summaryrefslogtreecommitdiffstats
path: root/web/html/account.php
AgeCommit message (Collapse)AuthorFilesLines
2013-02-10Add database wrapper class and new connection methodcanyonknight1-1/+1
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30Replace permission check code with can_edit_account()canyonknight1-5/+2
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account editing and hijacking vulnerabilitycanyonknight1-3/+8
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Overhaul ability to edit own accountcanyonknight1-25/+9
* Restructure account.php to remove redundant code. * Remove own_account_details(). * Rework logic check to default to no access to account edit form. * Make default account action viewing account info. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer1-7/+7
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-06acctfuncs.inc.php: Move XHTML to account_details.php templatecanyonknight1-3/+1
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML out of the display_account_info function that echoes the code, and moves it to the new account_details.php template file. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06account.php: Pull out DB codecanyonknight1-34/+10
* Move DB code in account.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface * Consolidate redudant SQL statements from DisplayAccount and AccountInfo * Consolidation also adds ability to edit accounts based on username Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Overhaul account pages to match archwebcanyonknight1-3/+1
* Use CSS from archweb * General clean-up of XHTML formatting Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Remove all traces of "pgboxtitle"Lukas Fleischer1-1/+1
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-5/+7
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Support canonical links to accountsLukas Fleischer1-1/+5
Addresses FS#9582 and FS#21600. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Add field for PGP key in profile informationLukas Fleischer1-6/+7
This is handy for verifying the PGP key of new Trusted Users. Also, this could potentially used as a basis to allow signed package uploads in the future. Implements FS#29028. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer1-1/+1
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer1-1/+1
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Show last voted date on account details pageDan McGee1-1/+1
We already show it in the account listing page as well, so we should show it here too. Also use a standard date format; we weren't using this non-punctuated format anywhere else. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij1-2/+2
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-13Remove "New Package Notify" option from user account settings.Lukas Fleischer1-4/+4
Do this in preparation for the upcoming notification script removal. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notices in account pagesDan McGee1-18/+20
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2009-08-11Use include_once where applicableDan McGee1-1/+1
All of these are sourcing function libraries so we don't need to include them more than once. Things that insert actual HTML into the output were left calling include(). Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-01-19Use new conglomerated translation files.Loui Chang1-3/+1
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-12-21Introduce function include_lang for translations.Loui Chang1-6/+7
This includes only the requested language for each page and makes top level language include files obsolete. Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-06-17Remove all vim mode lines. Add HACKING file.Loui Chang1-1/+1
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-03-23Put login into its own function.Loui Chang1-1/+1
Utilise login form template. Also cleaned up a couple notices. Signed-off-by: Loui Chang <louipc.ist@gmail.com> Signed-off-by: Simo Leone <simo@archlinux.org>
2008-01-20Support for verbose page titlesCallan Barrett1-1/+1
Verbose page titles again Adds support for more verbose page titles based on current page and action by user and removes sort by options from search form as they're obsolete by column links. Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
2007-10-02Fixed version strings.tardo1-1/+1
Added AUR_VERSION to config file, so now we should only need to change one location. KISS ftw. Signed-off-by: tardo <tardo@nagi-fanboi.net>
2007-09-24More changes to page styles.eliott1-0/+7
2007-09-20patch from eliott to convert all <? to <?phppjmattal1-1/+1
2007-09-20- Applied a patch from Loui to fix session removal.swiergot1-1/+1
- Replaced all occurences of mysql_escape_string() with mysql_real_escape_string().
2006-08-08added dsa's header include patchpjmattal1-0/+3
2006-08-01added dsa's "My Packages" patchpjmattal1-0/+1
2005-06-10Added Simo's patch for #2579, adding user info pagepjmattal1-2/+21
also modified it slightly so that we no longer look at AURMaintainerUID for maintainer
2005-04-23Fix user existence checks; whacks bug#2585simo1-2/+2
2005-01-25started working on package delete supporteric1-1/+1
2004-09-10continuing with pkgsubmit, added vim instructions to php fileseric1-1/+1
2004-06-24getting closer to printing package search results - also fixed some XHTML stufferic1-3/+3
2004-06-23account adding/editing is workingeric1-5/+57
2004-06-22pulled out account functions into separate include fileeric1-367/+29
2004-06-21working on the accounts stufferic1-3/+403
2004-06-20finished the login/logout/session stufferic1-4/+2
2004-06-19finished tweaking language selectioneric1-0/+18