summaryrefslogtreecommitdiffstats
path: root/web
AgeCommit message (Collapse)AuthorFilesLines
2021-05-03dos2unix a file with Windows linebreaks that editors and human reviewers hateEli Schwartz1-1542/+1542
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2021-03-30Resolve SQL Error when deleting an accountJelle van der Waa1-1/+1
The account deletion code tries to remove user from PackageNotifications using the wrong column UsersID to identify the user by id. In the PackagePackageNotifications table the foreign key is called UserID. In the future ideally this would be unified into UserID for all tables. Closes: #12 Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Use jsDelivr instead of Google CDN for jqueryFelix Yan4-4/+4
jsdelivr is another free CDN service for open source projects. The main motivation for this change is that it is the only one that works fairly well across the globe. The Google CDN service is known to be hardly accessible in mainland China, unfortunately. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20RSS: Decrease cache time and increase item countJustin Kromlinger1-2/+2
I think after 10-15 years we might want to adjust those values. With a 30min cache and 20 items per creation I would bet some new AUR packages might be swept under the carpet. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20RSS: Always provide a GUIDJustin Kromlinger1-0/+1
https://validator.w3.org/feed/docs/warning/MissingGuid.html Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20RSS: Make sure image title matches channel titleJustin Kromlinger1-1/+1
https://validator.w3.org/feed/docs/warning/ImageTitleDoesntMatch.html Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20RSS: Set proper content type headerJustin Kromlinger1-0/+2
https://validator.w3.org/feed/docs/warning/UnexpectedContentType.html Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20RSS: Add atom self linkJustin Kromlinger1-1/+2
https://validator.w3.org/feed/docs/warning/MissingAtomSelfLink.html Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Fix WHERE clause for keyword search queries with empty keywordsJakub Klinkovský1-5/+5
When the keyword parameter is empty, the AND clause has to be omitted, otherwise we get an SQL syntax error: ... WHERE PackageBases.PackagerUID IS NOT NULL AND () ... This got broken in commit 9e30013aa4fc6ce3a3c9f6f83a6fe789c1fc2456 Author: Kevin Morris <kevr.gtalk@gmail.com> Date: Sun Jul 5 18:19:06 2020 -0700 Support conjunctive keyword search in RPC interface Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Redirect to referer after SSO loginFrédéric Mangano-Tarumi1-6/+12
Introduce a `redirect` query argument to SSO login endpoints so that users are redirected to the page they were originally on when they clicked the Login link. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Remove the per-user session limitFrédéric Mangano-Tarumi1-15/+0
This feature was originally introduced by f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898 <https://bugs.archlinux.org/task/12898>. As of today, it is broken because of the `q.SessionID IS NULL` condition in the WHERE clause, which can’t be true because SessionID is not nullable. As a consequence, the session limit was not applied. The fact the absence of the session limit hasn’t caused any issue so far, and hadn’t even been noticed, suggests the feature is unneeded. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Stop redirecting stderr with proc_openFrédéric Mangano-Tarumi2-4/+0
Error outputs were piped to a temporary buffer that wasn’t read by anyone, making debugging hard because errors were completely silenced. By not explicitly redirecting stderr on proc_open, the subprocess inherits its parent stderr. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Support conjunctive keyword search in RPC interfaceKevin Morris2-24/+39
Newly supported API Version 6 modifies `type=search` for _by_ type `name-desc`: it now behaves the same as `name-desc` search through the https://aur.archlinux.org/packages/ search page. Search for packages containing the literal keyword `blah blah` AND `haha`: https://aur.archlinux.org/rpc/?v=6&type=search&arg="blah blah"%20haha Search for packages containing the literal keyword `abc 123`: https://aur.archlinux.org/rpc/?v=6&type=search&arg="abc 123" The following example searches for packages that contain `blah` AND `abc`: https://aur.archlinux.org/rpc/?v=6&type=search&arg=blah%20abc The legacy method still searches for packages that contain `blah abc`: https://aur.archlinux.org/rpc/?v=5&type=search&arg=blah%20abc https://aur.archlinux.org/rpc/?v=5&type=search&arg=blah%20abc API Version 6 is currently only considered during a `search` of `name-desc`. Note: This change was written as a solution to https://bugs.archlinux.org/task/49133. PS: + Some spacing issues fixed in comments. Signed-off-by: Kevin Morris <kevr.gtalk@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20Implement SSO logoutFrédéric Mangano-Tarumi1-1/+13
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20SSO: Add an SSO option in the login pageFrédéric Mangano-Tarumi1-0/+3
We’ll probably change the whole login page in the future, but this makes development easier. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20rewrite query to support both mysql/sqliteEli Schwartz1-9/+5
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20prevent running mysql-specific query in sqliteEli Schwartz1-1/+3
We usually guard such queries and have both mysql and sqlite branches. But I have not implemented the sqlite branch. Given sqlite is typically used for local dev setups, the fact that "users with more than the configured max simultaneous logins" can avoid getting some logins annulled is probably not a huge risk. And this always *used* to fail on sqlite, silently. Now, in php 8, it raises PDOException, which prevents running the test server Document this as a FIXME for now, until someone reimplements the query for sqlite. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2021-02-20fix broken SQL query that always failedEli Schwartz1-1/+1
Due to missing whitespace at the end of strings during joining, we ended up with the query fragment "DelTS IS NULLAND NOT PinnedTS" which should be "DelTS IS NULL AND NOT PinnedTS" So the check for pinned comments > 5 likely always failed. In php 7, a completely broken query that raises exceptions in the database engine was silently ignored... in php 8, it raises Uncaught PDOException: SQLSTATE[HY000]: General error: 1 near "PinnedTS": syntax error in <file> and aborts the page building. End result: users with permission to pin comments cannot see any comments, or indeed page content below the first comment header Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-09-05pkg_search_page: Limit number of results on package searchMorten Linderud1-4/+3
