path: root/web/lib
Each entry below gives the commit date, the commit subject, then in parentheses the author, the number of files changed and the lines removed/added, followed by the full commit message.
2015-09-12  Mitigate JSONP callback vulnerabilities  (Lukas Fleischer, 1 file, -2/+6)
    The callback parameter of the RPC interface currently allows for specifying a prefix of arbitrary length of the returned result. This can be exploited by certain attacks. As a countermeasure, this patch restricts the allowed character set for the callback name to letters, digits, underscores, parentheses and dots. It also limits the length of the name to 128 characters. Furthermore, the reflected callback name is now always prepended with "/**/", which is a common workaround to protect against attacks such as Rosetta Flash.
    Fixes FS#46259.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-11  Allow for logging in via email address  (Lukas Fleischer, 2 files, -1/+16)
    Accept both user names and email addresses in the login prompt.
    Suggested-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-09-11  Remove superfluous function valid_user()  (Lukas Fleischer, 1 file, -26/+1)
    This helper function was almost 100% identical to uid_from_username(). Switch to using uid_from_username(), which has a much better name and implementation, everywhere.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-09-11  Require comments when flagging packages out-of-date  (Lukas Fleischer, 1 file, -6/+8)
    Implements FS#42827.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-31  Fix duplicate escaping of action links  (Lukas Fleischer, 1 file, -7/+7)
    The __() helper function already escapes HTML special characters. Do not escape them again in html_action_*().
    Fixes FS#45780.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-30  Allow users to unflag packages they flagged themselves  (Lukas Fleischer, 2 files, -2/+3)
    Sometimes, a user accidentally flags a package out-of-date. Allow users to unflag packages that they flagged themselves, thereby providing a way to undo these actions.
    Implements FS#46145.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-30  Remember user ID when flagging package bases  (Lukas Fleischer, 1 file, -2/+2)
    Add a new FlaggerUID field to the database and use it to store the user ID of the account who recently flagged a package out-of-date.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-17  Do not allow empty comments  (Marcel Korpel, 1 file, -0/+10)
    Fixes FS#45870.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-11  rpc: msearch: Give orphans on empty maintainer argument  (Johannes Löthberg, 1 file, -2/+6)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  aurjson.class.php: Add missing PHPDoc  (Lukas Fleischer, 1 file, -0/+17)
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  aurjson.class.php: Add method get_comment_form()  (Marcel Korpel, 1 file, -1/+48)
    This method will be used by the JavaScript comment editing and produces a form containing the comment.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Split pkg_comment_form.php so the outer box is not always included  (Marcel Korpel, 2 files, -2/+2)
    For use in the new RPC interface to edit comments, the form shouldn't always print a header. Create a new template pkg_comment_box.php that prints form and box, change template pkg_comment_form.php to only print the form.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Do not use the term "unsupported" for AUR packages  (Lukas Fleischer, 1 file, -3/+2)
    We no longer use the term [unsupported] to refer to the "repository" of AUR packages. Update texts and variable names accordingly.
    Fixes FS#45381.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Show popularity in package base details  (Lukas Fleischer, 2 files, -3/+3)
    Fixes FS#45600.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Set correct 'My Account' link after changing username  (Marcel Korpel, 1 file, -15/+16)
    Don't print messages (and the account form) in process_account_form() anymore, but return them to the caller. When updating accounts, this function will be called before the headers are written. If a username has been changed by process_account_form(), the headers now show the updated username from the database in the 'My Account' link. Clicking on it immediately after changing a username will no longer lead to a non-existing URL.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Use username from the database if one is provided by the user  (Marcel Korpel, 1 file, -3/+5)
    This fixes a bug where the new user name input by the user was invalid, causing the account deletion link and the form action to be wrong.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Show dateline when a comment is edited or deleted  (Marcel Korpel, 1 file, -3/+6)
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Support comment editing in the backend  (Marcel Korpel, 2 files, -1/+59)
    Create two new actions, do_AddComment and do_EditComment. When editing or deleting a comment, a timestamp is added.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Add comment edit icon and form  (Marcel Korpel, 3 files, -0/+35)
    Show an icon next to the comment deletion icon, which leads to a comment edit form.
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Port notification routines to Python  (Lukas Fleischer, 3 files, -233/+60)
    Use a Python script for sending notification emails. The notification action and additional parameters are passed via command line arguments. For comment and package request notifications, the text is passed via stdin.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Expose name-only search through the RPC interface  (Johannes Löthberg, 1 file, -2/+17)
    Fixes FS#37317.
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08  aurjson: Pass http_data array to all functions  (Johannes Löthberg, 1 file, -15/+23)
    This is a preparatory patch that simplifies adding more arguments to the parse functions.
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08  Delete unused variable  (Johannes Löthberg, 1 file, -1/+0)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08  Release 4.0.0  (Lukas Fleischer, 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-07-14  stats.inc.php: Improve definition of "added"  (Lukas Fleischer, 1 file, -5/+9)
    Until now, a package is listed under "Packages added in the past 7 days" if it was added at most one week ago and if the last modification time matches the submission time stamp. A package is considered "updated" if it was modified at most one week ago and the modification time stamp differs from the submission time stamp.
