summaryrefslogtreecommitdiff
path: root/web/template/pkg_details.php
AgeCommit message (Collapse)Author
2013-09-08Convert adopt/disown package action link to formcanyonknight
* Changes adopting/disowning packages to use GET instead of POST * Uses CSS to make form submit button look like a link * Complements commit 3bc951e3d87eaf692a7e47cf16a28d838c7cb2bd Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-08-27Re-add CRSF tokens to most package actionsLukas Fleischer
We fixed all known CRSF vulnerabilities in commit 2c93f0a (Implement token system to fix CSRF vulnerabilities, 2012-06-23). c349cb2 (Add virtual path support for package actions, 2012-07-17) partly reverted this by injecting a valid CRSF token when virtual paths are in use. This patch allows for keeping the virtual path feature, while reintroducing POST forms and CRSF tokens. Actions like package flagging, votes and notifications are no longer prone to CRSF (see FS#35437 for details). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-08-27pkg_details: Convert most action links to formsLukas Fleischer
Use forms and POST instead of GET for following actions: * Flagging/Unflagging a package out-of-date * Voting for a package and removing votes * Enabling/Disabling notifications Use CSS to make the submit buttons of these forms look like links. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30pkg_details.php: Add missing translatable stringcanyonknight
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07pkg_details.php: Fix potential XSS for package names and dep conditionscanyonknight
Package names and dep conditions can be specially crafted for an XSS attack. Properly sanitize these variables on the package details page. In addition, avoid including dep conditions as part of a package link. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkg_details.php: Remove plural from the adopt/disown buttonLukas Fleischer
Fixes FS#32455. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Add missing internationalization to a few stringsLukas Fleischer
Fixes FS#32449. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22Use HTTPS links everywhere for Arch sitesDan McGee
The main site, wiki, and BBS are using HTTPS exclusively, so link directly to the correct protocol rather than forcing a redirect. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20pkg_details.php: Add missing XHTML close tagscanyonknight
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-28pkg_details.php: Utilize account details virtual URLcanyonknight
When virtual URLs are enabled, simpler links can be used to access a user's account details page. Change this for both the maintainer and submitter links. Keeps backwards compatibility with virtual URLs being disabled. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-28Move package merging to a separate pagecanyonknight
Package actions now have a separate box on the package details page. Add a package merge link in that box. Link leads to a new page (pkgmerge.php) that can be used to confirm package merging. A separate page with confirmation is used to avoid CSRFs. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-28Move package deletion to a separate pagecanyonknight
Package actions now have a separate box on the package details page. Make a package deletion link in that box. Link leads to a new page (pkgdel.php) that can be used to confirm package deletion. A separate page with confirmation is used to avoid CSRFs. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24Use echo shortcut syntaxLukas Fleischer
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to reduce noise in templates. Note that as of PHP 5.4.0, "<?=" is always available and no longer requires "short_open_tag" to be set. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18pkg_details.php: Hide "Adopt" button from logged out usersLukas Fleischer
Reported-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23Allow only Trusted Users, Developers, and Maintainers to unflag packagescanyonknight
Currently everyone is allowed to unflag a package as out of date. This should be limited to only the appropriate people for a specific package. Fixes FS#27263 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23pkg_details.php: Fix broken HTML for package page with no dependenciescanyonknight
The "Required by" column already handles an empty list appropriately. Move a </div> tag to match that behavior in the "Dependencies" column Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-18Use virtual paths for voters pageLukas Fleischer
Link to "/packages/$pkgname/voters/" instead of using "/voters/" and a get parameter to request a specific package by ID. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-18pkg_details.php: Remove field set in actions boxLukas Fleischer
archweb uses "<div></div>" and "<p></p>" here. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17Rearrange package actionsLukas Fleischer
Move the flag/unflag action below the flag date. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17pkg_details.php: Verbose labels for package actionsLukas Fleischer
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17Move adoption button to package actions boxLukas Fleischer
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17Move package actions to the action boxLukas Fleischer
Note that this currently only works if the virtual path feature is enabled. If you don't use virtual paths, these will still be displayed as buttons below the package details listing. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17pkg_details.php: Fix link to voters if ID is unsetLukas Fleischer
When a package is requested by name, the "ID" request parameter might be unset. Use the "ID" field of the query result instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15Use virtual paths for package detailsLukas Fleischer
Extend the routing front/back ends to allow for using "/package/$pkgname/" for individual packages. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15Use virtual path feature for linksLukas Fleischer
