Age | Commit message (Collapse) | Author | Files | Lines |
|
Closes: #8
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
|
|
The account deletion code tries to remove user from PackageNotifications
using the wrong column UsersID to identify the user by id. In the
PackagePackageNotifications table the foreign key is called UserID. In
the future ideally this would be unified into UserID for all tables.
Closes: #12
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
jsdelivr is another free CDN service for open source projects.
The main motivation for this change is that it is the only one that works fairly
well across the globe. The Google CDN service is known to be hardly
accessible in mainland China, unfortunately.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
I think after 10-15 years we might want to adjust those values. With a
30min cache and 20 items per creation I would bet some new AUR packages
might be swept under the carpet.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
https://validator.w3.org/feed/docs/warning/MissingGuid.html
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
https://validator.w3.org/feed/docs/warning/ImageTitleDoesntMatch.html
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
https://validator.w3.org/feed/docs/warning/UnexpectedContentType.html
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
https://validator.w3.org/feed/docs/warning/MissingAtomSelfLink.html
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
When the keyword parameter is empty, the AND clause has to be omitted,
otherwise we get an SQL syntax error:
... WHERE PackageBases.PackagerUID IS NOT NULL AND () ...
This got broken in commit 9e30013aa4fc6ce3a3c9f6f83a6fe789c1fc2456
Author: Kevin Morris <kevr.gtalk@gmail.com>
Date: Sun Jul 5 18:19:06 2020 -0700
Support conjunctive keyword search in RPC interface
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Introduce a `redirect` query argument to SSO login endpoints so that
users are redirected to the page they were originally on when they
clicked the Login link.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
This feature was originally introduced by
f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898
<https://bugs.archlinux.org/task/12898>.
As of today, it is broken because of the `q.SessionID IS NULL` condition
in the WHERE clause, which can’t be true because SessionID is not
nullable. As a consequence, the session limit was not applied.
The fact the absence of the session limit hasn’t caused any issue so
far, and hadn’t even been noticed, suggests the feature is unneeded.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Error outputs were piped to a temporary buffer that wasn’t read by
anyone, making debugging hard because errors were completely silenced.
By not explicitly redirecting stderr on proc_open, the subprocess
inherits its parent stderr.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Newly supported API Version 6 modifies `type=search` for _by_ type
`name-desc`: it now behaves the same as `name-desc` search through the
https://aur.archlinux.org/packages/ search page.
Search for packages containing the literal keyword `blah blah` AND `haha`:
https://aur.archlinux.org/rpc/?v=6&type=search&arg="blah blah"%20haha
Search for packages containing the literal keyword `abc 123`:
https://aur.archlinux.org/rpc/?v=6&type=search&arg="abc 123"
The following example searches for packages that contain `blah` AND `abc`:
https://aur.archlinux.org/rpc/?v=6&type=search&arg=blah%20abc
The legacy method still searches for packages that contain `blah abc`:
https://aur.archlinux.org/rpc/?v=5&type=search&arg=blah%20abc
https://aur.archlinux.org/rpc/?v=5&type=search&arg=blah%20abc
API Version 6 is currently only considered during a `search` of `name-desc`.
Note: This change was written as a solution to
https://bugs.archlinux.org/task/49133.
PS: + Some spacing issues fixed in comments.
Signed-off-by: Kevin Morris <kevr.gtalk@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
We’ll probably change the whole login page in the future, but this makes
development easier.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
We usually guard such queries and have both mysql and sqlite branches.
But I have not implemented the sqlite branch. Given sqlite is typically
used for local dev setups, the fact that "users with more than the
configured max simultaneous logins" can avoid getting some logins
annulled is probably not a huge risk.
And this always *used* to fail on sqlite, silently. Now, in php 8, it
raises PDOException, which prevents running the test server
Document this as a FIXME for now, until someone reimplements the query
for sqlite.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Due to missing whitespace at the end of strings during joining, we ended
up with the query fragment
"DelTS IS NULLAND NOT PinnedTS"
which should be
"DelTS IS NULL AND NOT PinnedTS"
So the check for pinned comments > 5 likely always failed.
In php 7, a completely broken query that raises exceptions in the
database engine was silently ignored... in php 8, it raises
Uncaught PDOException: SQLSTATE[HY000]: General error: 1 near "PinnedTS": syntax error in <file>
and aborts the page building. End result: users with permission to pin
comments cannot see any comments, or indeed page content below the first
comment header
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
The current package search query is quite poorly optimized and becomes a
resource hog when the offsets gets large enough. This DoSes the service.
A quick fix is to just ensure we have some limit to the number of hits
we return. The current hardcoding of 2500 is based on the following:
* 250 hits per page max
* 10 pages
We can maybe consider having it lower, but it seems easier to just have
this a multiple of 250 in the first iteration.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Addresses FS#65639.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Do not add an opening <tbody> tag for every row. Instead, wrap all rows
in <tbody></tbody>.
While at it, also simplify the code used to color the rows.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
The try_login() function documents it returns an array containing an
'error' key, and our only caller *only* consults the 'error' key. Then
the function returns null instead of an array, if the login succeeded!
I question why we bother returning the new SID if we never use it,
surely we could either return the error or return default null. But, for
now, I'm just going to fix it to return what it's actually supposed to,
without changing the API.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
If a db query returned NULL instead of an array, then accessing $row[0]
now throws a warning. The undocumented behavior of evaluating to NULL
is maintained, and we want to return NULL anyway, so add a check for the
value and fall back on the default function return type.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Addresses FS#64983.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Support secondary email addresses that can be used to recover an account
in case access to the primary email address is lost. Reset keys for an
account are always sent to both the primary and the backup email
address.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In addition to supporting email addresses in the reset key form, also
support user names. The reset key is then sent to the email address in
the user's profile.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
|
|
Since commits daee20c (Require current password when setting a new one,
2020-01-30) and 8fc8898 (Require password when deleting an account,
2020-01-30), changing a password and deleting an account require the
current password. Extend this to all other profile changes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Further reduce the attack surface in case of a stolen session ID.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
When changing the password of an account, instead of asking for the old
password of the account, ask for the password of the currently logged in
user. This allows privileged users to edit other accounts without
knowing their passwords.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Rollback an accidental change that sneaked into commit daee20c (Require
current password when setting a new one, 2020-01-30).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Prevent from easily taking over an account by changing the password with
a stolen session ID.
Fixes FS#65325.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
The Git repository URLs are not meant to be visited using a web browser.
Copy the link to the clipboard instead.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
There's no need to use permanent storage for rate limiting information;
try to keep it in memory if caching is enabled.
From experiments with our live setup, this reduces the number of
INSERT/DELETE operations per second from 15 to almost 0. Disk writes on
the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Limit the display to two decimal points for packages with a popularity
of at least 0.2.
Suggested-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
The TTL for package details can be much longer than for generic values
since they never change. Note that when an update is pushed via Git, all
packages belonging to that package base are deleted and new packages are
created.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Cache more package details if the global caching mechanism is enabled.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Cache the results of the extended fields computation if the global
caching mechanism is enabled.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
The package provider and dependency queries are quite CPU-intensive and
usually yield rather small result sets. Cache these values if the global
caching mechanism is enabled.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
With the previous implementation, unlucky users could have their CAPTCHA
be invalidated by a single account creation while filling out their
account registration form.
Make this more robust by allowing up to five account registrations
before rejecting a CAPTCHA salt.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Add a CAPTCHA to protect against automated account creation. The CAPTCHA
changes whenever three new accounts are registered.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page , but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"
The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.
In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.
|