summaryrefslogtreecommitdiffstats
path: root/web
AgeCommit message (Collapse)AuthorFilesLines
2018-05-12Add newline after accept link for orphan requestsLukas Fleischer1-3/+1
Fixes a regression introduced in 0ffa067 (Use a link to accept orphan requests, 2018-05-10). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing dollar signLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-12confparser.inc.php: Add missing semicolonLukas Fleischer1-1/+1
Fixes a regression introduced in 97c5bce (config: allow reading both the defaults file and the modified config, 2018-04-15). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-11Use a link to accept orphan requestsEli Schwartz1-5/+1
Currently, a form is used instead of a link. This forwards to a confirmation page, and currently drops the "via" parameter in the process. As a result, accepted orphan requests usually show: Request #XXXXXX has been accepted automatically by the Arch User Repository package request system: The user YYYYYYY disowned the package. This is wrong, and should show (will show, if you manually add it or use the close button instead of the accept button): Request #XXXXXX has been rejected by YYYYYYY [1]: Fixes FS#56606. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-05-10Update copyright year in the cgit footer templateEli Schwartz1-1/+1
Four years just passed in the blink of an eye :) Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-04-22config: allow reading both the defaults file and the modified configEli Schwartz1-1/+11
In the process, rename config.proto to config.defaults (because that is what it is now). Also use dict.get('key', default_value) when querying os.environ, rather than an if block, as it is more pythonic/readable/concise, and reduces the number of dict lookups. This change allows aurweb configuration to be done via either: - copying config.defaults to config and modifying values - creating a new config only containing modified values, next to a config.defaults containing unmodified values The motivation for this change is to enable ansible configuration in our flagship deployment by storing only changed values, and deferring to config.defaults otherwise. A side benefit is, it is easier to see what has changed by inspecting only the site configuration file. If a config.defaults file does not exist next to $AUR_CONFIG or in $AUR_CONFIG_DEFAULTS, it is ignored and *all* values are expected to live in the modified config file. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-21Handle empty resultset getting recent 10 packagesnodivbyzero1-3/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-20Terminate execution if config file is missingnodivbyzero1-1/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Update cache code to INI style configurationJelle van der Waa1-7/+3
Change the defines to config_get and add one cache option and one option to define memcache_servers. Mention the required dependency to get memcached working in the INSTALL file. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-03-10Remove unused variable $dbh in pkgbase_display_detailsJelle van der Waa1-2/+0
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24RPC: Allow to search packages by "*depends" fieldsBaptiste Jonglez1-2/+19
It is now possible to search for packages that depend on a given package, for instance: /rpc/?v=5&type=search&by=depends&arg=ocaml It is similarly possible to match on "makedepends", "checkdepends" and "optdepends". Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add capability for co-maintainers to disown packagesMark Weiman4-6/+24
Implements FS#53832. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Add rate limit support to APIFlorian Pritz1-0/+86
This allows us to prevent users from hammering the API every few seconds to check if any of their packages were updated. Real world users check as often as every 5 or 10 seconds. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2018-02-24Remove disjunction in pkg_providers queryFlorian Pritz1-2/+4
For some reason, running the SELECT .. WHERE .. OR .. query takes e.g. 58ms on a randomly generated db for some dependency name. Splitting the OR into two dedicated queries and UNIONing the result takes only 0.42ms. On the Arch Linux installation, searching for the providers of e.g. mongodb takes >=110ms when not cached by the query cache. The new query takes <1ms even when not cached. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-23Fix regression that stopped maintainers from pinning commentsEli Schwartz1-1/+1
In commit 8c98db0b82cc85a4498589e5d60299fefd93b421 support was added for package co-maintainers to pin comments in addition to maintainers. Due to a typo, the SQL query was reset halfway through and only added the co-maintainer IDs to the list of allowed users. Fixes FS#56783. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Add route for /users.gzLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Allow setting an empty home pageLukas Fleischer1-1/+1
Since commit 4efba18 (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents from leaving the field empty. Keep the check in place but skip it if the home page field is left empty. Fixes FS#56550. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-12-03Release 4.6.0v4.6.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-28Sync CSS with archwebLukas Fleischer3-7/+48
This partially fixes FS#56472. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-07Fix sorting order when clicking table headingsLukas Fleischer1-1/+1
A bug introduced in commit 7d7e079 (Hide the table sorting links on the dashboard, 2017-02-04) resulted in multiple clicks on a table heading in the package search results table no longer having any effect, instead of changing the sorting order. Fix this by removing erroneous spaces from the GET parameters in the search URL. Fixes FS#56261. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-06Allow package co-maintainers to pin commentsLukas Fleischer1-6/+13
Implements FS#56255. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05login.php: Escape quotes in the referer fieldLukas Fleischer1-1/+1
