summaryrefslogtreecommitdiffstats
path: root/web/html
AgeCommit message (Collapse)AuthorFilesLines
2012-07-06pkgsubmit.php: Improve file upload error messagescanyonknight1-2/+17
* Currently, $_FILES showing a filesize of zero is interpreted as no file was uploaded, despite other errors potentially being the cause. * The $_FILES superglobal stores what the actual error was, so use it. This includes file write problems, empty uploads, partial uploads, and upload_max_filesize being exceeded. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06rss.php: Pull out DB codecanyonknight1-6/+2
* Move DB code in rss.php to new function in aur.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Pull out DB code from trusted user pagecanyonknight1-54/+14
* Move DB code in tu.php and tu.php and tu_list.php to new functions in accfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06account.php: Pull out DB codecanyonknight1-34/+10
* Move DB code in account.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface * Consolidate redudant SQL statements from DisplayAccount and AccountInfo * Consolidation also adds ability to edit accounts based on username Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Pull out DB codecanyonknight1-48/+11
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and pkgfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06passreset.php: Pull out DB codecanyonknight1-22/+3
* Move DB code in passreset.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06logout.php: Pull out DB codecanyonknight1-4/+4
* Move DB code for removing a session in logout.php to a new function in acctfuncs.inc.php * Add ability for clear_expired_sessions function to check for DB connection * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06addvote.php: Pull out DB codecanyonknight1-27/+4
* Verifying a username exists should use already present valid_user function * Create new functions in acctfuncs.inc.php with SQL queries from addvote.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06voters.php: Pull out DB codecanyonknight1-13/+2
* Create new function in pkgfuncs.inc.php with SQL queries from voters.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Move language selection to a drop-down listLukas Fleischer1-0/+3
Move all languages to a select container to save some space. Language selection is a rarely used feature, so there's no need to make this a one click option. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Move login form to a separate pageLukas Fleischer1-0/+55
Do not show the login form on every page. Move it to a separate login page and add a link to the navigation bar. Also, add a logout link for logged-in users. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06passreset.php: Overhaul to match archwebcanyonknight1-45/+42
* Switch to CSS used by archweb * General fixups in XHTML Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Overhaul account pages to match archwebcanyonknight1-3/+1
* Use CSS from archweb * General clean-up of XHTML formatting Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06addvote.php: Overhaul to match archwebcanyonknight1-23/+25
* Switch CSS over to archweb styling * General clean-up of XHTML * Set proposal box size to something more sane for a default Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Overhaul trusted user proposal page to match archwebcanyonknight1-11/+14
* Change all boxes and other CSS to match archweb * General fixups in XHTML formatting * Change results table to match color scheme everywhere else Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Refactor package submission formLukas Fleischer1-28/+24
* Adjust style to match the overall layout. * Use proper HTML tags and double quotes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06voters.php: Overhaul to match archwebcanyonknight1-15/+17
* Currently voters.php has no navigation links and/or styling. This patch adds the appropriate styling * User PHP alternative syntax for control structures * Change a variable name to more frequently used "atype" * General clean-up of XHTML Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06index.php: Overhaul to match archwebcanyonknight1-62/+103
* Switch to CSS used by archweb * Move package search to a smaller box to match the style of the main site * Add text describing mailing list and bug tracker. Eventually remove those associated nav bar links. * General clean-up of XHTML Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Remove all traces of "pgboxtitle"Lukas Fleischer5-11/+5
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06Add archweb style sheetLukas Fleischer2-0/+985
* Add "archweb.css" from the master branch of archweb. We will use this as base style sheet in the future. * Add "aur.css" for AUR-specific extensions to "archweb.css". * Remove the "archnavbar.css" link from the header template since this is included in "archweb.css". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Be consistent in PHP logical operator usagecanyonknight2-3/+3
A mix of logical operator styles are currently in use. The predominant style uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency is minor, but is easily avoided. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight5-44/+61
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-05-06web/html/packages.php: Remove duplicate codeLukas Fleischer1-14/+10
Retrieve the package ID early and merge the if-branches calling package_details(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-05-06user_table optimizationDan McGee1-2/+2
Rather than looking up by username, it makes more sense to look the stats up by user ID to reduce the number of needed joins. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Support canonical links to accountsLukas Fleischer1-1/+5
Addresses FS#9582 and FS#21600. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Support canonical links to packagesLukas Fleischer1-0/+14
This is more user-friendly than supporting package IDs only and can be used as a basis to support direct links to AUR packages in places where links are computer-produced (e.g. Wiki templates). Addresses FS#21600 and FS#28839. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Add field for PGP key in profile informationLukas Fleischer1-6/+7
