| Age | Commit message (Collapse) | Author |
|---|
|
This adds a URL mapping library that can be used to implement virtual
paths. Also, "web/html/index.php" is moved to "web/html/home.php" and
"web/html/index.php" becomes a routing front end that maps virtual paths
to corresponding files.
To enable the virtual path feature, all requests need to be redirected
to the "index.php" routing script. If you use lighttpd, following
rewrite rule can be used:
url.rewrite = ( "^(.*)$" => "/index.php/$1" )
A similar rule can be used for Apache (using mod_rewrite).
Note that the current routing front end only works if PATH_INFO is
provided.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Conflicts:
web/html/account.php
web/html/addvote.php
web/html/pkgsubmit.php
web/lib/acctfuncs.inc.php
web/template/actions_form.php
web/template/pkg_comment_form.php
web/template/pkg_comments.php
web/template/pkg_details.php
web/template/pkg_search_results.php
web/template/tu_details.php
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes broken account suspension system.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Initialize the "$details" and "$whovoted" variables with an empty
array/string to suppress a "Undefined variable" notice if the
votes/voters list is empty.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML
out of the display_account_info function that echoes the code, and moves it
to the new account_details.php template file.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code in rss.php to new function in aur.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code in tu.php and tu.php and tu_list.php to new functions in
accfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code in account.php to new functions in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
* Consolidate redudant SQL statements from DisplayAccount and AccountInfo
* Consolidation also adds ability to edit accounts based on username
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and
pkgfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code in passreset.php to new functions in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code for removing a session in logout.php to a new function in
acctfuncs.inc.php
* Add ability for clear_expired_sessions function to check for DB connection
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code and e-mail code from pkg_comment_form.php to new function in
pkgfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code from pkg_search_results.php to already existing function
in pkgfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Move DB code from account_search_results.php to already existing function
in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Create new functions in pkgfuncs.inc.php with SQL queries from
action_form.php
* Centralization of DB code important in a future transition to PDO interface
* Flip logic of vote and notify XHTML button to use function return rather
than a more confusing NOT (!) logical operator statement
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Verifying a username exists should use already present valid_user function
* Create new functions in acctfuncs.inc.php with SQL queries from addvote.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Create new function in pkgfuncs.inc.php with SQL queries from voters.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Do not show the login form on every page. Move it to a separate login
page and add a link to the navigation bar. Also, add a logout link for
logged-in users.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
|
|
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML
out of a function that simply echoes the code, and moves it into a more
reasonable template file in account_search_results.php
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML
out of a function that simply echoes the code, and moves it into a more
reasonable template file in account_edit_form.php
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Change search results table to use CSS from archweb with better alternating
line contrast
* Change table results header to match archweb
* General clean-up of XHTML
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
A mix of logical operator styles are currently in use. The predominant style
uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency
is minor, but is easily avoided.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This allows for getting the package names of multiple packages at once,
without having to iterate over them and making one DB query per package.
pkgname_from_id() now accepts both integer arrays and single integers
(backwards compatibility mode).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Rather than looking up by username, it makes more sense to look the
stats up by user ID to reduce the number of needed joins.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Always put the opening brace on the same line as the beginning of the
function declaration.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This is handy for verifying the PGP key of new Trusted Users. Also, this
could potentially used as a basis to allow signed package uploads in the
future.
Implements FS#29028.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
this can be used as an intermediate 'patch' util there is a validation
system in place.
the extra check is to verify that the domain part of a correctly
formatted email address is existing and in use. this will not at all
stop spammers since they can use bogus emails with valid domain parts
Lukas: Minor formatting changes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Conflicts:
UPGRADING
web/lib/config.inc.php.proto
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This one is not a specific dialect, so "nb" (Norwegian Bokmål) is the
better name to use here.
Thanks-to: Alexander Rødseth <rodseth@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This makes the difference between Portuguese (Brazil) and Portuguese
(Portugal) a bit clearer. Also, "pt_PT" is way more up to date than
"pt".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use "undisclosed-recipients: ;" when sending mass notifications (such as
comment notifications and the like. Addresses FS#28229.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Return an empty array and set the result count to zero instead.
Before:
$ curl 'http://localhost/rpc.php?type=search&arg=raboof'
{"type":"error","resultcount":0,"results":"No results found"}
After:
$ curl 'http://localhost/rpc.php?type=search&arg=raboof'
{"type":"search","resultcount":0,"results":[]}
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We already ask for the result count, but only use it as a basis for testing
query success or failure. Add the value to the JSON reply.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This should be set to something like 'http://localhost' for development
or 'https://aur.archlinux.org' in production. It ensures all links in
the site stay in the development site and there is no sudden jump from
development to production environments.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
|
|
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We already show it in the account listing page as well, so we should
show it here too.
Also use a standard date format; we weren't using this non-punctuated
format anywhere else.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This affects login the most, where we save about 4 calls to db_connect()
by passing a single handle into functions where necessary.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
