From e4ad05533f2929bc8291923a8d4bef1c8fc55675 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 02:14:56 +0000
Subject: pkg_details.php: Add missing translatable string

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/template/pkg_details.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'web')
diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php
index b5d8a9f..0973448 100644
--- a/web/template/pkg_details.php
+++ b/web/template/pkg_details.php
@@ -137,7 +137,7 @@ if ($row["SubmitterUID"]): - None +
@@ -155,7 +155,7 @@ if ($row["MaintainerUID"]): - None +
-- cgit v1.2.3-70-g09d2
From a61d73d804d615b555fdccbec669f8e2cf84217d Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 02:18:14 +0000
Subject: aur.inc.php: Fix PHP undefined index notice for AURSID

Occurs in the rare situation where a logged out user tries to POST a CSRF token.

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/aur.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web')
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 387d81d..e02c835 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -94,7 +94,7 @@ function check_sid($dbh=NULL) {
 * @return bool True if the CSRF token is the same as the cookie SID, otherwise false
 */
 function check_token() {
- if (isset($_POST['token'])) {
+ if (isset($_POST['token']) && isset($_COOKIE['AURSID'])) {
 return ($_POST['token'] == $_COOKIE['AURSID']);
 } else {
 return false;
-- cgit v1.2.3-70-g09d2
From 1fd620cc2fc93b238af6793a9970f5a79f6ed7a3 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:15:35 +0000
Subject: acctfuncs.inc.php: Change return type of valid_username function

The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value.

Signed-off-by: canyonknight
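Review bot: The comparison the new guard protects, `return ($_POST['token'] == $_COOKIE['AURSID']);`, still uses loose equality, and PHP's `==` compares two numeric-looking strings as numbers, so a token and a session id that both parse as the same number (the well-known `0e` followed by digits case) compare equal without being the same string. Use strict comparison, `return ($_POST['token'] === $_COOKIE['AURSID']);`, and where the runtime provides `hash_equals()` (PHP 5.6 and later) prefer it so the check is also constant-time. The added `isset($_COOKIE['AURSID'])` only silences the notice and does not change what is compared. check_token's closing brace is outside the hunk.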
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'web')
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index a41659e..cdf4af6 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -480,12 +480,12 @@ function try_login($dbh=NULL) {
 *
 * The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter
 * or equal to USERNAME_MAX_LEN. It must start and end with either a letter or
- * a number. It can contain one period, hypen, or underscore. Returns username
- * if it meets all of those rules.
+ * a number. It can contain one period, hypen, or underscore. Returns boolean
+ * of whether name is valid.
 *
 * @param string $user Username to validate
 *
- * @return string|void Return username if it meets criteria, otherwise void
+ * @return bool True if username meets criteria, otherwise false
 */
 function valid_username($user) {
 if (!empty($user)) {
@@ -500,13 +500,12 @@ function valid_username($user) {
 # contain only letters and numbers,
 # and at most has one dash, period, or underscore
 if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
- #All is good return the username
- return $user;
+ return true;
 }
 }
 }
- return;
+ return false;
 }
 /**
-- cgit v1.2.3-70-g09d2
From aab6eed1387a9f73759afc22ff3219e4844a34c0 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:24:17 +0000
Subject: Replace permission check code with can_edit_account()

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/html/account.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
(limited to 'web')
diff --git a/web/html/account.php b/web/html/account.php
index cccdd76..2133734 100644
--- a/web/html/account.php
+++ b/web/html/account.php
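Review bot: The two rewritten docblock lines carry over the typo `hypen` and the new phrase "Returns boolean of whether name is valid" reads awkwardly; suggest `* a number. It can contain one period, hyphen, or underscore. Returns true` followed by `* only when the name meets all of those rules.` for the two added `*` lines. The new `@return bool` line is fine as written.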
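Review bot: The `$` anchor in `/^[a-z0-9]+[.\-_]?[a-z0-9]+$/` also matches just before a trailing newline, so a name that ends in a line feed is now reported as `true` although it breaks the "start and end with a letter or a number" rule the docblock states. Add the `D` modifier, `preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/D", $user)`, or end the pattern with `\z` instead of `$`. The length checks described in the docblock, and whether the name is lowercased before reaching this pattern, are outside the hunk, so I could not confirm them here. preg_match() returns false on a PCRE error and that value now falls through to `return false;`, which is the safe direction for a validator.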
@@ -48,11 +48,8 @@ if (isset($_COOKIE["AURSID"])) {
 if (empty($row)) {
 print __("Could not retrieve information for the specified user.");
 } else {
- # double check to make sure logged in user can edit this account
- #
- if ($atype == "Developer" || ($atype == "Trusted User" && $row["AccountType"] != "Developer") || ($row["ID"] == uid_from_sid($_COOKIE["AURSID"]))) {
+ /* Verify user has permission to edit the account */
+ if (can_edit_account($atype, $row, uid_from_sid($_COOKIE["AURSID"]))) {
 display_account_form($atype, "UpdateAccount", $row["Username"], $row["AccountType"], $row["Suspended"], $row["Email"], "", "", $row["RealName"], $row["LangPreference"],
-- cgit v1.2.3-70-g09d2
From 150b0f9f0a5174e72a27469030135e98b2a43815 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:38:02 +0000
Subject: Clear a user's active sessions following account suspension

A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately.

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'web')
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index cdf4af6..002042d 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -229,6 +229,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $q.= ", AccountTypeID = ".intval($T);
 }
 if ($S) {
+ /* Ensure suspended users can't keep an active session */
+ delete_user_sessions($UID, $dbh);
 $q.= ", Suspended = 1";
 } else {
 $q.= ", Suspended = 0";
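Review bot: The authorization decision now lives entirely in `can_edit_account()`, which is not part of this diff, so a reviewer cannot see here whether it preserves the three removed rules (a Developer edits anyone, a Trusted User edits non-Developers, a user edits their own row) or what it does when `uid_from_sid($_COOKIE["AURSID"])` does not resolve to a user. The removed inline check compared `$row["ID"] == uid_from_sid(...)` loosely, so a helper that keeps that comparison should refuse an empty or false uid explicitly rather than rely on it never equalling `$row["ID"]`. Suggest stating that contract at the call site: `/* can_edit_account() must fail closed when the session does not resolve to a user */`. The enclosing if/else starts and ends outside the hunk.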
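Review bot: `delete_user_sessions($UID, $dbh);` runs while `$q` is still being assembled, before the UPDATE that sets `Suspended = 1` is executed further down (outside this hunk), so the two writes are neither atomic nor ordered by success: if the UPDATE later fails the user is logged out but not suspended, and the DELETE is repeated on every subsequent edit of an already-suspended account. Consider issuing the DELETE only after a successful `$dbh->exec($q)`, or wrapping both statements in one transaction, and recording the forced logout next to the suspension so later review of account actions can see it. process_account_form starts and ends outside the hunk.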
@@ -796,6 +798,23 @@ function delete_session_id($sid, $dbh=NULL) {
 $dbh->query($q);
 }
+/**
+ * Remove all sessions belonging to a particular user
+ *
+ * @param int $uid ID of user to remove all sessions for
+ * @param \PDO $dbh An already established database connection
+ *
+ * @return void
+ */
+function delete_user_sessions($uid, $dbh=NULL) {
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
+ $q = "DELETE FROM Sessions WHERE UsersID = " . intval($uid);
+ $dbh->exec($q);
+}
+
 /**
 * Remove sessions from the database that have exceed the timeout
 *
-- cgit v1.2.3-70-g09d2
From 65e93f134faf9c98574a99f7f40d9f0bdb4256eb Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:41:43 +0000
Subject: acctfuncs.inc.php: Change wording of account editing message

An error message is printed when the number of affected rows is 0 for an edited account. A count of 0 doesn't imply an error, only that no changes were made in the database.

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web')
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 002042d..3759c63 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -248,7 +248,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $q.= " WHERE ID = ".intval($UID);
 $result = $dbh->exec($q);
 if (!$result) {
- print __("Error trying to modify account, %s%s%s.",
+ print __("No changes were made to the account, %s%s%s.",
 "", htmlspecialchars($U,ENT_QUOTES), "");
 } else {
 print __("The account, %s%s%s, has been successfully modified.",
-- cgit v1.2.3-70-g09d2
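Review bot: `$dbh->exec($q);` in the new delete_user_sessions() discards its result, and PDO::exec() returns false on failure (unless the connection is configured to throw, which is not visible here), so a DELETE that fails leaves the caller believing the user's sessions were cleared. Return the value, `return $dbh->exec($q);`, and replace the `@return void` line with `@return int|false Number of sessions removed, or false on failure` so process_account_form() can react; callers that ignore the return are unaffected. The `intval($uid)` interpolation matches the rest of the file, but a prepared statement with a bound parameter would be the idiomatic form, and the sibling delete_session_id() just above issues the same kind of statement through `$dbh->query()`, so picking one of the two keeps the file consistent.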
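Review bot: `if (!$result)` still treats `false` and `0` alike, so after this wording change a failed UPDATE (PDO::exec() returns false on error unless the connection is set to throw, which is not visible here) is reported to the operator as "No changes were made", hiding a real failure behind a benign message. The commit message is right that a 0 row count is not an error, but the two outcomes should be told apart with strict comparisons rather than merged into one branch. process_account_form starts and ends outside the hunk.
```php
if ($result === false) {
    print __("Error trying to modify account, %s%s%s.",
        "", htmlspecialchars($U,ENT_QUOTES), "");
} elseif ($result === 0) {
    print __("No changes were made to the account, %s%s%s.",
        "", htmlspecialchars($U,ENT_QUOTES), "");
} else {
    // … unchanged: success message …
```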