Use virtual paths in links (e.g. link to "/packages/" instead of "/packages.php" etc.) if the virtual path feature is enabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-09pkg_details.php: Move "<div>" tag into if-branchLukas Fleischer
The corresponding closing "</div>" tag is only printed if the if-branch is taken, which results in broken HTML code if the if-branch is skipped. Move the "<div>" tag so that either both or none of the tags are included in the generated HTML code. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-09pkg_details.php: Fix dependency linksLukas Fleischer
Remove an erroneous quote from the destination URL of links to officially supported package dependencies on archweb. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkg_details.php: Overhaul to match archwebcanyonknight
* Rearrange order of package details to a more logical order * Add widget box on right side of page that has package actions. Limited to viewing PKGBUILD, downloading tarball, and printing package flag date. Eventually should be able to support all AUR package actions. * Move "Dependencies" and "Required by" to new CSS to allow for them to be displayed as columns adjacent to one another, with one package per line. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Remove all traces of "pgboxtitle"Lukas Fleischer
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06pkg_details.php: Use sane format for date stringsLukas Fleischer
No need to show a full RFC 2822-compliant date here. Instead, display date, hours and minutes for "Last Updated" and "First Submitted" fields and display the date only for the out-of-date time stamp. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06Be consistent in PHP logical operator usagecanyonknight
A mix of logical operator styles are currently in use. The predominant style uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency is minor, but is easily avoided. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Support canonical links to packagesLukas Fleischer
This is more user-friendly than supporting package IDs only and can be used as a basis to support direct links to AUR packages in places where links are computer-produced (e.g. Wiki templates). Addresses FS#21600 and FS#28839. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-02-19Fix some more XSS vulnerabilitiesLukas Fleischer
Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Add missing __() to category info in package detailsLukas Fleischer
This makes the "Category" label as well as "Change category" button on the package details page translatable. Fixes FS#25692. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Remove unnecessary atype and uid lookup from package_details()Dan McGee
These were never used in the function. Where they are used is in the pkg_details.php template, so move them closer to their actual usage so as not to confuse poor programmers such as myself. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-19urlencode() query args for main site package search (fixes FS#23774).Lukas Fleischer
There may be characters in package dependencies that are reserved within URLs (e.g. "+"). Use urlencode() to ensure those are encoded correctly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Remove Dummy Package conceptDan McGee
Instead, we just store dependencies directly in the PackageDepends table. Since we don't use this info anywhere besides the package details page, there is little value in precalculating what is in the AUR vs. what is not. An upgrade path is provided via several SQL statements in the UPGRADING document. There should be no user-visible change from this, but the DB schema gets a bit more sane and we no longer have loads of junk packages in our tables that are never shown to the end user. This should also help the MySQL query planner in several cases as we no longer have to be careful to exclude dummy packages on every query. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-15Fix main site package search URLDan McGee
I've been wanting to kill this one for a long time. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix XSS vulnerability in package search results and package details.Lukas Fleischer
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix broken XHTML.Lukas Fleischer
Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Remove dead dependency/required by link codeDan McGee
For some reason we were doing this song and dance "iterate all the known parameters" business. This is totally unnecessary, clutters the links, and was spewing errors all over the place, so kill it. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notice: requiredby arrayDan McGee
Required by query does not have a dep condition element. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix main site URLDan McGee
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-08Show submitter in package details (fixes FS#15488).Lukas Fleischer
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-01Drop PackageLocations table and referencesDan McGee
We don't need this anymore since all packages managed here are well...managed here. Rip out all of the places we were using this field, many of which depended on the magic value '2' anyway. On the display side of things, we had a column that was always showing 'unsupported' that is now gone, and you can no longer sort by this column. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-01-25Removed links to internal sources from package details.Lukas Fleischer
Tarball extraction code has been removed in commit ec0dfc27deb246ee7d7f19fd5290e499805869d2, so links to package sources contained in the source tarball itself will no longer be accessible through the AUR frontend. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-01-24Build URLs from package names (fixes FS#15308, FS#19327).Lukas Fleischer
Drop the "URLPath" field from the "Packages" table, build URLs from package names instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>