Replace special characters in the referer GET parameter using htmlspecialchars() before inserting it into the login form fields to prevent from XSS attacks. Fixes FS#55286. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Only allow valid HTTP(s) URLs as home pageLukas Fleischer2-0/+24
The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Set X-Frame-Options to DENY for all pagesLukas Fleischer1-0/+1
Do not allow to render aurweb pages in a frame to protect against clickjacking. Fixes FS#56168. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Point out that the user name is public when registeringLukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-08-01Unset PackagerUID before deleting an accountLukas Fleischer1-1/+1
When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing. Fixes FS#53956. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30Add support for Terms of Service documentsLukas Fleischer4-0/+148
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer19-47/+2
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Fix the comment collapse featureLukas Fleischer2-18/+21
In commit 4abde89 (Use JavaScript to collapse long comments, 2017-04-19), support for collapsing/expanding long comments was added. This was broken by the recent Markdown support since comments no longer live inside a single HTML paragraph. Fix this by wrapping each comment in another div container. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-24Rerender package comments after editingLukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-23Render comments when storing them in the databaseLukas Fleischer2-4/+40
Instead of converting package comments from plain text to HTML code when they are displayed, do the conversion when the comment is posted and store the rendered result in the database. The conversion itself is done by a Python script which uses Bleach for sanitizing the text. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-20Use JavaScript to collapse long commentsLukas Fleischer3-6/+36
Instead of using CSS to limit the height of package comments as implemented in 7b13203 (Limit comment height to 15 lines, 2016-03-12), use JavaScript to collapse long comments and add a link to expand them. Clicking the same link twice results in the corresponding comment being collapsed again. If JavaScript is disabled, the full comments are shown (without any possibility to collapse or expand). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-19Store dependency descriptions in a separate columnLukas Fleischer2-26/+9
Split optional dependency descriptions from dependency names before storing them in the database and use a separate column to store the descriptions. This allows us to simplify and optimize the SQL queries in pkg_dependencies() as well as pkg_required(). Suggested-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check return value of get_extended_fields()Lukas Fleischer1-1/+4
Make sure that the get_extended_fields() invocation succeeded before merging regular and extended fields in process_query(). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check query return value in db_cache_value()Lukas Fleischer1-0/+3
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check query return value in search_results_page()Lukas Fleischer1-2/+5
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Also, make sure that the results array is always initialized, even if the result set is empty. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-18Check query return value in pkgbase_user_notify()Lukas Fleischer1-4/+3
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-03-09Release 4.5.1v4.5.1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-03-04index.php: Remove routes for dropped imagesLukas Fleischer1-3/+0
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-03-02account_delete.php: Fix variable nameLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28pkgbase.php: Fix PHP noticeLukas Fleischer1-3/+2
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28pkgbase.php: Squelch PHP warningLukas Fleischer1-13/+19
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-28account.php: Always initialize $successLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27Squelch warning in pkgbase_vote()Lukas Fleischer1-13/+17
Do not trigger a PHP warning if there are no votes to be added or removed. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27flag_comment.php: Hide comment for unflagged packagesLukas Fleischer1-0/+2
Only show the comment paragraph if the package base is actually flagged out-of-date. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27Remove bogus if-statement from pkgbase_delete()Lukas Fleischer1-9/+7
The variable $action is always undefined in pkgbase_delete() which makes the if-statement always true and triggers a warning whenever a package base is removed. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27Fix SQL query to retrieve language settingLukas Fleischer1-3/+5
In commit e171f6f (Migrate all DB code to use PDO, 2012-08-08), PDOStatement::fetchAll() was introduced as a drop-in replacement for mysql_fetch_array(). However, PDOStatement::fetchAll() returns a list of all results while mysql_fetch_array() returns a single result only. Instead of adding the missing indirection, simplify the code by using PDO::fetchColumn(). Also add some safeguards to prevent warnings if the result set returned by the query is empty. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27Fix warning with invalid time zoneLukas Fleischer1-0/+3
The SQL query retrieving the time zone from the database may return an empty result set if the session timeout was reached. Handle such cases gracefully by leaving the timezone variable unset. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27Fix more warnings occurring with unset SSH keysLukas Fleischer1-2/+8
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-27pkgflag.php: Remove stray variableLukas Fleischer1-1/+1
Drop the fragment part of the redirection code which is an artifact of the original code copy-pasted in commit ca954fe (Do not redirect when showing errors during flagging, 2015-10-21). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>