This is handy for verifying the PGP key of new Trusted Users. Also, this could potentially used as a basis to allow signed package uploads in the future. Implements FS#29028. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-19web/html/pkgsubmit.php: Revamp tarball validationLukas Fleischer1-12/+14
* Reorder checks. * Use simple string functions instead of regular expressions. * Check for type flags before validating paths. The latter ensures we don't treat tarball keywords/flags as directories. This avoids problems with bsdtar inserting PaxHeader attributes into the archive which look something like the following to Archive_Tar: PaxHeader/xcursor-protozoa xcursor-protozoa/ xcursor-protozoa/PaxHeader/PKGBUILD xcursor-protozoa/PKGBUILD This only occurs on certain filesystems (e.g. jfs), but the tarball is by no means invalid. When extracted, it will only contain the PKGBUILD within a single subdirectory. Addresses FS#28802. Thanks-to: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-08Always set the "To:" header when sending mailLukas Fleischer1-2/+2
Use "undisclosed-recipients: ;" when sending mass notifications (such as comment notifications and the like. Addresses FS#28229. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-12-17Set the title in the Trusted User pageAndrea Scarpino1-1/+4
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02Add a new AUR_LOCATION settingDan McGee1-1/+1
This should be set to something like 'http://localhost' for development or 'https://aur.archlinux.org' in production. It ensures all links in the site stay in the development site and there is no sudden jump from development to production environments. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer6-24/+24
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer6-24/+24
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Show last voted date on account details pageDan McGee1-1/+1
We already show it in the account listing page as well, so we should show it here too. Also use a standard date format; we weren't using this non-punctuated format anywhere else. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Require DB handle for most user account functionsDan McGee1-2/+1
This affects login the most, where we save about 4 calls to db_connect() by passing a single handle into functions where necessary. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Remove a boatload of inline table stylesDan McGee3-6/+7
Replacing with CSS styles where appropriate. A previously unused CSS style is tweaked in the stylesheet to match most of what was done via non-CSS styling. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Merge branch 'maint'Lukas Fleischer1-3/+15
2011-09-05web/html/pkgsubmit.php: Deal with unset category IDLukas Fleischer1-3/+15
Do not move the package to the incoming package directory and fail to create proper database entries if some AUR upload helper doesn't provide a category. We got several failing constraints here, such as: Cannot add or update a child row: a foreign key constraint fails (`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY (`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO ACTION) Instead, default to "1" (which is "none", or "keep category" for existing packages) if no category is supplied. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Provide more examples on the RPC info pageLukas Fleischer1-2/+9
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Use "%s" instead of "%h" in format stringsLukas Fleischer3-4/+4
Use the standard string type specifier instead of "%h" in format strings. Both specifiers are treated equally in __() so we shouldn't break anything here. This also allows us to replace the hacky substitution algorithm in __() by vsprintf(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-12Use secure and httponly session cookiesLukas Fleischer1-1/+1
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Use 'true' instead of 'True' everywhereDan McGee1-3/+3
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Make package creation and update atomicDan McGee1-1/+5
Add BEGIN and COMMIT statements where it makes sense to do so. This allows the entire package creation or update process to be atomic and not be seen until it is complete. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Allow for merging deleted packages into existing onesLukas Fleischer1-2/+14
Merge all comments and votes of deleted packages into another package if the "Merge with" field is used. Duplicate votes (votes from a user who already voted on the target package or voted on more than one of the deleted packages) are discarded. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Rename package_exists() to pkgid_from_name()Lukas Fleischer1-2/+2
Describe what this function actually does: Return the ID of a package with a given name and return NULL if such a package doesn't exist. The function name is chosen in a fashion similar to other functions from "pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee1-3/+4
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-07-29Fix empty depends database insertLukas Fleischer1-11/+16
Do not try to insert a falsey value into the database in case of "depends=()". Signed-off-by: Manuel <manutortosa@chakra-project.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28Replace split() invocations with explode()Lukas Fleischer1-1/+1
Do not use split(), which has been deprecated as of PHP 5.3.0. As we don't even require regular expressions here, just use explode() instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Honor epoch field in PKGBUILD files.Slavi Pantaleev1-6/+10
The epoch field in PKGBUILD files was completely ignored until now, and the final Version field for a package consisted only of pkgver and pkgrel (example: 5.0-1) This means that rpc.php reported the version incorrectly for packages having epoch > 0. One case where this was a problem is that it confused AUR helpers wanting to examine all locally installed packages (with epoch > 0) and search the AUR for an updated version. The epoch field is taken into consideration now, and if not 0, will be prepended to the final Version field (example: 1:5.0-1) Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij10-19/+19
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>