Age | Commit message (Collapse) | Author | Files | Lines |
|
Reported-by: Bartłomiej Piotrowski <b@bpiotrowski.pl>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Support for non-virtual URLs has been broken for a long time and is no
longer used on the official AUR setup.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Replace web/lib/config.inc.php with an INI-style configuration file.
This allows us to get rid of several globals and makes it easier to use
the same configuration file in external scripts.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
As a follow-up to 4d7da95 (Add support for architecture-specific fields,
2014-08-10), handle architecture-specific source fields as well.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This adds support for architecture-specific dependencies and relations.
Support for this has recently been added to makepkg, see commit 2b556d8
(PKGBUILD: handle arch specific attributes, 2014-07-25) in the pacman
repository for details.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Implements FS#40888.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add a new function has_credential() that checks whether the currently
logged in user is allowed to perform a given action. Moving all
permission handling to this central place makes adding new user groups
and adjusting permissions much more convenient.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
For packages with pending package requests, display the number of
requests above the "File Request" link.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add a new entry to the package actions box that allows for filing
deletion and orphan requests. When choosing that action, the user is
redirected to a new page that allows for selecting a request type and
entering a comment. When submitting the request, a new entry in the
request database is created and an email is sent to a configurable
mailing list (defaults to aur-general).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Return null instead of the string "None" in username_from_id(),
uid_from_email() and uid_from_username().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Show the specific conflicts/provides/replaces versions in the web
interface.
Implements FS#40699.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
In commit e582cfe (Collapse long dependency lists, 2014-04-18), we added
code to automatically collapse dependency and requirement lists with
more than 20 entries. Add the same functionality to source lists.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Implements FS#33153.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Store the last packager in addition to storing the submitter and the
maintainer of a package. This allows for checking who last updated a
package, even if the package has been disowned.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Call pkgbase_user_voted() and pkgbase_user_notify() using the package
base ID instead of using the package ID.
Fixes FS#40165.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Split out package licenses into two separate tables in order to support
multiple licenses per package. The code on the package details page is
adjusted accordingly.
UPGRADING contains instructions on how to convert existing licenses in
the database to the new layout.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The groups field is hidden if a package doesn't belong to any group.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This adds information from the following three fields to the package
details page:
* conflicts
* provides
* replaces
If either of these fields is empty, it is not displayed.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Collapse package dependency lists with more than 20 entries and add a
link to show the full list.
The JavaScript code for this originates from the archweb project. Note
that the full list is shown when JavaScript is disabled or unavailable.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This adds a label to makedepends, checkdepends and optdepends on the
package details page. makedepends are labelled with "(make)",
checkdepends with "(check)" and optdepends are labeled with
"(optional)", followed by the optdepend description.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now operate on package bases instead of packages. Move
all actions to the correct locations.
This also fixes some issues with comment notifications.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Extends changes in 81d4cc13dcae2f159ed937d4ce41e1df7d3c82b0
* Modify getvotes() to use the package name rather than package ID
* Rename getvotes() to votes_for_pkgname() for clarity with new changes
* Modify routing framework and links to now use package names for voters.php
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Changes adopting/disowning packages to use GET instead of POST
* Uses CSS to make form submit button look like a link
* Complements commit 3bc951e3d87eaf692a7e47cf16a28d838c7cb2bd
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We fixed all known CRSF vulnerabilities in commit 2c93f0a (Implement
token system to fix CSRF vulnerabilities, 2012-06-23). c349cb2 (Add
virtual path support for package actions, 2012-07-17) partly reverted
this by injecting a valid CRSF token when virtual paths are in use.
This patch allows for keeping the virtual path feature, while
reintroducing POST forms and CRSF tokens. Actions like package flagging,
votes and notifications are no longer prone to CRSF (see FS#35437 for
details).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use forms and POST instead of GET for following actions:
* Flagging/Unflagging a package out-of-date
* Voting for a package and removing votes
* Enabling/Disabling notifications
Use CSS to make the submit buttons of these forms look like links.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package names and dep conditions can be specially crafted for an XSS
attack. Properly sanitize these variables on the package details page.
In addition, avoid including dep conditions as part of a package link.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32455.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32449.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The main site, wiki, and BBS are using HTTPS exclusively, so link
directly to the correct protocol rather than forcing a redirect.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
When virtual URLs are enabled, simpler links can be used to access
a user's account details page. Change this for both the maintainer and
submitter links.
Keeps backwards compatibility with virtual URLs being disabled.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now have a separate box on the package details page. Add
a package merge link in that box.
Link leads to a new page (pkgmerge.php) that can be used to confirm package
merging. A separate page with confirmation is used to avoid CSRFs.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now have a separate box on the package details page. Make
a package deletion link in that box.
Link leads to a new page (pkgdel.php) that can be used to confirm package
deletion. A separate page with confirmation is used to avoid CSRFs.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Reported-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Currently everyone is allowed to unflag a package as out of date. This should
be limited to only the appropriate people for a specific package.
Fixes FS#27263
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The "Required by" column already handles an empty list appropriately. Move a
</div> tag to match that behavior in the "Dependencies" column
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Link to "/packages/$pkgname/voters/" instead of using "/voters/" and a
get parameter to request a specific package by ID.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
archweb uses "<div></div>" and "<p></p>" here.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Move the flag/unflag action below the flag date.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Note that this currently only works if the virtual path feature is
enabled. If you don't use virtual paths, these will still be displayed
as buttons below the package details listing.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
When a package is requested by name, the "ID" request parameter might be
unset. Use the "ID" field of the query result instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Extend the routing front/back ends to allow for using
"/package/$pkgname/" for individual packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|