 'console_scripts', 'aurweb-notify')() remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 541, in main remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 69, in send remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 56, in get_body_fmt remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/scripts/notify.py", line 192, in get_body remote: File "/usr/lib/python3.6/site-packages/aurweb-4.7.0-py3.6.egg/aurweb/l10n.py", line 14, in translate remote: File "/usr/lib/python3.6/gettext.py", line 514, in translation remote: raise OSError(ENOENT, 'No translation file found for domain', domain) remote: FileNotFoundError: [Errno 2] No translation file found for domain: 'aur' Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Release 4.7.0v4.7.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-07-07Sync CSS with archwebLukas Fleischer1-37/+6
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12Stop using each()Lukas Fleischer11-29/+29
The each() function has been deprecated as of PHP 7.2.0. Use foreach loops instead. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12Add newline after accept link for orphan requestsLukas Fleischer1-3/+1
Fixes a regression introduced in 0ffa067 (Use a link to accept orphan requests, 2018-05-10). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing dollar signLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing semicolonLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-11Use a link to accept orphan requestsEli Schwartz1-5/+1
Currently, a form is used instead of a link. This forwards to a confirmation page, and currently drops the "via" parameter in the process. As a result, accepted orphan requests usually show: Request #XXXXXX has been accepted automatically by the Arch User Repository package request system: The user YYYYYYY disowned the package. This is wrong, and should show (will show, if you manually add it or use the close button instead of the accept button): Request #XXXXXX has been rejected by YYYYYYY [1]: Fixes FS#56606. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-10Update copyright year in the cgit footer templateEli Schwartz1-1/+1
Four years just passed in the blink of an eye :) Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-22config: allow reading both the defaults file and the modified configEli Schwartz1-1/+11
In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups. This change allows aurweb configuration to be done via either: - copying config.defaults to config and modifying values - creating a new config only containing modified values, next to a config.defaults containing unmodified values The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is, it is easier to see what has changed by inspecting only the site configuration file. If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-21Handle empty resultset getting recent 10 packagesnodivbyzero1-3/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>