The current package search query is quite poorly optimized and becomes a resource hog when the offsets gets large enough. This DoSes the service. A quick fix is to just ensure we have some limit to the number of hits we return. The current hardcoding of 2500 is based on the following: * 250 hits per page max * 10 pages We can maybe consider having it lower, but it seems easier to just have this a multiple of 250 in the first iteration. Signed-off-by: Morten Linderud <morten@linderud.pw> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-04-05Fix PHP notices in the account formorigin/liveLukas Fleischer1-5/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-04-05Fix invalid session ID checkLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-03-27Release 5.0.0v5.0.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-27Properly escape passwords in the account edit formLukas Fleischer1-2/+2
Addresses FS#65639. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-26Fix HTML code in the account search results tableLukas Fleischer1-15/+5
Do not add an opening <tbody> tag for every row. Instead, wrap all rows in <tbody></tbody>. While at it, also simplify the code used to color the rows. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-13Fix more PHP 7.4 warningsEli Schwartz1-0/+1
The try_login() function documents it returns an array containing an 'error' key, and our only caller *only* consults the 'error' key. Then the function returns null instead of an array, if the login succeeded! I question why we bother returning the new SID if we never use it, surely we could either return the error or return default null. But, for now, I'm just going to fix it to return what it's actually supposed to, without changing the API. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-13Fix PHP 7.4 warningsEli Schwartz2-8/+24
If a db query returned NULL instead of an array, then accessing $row[0] now throws a warning. The undocumented behavior of evaluating to NULL is maintained, and we want to return NULL anyway, so add a check for the value and fall back on the default function return type. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Explain syntax/features in the comments sectionLukas Fleischer1-0/+4
Addresses FS#64983. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Explain the hide email address settingLukas Fleischer1-5/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add support for backup email addressesLukas Fleischer6-10/+32
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-02-02Add option to send reset key for a given user nameLukas Fleischer2-19/+19
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Update copyright range in the cgit footerLukas Fleischer1-1/+1
2020-01-30Require password when changing account informationLukas Fleischer4-24/+21
Since commits daee20c (Require current password when setting a new one, 2020-01-30) and 8fc8898 (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require password when deleting an accountLukas Fleischer2-6/+22
Further reduce the attack surface in case of a stolen session ID. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Verify current password against logged in userLukas Fleischer2-7/+6
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Undo accidental code additionLukas Fleischer1-1/+0
Rollback an accidental change that sneaked into commit daee20c (Require current password when setting a new one, 2020-01-30). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2020-01-30Require current password when setting a new oneLukas Fleischer4-14/+36
Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-12-11Copy Git repository URL on clickLukas Fleischer2-4/+30
The Git repository URLs are not meant to be visited using a web browser. Copy the link to the clipboard instead. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-23Store timestamp and user ID when closing requestsLukas Fleischer1-0/+2
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-11-02aurjson: use APCu/memcached for rate limitingLukas Fleischer1-15/+32
There's no need to use permanent storage for rate limiting information; try to keep it in memory if caching is enabled. From experiments with our live setup, this reduces the number of INSERT/DELETE operations per second from 15 to almost 0. Disk writes on the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s). Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-27Display popularity with less decimal pointsLukas Fleischer2-2/+2
Limit the display to two decimal points for packages with a popularity of at least 0.2. Suggested-by: Allan McRae <allan@archlinux.org> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Release 4.8.0v4.8.0origin/maintLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-19Sync CSS with archwebLukas Fleischer1-8/+10
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-09Cache package requirements and sourcesLukas Fleischer1-19/+9
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Make package details cache TTL configurableLukas Fleischer2-7/+14
The TTL for package details can be much longer than for generic values since they never change. Note that when an update is pushed via Git, all packages belonging to that package base are deleted and new packages are created. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-07Cache package licenses, groups and relationsLukas Fleischer1-44/+22
Cache more package details if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06aurjson: cache extended fieldsLukas Fleischer1-13/+4
Cache the results of the extended fields computation if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-06Cache package provider and dependency informationLukas Fleischer2-29/+28
The package provider and dependency queries are quite CPU-intensive and usually yield rather small result sets. Cache these values if the global caching mechanism is enabled. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Make CAPTCHA salt invalidation more robustLukas Fleischer1-9/+23
With the previous implementation, unlucky users could have their CAPTCHA be invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-10-05Add a simple CAPTCHA to the sign up formLukas Fleischer3-4/+95
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2019-08-18Move permission for LIST_COMMENTS to dev/tu blockEli Schwartz3-3/+3
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.