    Since we are using Git to store packages now, there always is a delay between package creation (which is handled in git-serve) and last modification (which is handled by git-update). Thus, by the above definitions, almost every package is considered "updated".
    Since there is no reason for excluding packages that were both added and updated within the past seven days from the "Packages added in the past 7 days" counter, we can drop the check whether the last modification time matches the submission time stamp. Also, to identify packages that were actually updated, we now only count packages that were modified at least one hour after the initial submission.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-07-12  use rel="nofollow" for links in comments  (Daniel Micay, 1 file, -1/+1)
    This removes the incentive for spammers to post links by asking search engines to ignore them.
    Signed-off-by: Daniel Micay <danielmicay@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-07-04  RPC: Add decimal_fields array for floating-point fields  (Johannes Löthberg, 1 file, -0/+7)
    Fixes FS#45537.
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-29  Accept SSH keys with whitespace in comments  [HEAD, master]  (Lukas Fleischer, 1 file, -1/+1)
    `ssh-keygen -l` returns more than four tokens when there is whitespace in the key comment.
    Fixes FS#45488.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-28  Release 4.0.0-rc6  (Lukas Fleischer, 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27  Only print no changes message if queries failed  (Johannes Löthberg, 1 file, -2/+2)
    This commit changes the messages printed when changing the account details so that it only prints that no changes were made if either the account change SQL query or the account_set_ssh_keys call failed.
    Reported-by: Alexis Chotard <alexis.horgix.chotard@gmail.com>
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27  Fake pkgbase actions for unconfirmed users  (Gordian Edenhofer, 1 file, -9/+19)
    Displaying flag, notify, vote, adopt and file request links for users who did not authenticate themselves and letting those fake buttons link to the login page.
    Signed-off-by: Gordian Edenhofer <gordian.edenhofer@gmail.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27  Add support for multiple SSH public keys  (Lukas Fleischer, 1 file, -19/+134)
    Attaching more than one SSH public key to the same account is useful, e.g. if one uses different machines to access the AUR SSH interface. Multiple keys can now be specified by adding multiple lines to the text area on the account edit form.
    Implements FS#45469.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
    Acked-by: Leonidas Spyropoulos <artafinde@gmail.com>

2015-06-27  Split out code to generate action links  (Lukas Fleischer, 1 file, -0/+37)
    Add (and use) two new helper functions html_account_link() and html_account_form() to generate the links in the package actions box.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-27  Move registration code to a separate unit  (Lukas Fleischer, 1 file, -1/+1)
    Until now, we used the same unit to register and edit accounts. Split these features into separate source files for clarity. This also allows us to redirect to the home page when a logged-in user tries to access the registration page.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27  Redirect at previous page after a successful login  (Gordian Edenhofer, 1 file, -1/+6)
    After the user was authenticated, a redirect to the site which linked the user to the login page is done.
    This fixes FS#32481.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27  Add the popularity field to the RPC interface  (Lukas Fleischer, 1 file, -1/+13)
    Implements FS#45422.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-27  Display (reverse) optional dependencies as "Required by"  (Lukas Fleischer, 1 file, -5/+8)
    Also, change pkg_required() such that the returned array has the same structure as the result of pkg_dependencies().
    Fixes FS#45452.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-27  Add Arabic translation  (Lukas Fleischer, 1 file, -0/+1)
    Implements FS#45430.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-20  Fix a warning when formatting user names  (Lukas Fleischer, 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-20  Let co-maintainers edit package keywords  (Johannes Löthberg, 1 file, -1/+2)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-20  Let co-maintainers unflag the package  (Johannes Löthberg, 1 file, -1/+2)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-20  Add functions for getting arrays of maintainer and co-maintainer UIDs  (Johannes Löthberg, 1 file, -0/+35)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-19  Remove can_submit_blacklisted()  (Lukas Fleischer, 2 files, -14/+0)
    This function is unneeded since commit 74edb6f (Use Git repositories to store packages, 2014-06-06).
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-18  Release 4.0.0-rc5  (Lukas Fleischer, 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14  confparser: Add function for getting the items of a section  (Johannes Löthberg, 1 file, -0/+7)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14  confparser: Add function for checking if config section exists  (Johannes Löthberg, 1 file, -0/+7)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14  confparser: Split loading of config into own function  (Johannes Löthberg, 1 file, -1/+6)
    Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14  Show co-maintainers next to maintainers in details  (Lukas Fleischer, 1 file, -0/+25)
    Implements FS#45313.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14  Refactor code for printing account links  (Lukas Fleischer, 1 file, -2/+11)
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14  Replace categories with keywords  (Lukas Fleischer, 4 files, -96/+63)
    Remove package base categories. Instead, users can now specify up to twenty custom keywords that are taken into consideration when searching.
    Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>