Re: [aur-dev] [PATCH 8/8] Move support/schema/ to schema/
On Thu, Feb 6, 2014 at 1:42 PM, Lukas Fleischer archli...@cryptocrack.de wrote: There aren't any other subdirectories in support/. Reduce the nesting depth by moving schema/ to the top-level source directory. Signed-off-by: Lukas Fleischer archli...@cryptocrack.de --- INSTALL| 4 +- schema/aur-schema.sql | 228 +++ schema/gendummydata.py | 302 + schema/reloadtestdb.sh | 29 support/schema/aur-schema.sql | 228 --- support/schema/gendummydata.py | 302 - support/schema/reloadtestdb.sh | 29 7 files changed, 561 insertions(+), 561 deletions(-) create mode 100644 schema/aur-schema.sql create mode 100755 schema/gendummydata.py create mode 100755 schema/reloadtestdb.sh delete mode 100644 support/schema/aur-schema.sql delete mode 100755 support/schema/gendummydata.py delete mode 100755 support/schema/reloadtestdb.sh For patches where files are moved like this can you use `git format-patch -M`? It makes it easier to figure out what has actually changed in the files being renamed. This is especially true for this patch as you can't even reply due to the mailman size limitation. snip
Re: [aur-dev] [PATCH] Add support for anonymous comments
On Tue, Feb 4, 2014 at 12:54 PM, Lukas Fleischer archli...@cryptocrack.de wrote: This allows for removing users without also removing the corresponding comments. Instead, all comments from deleted users will be displayed as Anonymous comment. Signed-off-by: Lukas Fleischer archli...@cryptocrack.de --- I'm less than favorable towards this change. There is no built-in method of deleting AUR accounts, so we know that all account deletions will be done by someone consciously removing accounts in the database. So as of right now these Anonymous comments will only be created by the explicit action of the AUR maintainer. In this case the explicit action that was being proposed is the deletion of the accounts that haven't been used for 500 days. So the comments that would be affected by this change must be at a minimum 500 days old. Do we really believe that the majority of these old comments are still useful? What is really gained by deleting these accounts if we are making an extra effort with this patch to retain the comments associated with them? UPGRADING | 17 + support/schema/aur-schema.sql | 4 ++-- web/lib/pkgfuncs.inc.php | 10 +- web/template/pkg_comments.php | 10 +- 4 files changed, 33 insertions(+), 8 deletions(-) diff --git a/UPGRADING b/UPGRADING index 9a0f44d..9736ef0 100644 --- a/UPGRADING +++ b/UPGRADING @@ -1,6 +1,23 @@ Upgrading = +From 2.3.1 to 3.0.0 +--- + +1. Drop the user ID foreign key from the PackageComments table: + +`ALTER TABLE PackageComments DROP FOREIGN KEY PackageComments_ibfk_1;` should +work in most cases. Otherwise, check the output of `SHOW CREATE TABLE +PackageComments;` and use the foreign key name shown there. + +2. Add support for anonymous comments: + + +ALTER TABLE PackageComments + MODIFY UsersID INTEGER UNSIGNED NULL DEFAULT NULL, + ADD FOREIGN KEY (UsersID) REFERENCES Users(ID) ON DELETE SET NULL; + + From 2.2.0 to 2.3.0 --- diff --git a/support/schema/aur-schema.sql b/support/schema/aur-schema.sql index 25e828e..c01701c 100644 
--- a/support/schema/aur-schema.sql +++ b/support/schema/aur-schema.sql @@ -161,14 +161,14 @@ CREATE UNIQUE INDEX VoteUsersIDPackageID ON PackageVotes (UsersID, PackageID); CREATE TABLE PackageComments ( ID BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, PackageID INTEGER UNSIGNED NOT NULL, - UsersID INTEGER UNSIGNED NOT NULL, + UsersID INTEGER UNSIGNED NULL DEFAULT NULL, Comments TEXT NOT NULL DEFAULT '', CommentTS BIGINT UNSIGNED NOT NULL DEFAULT 0, DelUsersID INTEGER UNSIGNED NULL DEFAULT NULL, PRIMARY KEY (ID), INDEX (UsersID), INDEX (PackageID), - FOREIGN KEY (UsersID) REFERENCES Users(ID) ON DELETE CASCADE, + FOREIGN KEY (UsersID) REFERENCES Users(ID) ON SET NULL, Should be: FOREIGN KEY (UsersID) REFERENCES Users(ID) ON DELETE SET NULL, FOREIGN KEY (DelUsersID) REFERENCES Users(ID) ON DELETE CASCADE, FOREIGN KEY (PackageID) REFERENCES Packages(ID) ON DELETE CASCADE ) ENGINE = InnoDB; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index c1a64f7..80165c9 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -208,11 +208,11 @@ function package_comments($pkgid) { if ($pkgid 0) { $dbh = DB::connect(); $q = SELECT PackageComments.ID, UserName, UsersID, Comments, CommentTS ; - $q.= FROM PackageComments, Users ; - $q.= WHERE PackageComments.UsersID = Users.ID; - $q.= AND PackageID = . $pkgid; - $q.= AND DelUsersID IS NULL; # only display non-deleted comments - $q.= ORDER BY CommentTS DESC; + $q.= FROM PackageComments LEFT JOIN Users ; + $q.= ON PackageComments.UsersID = Users.ID ; + $q.= WHERE PackageID = . $pkgid . ; + $q.= AND DelUsersID IS NULL ; # only display non-deleted comments + $q.= ORDER BY CommentTS DESC; if (!isset($_GET['comments'])) { $q.= LIMIT 10; diff --git a/web/template/pkg_comments.php b/web/template/pkg_comments.php index 2ed6420..88e739e 100644 --- a/web/template/pkg_comments.php +++ b/web/template/pkg_comments.php 
@@ -10,7 +10,7 @@ $pkgname = $row['Name']; /h3 ?php while (list($indx, $row) = each($comments)): ? - ?php if ($SID): + ?php if ($row['UserName'] $SID): $row['UserName'] = a href=\ . get_user_uri($row['UserName']) . \{$row['UserName']}/a; endif; ? h4 @@ -22,10 +22,18 @@ $pkgname = $row['Name']; input type=hidden name=token value=?= htmlspecialchars($_COOKIE['AURSID']) ? /
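Review bot: `FOREIGN KEY (UsersID) REFERENCES Users(ID) ON SET NULL,` in the aur-schema.sql hunk is not valid MySQL; the referential action needs its event keyword, `ON DELETE SET NULL`, which is exactly what the UPGRADING hunk of the same patch already writes. As posted, fresh installs from the schema file would fail while upgraded databases get the intended constraint, so the schema file should be loaded into an empty database once before resending.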
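Review bot: step 1 of the UPGRADING hunk hard-codes the auto-generated constraint name `PackageComments_ibfk_1` and only mentions `SHOW CREATE TABLE` as a fallback; on databases created from older schema files the generated name depends on constraint order, so the lookup should be presented as the primary instruction and the `DROP FOREIGN KEY` as the thing to do with its result. Stating that step 2's `MODIFY UsersID ... NULL` will be refused until the old constraint is gone would explain why the order matters.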
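Review bot: the rewritten query in the pkgfuncs.inc.php hunk still splices `$pkgid` straight into the SQL string (`WHERE PackageID = . $pkgid`); the guard at the top of `package_comments()` only tests that it is positive and does not coerce it, so an `intval()` there or `$dbh->quote()` in the query would make the integer assumption explicit, the way `votes_for_pkgname()` elsewhere on this list quotes its argument. The switch to `LEFT JOIN Users` is the right shape: a NULL `UserName` after the join is the anonymous case the template has to render.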
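Review bot: gating the profile link on `$row['UserName']` as well as `$SID` in the first pkg_comments.php hunk is the correct test after the LEFT JOIN, but the second hunk (`@@ -22,10 +22,18`), which presumably prints the Anonymous comment label the commit message promises, is cut off in this archive, so the placeholder text and its `__()` translation call could not be reviewed here; please make sure that label goes through `__()` like the other template strings.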
[aur-dev] [PATCH v2] account_details.php: Add link to edit a user's account
This improves the ability to edit a user's account directly through UI features rather than manually appending 'edit' to the URL or searching for the account and selecting edit. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/css/aur.css | 5 + web/template/account_details.php | 9 ++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/web/html/css/aur.css b/web/html/css/aur.css index a8fb009..b78ce3e 100644 --- a/web/html/css/aur.css +++ b/web/html/css/aur.css @@ -33,3 +33,8 @@ text-decoration: underline; color: #666; } + +.arch-bio-entry ul { + list-style: none; + padding: 0; +} diff --git a/web/template/account_details.php b/web/template/account_details.php index 02ed32b..680a52e 100644 --- a/web/template/account_details.php +++ b/web/template/account_details.php @@ -51,9 +51,12 @@ /tr tr thLinks:/th - td - a href=?= get_uri('/packages/'); ??K=?= $row['Username'] ?amp;SeB=m?= __(View this user's packages) ?/a - /td + tdul + lia href=?= get_uri('/packages/'); ??K=?= $row['Username'] ?amp;SeB=m?= __(View this user's packages) ?/a/li + ?php if (can_edit_account($atype, $row, uid_from_sid($_COOKIE['AURSID']))): ? + lia href=?= get_user_uri($row['Username']); ?edit?= __(Edit this user's account) ?/a/li + ?php endif; ? + /ul/td /tr /table /td -- 1.8.5.3
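Review bot: both list items in the account_details.php hunk interpolate `$row['Username']` into an `href` without escaping (`get_uri('/packages/')?K=<?= $row['Username'] ?>` and `get_user_uri($row['Username'])`). Usernames are validated at registration, but output escaping should not rely on that; the voters.php patch on this list wraps its package name in `htmlspecialchars(..., ENT_QUOTES)`, and the same treatment, plus `urlencode()` for the `K=` query value, would be consistent here. The `list-style: none; padding: 0;` rule in the aur.css hunk is what the earlier thread agreed on, so no objection there.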
Re: [aur-dev] [PATCH] account_details.php: Add link to edit a user's account
On Mon, Jan 20, 2014 at 9:39 AM, Lukas Fleischer archli...@cryptocrack.de wrote: On Mon, 20 Jan 2014 at 02:29:33, canyonknight wrote: This improves the ability to edit a user's account directly through UI features rather than manually appending 'edit' to the URL or searching for the account and selecting edit. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/account_details.php | 4 1 file changed, 4 insertions(+) diff --git a/web/template/account_details.php b/web/template/account_details.php index 02ed32b..1f10bc1 100644 --- a/web/template/account_details.php +++ b/web/template/account_details.php @@ -53,6 +53,10 @@ thLinks:/th td a href=?= get_uri('/packages/'); ??K=?= $row['Username'] ?amp;SeB=m?= __(View this user's packages) ?/a + ?php if (can_edit_account($atype, $row, uid_from_sid($_COOKIE['AURSID']))): ? + br / + a href=?= get_user_uri($row['Username']); ?edit?= __(Edit this user's account) ?/a + ?php endif; ? Yes, this is useful. Do we want an unordered list instead of links separated by newlines here? The downside of converting this into a list is that most users will only see one item. So maybe use a ul/ul with list-style-type: none;? Sounds like a good compromise. I'll re-submit. /td /tr /table -- 1.8.5.3
[aur-dev] [PATCH] Further optimize voters.php to only need the package name
* Extends changes in 81d4cc13dcae2f159ed937d4ce41e1df7d3c82b0 * Modify getvotes() to use the package name rather than package ID * Rename getvotes() to votes_for_pkgname() for clarity with new changes * Modify routing framework and links to now use package names for voters.php Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/index.php | 2 +- web/html/voters.php | 4 ++-- web/lib/pkgfuncs.inc.php | 11 ++- web/template/pkg_details.php | 2 +- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/web/html/index.php b/web/html/index.php index ccc94d2..542d594 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -56,7 +56,7 @@ if (!empty($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { include('pkgmerge.php'); return; case voters: - $_GET['ID'] = pkgid_from_name($tokens[2]); + $_GET['N'] = $tokens[2]; include('voters.php'); return; default: diff --git a/web/html/voters.php b/web/html/voters.php index 42fe2b5..9a0bdd3 100644 --- a/web/html/voters.php +++ b/web/html/voters.php @@ -4,8 +4,8 @@ include_once('aur.inc.php'); include_once('pkgfuncs.inc.php'); $SID = $_COOKIE['AURSID']; -$pkgname = pkgname_from_id(intval($_GET['ID']); -$votes = getvotes($pkgid); +$pkgname = htmlspecialchars($_GET['N']); +$votes = votes_for_pkgname($pkgname); $atype = account_from_sid($SID); html_header(__(Voters)); diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index a4deee6..870f55a 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php 
@@ -1075,16 +1075,17 @@ function pkg_vote ($atype, $ids, $action=true) { /** * Get all usernames and IDs that voted for a specific package * - * @param string $pkgid The package ID to get all votes for + * @param string $pkgname The name of the package to retrieve votes for * * @return array User IDs and usernames that voted for a specific package */ -function getvotes($pkgid) { +function votes_for_pkgname($pkgname) { $dbh = DB::connect(); - $q = SELECT UsersID,Username FROM PackageVotes ; - $q.= LEFT JOIN Users on (UsersID = ID) ; - $q.= WHERE PackageID = . $dbh-quote($pkgid) . ; + $q = SELECT UsersID,Username,Name FROM PackageVotes ; + $q.= LEFT JOIN Users on (UsersID = Users.ID) ; + $q.= LEFT JOIN Packages on (PackageID = Packages.ID) ; + $q.= WHERE Name = . $dbh-quote($pkgname) . ; $q.= ORDER BY Username; $result = $dbh-query($q); diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index bc20a22..bd08282 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -194,7 +194,7 @@ if ($row[MaintainerUID]): ?php if ($USE_VIRTUAL_URLS): ? tda href=?= get_pkg_uri($row['Name']); ?voters/?= $votes ?/a/td ?php else: ? - tda href=?= get_uri('/voters/'); ??ID=?= $pkgid ??= $votes ?/a/td + tda href=?= get_uri('/voters/'); ??N=?= htmlspecialchars($row['Name'], ENT_QUOTES) ??= $votes ?/a/td ?php endif; ? ?php else: ? td?= $votes ?/td -- 1.8.5.3
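Review bot: `$pkgname = htmlspecialchars($_GET['N']);` in the voters.php hunk escapes for HTML before the value is used as a database lookup key in `votes_for_pkgname($pkgname)`, so a name containing `&`, `<` or a quote would be looked up in its entity-encoded form and silently yield an empty voter list. Pass the raw value to the query, which `$dbh->quote()` already protects, and escape at the single output site (the `h2` that prints `$pkgname`). The page also never checks that the package exists, so an unknown name renders an empty list rather than a 404, and `$_GET['N']` is read without `isset()`.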
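Review bot: `LEFT JOIN Packages on (PackageID = Packages.ID)` followed by `WHERE Name = ...` in the pkgfuncs.inc.php hunk behaves as an inner join, because the WHERE filter discards the NULL-extended rows; a plain `JOIN` states what is meant. The `Name` column added to the SELECT list is not consumed by any caller visible in this patch and can be dropped, and the docblock's `@param string $pkgname` is now accurate where the old `string $pkgid` was not.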
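Review bot: the non-virtual-URL link in the pkg_details.php hunk applies `htmlspecialchars($row['Name'], ENT_QUOTES)` to a query-string value; that is the right escaping for the attribute but the wrong one for the URL component, where `urlencode()` is needed first (a name with `+` or `#` would otherwise produce a different parameter than intended). Use `htmlspecialchars(urlencode($row['Name']), ENT_QUOTES)` or build the query with `http_build_query()`.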
[aur-dev] [PATCH] voters.php: Remove extra call to pkgname_from_id()
No need to store package ID and call pkgname_from_id() twice when the end goal is the package name. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/voters.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/web/html/voters.php b/web/html/voters.php index 9cedeef..42fe2b5 100644 --- a/web/html/voters.php +++ b/web/html/voters.php @@ -4,8 +4,7 @@ include_once('aur.inc.php'); include_once('pkgfuncs.inc.php'); $SID = $_COOKIE['AURSID']; - -$pkgid = intval($_GET['ID']); +$pkgname = pkgname_from_id(intval($_GET['ID']); $votes = getvotes($pkgid); $atype = account_from_sid($SID); @@ -15,7 +14,7 @@ if ($atype == 'Trusted User' || $atype== 'Developer'): ? div class=box - h2Votes for a href=?= get_pkg_uri(pkgname_from_id($pkgid)); ??= pkgname_from_id($pkgid) ?/a/h2 + h2Votes for a href=?= get_pkg_uri($pkgname); ??= $pkgname ?/a/h2 div class=boxbody ul ?php while (list($indx, $row) = each($votes)): ? -- 1.8.5.3
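Review bot: the first voters.php hunk does not parse as shown: `$pkgname = pkgname_from_id(intval($_GET['ID']);` is missing a closing parenthesis, and the unchanged line below it, `$votes = getvotes($pkgid);`, still references `$pkgid`, which this same hunk deletes, so the vote lookup would run on an undefined variable. Either keep `$pkgid` for the `getvotes()` call or change that call in the same patch; the follow-up on this list that renames `getvotes()` to `votes_for_pkgname()` does the latter.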
[aur-dev] [PATCH] account_details.php: Add link to edit a user's account
This improves the ability to edit a user's account directly through UI features rather than manually appending 'edit' to the URL or searching for the account and selecting edit. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/account_details.php | 4 1 file changed, 4 insertions(+) diff --git a/web/template/account_details.php b/web/template/account_details.php index 02ed32b..1f10bc1 100644 --- a/web/template/account_details.php +++ b/web/template/account_details.php @@ -53,6 +53,10 @@ thLinks:/th td a href=?= get_uri('/packages/'); ??K=?= $row['Username'] ?amp;SeB=m?= __(View this user's packages) ?/a + ?php if (can_edit_account($atype, $row, uid_from_sid($_COOKIE['AURSID']))): ? + br / + a href=?= get_user_uri($row['Username']); ?edit?= __(Edit this user's account) ?/a + ?php endif; ? /td /tr /table -- 1.8.5.3
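Review bot: `can_edit_account($atype, $row, uid_from_sid($_COOKIE['AURSID']))` in the account_details.php hunk reads the session cookie unconditionally; if this template can be rendered without a session, `$_COOKIE['AURSID']` should be guarded with `isset()` (or the caller's already-resolved uid passed in) to avoid a notice and a lookup on an empty SID. The `<br />` separator is the part the thread later replaces with a list.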
[aur-dev] [PATCH] acctfuncs.inc.php: Allow translation of missing strings
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index fe748a2..52eb551 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -425,7 +425,7 @@ function try_login() { $userID = valid_user($_REQUEST['user']); if ( user_suspended($userID) ) { - $login_error = Account Suspended.; + $login_error = __('Account suspended'); } elseif ( $userID isset($_REQUEST['passwd']) valid_passwd($userID, $_REQUEST['passwd']) ) { @@ -490,7 +490,7 @@ function try_login() { } else { - $login_error = Error trying to generate session id.; + $login_error = __('An error occurred trying to generate a user session.'); } } elseif (passwd_is_empty($userID)) { $login_error = __('Your password has been reset. ' . -- 1.8.5.3
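Review bot: the two new strings in the acctfuncs.inc.php hunks are inconsistent in punctuation: `__('Account suspended')` drops the trailing period the old literal had, while `__('An error occurred trying to generate a user session.')` keeps one; each variant becomes a separate msgid, so pick one style. The diffstat touches only acctfuncs.inc.php, so a line in the commit message that the message catalog needs regenerating (or a follow-up that does it) would help translators find the new strings.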
Re: [aur-dev] [PATCH] don't treat colon as part of package dependency name
On Mon, Nov 25, 2013 at 7:14 AM, Daniel Albers dan...@lbe.rs wrote: Dependencies can have a description appended, separated by a colon. Don't treat this colon as part of the dependency name. I know that optdepends often have the dependency name followed by a colon and a description of the package. I don't recall ever seeing a package description within the depends array... Signed-off-by: Daniel Albers dan...@lbe.rs --- web/html/pkgsubmit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index d2fe512..305acc7 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -421,7 +421,7 @@ if ($uid): } if (!empty($depends)) { foreach ($depends as $dep) { - $deppkgname = preg_replace(/(|=|=|=|).*/, , $dep); + $deppkgname = preg_replace(/(|=|=|=||:).*/, , $dep); $depcondition = str_replace($deppkgname, , $dep); if ($deppkgname == ) { -- 1.8.4.2
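Review bot: the pkgsubmit.php hunk sits inside `foreach ($depends as $dep)`, but the description-after-colon syntax the commit message describes is the optdepends form, as the reply above also notes; for plain depends a colon is not expected, so the change either needs a justification or belongs where optdepends are parsed. As written there is also a follow-on bug: `$depcondition = str_replace($deppkgname, , $dep);` on the next line strips only the name, so `foo: some description` would store `: some description` as the version condition.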
Re: [aur-dev] URL redirect should be set to the merged package
On Fri, Oct 25, 2013 at 8:06 AM, 郑文辉(Techlive Zheng) techlivezh...@gmail.com wrote: Currently, if a package gets merged into another package, the URL link to the merged package returns a 404. This should not happen; instead, there should be a redirection to the package it was merged into. If a new package with the same name as the merged package is uploaded again, then the redirection will be removed. This means there should be a record of the merging activities. When a package is being queried, if the package exists then just return it; if not, check the merging records for the latest merging record and redirect the page to the new package. Please add feature requests to the bug tracker [1]. [1] https://bugs.archlinux.org/index.php?project=2
Re: [aur-dev] [PATCH 1/7] Allow for setting an account's inactivity status
On Mon, Aug 5, 2013 at 4:10 AM, Lukas Fleischer archli...@cryptocrack.de wrote: This adds a field to the users table and corresponding fields to the account edit and display forms that allow for setting an (in-)activity status. This might turn out to be useful if a user is on vacation and can not respond to update/orphan/deletion requests. It will also be used for automated participation calculation later. Signed-off-by: Lukas Fleischer archli...@cryptocrack.de --- UPGRADING | 9 + support/schema/aur-schema.sql | 1 + web/html/account.php | 5 +++-- web/lib/acctfuncs.inc.php | 28 ++-- web/template/account_details.php | 6 ++ web/template/account_edit_form.php | 5 + 6 files changed, 46 insertions(+), 8 deletions(-) diff --git a/UPGRADING b/UPGRADING index a04471f..d8527e3 100644 --- a/UPGRADING +++ b/UPGRADING @@ -1,6 +1,15 @@ Upgrading = +From 2.2.0 to 2.3.0 +--- + +1. Add an inactivity time stamp to the Users table: + + +ALTER TABLE Users ADD COLUMN InactivityTS BIGINT NOT NULL DEFAULT 0; + + From 2.1.0 to 2.2.0 --- diff --git a/support/schema/aur-schema.sql b/support/schema/aur-schema.sql index 0d04f12..68db93f 100644 --- a/support/schema/aur-schema.sql +++ b/support/schema/aur-schema.sql @@ -35,6 +35,7 @@ CREATE TABLE Users ( LastVoted BIGINT UNSIGNED NOT NULL DEFAULT 0, LastLogin BIGINT UNSIGNED NOT NULL DEFAULT 0, LastLoginIPAddress INTEGER UNSIGNED NOT NULL DEFAULT 0, + InactivityTS BIGINT UNSIGNED NOT NULL DEFAULT 0, PRIMARY KEY (ID), UNIQUE (Username), UNIQUE (Email), diff --git a/web/html/account.php b/web/html/account.php index 4af3043..79b5eeb 100644 --- a/web/html/account.php +++ b/web/html/account.php 
@@ -52,7 +52,8 @@ if (isset($_COOKIE[AURSID])) { display_account_form($atype, UpdateAccount, $row[Username], $row[AccountTypeID], $row[Suspended], $row[Email], , , $row[RealName], $row[LangPreference], - $row[IRCNick], $row[PGPKey], $row[ID]); + $row[IRCNick], $row[PGPKey], + $row[InactivityTS] ? 1 : 0, $row[ID]); } else { print __(You do not have permission to edit this account.); } @@ -81,7 +82,7 @@ if (isset($_COOKIE[AURSID])) { in_request(U), in_request(T), in_request(S), in_request(E), in_request(P), in_request(C), in_request(R), in_request(L), in_request(I), - in_request(K), in_request(ID)); + in_request(K), in_request(J), in_request(ID)); } } else { if ($atype == Trusted User || $atype == Developer) { diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 1deeac5..7602ec2 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -54,12 +54,13 @@ function html_format_pgp_fingerprint($fingerprint) { * @param string $L The language preference of the displayed user * @param string $I The IRC nickname of the displayed user * @param string $K The PGP key fingerprint of the displayed user + * @param string $J The inactivity status of the displayed user * @param string $UID The user ID of the displayed user * * @return void */ function display_account_form($UTYPE,$A,$U=,$T=,$S=, - $E=,$P=,$C=,$R=,$L=,$I=,$K=,$UID=0) { + $E=,$P=,$C=,$R=,$L=,$I=,$K=,$J=, $UID=0) { global $SUPPORTED_LANGS; include(account_edit_form.php); 
@@ -83,12 +84,13 @@ function display_account_form($UTYPE,$A,$U=,$T=,$S=, * @param string $L The language preference of the user * @param string $I The IRC nickname of the user * @param string $K The PGP fingerprint of the user + * @param string $J The inactivity status of the user * @param string $UID The user ID of the modified account * * @return string|void Return void if successful, otherwise return error */ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, - $P=,$C=,$R=,$L=,$I=,$K=,$UID=0) { + $P=,$C=,$R=,$L=,$I=,$K=,$J=,$UID=0) { # error check and process request for a new/modified account global $SUPPORTED_LANGS, $AUR_LOCATION; @@ -185,7 +187,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, if ($error) { print ul class='errorlist'li.$error./li/ul\n;
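Review bot: the UPGRADING hunk adds `InactivityTS BIGINT NOT NULL DEFAULT 0` while the aur-schema.sql hunk declares `InactivityTS BIGINT UNSIGNED NOT NULL DEFAULT 0`, so upgraded databases end up with a signed column and fresh installs with an unsigned one. Make both `BIGINT UNSIGNED`, matching the `LastVoted` and `LastLogin` columns directly above it.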
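Review bot: the acctfuncs.inc.php hunks document the new argument as `@param string $J The inactivity status`, but account.php passes `$row[InactivityTS] ? 1 : 0`, a flag, while the column is a timestamp; the docblock should say which the function expects (a 0/1 flag that the function converts to a time stamp, or a raw timestamp). Inserting `$J` before `$UID` in two 14-argument positional signatures is also easy to get wrong for any caller the diffstat does not cover, so mentioning that all `display_account_form(` and `process_account_form(` call sites were checked would reassure reviewers. Minor: `$K=,$J=, $UID=0` in the first hunk has a stray space that the second hunk does not.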
Re: [aur-dev] Notification System Overhaul
On Tue, May 7, 2013 at 10:19 PM, 郑文辉(Techlive Zheng) techlivezh...@gmail.com wrote: One more thing: there should be an In-Reply-To field in each message's header, and these fields should be the same for the same message thread so that Gmail-like systems can thread them properly. Can you add a feature request on the bugtracker [1]? I don't want to lose track of that request. Thanks, Jason [1] https://bugs.archlinux.org/index/proj2
[aur-dev] [PATCH] Remove superfluous search wrapper function
The search_accounts_form() wrapper function doesn't have any arguments and only makes it unclear what is happening within account.php Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/account.php | 2 +- web/lib/acctfuncs.inc.php | 10 -- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 50d376f..4af3043 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -88,7 +88,7 @@ if (isset($_COOKIE[AURSID])) { # display the search page if they're a TU/dev # print __(Use this form to search existing accounts.).br /\n; - search_accounts_form(); + include('search_accounts_form.php'); } else { print __(You are not allowed to access this area.); diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 28f9f93..1deeac5 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -277,16 +277,6 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, } /** - * Include the search accounts form - * - * @return void - */ -function search_accounts_form() { - include(search_accounts_form.php); - return; -} - -/** * Display the search results page * * @param string $UTYPE User type of the account accessing the form -- 1.8.2.1
[aur-dev] [PATCH] Add PackagerUID column to Packages table
The last packager is not currently saved despite there being many instances of the last packager being different than either the submitter or the maintainer. Signed-off-by: canyonknight canyonkni...@gmail.com --- UPGRADING | 10 ++ support/schema/aur-schema.sql | 4 +++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/UPGRADING b/UPGRADING index a04471f..a003e9b 100644 --- a/UPGRADING +++ b/UPGRADING @@ -1,6 +1,16 @@ Upgrading = +From 2.2.0 to 2.3.0 +--- + +1. Add new last packager column to Packages table: + + +ALTER TABLE Packages ADD COLUMN PackagerUID INT(10) UNSIGNED NULL DEFAULT NULL; +ALTER TABLE Packages ADD FOREIGN KEY (PackagerUID) REFERENCES Users(ID) ON DELETE SET NULL; + + From 2.1.0 to 2.2.0 --- diff --git a/support/schema/aur-schema.sql b/support/schema/aur-schema.sql index 0d04f12..c797970 100644 --- a/support/schema/aur-schema.sql +++ b/support/schema/aur-schema.sql @@ -106,6 +106,7 @@ CREATE TABLE Packages ( ModifiedTS BIGINT UNSIGNED NOT NULL, SubmitterUID INTEGER UNSIGNED NULL DEFAULT NULL, -- who submitted it? MaintainerUID INTEGER UNSIGNED NULL DEFAULT NULL,-- User + PackagerUID INTEGER UNSIGNED NULL DEFAULT NULL, PRIMARY KEY (ID), UNIQUE (Name), INDEX (CategoryID), @@ -115,7 +116,8 @@ CREATE TABLE Packages ( FOREIGN KEY (CategoryID) REFERENCES PackageCategories(ID) ON DELETE NO ACTION, -- deleting a user will cause packages to be orphaned, not deleted FOREIGN KEY (SubmitterUID) REFERENCES Users(ID) ON DELETE SET NULL, - FOREIGN KEY (MaintainerUID) REFERENCES Users(ID) ON DELETE SET NULL + FOREIGN KEY (MaintainerUID) REFERENCES Users(ID) ON DELETE SET NULL, + FOREIGN KEY (PackagerUID) REFERENCES Users(ID) ON DELETE SET NULL ) ENGINE = InnoDB; -- 1.8.2.1
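Review bot: the UPGRADING hunk uses `INT(10) UNSIGNED` while the aur-schema.sql hunk uses `INTEGER UNSIGNED`; both map to the same MySQL type, but keeping the spelling identical to the neighbouring `SubmitterUID`/`MaintainerUID` lines avoids a spurious difference in `SHOW CREATE TABLE` between upgraded and fresh databases. Nothing in the diffstat writes the new column, so the commit message should state that populating `PackagerUID` from the upload path is a separate patch; until then the column stays NULL for every package.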
[aur-dev] [PATCH] Display user's IP address on their user profile page
The IP address is only visible to Trusted Users and Developers. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/account_details.php | 8 1 file changed, 8 insertions(+) diff --git a/web/template/account_details.php b/web/template/account_details.php index fdebfb3..9f7e578 100644 --- a/web/template/account_details.php +++ b/web/template/account_details.php @@ -43,6 +43,14 @@ ?= $row[LastVoted] ? date(Y-m-d, $row[LastVoted]) : __(Never); ? /td /tr + + ?php if ($atype == Trusted User || $atype == Developer): ? + tr + th?= __(Last Login IP Address) . : ?/th + td?= long2ip($row[LastLoginIPAddress]); ?/td + /tr + ?php endif; ? + tr thLinks:/th td -- 1.8.2
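Review bot: `long2ip($row[LastLoginIPAddress])` in the account_details.php hunk prints `0.0.0.0` for accounts whose stored address is still the column default of 0 (anyone who has not logged in since `LastLoginIPAddress` was added); mirror the `LastVoted` row just above and show `__("Never")` or similar when the value is 0. Since the column is an unsigned 32-bit integer, IPv6 clients cannot be represented at all, which deserves a comment next to the TU/Developer gate so nobody reads the displayed address as authoritative.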
[aur-dev] [PATCH 1/2] Add Bans table to database schema
The Bans table creates a DB structure for the ability to ban IP addresses. It takes an IP address converted by ip2long(). It can easily be extended for other features such as time limits (for temporary bans). The table will eventually be able to be populated directly through the web interface by Trusted Users and Developers. Signed-off-by: canyonknight canyonkni...@gmail.com --- UPGRADING | 11 +++ support/schema/aur-schema.sql | 9 + 2 files changed, 20 insertions(+) diff --git a/UPGRADING b/UPGRADING index 9c05467..7d13c43 100644 --- a/UPGRADING +++ b/UPGRADING @@ -11,6 +11,17 @@ ALTER TABLE Users ADD COLUMN LastLoginIPAddress INTEGER UNSIGNED NOT NULL DEFAULT 0; +2. Add a new Bans table: + + +CREATE TABLE Bans ( + ID INTEGER UNSIGNED NOT NULL AUTO_INCREMENT, + IPAddress INTEGER UNSIGNED NOT NULL DEFAULT 0, + PRIMARY KEY (ID), + UNIQUE (IPAddress) +) ENGINE = InnoDB; + + From 2.0.0 to 2.1.0 --- diff --git a/support/schema/aur-schema.sql b/support/schema/aur-schema.sql index fab40d6..2d268fa 100644 --- a/support/schema/aur-schema.sql +++ b/support/schema/aur-schema.sql @@ -213,3 +213,12 @@ CREATE TABLE IF NOT EXISTS TU_Votes ( FOREIGN KEY (VoteID) REFERENCES TU_VoteInfo(ID) ON DELETE CASCADE, FOREIGN KEY (UserID) REFERENCES Users(ID) ON DELETE CASCADE ) ENGINE = InnoDB; + +-- Malicious user banning +-- +CREATE TABLE Bans ( + ID INTEGER UNSIGNED NOT NULL AUTO_INCREMENT, + IPAddress INTEGER UNSIGNED NOT NULL DEFAULT 0, + PRIMARY KEY (ID), + UNIQUE (IPAddress) +) ENGINE = InnoDB; -- 1.8.2
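Review bot: `IPAddress INTEGER UNSIGNED NOT NULL DEFAULT 0` in both hunks can only hold an `ip2long()` result, so the Bans table is IPv4-only, and the `DEFAULT 0` means a row inserted without an address silently creates a ban on 0.0.0.0 rather than failing; drop the default so an incomplete insert is rejected. A `VARBINARY(16)` (or textual) column would cover IPv6 as well, and since the message already anticipates temporary bans, adding an expiry column now would avoid a second schema migration.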
[aur-dev] [PATCH 2/2] Implement IP banning for user registration and user login
Adds a new is_ipbanned() function to determine whether the user attempting to login or register for an account has their IP address listed in the Bans table. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 35 ++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 21cc6c2..aa4c70b 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -93,6 +93,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, # error check and process request for a new/modified account global $SUPPORTED_LANGS, $AUR_LOCATION; + $error = ''; + + if (is_ipbanned()) { + $error = __('Account registration has been disabled ' . + 'for your IP address, probably due ' . + 'to sustained spam attacks. Sorry for the ' . + 'inconvenience.'); + } + $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { @@ -102,7 +111,6 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, $editor_user = null; } - $error = ; if (empty($E) || empty($U)) { $error = __(Missing a required field.); } @@ -400,6 +408,13 @@ function try_login() { $userID = null; if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { + if (is_ipbanned()) { + $login_error = __('The login form is currently disabled ' . + 'for your IP address, probably due ' . + 'to sustained spam attacks. Sorry for the ' . + 'inconvenience.'); + return array('SID' = '', 'error' = $login_error); + } $dbh = DB::connect(); $userID = valid_user($_REQUEST['user']); 
@@ -480,6 +495,24 @@ function try_login() { } /** + * Determine if the user is using a banned IP address + * + * @return bool True if IP address is banned, otherwise false + */ +function is_ipbanned() { + $dbh = DB::connect(); + + $q = SELECT * FROM Bans WHERE IPAddress = . $dbh-quote(ip2long($_SERVER['REMOTE_ADDR'])); + $result = $dbh-query($q); + + if ($result-fetchColumn()) { + return true; + } else { + return false; + } +} + +/** * Validate a username against a collection of rules * * The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter -- 1.8.2
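Review bot: in the process_account_form() hunk the ban check assigns `$error` at the top, but the validation that follows (`if (empty($E) || empty($U)) { $error = ...`) assigns rather than appends, so a banned client with a missing field sees the field error instead of the ban message, and the function continues into the database work regardless. Return, or jump straight to the error display, as soon as `is_ipbanned()` is true, the way the `try_login()` hunk does. Per the comment `# error check and process request for a new/modified account` this function also serves account edits, so a banned address editing an existing account would be told "Account registration has been disabled"; either scope the check to new accounts or reword the message.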
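Review bot: `is_ipbanned()` quotes `ip2long($_SERVER['REMOTE_ADDR'])` directly; `ip2long()` returns `false` for an IPv6 address, `quote()` turns that into an empty string, and MySQL compares `IPAddress = ''` against an unsigned integer column as 0, which matches any Bans row stored with the column's `DEFAULT 0`. Check the `ip2long()` result and return false early when it is not an integer. `SELECT * ... fetchColumn()` works but `SELECT COUNT(*)` or `SELECT 1 ... LIMIT 1` states the intent, and if the AUR is ever deployed behind a reverse proxy, `REMOTE_ADDR` is the proxy's address and every visitor shares one ban bucket, which is worth a comment above the query.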
Re: [aur-dev] AUR 2.1.0 released
On Mon, Mar 18, 2013 at 5:10 PM, Dave Reisner d...@falconindy.com wrote: On Mon, Mar 18, 2013 at 08:18:19PM +0100, Lukas Fleischer wrote: Changes since 2.0.1: * Typeahead suggest for packages. * Fix account editing and hijacking vulnerability. * Fix account privilege escalation vulnerability. * Clear a user's active sessions following account suspension. * Several translation fixes/updates. * pkgsubmit.php: Parse .AURINFO metadata. .AURINFO files can now be included in source packages to overwrite specific PKGBUILD fields. .AURINFO files are parsed line by line. The syntax for each line is key = value, where key is any of the following field names: * pkgname I'll file a proper bug report if it really turns out to be the AUR's fault (when I get some more time to play), but my 60 second test drive of this makes me believe that overriding the pkgname fails silently on the upload if you specify a pkgname which already exists (and which isn't the package you're uploading). Quickly tried this on my local setup. Uploaded a source package named foo, then tried to upload a bar source package with pkgname set in .AURINFO to foo and received the error message: You are not allowed to overwrite the foo package. Might be a burp issue or some sort of strange edge case. I'm only testing this from burp, so grain of salt and all that... d * pkgver * pkgdesc * url * license * depend Multiple depend lines can be specified to add multiple dependencies. You can check the Git log [1] for a complete list of commits. The official Arch Linux AUR setup [2] has already been upgraded! [1] https://projects.archlinux.org/aur.git/log/?id=v2.1.0 [2] https://aur.archlinux.org/
Re: [aur-dev] Data left behind from a deleted package
On Sat, Mar 2, 2013 at 4:33 AM, Connor Behan connor.be...@gmail.com wrote: When I recently looked through the AUR source, it seemed to me that when a package is deleted, a record is only removed from the `Packages` table and that there is data for the corresponding package still in `CommentNotify`, `PackageComments`, `PackageContents`, `PackageSources` and `PackageVotes`. Does this orphan data get deleted by another mechanism I haven't seen? If not, could I send patches that do a better job of cleaning it up? Foreign key constraints in the database schema should take care of removing the relevant data from the other tables when a record is removed from the `Packages` table. Regards, Jason
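The foreign-key behaviour Jason describes, together with the `ON DELETE SET NULL` versus `ON DELETE CASCADE` distinction from the anonymous-comments patch earlier on this page, as an added example that is not part of this thread or of the AUR code: a cut-down, constructed copy of the Users, Packages, PackageComments and PackageVotes tables is loaded into sqlite3 (standing in for MySQL/InnoDB, an assumption made only so the script runs offline; the referential actions mean the same thing on both), and the script shows what deleting a commenter, a TU who hid a comment, and a package does to the dependent rows, and what is left behind when the engine does not enforce the constraints.

```python
import sqlite3

# Constructed, cut-down stand-in for the AUR tables named in this thread and in
# the anonymous-comments patch. sqlite3 is used only so the example runs
# offline; the ON DELETE actions have the same meaning on MySQL/InnoDB.
SCHEMA = """
CREATE TABLE Users (
    ID       INTEGER PRIMARY KEY,
    Username TEXT NOT NULL UNIQUE
);
CREATE TABLE Packages (
    ID   INTEGER PRIMARY KEY,
    Name TEXT NOT NULL UNIQUE
);
CREATE TABLE PackageComments (
    ID         INTEGER PRIMARY KEY,
    PackageID  INTEGER NOT NULL,
    UsersID    INTEGER DEFAULT NULL,          -- nullable: anonymous comments
    Comments   TEXT NOT NULL DEFAULT '',
    DelUsersID INTEGER DEFAULT NULL,          -- who hid the comment, if anyone
    FOREIGN KEY (UsersID)    REFERENCES Users(ID)    ON DELETE SET NULL,
    FOREIGN KEY (DelUsersID) REFERENCES Users(ID)    ON DELETE CASCADE,
    FOREIGN KEY (PackageID)  REFERENCES Packages(ID) ON DELETE CASCADE
);
CREATE TABLE PackageVotes (
    UsersID   INTEGER NOT NULL,
    PackageID INTEGER NOT NULL,
    FOREIGN KEY (UsersID)   REFERENCES Users(ID)    ON DELETE CASCADE,
    FOREIGN KEY (PackageID) REFERENCES Packages(ID) ON DELETE CASCADE
);
"""

# Constructed sample rows: user 3 ("tu") hid bob's second comment on package 10.
USERS = [(1, "alice"), (2, "bob"), (3, "tu")]
PACKAGES = [(10, "foo"), (11, "bar")]
COMMENTS = [  # (PackageID, UsersID, Comments, DelUsersID)
    (10, 1, "works for me", None),
    (10, 2, "needs -j1", None),
    (10, 2, "spam", 3),
    (11, 1, "ok", None),
]
VOTES = [(1, 10), (2, 10), (2, 11)]


def fresh_db(enforce_fks=True):
    """Build the sample database. enforce_fks=False models an engine that
    accepts FOREIGN KEY clauses but never acts on them (MyISAM behaves so)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fks else "OFF"))
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO Packages VALUES (?, ?)", PACKAGES)
    db.executemany(
        "INSERT INTO PackageComments (PackageID, UsersID, Comments, DelUsersID) "
        "VALUES (?, ?, ?, ?)", COMMENTS)
    db.executemany("INSERT INTO PackageVotes VALUES (?, ?)", VOTES)
    db.commit()
    return db


def comments_for(db, pkgid):
    """Same shape as the LEFT JOIN in the anonymous-comments patch: a NULL
    Username after the join is exactly the 'Anonymous comment' case."""
    rows = db.execute(
        "SELECT Username, Comments FROM PackageComments "
        "LEFT JOIN Users ON PackageComments.UsersID = Users.ID "
        "WHERE PackageID = ? AND DelUsersID IS NULL "
        "ORDER BY PackageComments.ID", (pkgid,)).fetchall()
    return [(name if name is not None else "Anonymous comment", text)
            for name, text in rows]


def row_count(db, table):
    # Table names come from this file's own constants, never from user input.
    return db.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


def delete_user(db, uid):
    db.execute("DELETE FROM Users WHERE ID = ?", (uid,))
    db.commit()


def delete_package(db, pkgid):
    db.execute("DELETE FROM Packages WHERE ID = ?", (pkgid,))
    db.commit()


def walk_through():
    """Delete a commenter, then the TU who hid a comment, then a package, and
    report what each referential action did to the dependent rows."""
    db = fresh_db()
    before = comments_for(db, 10)
    delete_user(db, 1)            # SET NULL on alice's comments, CASCADE on her vote
    after_user = comments_for(db, 10)
    votes_after_user = row_count(db, "PackageVotes")
    delete_user(db, 3)            # CASCADE via DelUsersID removes the hidden row
    comments_after_tu = row_count(db, "PackageComments")
    delete_package(db, 10)        # CASCADE removes its comments and votes
    comments_after_pkg = row_count(db, "PackageComments")
    votes_after_pkg = row_count(db, "PackageVotes")
    return (before, after_user, votes_after_user,
            comments_after_tu, comments_after_pkg, votes_after_pkg)


def orphans_after_package_delete(enforce_fks):
    """Rows left in PackageComments and PackageVotes after deleting package 10;
    with enforcement off these are the orphans the thread asks about."""
    db = fresh_db(enforce_fks)
    delete_package(db, 10)
    return row_count(db, "PackageComments"), row_count(db, "PackageVotes")


if __name__ == "__main__":
    print(walk_through())
    print("enforced:", orphans_after_package_delete(True))
    print("not enforced:", orphans_after_package_delete(False))
```

The schema files on this page end every table with `ENGINE = InnoDB`, which enforces the constraints; the orphan rows Connor describes would only appear on a table that was created with an engine that ignores `FOREIGN KEY` clauses, or on a database where the constraints were dropped during an upgrade and never re-added. A `LEFT JOIN Packages ... WHERE Packages.ID IS NULL` over each dependent table is the quick way to check a live database for leftovers.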
Re: [aur-dev] cookies + suspended account
On Thu, Feb 28, 2013 at 6:30 PM, Alexander Griesbaum agr...@gmail.com wrote: On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace danielwall...@gtmanfred.com wrote: Hello, I have been having to deal with some idiot who is pissed off in the aur for some reason. He keeps marking all my packages out of date. And somehow he is able to continually do this even after I have suspended his account. I am not sure if this is because of the cookie still working and him still being logged in. Would it be possible to add captchas to flag packages out of date, or to make it so that suspending an account kills the cookie? Maybe I missed something... I want to get back to the fact, that the user could flag packages after he was suspended. In January, canyonknight committed a patch for this specific problem[1]: A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately. Yes, that patch should immediately suspend a user account. There hasn't been a new AUR release since that was committed, so I don't believe it was applied to the official AUR setup. I tested this locally and I can confirm that the suspended user was immediately logged out. Maybe you should file a bug report and we should do some tests here? Thanks for confirming that my patch works! Regards, Jason
Re: [aur-dev] cookies + suspended account
On Wed, Feb 27, 2013 at 5:26 PM, Alexander Rødseth rods...@gmail.com wrote: Hi, 2013/2/27 Angel Velásquez an...@archlinux.org: For solving the problem right now -quick and dirty-, we just have to add a validation (tsk tsk anyone who wants to sum contributions can code this silly patch), if the user is suspended don't let him flag the package and actually redirect him to the logout page (to kill those cookies). Wouldn't he/she/they be able to just register more accounts and continue flagging packages this way? Yes, a malicious user would be able to evade suspension by registering new accounts. In my opinion, those situations call for IP banning.
Re: [aur-dev] [PATCH] Remove aurblup configuration file parser
On Thu, Feb 14, 2013 at 7:02 PM, Lukas Fleischer archli...@cryptocrack.de wrote: Drop the (very bad) PHP parser and allow for passing all necessary configuration via command line parameters. Also, add a convenience wrapper written in PHP that parses the configuration file and subsequently calls aurblup with correct command line options. Signed-off-by: Lukas Fleischer archli...@cryptocrack.de --- scripts/aurblup/aurblup-wrapper | 17 +++ scripts/aurblup/aurblup.c | 108 +++- 2 files changed, 58 insertions(+), 67 deletions(-) create mode 100755 scripts/aurblup/aurblup-wrapper diff --git a/scripts/aurblup/aurblup-wrapper b/scripts/aurblup/aurblup-wrapper new file mode 100755 index 000..b056030 --- /dev/null +++ b/scripts/aurblup/aurblup-wrapper @@ -0,0 +1,17 @@ +#!/usr/bin/php +?php +$dir = $argv[1]; + +if (empty($dir)) { + echo Please specify AUR directory.\n; + exit; +} + +set_include_path(get_include_path() . PATH_SEPARATOR . $dir/lib); +include(config.inc.php); + +exec($dir . /../scripts/aurblup/aurblup . + -S /var/run/mysqld/mysqld.sock . + -u . escapeshellarg(AUR_db_user) . . + -p . escapeshellarg(AUR_db_pass) . . + -D . escapeshellarg(AUR_db_name)); diff --git a/scripts/aurblup/aurblup.c b/scripts/aurblup/aurblup.c index 3236554..be398f8 100644 --- a/scripts/aurblup/aurblup.c +++ b/scripts/aurblup/aurblup.c @@ -5,6 +5,7 @@ */ #include alpm.h +#include getopt.h #include mysql.h #include stdio.h #include string.h 
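Review bot: in the aurblup-wrapper hunk the database password is handed to aurblup as a command-line argument (`-p . escapeshellarg(AUR_db_pass)`), so for the lifetime of the process it is readable by every local user via the process list (`ps`, /proc/PID/cmdline); prefer passing it through an environment variable or stdin, or have aurblup read the config file itself. Two smaller points in the same hunk: `$dir` is concatenated into the exec() string without escapeshellarg() while the other arguments are escaped, and the socket path `/var/run/mysqld/mysqld.sock` is hardcoded in the wrapper even though it is the one value the C side accepts via `-S`; a comment explaining why it is fixed here would help.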
@@ -22,15 +23,15 @@ static void blacklist_remove(const char *); static void blacklist_sync(alpm_list_t *, alpm_list_t *); static alpm_list_t *dblist_get_pkglist(alpm_list_t *); static alpm_list_t *dblist_create(void); -static void read_config(const char *); +static int parse_options(int, char **); static void init(void); static void cleanup(void); -static char *mysql_host = NULL; +static char *mysql_host = localhost; static char *mysql_socket = NULL; -static char *mysql_user = NULL; -static char *mysql_passwd = NULL; -static char *mysql_db = NULL; +static char *mysql_user = aur; +static char *mysql_passwd = aur; +static char *mysql_db = AUR; static MYSQL *c; 
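Review bot: the new defaults `mysql_user = aur`, `mysql_passwd = aur` and `mysql_db = AUR` bake a credential into the binary, so running aurblup without the wrapper (or with a missing `-p`) silently tries a well-known password instead of failing; the old read_config() path called die() when a setting was absent. Suggest keeping `mysql_passwd` NULL by default and refusing to start when it is unset, keeping only host/db defaults.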
@@ -208,65 +209,42 @@ dblist_create(void) return dblist; } -static void -read_config(const char *fn) +static int parse_options(int argc, char **argv) { - FILE *fp; - char line[128]; - char **t, **u, *p, *q; - - if (!(fp = fopen(fn, r))) -die(failed to open AUR config file (\%s\)\n, fn); - - while (fgets(line, sizeof(line), fp)) { -u = NULL; -if (strstr(line, CONFIG_KEY_HOST)) { - t = mysql_host; - u = mysql_socket; -} -else if (strstr(line, CONFIG_KEY_USER)) - t = mysql_user; -else if (strstr(line, CONFIG_KEY_PASSWD)) - t = mysql_passwd; -else if (strstr(line, CONFIG_KEY_DB)) CONFIG_KEY_* can all be removed from config.h.proto - t = mysql_db; -else - t = NULL; - -if (t) { - strtok(line, \); - strtok(NULL, \); - strtok(NULL, \); - p = strtok(NULL, \); - - if (u) { -p = strtok(p, :); -q = strtok(NULL, :); - } - else q = NULL; - - if (p !*t) { -*t = malloc(strlen(p) + 1); -strncpy(*t, p, strlen(p) + 1); - } - - if (q !*u) { -*u = malloc(strlen(q) + 1); -strncpy(*u, q, strlen(q) + 1); - } + int opt; + + static const struct option opts[] = { +{ mysql-host, required_argument, 0, 'h' }, +{ mysql-socket, required_argument, 0, 'S' }, +{ mysql-user, required_argument, 0, 'u' }, +{ mysql-passwd, required_argument, 0, 'p' }, +{ mysql-db, required_argument, 0, 'D' }, +{ 0, 0, 0, 0 } + }; + + while((opt = getopt_long(argc, argv, h:S:u:p:D:, opts, NULL)) != -1) { +switch(opt) { + case 'h': +mysql_host = optarg; +break;; + case 'S': +mysql_socket = optarg; +break;; + case 'u': +mysql_user = optarg; +break;; + case 'p': +mysql_passwd = optarg; +break;; + case 'D': +mysql_db = optarg; +break;; + default: +return 0; } } - fclose(fp); - - if (!mysql_host) -die(MySQL host setting not found in AUR config file\n); - if (!mysql_user) -die(MySQL user setting not found in AUR config file\n); - if (!mysql_passwd) -die(MySQL password setting not found in AUR config file\n); - if (!mysql_db) -die(MySQL database setting not found in AUR config file\n); + return 1; } static void 
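Review bot: every case in parse_options() ends with `break;;` (doubled semicolon), and the `default: return 0;` path exits without printing which options are accepted, so a mistyped option gives no hint; add a usage() listing `--mysql-host`, `--mysql-socket`, `--mysql-user`, `--mysql-passwd` and `--mysql-db`. Since `mysql_passwd = optarg` now points into argv, the password also stays visible in the process arguments for the whole run; copying it and overwriting the argv bytes after parsing would limit that exposure.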
@@ -288,12 +266,6 @@ init(void) static void cleanup(void) { - free(mysql_host); - free(mysql_socket); - free(mysql_user); - free(mysql_passwd); - free(mysql_db); - alpm_release(handle); mysql_close(c); mysql_library_end();
Re: [aur-dev] [PATCH 1/5] Add database wrapper class and new connection method
On Sun, Feb 3, 2013 at 11:26 AM, canyonknight canyonkni...@gmail.com wrote: Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/account.php | 2 +- web/html/home.php | 2 +- web/html/logout.php| 2 +- web/html/pkgsubmit.php | 2 +- web/lib/DB.class.php | 28 ++ web/lib/acctfuncs.inc.php | 48 +++ web/lib/aur.inc.php| 49 +++ web/lib/aurjson.class.php | 2 +- web/lib/pkgfuncs.inc.php | 72 +++--- web/lib/translator.inc.php | 2 +- 10 files changed, 110 insertions(+), 99 deletions(-) create mode 100644 web/lib/DB.class.php diff --git a/web/html/account.php b/web/html/account.php index 2133734..7cd0263 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -20,7 +20,7 @@ $action = in_request(Action); if (isset($_COOKIE[AURSID])) { # visitor is logged in # - $dbh = db_connect(); + $dbh = DB::connect(); $atype = account_from_sid($_COOKIE[AURSID]); if ($action == SearchAccounts) { diff --git a/web/html/home.php b/web/html/home.php index 0b51d55..a10ebf0 100644 --- a/web/html/home.php +++ b/web/html/home.php @@ -10,7 +10,7 @@ include_once('stats.inc.php'); html_header( __(Home) ); -$dbh = db_connect(); +$dbh = DB::connect(); ? diff --git a/web/html/logout.php b/web/html/logout.php index 3d059e7..2d8bebc 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -11,7 +11,7 @@ include_once(acctfuncs.inc.php); # access AUR common functions # if (isset($_COOKIE[AURSID])) { if (!isset($dbh)) { - $dbh = db_connect(); + $dbh = DB::connect(); } delete_session_id($_COOKIE[AURSID], $dbh); # setting expiration to 1 means '1 second after midnight January 1, 1970' diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 5dd58af..78fceac 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php 
@@ -356,7 +356,7 @@ if ($uid): # Update the backend database if (!$error) { - $dbh = db_connect(); + $dbh = DB::connect(); begin_atomic_commit($dbh); $pdata = pkgdetails_by_pkgname($new_pkgbuild['pkgname'], $dbh); diff --git a/web/lib/DB.class.php b/web/lib/DB.class.php new file mode 100644 index 000..0975989 --- /dev/null +++ b/web/lib/DB.class.php @@ -0,0 +1,28 @@ +?php + +class DB { + + /** +* A database object +*/ + private static $dbh = null; + + /** +* Return an already existing database object or newly instantiated object +* +* @return \PDO A database connection using PDO +*/ + public static function connect() { + if (self::$dbh === null) { + try { + self::$dbh = new PDO(AUR_db_DSN_prefix . : . AUR_db_host + . ;dbname= . AUR_db_name, AUR_db_user, AUR_db_pass); + self::$dbh-exec(SET NAMES 'utf8' COLLATE 'utf8_general_ci';); + } catch (PDOException $e) { + die('Error - Could not connect to AUR database'); + } + } + + return self::$dbh; + } +} diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 3759c63..1e25f62 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -95,7 +95,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, global $SUPPORTED_LANGS; if (!$dbh) { - $dbh = db_connect(); + $dbh = DB::connect(); } if(isset($_COOKIE['AURSID'])) { @@ -301,7 +301,7 @@ function search_results_page($UTYPE,$O=0,$SB=,$U=,$T=, $search_vars = array(); if (!$dbh) { - $dbh = db_connect(); + $dbh = DB::connect(); } $q = SELECT Users.*, AccountTypes.AccountType ; @@ -367,7 +367,7 @@ function search_results_page($UTYPE,$O=0,$SB=,$U=,$T=, $q.= LIMIT . $HITS_PER_PAGE . OFFSET . $OFFSET; if (!$dbh) { - $dbh = db_connect(); + $dbh = DB::connect(); } $result = $dbh-query($q); @@ -398,7 +398,7 @@ function try_login($dbh=NULL) { if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { if (!$dbh) { - $dbh = db_connect
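Review bot: in the DB.class.php hunk the catch block discards the PDOException entirely; not echoing `$e` to the browser is right (its message carries the DSN and user), but the detail should still reach the server log via error_log($e->getMessage()) so failed connections stay diagnosable. The `SET NAMES` exec() also runs under PDO's default silent error mode, so a failure there is never noticed; setting `PDO::ATTR_ERRMODE` to `PDO::ERRMODE_EXCEPTION` inside the try block would make it surface in the same catch.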
[aur-dev] [PATCH 0/5] Database connection overhaul
Hello all, I recently noticed in my SQL logs that multiple database connections will be started over the course of a page loading. Past commits have relied on passing the handle as an argument to avoid that. The problem is many functions don't get a handle passed to them and there is a large amount of boilerplate code. This patch series will basically fully implement the same functionality as passing DB handles as arguments but with a lot less code and not mucking up function args. Due to the fact that some of these patches are quite large they may get eaten by the list, so as always they will be available on my working branch. canyonknight (5): Add database wrapper class and new connection method Remove unnecessary database connection parameter from all functions Remove documentation references to database parameter Remove checks before calling connection method Remove unneeded database connection calls web/html/account.php | 1 - web/html/home.php | 8 +- web/html/logout.php| 7 +- web/html/pkgsubmit.php | 23 ++-- web/lib/DB.class.php | 28 + web/lib/acctfuncs.inc.php | 179 + web/lib/aur.inc.php| 131 ++--- web/lib/aurjson.class.php | 2 +- web/lib/cachefuncs.inc.php | 3 +- web/lib/pkgfuncs.inc.php | 276 +++-- web/lib/stats.inc.php | 33 +++--- web/lib/translator.inc.php | 6 +- 12 files changed, 239 insertions(+), 458 deletions(-) create mode 100644 web/lib/DB.class.php -- 1.8.1.2
[aur-dev] [PATCH 2/5] Remove unnecessary database connection parameter from all functions
All functions now have a database connection method that will use the same database connection. This imitates the functionality of passing a database connection as an argument and makes it redundant. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/home.php | 6 +-- web/html/logout.php| 4 +- web/html/pkgsubmit.php | 22 - web/lib/acctfuncs.inc.php | 58 web/lib/aur.inc.php| 34 +++--- web/lib/cachefuncs.inc.php | 3 +- web/lib/pkgfuncs.inc.php | 108 ++--- web/lib/stats.inc.php | 28 ++-- web/lib/translator.inc.php | 2 +- 9 files changed, 133 insertions(+), 132 deletions(-) diff --git a/web/html/home.php b/web/html/home.php index a10ebf0..8fccc7f 100644 --- a/web/html/home.php +++ b/web/html/home.php @@ -80,7 +80,7 @@ $dbh = DB::connect(); td class=pkg-name ?php $userid = uid_from_sid($_COOKIE[AURSID]); - user_table($userid, $dbh); + user_table($userid); ? /td /tr @@ -100,10 +100,10 @@ $dbh = DB::connect(); /form /div div id=pkg-updates class=widget box - ?php updates_table($dbh); ? + ?php updates_table(); ? /div div id=pkg-stats class=widget box - ?php general_stats_table($dbh); ? + ?php general_stats_table(); ? /div /div diff --git a/web/html/logout.php b/web/html/logout.php index 2d8bebc..6c98290 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -13,11 +13,11 @@ if (isset($_COOKIE[AURSID])) { if (!isset($dbh)) { $dbh = DB::connect(); } - delete_session_id($_COOKIE[AURSID], $dbh); + delete_session_id($_COOKIE[AURSID]); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie(AURSID, , 1, /, null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); - clear_expired_sessions($dbh); + clear_expired_sessions(); } header('Location: /'); diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 78fceac..12203c4 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php 
@@ -357,9 +357,9 @@ if ($uid): # Update the backend database if (!$error) { $dbh = DB::connect(); - begin_atomic_commit($dbh); + begin_atomic_commit(); - $pdata = pkgdetails_by_pkgname($new_pkgbuild['pkgname'], $dbh); + $pdata = pkgdetails_by_pkgname($new_pkgbuild['pkgname']); # Check the category to use, 1 meaning none (or keep category for # existing packages). @@ -380,8 +380,8 @@ if ($uid): $packageID = $pdata[ID]; # Flush out old data that will be replaced with new data - remove_pkg_deps($packageID, $dbh); - remove_pkg_sources($packageID, $dbh); + remove_pkg_deps($packageID); + remove_pkg_sources($packageID); # If a new category was chosen, change it to that if ($category_id 1) { @@ -389,11 +389,11 @@ if ($uid): } # Update package data - update_pkgdetails($new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], $uid, $packageID, $dbh); + update_pkgdetails($new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], $uid, $packageID); } else { # This is a brand new package - new_pkgdetails($new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, $category_id, $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], $uid, $dbh); - $packageID = last_insert_id($dbh); + new_pkgdetails($new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, $category_id, $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], $uid); + $packageID = last_insert_id(); } @@ -410,7 +410,7 @@ if ($uid): else if ($deppkgname
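Review bot: in the logout.php hunk the `$dbh = DB::connect();` inside `if (!isset($dbh))` is now an unused assignment, since neither delete_session_id() nor clear_expired_sessions() takes the handle any more; better to drop it in this patch than leave dead code until 5/5. In pkgsubmit.php, `begin_atomic_commit()` now relies on every later call getting the same PDO instance from DB::connect(); the singleton guarantees that, but a docblock note on begin_atomic_commit() stating the invariant would help the next reader.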
[aur-dev] [PATCH 3/5] Remove documentation references to database parameter
--- web/lib/acctfuncs.inc.php | 24 web/lib/aur.inc.php | 18 -- web/lib/pkgfuncs.inc.php | 24 web/lib/stats.inc.php | 5 - 4 files changed, 71 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index fe13b49..e982849 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -84,7 +84,6 @@ function display_account_form($UTYPE,$A,$U=,$T=,$S=, * @param string $I The IRC nickname of the user * @param string $K The PGP fingerprint of the user * @param string $UID The user ID of the modified account - * @param \PDO $dbh An already established database connection * * @return string|void Return void if successful, otherwise return error */ @@ -282,7 +281,6 @@ function search_accounts_form() { * @param string $R The real name search criteria * @param string $I The IRC nickname search criteria * @param string $K The PGP key fingerprint search criteria - * @param \PDO $dbh An already established database connection * * @return void */ @@ -385,7 +383,6 @@ function search_results_page($UTYPE,$O=0,$SB=,$U=,$T=, * * @global int $MAX_SESSIONS_PER_USER Maximum sessions a single user may have open * @global int $PERSISTENT_COOKIE_TIMEOUT Time until cookie expires - * @param \PDO $dbh An already established database connection * * @return array Session ID for user, error message if applicable */ @@ -514,7 +511,6 @@ function valid_username($user) { * Determine if a username exists in the database * * @param string $user Username to check in the database - * @param \PDO $dbh An already established database connection * * @return string|void Return user ID if in database, otherwise void */ @@ -543,7 +539,6 @@ function valid_user($user) { * Determine if a user already has a proposal open about themselves * * @param string $user Username to checkout for open proposal - * @param \PDO $dbh An already established database connection * * @return bool True if there is an open proposal about the user, otherwise false */ 
@@ -569,7 +564,6 @@ function open_user_proposals($user) { * @param string $user The use the vote is about * @param int $votelength The length of time for the vote to last * @param string $submitteruid The user ID of the individual who submitted the proposal - * @param \PDO $dbh An already established database connection * * @return void */ @@ -590,7 +584,6 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid) { * * @param string $resetkey A password reset key to be stored in database * @param string $uid The user ID to store the reset key for - * @param \PDO $dbh An already established database connection * * @return void */ @@ -611,7 +604,6 @@ function create_resetkey($resetkey, $uid) { * @param string $salt New salt for the user's password * @param string $resetkey Code e-mailed to a user to reset a password * @param string $email E-mail address of the user resetting their password - * @param \PDO $dbh An already established database connection * * @return string|void Redirect page if successful, otherwise return error message */ @@ -656,7 +648,6 @@ function good_passwd($passwd) { * * @param string $userID The user ID to check the password against * @param string $passwd The password the visitor sent - * @param \PDO $dbh An already established database connection * * @return bool True if password was correct and properly salted, otherwise false */ @@ -718,7 +709,6 @@ function valid_pgp_fingerprint($fingerprint) { * Determine if the user account has been suspended * * @param string $id The ID of user to check if suspended - * @param \PDO $dbh An already established database connection * * @return bool True if the user is suspended, otherwise false */ @@ -744,7 +734,6 @@ function user_suspended($id) { * Delete a specified user account from the database * * @param int $id The user ID of the account to be deleted - * @param \PDO $dbh An already established database connection * * @return void */ 
@@ -761,7 +750,6 @@ function user_delete($id) { * Determine if a user is either a Trusted User or Developer * * @param string $id The ID of the user to check if privileged - * @param \PDO $dbh An already established database connection * * @return int|string Return 0 if un-privileged, 2 if Trusted User, 3 if Developer */ @@ -785,7 +773,6 @@ function user_is_privileged($id) { * Remove the session from the database on logout * * @param string $sid User's session ID - * @param \PDO $dbh An already established database connection * * @return void */ @@ -802,7 +789,6 @@ function delete_session_id($sid) { * Remove all sessions belonging to a particular user * * @param int $uid ID of user to remove all sessions for - * @param \PDO $dbh An already established database connection * * @return void */ @@ -819,7 +805,6 @@
[aur-dev] [PATCH 4/5] Remove checks before calling connection method
Large amount of boilerplate code that checks if a database connection exists is useless now that the new connection method automatically does the same check. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/logout.php| 4 +- web/lib/acctfuncs.inc.php | 97 -- web/lib/aur.inc.php| 60 +-- web/lib/pkgfuncs.inc.php | 144 - web/lib/translator.inc.php | 4 +- 5 files changed, 77 insertions(+), 232 deletions(-) diff --git a/web/html/logout.php b/web/html/logout.php index 6c98290..3958c25 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -10,9 +10,7 @@ include_once(acctfuncs.inc.php); # access AUR common functions # sending any HTML output. # if (isset($_COOKIE[AURSID])) { - if (!isset($dbh)) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); delete_session_id($_COOKIE[AURSID]); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie(AURSID, , 1, /, null, !empty($_SERVER['HTTPS']), true); diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index e982849..9c0998a 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -93,9 +93,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, # error check and process request for a new/modified account global $SUPPORTED_LANGS; - if (!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { $editor_user = uid_from_sid($_COOKIE['AURSID']); @@ -298,9 +296,7 @@ function search_results_page($UTYPE,$O=0,$SB=,$U=,$T=, } $search_vars = array(); - if (!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $q = SELECT Users.*, AccountTypes.AccountType ; $q.= FROM Users, AccountTypes ; @@ -364,9 +360,7 @@ function search_results_page($UTYPE,$O=0,$SB=,$U=,$T=, $search_vars[] = SB; $q.= LIMIT . $HITS_PER_PAGE . OFFSET . $OFFSET; - if (!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $result = $dbh-query($q); 
@@ -394,9 +388,7 @@ function try_login() { $userID = null; if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { - if (!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $userID = valid_user($_REQUEST['user']); if ( user_suspended($userID) ) { @@ -517,9 +509,7 @@ function valid_username($user) { function valid_user($user) { /* if ( $user = valid_username($user) ) { */ - if(!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); if ( $user ) { $q = SELECT ID FROM Users ; @@ -543,9 +533,7 @@ function valid_user($user) { * @return bool True if there is an open proposal about the user, otherwise false */ function open_user_proposals($user) { - if(!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $q = SELECT * FROM TU_VoteInfo WHERE User = . $dbh-quote($user) . ; $q.= AND End UNIX_TIMESTAMP(); $result = $dbh-query($q); @@ -568,9 +556,7 @@ function open_user_proposals($user) { * @return void */ function add_tu_proposal($agenda, $user, $votelength, $submitteruid) { - if(!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $q = INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ; $q.= ( . $dbh-quote($agenda) . , . $dbh-quote($user) . , ; @@ -588,9 +574,7 @@ function add_tu_proposal($agenda, $user, $votelength, $submitteruid) { * @return void */ function create_resetkey($resetkey, $uid) { - if(!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $q = UPDATE Users ; $q.= SET ResetKey = ' . $resetkey . ' ; $q.= WHERE ID = . $uid; @@ -608,9 +592,7 @@ function create_resetkey($resetkey, $uid) { * @return string|void Redirect page if successful, otherwise return error message */ function password_reset($hash, $salt, $resetkey, $email) { - if(!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); $q = UPDATE Users ; $q.= SET Passwd = '$hash', ; $q.= Salt = '$salt', ; 
@@ -652,9 +634,7 @@ function good_passwd($passwd) { * @return bool True if password was correct and properly salted, otherwise false */ function valid_passwd($userID, $passwd) { - if (!$dbh) { - $dbh = DB::connect(); - } + $dbh = DB::connect(); if ( strlen($passwd) 0 ) { # get salt for this user $salt
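Review bot: the context lines in create_resetkey() and password_reset() show `$resetkey`, `$hash` and `$salt` spliced into the SQL string (`SET ResetKey = ' . $resetkey . '`, `SET Passwd = '$hash'`) while neighbouring functions such as open_user_proposals() and add_tu_proposal() use `$dbh-quote()`; this patch already touches every one of these functions, so it is a convenient point to route those values through `$dbh-quote()` (or a prepared statement) for consistency. Not a regression introduced here.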
[aur-dev] [PATCH 5/5] Remove unneeded database connection calls
Since all database related functions will establish a connection when needed, there is no need to pre-emptively try and establish a database connection. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/account.php | 1 - web/html/home.php | 2 -- web/html/logout.php| 1 - web/html/pkgsubmit.php | 1 - 4 files changed, 5 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 7cd0263..c367914 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -20,7 +20,6 @@ $action = in_request(Action); if (isset($_COOKIE[AURSID])) { # visitor is logged in # - $dbh = DB::connect(); $atype = account_from_sid($_COOKIE[AURSID]); if ($action == SearchAccounts) { diff --git a/web/html/home.php b/web/html/home.php index 8fccc7f..e4439d9 100644 --- a/web/html/home.php +++ b/web/html/home.php @@ -10,8 +10,6 @@ include_once('stats.inc.php'); html_header( __(Home) ); -$dbh = DB::connect(); - ? div id=content-left-wrapper diff --git a/web/html/logout.php b/web/html/logout.php index 3958c25..5e8e8f4 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -10,7 +10,6 @@ include_once(acctfuncs.inc.php); # access AUR common functions # sending any HTML output. # if (isset($_COOKIE[AURSID])) { - $dbh = DB::connect(); delete_session_id($_COOKIE[AURSID]); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie(AURSID, , 1, /, null, !empty($_SERVER['HTTPS']), true); diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 12203c4..fefb31e 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -356,7 +356,6 @@ if ($uid): # Update the backend database if (!$error) { - $dbh = DB::connect(); begin_atomic_commit(); $pdata = pkgdetails_by_pkgname($new_pkgbuild['pkgname']); -- 1.8.1.2
[aur-dev] [PATCH] acctfuncs.inc.php: Change return type of valid_username function
The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index a41659e..cdf4af6 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -480,12 +480,12 @@ function try_login($dbh=NULL) { * * The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter * or equal to USERNAME_MAX_LEN. It must start and end with either a letter or - * a number. It can contain one period, hypen, or underscore. Returns username - * if it meets all of those rules. + * a number. It can contain one period, hypen, or underscore. Returns boolean + * of whether name is valid. * * @param string $user Username to validate * - * @return string|void Return username if it meets criteria, otherwise void + * @return bool True if username meets criteria, otherwise false */ function valid_username($user) { if (!empty($user)) { @@ -500,13 +500,12 @@ function valid_username($user) { # contain only letters and numbers, # and at most has one dash, period, or underscore if ( preg_match(/^[a-z0-9]+[.\-_]?[a-z0-9]+$/, $user) ) { - #All is good return the username - return $user; + return true; } } } - return; + return false; } /** -- 1.8.1.1
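Review bot: the docblock context line still reads "hypen"; fix the typo while rewriting that comment. Since the return value changes from the username string to bool, any caller that captured the name (`if ($u = valid_username($user))`) now gets `true` instead of the name; the diffstat touches only acctfuncs.inc.php, so please confirm no such call site remains elsewhere.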
[aur-dev] [PATCH] Replace permission check code with can_edit_account()
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/account.php | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index cccdd76..2133734 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -48,11 +48,8 @@ if (isset($_COOKIE[AURSID])) { if (empty($row)) { print __(Could not retrieve information for the specified user.); } else { - # double check to make sure logged in user can edit this account - # - if ($atype == Developer || ($atype == Trusted User - $row[AccountType] != Developer) || - ($row[ID] == uid_from_sid($_COOKIE[AURSID]))) { + /* Verify user has permission to edit the account */ + if (can_edit_account($atype, $row, uid_from_sid($_COOKIE[AURSID]))) { display_account_form($atype, UpdateAccount, $row[Username], $row[AccountType], $row[Suspended], $row[Email], , , $row[RealName], $row[LangPreference], -- 1.8.1.1
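Review bot: the removed check carried the rule that a Trusted User may edit an account only when `$row[AccountType] != Developer`, plus the self-edit case `$row[ID] == uid_from_sid(...)`; can_edit_account() is not shown in this patch, so confirm it preserves both conditions, otherwise this refactor would widen who can edit Developer accounts.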
[aur-dev] [PATCH] Clear a user's active sessions following account suspension
A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 19 +++ 1 file changed, 19 insertions(+) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index cdf4af6..b2bf03b 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -229,6 +229,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, $q.= , AccountTypeID = .intval($T); } if ($S) { + /* Ensure suspended users can't keep an active session */ + delete_user_sessions($UID, $dbh); $q.= , Suspended = 1; } else { $q.= , Suspended = 0; @@ -797,6 +799,23 @@ function delete_session_id($sid, $dbh=NULL) { } /** + * Remove all sessions belonging to a particular user + * + * @param int $uid ID of user to remove all sessions for + * @param \PDO $dbh An already established database connection + * + * @return void + */ +function delete_user_sessions($uid, $dbh=NULL) { + if (!$dbh) { + $dbh = db_connect(); + } + + $q = DELETE FROM Sessions WHERE UsersID = . intval($uid); + $dbh-exec($q); +} + +/** * Remove sessions from the database that have exceed the timeout * * @global int $LOGIN_TIMEOUT Time until session expires -- 1.8.1.1
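Review bot: `delete_user_sessions($UID, $dbh)` is called while the UPDATE is still being assembled (`$q.= , Suspended = 1;`), i.e. before the suspension is written; if the later `$dbh-exec($q)` fails, the user is logged out but not actually suspended. Calling it after the update succeeds keeps the two in step. The new function itself is fine: `intval($uid)` is applied before the DELETE is built.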
[aur-dev] [PATCH 4/4] acctfuncs.inc.php: Change wording of account editing message
An error message is printed when the number of affected rows is 0 for an edited account. A count of 0 doesn't imply an error, only that no changes were made in the database. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index b2bf03b..96fd9f6 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -248,7 +248,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, $q.= WHERE ID = .intval($UID); $result = $dbh-exec($q); if (!$result) { - print __(Error trying to modify account, %s%s%s., + print __(No changes were made to the account, %s%s%s., strong, htmlspecialchars($U,ENT_QUOTES), /strong); } else { print __(The account, %s%s%s, has been successfully modified., -- 1.8.1.1
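Review bot: `if (!$result)` conflates two outcomes of PDO::exec(): it returns 0 when the UPDATE changed no rows, but false when the query failed. With the new wording a genuine SQL error now prints "No changes were made to the account". Test `$result === false` separately and keep an error message for that branch.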
[aur-dev] [PATCH] pkg_details.php: Add missing translatable string
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_details.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index b5d8a9f..0973448 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -137,7 +137,7 @@ if ($row[SubmitterUID]): td?= htmlspecialchars($submitter) ?/td ?php endif; ? ?php else: ? - tdNone/td + td?= __('None') ?/td ?php endif; ? /tr tr @@ -155,7 +155,7 @@ if ($row[MaintainerUID]): td?= htmlspecialchars($maintainer) ?/td ?php endif; ? ?php else: ? - tdNone/td + td?= __('None') ?/td ?php endif; ? /tr tr -- 1.8.1.1
[aur-dev] [PATCH] aur.inc.php: Fix PHP undefined index notice for AURSID
Occurs in the rare situation where a logged out user tries to POST a CSRF token. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/aur.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 387d81d..e02c835 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -94,7 +94,7 @@ function check_sid($dbh=NULL) { * @return bool True if the CSRF token is the same as the cookie SID, otherwise false */ function check_token() { - if (isset($_POST['token'])) { + if (isset($_POST['token']) isset($_COOKIE['AURSID'])) { return ($_POST['token'] == $_COOKIE['AURSID']); } else { return false; -- 1.8.1.1
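Review bot: the added `isset($_COOKIE['AURSID'])` guard is the right fix for the notice; while touching this line, the comparison `$_POST['token'] == $_COOKIE['AURSID']` is a loose comparison and should be `===`, since PHP compares two numeric-looking strings numerically and a token check must not rely on that.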
[aur-dev] [PATCH] user_table.php: Remove unused link parameter
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/stats/user_table.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/template/stats/user_table.php b/web/template/stats/user_table.php index ba6751f..284d5b9 100644 --- a/web/template/stats/user_table.php +++ b/web/template/stats/user_table.php @@ -7,7 +7,7 @@ $username = username_from_sid($_COOKIE[AURSID]); table tr td - a href=?= get_uri('/packages/'); ??SeB=mamp;L=2amp;K=?= $username; ? + a href=?= get_uri('/packages/'); ??SeB=mamp;K=?= $username; ? ?= __(Packages in unsupported); ?/a /td td?= $maintainer_unsupported_count; ?/td -- 1.8.1
[aur-dev] [PATCH] stats.inc.php: Remove unnecessary account type lookup
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/stats.inc.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 60973e9..cfae794 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -43,9 +43,6 @@ function user_table($userid, $dbh) { $flagged_outdated = db_cache_value($q, $dbh, 'user_flagged_outdated:' . $userid); - # If the user is a TU calculate the number of the packages - $atype = account_from_sid($_COOKIE[AURSID]); - include('stats/user_table.php'); } -- 1.8.1
Re: [aur-dev] [PATCH] Add description meta-element to package pages
On Sat, Jan 5, 2013 at 11:32 AM, Marcel Korpel marcel.li...@gmail.com wrote: Implements FS#33294 I like the idea of this patch. It would make search engine results for AUR packages far more sane. --- web/html/packages.php| 7 +-- web/lib/aur.inc.php | 3 ++- web/lib/pkgfuncs.inc.php | 24 web/template/header.php | 5 + 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/web/html/packages.php b/web/html/packages.php index 6182550..54386fc 100644 --- a/web/html/packages.php +++ b/web/html/packages.php @@ -20,9 +20,12 @@ if (!isset($pkgid) || !isset($pkgname)) { } } -# Set the title to the current query if required +# Set the title and description to the current query if required +$description = ; + if (isset($pkgname)) { $title = $pkgname; + $description = package_description($pkgid); } else if (!empty($_GET['K'])) { $title = __(Search Criteria) . : . $_GET['K']; } else { @@ -93,7 +96,7 @@ if (check_token()) { } } -html_header($title); +html_header($title, $description); ? ?php if ($output): ? diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 018d5c8..46ef340 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -297,13 +297,14 @@ function db_connect() { * * @return void */ -function html_header($title=) { +function html_header($title=, $description=) { global $AUR_LOCATION; global $DISABLE_HTTP_LOGIN; global $LANG; global $SUPPORTED_LANGS; $title = htmlspecialchars($title, ENT_QUOTES); + $description = htmlspecialchars($description, ENT_QUOTES); include('header.php'); return; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index c00c33d..5230947 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php 
@@ -432,6 +432,30 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { } /** + * Get the package description + * + * @param string $id The package ID to get description for + * + * @return string The package's description + **/ +function package_description($id=0, $dbh=NULL) { + if(!$dbh) { + $dbh = db_connect(); + } + + $q = SELECT Description FROM Packages ; + $q.= WHERE ID = . intval($id); + $result = $dbh-query($q); + + if ($result) { + $row = $result-fetch(PDO::FETCH_ASSOC); + if (!empty($row)) { + return $row['Description']; + } + } +} I don't really like that this fetches the package description when there is already a query that fetches all package information, including package description. This adds an extra query to every package page despite the same data being fetched later. I do see why you did it this way since html_header() outputs even before package_details() is called, but I think it would be desirable to solve this in a way that doesn't duplicate a query. + +/** * Display the package details page * * @global string $AUR_LOCATION The AUR's URL used for notification e-mails diff --git a/web/template/header.php b/web/template/header.php index 92cb2ff..d6362a5 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -10,6 +10,11 @@ link rel='shortcut icon' href='/images/favicon.ico' / link rel='alternate' type='application/rss+xml' title='Newest Packages RSS' href='?= get_uri('/rss/'); ?' / meta http-equiv=Content-Type content=text/html; charset=UTF-8 / + ?php + if (isset($description) $description != ) { + print meta name='description' content=' . $description . ' /\n; + } + ? You can use the alternative syntax for control structures when mixing PHP with HTML. It can be easier to read: ?php if (!empty($description)): ? meta name=description content=?= $description ? / ?php endif; ? /head body div id=archnavbar class=anb-aur -- 1.8.1
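Review bot: the html_header() hunk in aur.inc.php adds a `$description` parameter but leaves the docblock that ends in `* @return void` untouched; add a `@param string $description` entry next to the existing title parameter so the new argument is documented.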
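Review bot: package_description() in the pkgfuncs.inc.php hunk falls off the end with no return value when the query fails or yields no row, so the documented `@return string` is not honoured and html_header() receives NULL; finish the function with an explicit `return '';` (or document the NULL). The extra query per package page raised in the reply above could be avoided by handing html_header() the description that package_details() already fetches.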
Re: [aur-dev] [PATCH] Redirect back after login
On Mon, Dec 17, 2012 at 1:10 PM, Marcel Korpel marcel.li...@gmail.com wrote: On Sun, Dec 16, 2012 at 7:12 PM, canyonknight canyonkni...@gmail.com wrote: This implementation is susceptible to HTTP header injection. Ok. You mean in the current 'Location:' line without filtering 0x0a and 0x0d? Response splitting shouldn't be an issue. PHP prevents multiple headers from being sent at once in the header() function. I was referring to the fact that it is an unsanitized $_GET variable being used as a header. It can be manipulated and could redirect to a website outside the AUR or some other clever attack. That is one of the nice things about using a $_SESSION variable in this case. The server could directly set the redirect location in a $_SESSION variable without the user being able to tamper with it. Also note the usage of $_SERVER['REQUEST_URI'] had previously been eliminated with commit 630f1cbae8473fb05e5f5af7244eccc60fe93812. If we can't trust $_SERVER['REQUEST_URI'], then how should we determine the current URL? Using $_SERVER['PATH_INFO'] and $_SERVER['QUERY_STRING']? Or are these also susceptible to manipulation? Briefly, I always thought the following could be a decent solution: - User is on a page and the route is saved as a $_SESSION variable - User navigates to login page and logs in - Login page uses the routing code to redirect to page saved in the $_SESSION variable I realize it isn't a GET parameter solution, but it is easy to do securely. The only downside is if a user has multiple tabs open, it will redirect to the last page opened. That and to implement properly it would require a bit of work. Regards, Jason
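The session-based flow described above, as an added example that is neither the thread's nor the AUR project's code; the function names, the session key and the no-return route list are assumptions, and which server variable supplies the current route is left to the caller.

```php
<?php
/*
 * Added example, not AUR code: remember the page a visitor was on in the
 * session and send them back there after login. The server writes the
 * target and reads it back from $_SESSION, so the client never supplies
 * the Location value and cannot point the redirect off-site. Function
 * names, the session key and the route list below are assumptions.
 * In a real application call session_start() before using these.
 */

/* Routes that must not become a return target (they would loop). */
$NO_RETURN_ROUTES = array('/login/', '/logout/', '/register/');

/*
 * Accept only a plain site-relative path: one leading slash, no second
 * slash or backslash (browsers treat "//host" and "/\host" as
 * protocol-relative) and no CR/LF, which a header value must not carry.
 * Returns the path, or null when it is not a safe local route.
 */
function local_route($path) {
    $path = (string) $path;
    if ($path === '' || $path[0] !== '/') {
        return null;
    }
    if (strlen($path) > 1 && ($path[1] === '/' || $path[1] === '\\')) {
        return null;
    }
    if (preg_match('/[\r\n]/', $path)) {
        return null;
    }
    return $path;
}

/*
 * Call on ordinary page views. $current_route is the path (plus query
 * string) of the page being served; which server variable it comes from
 * is the caller's choice. Returns true when a route was stored.
 */
function remember_return_route($current_route) {
    global $NO_RETURN_ROUTES;
    $route = local_route($current_route);
    if ($route === null) {
        return false;
    }
    $path_only = strtok($route, '?');
    if (in_array($path_only, $NO_RETURN_ROUTES, true)) {
        return false;
    }
    $_SESSION['return_route'] = $route;
    return true;
}

/*
 * Call after a successful login. The stored value is re-validated before
 * use, so even a tampered session store cannot inject a foreign target,
 * and it is cleared so that it is used at most once.
 */
function pop_return_route($default = '/') {
    $route = $default;
    if (isset($_SESSION['return_route'])) {
        $candidate = local_route($_SESSION['return_route']);
        if ($candidate !== null) {
            $route = $candidate;
        }
        unset($_SESSION['return_route']);
    }
    return $route;
}

/* Self-check against a constructed session array (no real session). */
$_SESSION = array();
remember_return_route('/packages/foo/?comments=all');  /* remembered */
remember_return_route('/login/?x=1');                  /* ignored: would loop */
assert(pop_return_route() === '/packages/foo/?comments=all');
assert(pop_return_route() === '/');                    /* used only once */
$_SESSION['return_route'] = '//evil.example/';         /* tampered value */
assert(pop_return_route() === '/');
```

The last-tab-wins behaviour mentioned above still applies: whichever page called remember_return_route() most recently is the one the login returns to.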
Re: [aur-dev] [PATCH] Redirect back after login
On Fri, Dec 14, 2012 at 5:51 PM, Marcel Korpel marcel.li...@gmail.com wrote: Fixes FS#32481 --- web/html/login.php| 2 +- web/lib/acctfuncs.inc.php | 8 +++- web/lib/aur.inc.php | 44 web/template/header.php | 4 ++-- 4 files changed, 54 insertions(+), 4 deletions(-) This implementation is susceptible to HTTP header injection. Also note the usage of $_SERVER['REQUEST_URI'] had previously been eliminated with commit 630f1cbae8473fb05e5f5af7244eccc60fe93812. diff --git a/web/html/login.php b/web/html/login.php index e458fec..48fda29 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -20,7 +20,7 @@ html_header('AUR ' . __(Login)); a href=?= get_uri('/logout/'); ?[?= __(Logout); ?]/a /p ?php elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) $_SERVER['HTTPS'])): ? - form method=post action=?= get_uri('/login') ? + form method=post action=?= get_uri('/login') . redirect_post() ? fieldset legend?= __('Enter login credentials') ?/legend ?php if (!empty($login_error)): ? diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 3fd23ae..ee19511 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -460,7 +460,13 @@ function try_login($dbh=NULL) { $cookie_time = 0; setcookie(AURSID, $new_sid, $cookie_time, /, null, !empty($_SERVER['HTTPS']), true); - header(Location: . get_uri('/')); + + if (isset($_GET['redirect'])) { + header(Location: . $_GET['redirect']); + } else { + header(Location: . get_uri('/')); + } + $login_error = ; } diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 018d5c8..653cf55 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php 
@@ -310,6 +310,50 @@ function html_header($title=) { } /** + * Add redirect URL parameter when appropriate + * @return string Query string + **/ +function redirect_string() { + global $USE_VIRTUAL_URLS; + + /* get the request URI without the optional query string */ + $uri_parts = explode('?', $_SERVER['REQUEST_URI']); + + /* remove leading slash if get_route() is used */ + if (!$USE_VIRTUAL_URLS) { + $uri_parts[0] = ltrim($uri_parts[0], '/'); + } + + /* don't add a redirect string to /login/ to prevent looping; + don't add a redirect string to / and /register/: it's useless */ + switch ($uri_parts[0]) { + case get_uri('/'): + case get_uri('/login/'): + case get_uri('/register/'): + $querystring = ''; + break; + default: + $querystring = '?redirect=' . urlencode($_SERVER[REQUEST_URI]); + } + + return htmlentities($querystring); +} + +/** + * Add redirect URL parameter to form action + * @return string Query string + **/ +function redirect_post() { + if ( isset($_GET['redirect']) ) { + $querystring = '?redirect=' . urlencode($_GET['redirect']); + } else { + $querystring = ''; + } + + return htmlentities($querystring); +} + +/** * Common AUR footer displayed on all pages * * @param string $ver The AUR version diff --git a/web/template/header.php b/web/template/header.php index 92cb2ff..e073df5 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -64,9 +64,9 @@ ?php else: ? lia href=?= get_uri('/register/'); ??= __(Register); ?/a/li ?php if ($DISABLE_HTTP_LOGIN empty($_SERVER['HTTPS'])): ? - lia href=?= $AUR_LOCATION . get_uri('/login/'); ??= __(Login); ?/a/li + lia href=?= $AUR_LOCATION . get_uri('/login/') . redirect_string(); ??= __(Login); ?/a/li ?php else: ? - lia href=?= get_uri('/login/'); ??= __(Login); ?/a/li + lia href=?= get_uri('/login/') . redirect_string(); ??= __(Login); ?/a/li ?php endif; ? ?php endif; ? /ul -- 1.8.0.2
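Review bot: in the acctfuncs.inc.php hunk, `header(Location: . $_GET['redirect'])` sends the client-supplied parameter straight back as the redirect target, which is the open-redirect concern raised earlier in this thread; before emitting the header, accept only a value that is a site-relative path (one leading slash, no "//" or scheme) and fall back to `get_uri('/')` otherwise. redirect_post() in aur.inc.php re-embeds the same unvalidated value in the form action, so the check belongs where the parameter is first read.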
[aur-dev] [PATCH 1/2] gendummydata.py: Remove need for fortune subprocess
Fortune calls slows down the generation of dummy data dramatically for large datasets. Read from a specified fortune file directly to avoid the need for the subprocess. Signed-off-by: canyonknight canyonkni...@gmail.com --- support/schema/gendummydata.py | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/support/schema/gendummydata.py b/support/schema/gendummydata.py index 68f58b6..f3dd8f9 100755 --- a/support/schema/gendummydata.py +++ b/support/schema/gendummydata.py @@ -14,7 +14,6 @@ import time import os import sys import io -import subprocess import logging LOG_LEVEL = logging.DEBUG # logging level. set to logging.INFO to reduce output @@ -39,7 +38,7 @@ CLOSE_PROPOSALS = 15 # number of closed trusted user proposals RANDOM_TLDS = (edu, com, org, net, tw, ru, pl, de, es) RANDOM_URL = (http://www.;, ftp://ftp.;, http://;, ftp://;) RANDOM_LOCS = (pub, release, files, downloads, src) -FORTUNE_CMD = /usr/bin/fortune +FORTUNE_FILE = /usr/share/fortune/cookie # setup logging logformat = %(levelname)s: %(message)s @@ -58,7 +57,7 @@ if not os.path.exists(SEED_FILE): # make sure comments can be created # -if not os.path.exists(FORTUNE_CMD): +if not os.path.exists(FORTUNE_FILE): log.error(Please install the 'fortune-mod' Arch package) raise SystemExit @@ -81,6 +80,8 @@ def genCategory(): return random.randrange(1,CATEGORIES_COUNT) def genUID(): return seen_users[user_keys[random.randrange(0,len(user_keys))]] +def genFortune(): + return fortunes[random.randrange(0,len(fortunes))].replace(', ) # load the words, and make sure there are enough words for users/pkgs 
@@ -178,6 +179,11 @@ log.debug(Number of trusted users: %d % len(trustedusers)) log.debug(Number of users: %d % (MAX_USERS-len(developers)-len(trustedusers))) log.debug(Number of packages: %d % MAX_PKGS) +log.debug(Gathering text from fortune file...) +fp = open(FORTUNE_FILE, r) +fortunes = fp.read().split(%\n) +fp.close() + # Create the package statements # log.debug(Creating SQL statements for packages.) @@ -205,11 +211,10 @@ for p in list(seen_pkgs.keys()): # num_comments = random.randrange(PKG_CMNTS[0], PKG_CMNTS[1]) for i in range(0, num_comments): - fortune = subprocess.getoutput(FORTUNE_CMD).replace(',) now = NOW + random.randrange(400, 86400*3) s = (INSERT INTO PackageComments (PackageID, UsersID, Comments, CommentTS) VALUES (%d, %d, '%s', %d);\n) - s = s % (seen_pkgs[p], genUID(), fortune, now) + s = s % (seen_pkgs[p], genUID(), genFortune(), now) out.write(s) # Cast votes @@ -271,7 +276,6 @@ for p in list(seen_pkgs.keys()): log.debug(Creating SQL statements for trusted user proposals.) count=0 for t in range(0, OPEN_PROPOSALS+CLOSE_PROPOSALS): - fortune = subprocess.getoutput(FORTUNE_CMD).replace(',) now = int(time.time()) if count CLOSE_PROPOSALS: start = now - random.randrange(3600*24*7, 3600*24*21) @@ -286,7 +290,7 @@ for t in range(0, OPEN_PROPOSALS+CLOSE_PROPOSALS): suid = trustedusers[random.randrange(0,len(trustedusers))] s = (INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES ('%s', '%s', %d, %d, %d);\n) - s = s % (fortune, user, start, end, suid) + s = s % (genFortune(), user, start, end, suid) out.write(s) count += 1 -- 1.8.0.2
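Review bot: genFortune(), added next to genUID() in the first hunk, reads the module-level `fortunes` list that is only assigned much later (after the `log.debug(Number of packages ...)` line), so it works purely because every call site comes after the load; declare `fortunes = []` with the other module-level settings, or pass the list in, so the dependency is visible to the reader.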
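Review bot: the `fp = open(FORTUNE_FILE, r)` hunk reads the fortune file with the locale's default encoding, so on a non-UTF-8 locale the non-ASCII characters found in fortune-mod quotes raise a UnicodeDecodeError part-way through generation; open the file with an explicit `encoding='utf-8'` (plus an `errors=` policy if stray bytes are acceptable) and use a `with` block so the handle is closed on error, replacing the manual `fp.close()`.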
Re: [aur-dev] dummy-data.sql
On Tue, Dec 11, 2012 at 9:17 AM, Marcel Korpel marcel.li...@gmail.com wrote: On Tue, Dec 11, 2012 at 1:39 PM, Marcel Korpel marcel.li...@gmail.com wrote: As FS#32986 isn't resolved yet, I can't test my typeahead-suggest script. Can someone please send me (off-list) a correct version of dummy-data.sql? I can send one later today. On second thought, I do have a dummy-data.sql [1], but somehow it isn't executed correctly. If I do `cat dummy-data.sql | mysql -uaur -p -v AUR` I can see the SQL commands slip by, but apparently nothing is inserted into my local database AUR, as shown by a database browser (and by the empty array my completion script returns when asking for all packages starting with 'a'). Does anyone know why this happens? Yes. I only fixed the problems related to character encoding of the seed file on FS#32986 so far. So some SQL dummy data will be generated from that. I didn't yet fix the character encoding of data generated from the fortune command for you. So gendummydata.py will stop before it prints COMMIT;. Without that line the SQL data won't be inserted. All of these problems are avoided if you use a UTF-8 charset... Regards, Jason
Re: [aur-dev] [PATCH] INSTALL: Change # to $ where possible
On Wed, Dec 5, 2012 at 11:49 AM, Marcel Korpel marcel.li...@gmail.com wrote: This overrides my earlier patch 'INSTALL: Added MYUSER (needed from root)' --- For future reference, anything above this is a part of the commit message. Anything put here isn't. Since that other patch wasn't applied, the above text isn't needed. INSTALL | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/INSTALL b/INSTALL index 91aa3da..76df42b 100644 --- a/INSTALL +++ b/INSTALL @@ -57,24 +57,24 @@ Setup on Arch Linux: # mysqladmin -p create AUR - Connect to the mysql client - # mysql -uroot -p AUR + $ mysql -uroot -p AUR - Issue the following commands to the mysql client mysql GRANT ALL PRIVILEGES ON AUR.* to aur@localhost - identified by 'aur'; + - identified by 'aur'; mysql FLUSH PRIVILEGES; mysql quit - Load the schema file - # mysql -uaur -p AUR ~/aur/support/schema/aur-schema.sql + $ mysql -uaur -p AUR ~/aur/support/schema/aur-schema.sql (give password 'aur' at the prompt) - Optionally load some test data for development purposes. # pacman -S words fortune-mod - # cd ~/aur/support/schema/ - # python gendummydata.py dummy-data.sql - # bzip2 dummy-data.sql - # bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR + $ cd ~/aur/support/schema/ + $ python gendummydata.py dummy-data.sql + $ bzip2 dummy-data.sql + $ bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR (give password 'aur' at the prompt) If your test data consists of real people and real email addresses consider @@ -83,7 +83,7 @@ Setup on Arch Linux: mysql UPDATE Users SET Email = RAND() * RAND(); 7) Copy the config.inc.php.proto file to config.inc.php. Modify as needed. - # cd ~/aur/web/lib/ - # cp config.inc.php.proto config.inc.php + $ cd ~/aur/web/lib/ + $ cp config.inc.php.proto config.inc.php 8) Point your browser to http://aur -- 1.8.0.1
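Review bot: the hunk leaves the context line `# mysqladmin -p create AUR` with the root prompt although, like the `mysql -uroot -p AUR` invocation changed directly below it, it authenticates to the database with `-p` rather than needing a root shell; if keeping `#` there is deliberate (for example because the local socket requires it), a short note would stop readers from assuming it was missed.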
Re: [aur-dev] Some issues after installing AUR locally
On Thu, Dec 6, 2012 at 10:25 AM, Marcel Korpel marcel.li...@gmail.com wrote: On Wed, Dec 5, 2012 at 8:24 PM, canyonknight canyonkni...@gmail.com wrote: snip You could also just set $USE_VIRTUAL_URLS to false and navigate using the legacy pages packages.php, account.php, etc... Although I would recommend using rewriting to get a closer match of how the actual AUR behaves now. Indeed. Shouldn't this .htaccess file be included in the AUR? Or in INSTALL? No. An htaccess file shouldn't be part of the source tree. An example rewrite rule in INSTALL would probably be good. Regards, Jason
Re: [aur-dev] Some issues after installing AUR locally
On Wed, Dec 5, 2012 at 12:28 PM, Marcel Korpel marcel.li...@gmail.com wrote: Hi all, After following the instructions and giving Apache access to my home directory, I managed to go to the local AUR home page. However, apart from not having dummy data, I have some issues: Could you please open a bug report on the tracker for the dummy data generation issue [1]? It looks like Unicode characters in the seed file are causing your issues. 1) There's a message above the page saying Notice: Undefined index: PATH_INFO in /home/mk/archdev/aur/web/html/index.php on line 7. I checked with a php_info() command and it's indeed not present. The URL routing backend currently needs PATH_INFO to work correctly. If it's not properly passed to PHP, you'll get this error. 2) http://aur/packages/, aur/register/, and aur/login/ are not available (though packages.php is). Should I set some option in my config files? This is connected to your first issue. I'm guessing you have $USE_VIRTUAL_URLS in web/lib/config.inc.php set to true, but aren't actually rewriting any of your URLs? Make sure you enable mod_rewrite to use that functionality. I'm not sure of the exact config options in Apache, but I use the following rule in lighttpd: url.rewrite = ( "^(.*)$" => "/index.php/$1" ) You could also just set $USE_VIRTUAL_URLS to false and navigate using the legacy pages packages.php, account.php, etc... Although I would recommend using rewriting to get a closer match of how the actual AUR behaves now. 3) Now http://aur and http://localhost point to the same page (the AUR home page). Is there a method to be able to point http://localhost back to /srv/http (without losing http://aur)? I'm not an expert on this but I believe you can just have another vhost. Have a `<VirtualHost localhost:80>` ... `</VirtualHost>` block with all the appropriate info and DocumentRoot pointing to /srv/http instead of what aur points to. Also make sure you have NameVirtualHost set correctly.
There are docs that have examples that can give you more precise information [2]. Sorry you've had some issues getting the AUR installed. Installation can be a bit tricky and the docs aren't overly explicit. Let me know if you need more help! Regards, Jason [1] https://bugs.archlinux.org/index/proj2 [2] http://httpd.apache.org/docs/2.2/vhosts/
Re: [aur-dev] [PATCH] INSTALL: Allow access to home directory
On Wed, Dec 5, 2012 at 12:05 PM, Marcel Korpel marcel.li...@gmail.com wrote: --- INSTALL | 3 +++ 1 file changed, 3 insertions(+) diff --git a/INSTALL b/INSTALL index 76df42b..d682eda 100644 --- a/INSTALL +++ b/INSTALL @@ -69,6 +69,9 @@ Setup on Arch Linux: $ mysql -uaur -p AUR ~/aur/support/schema/aur-schema.sql (give password 'aur' at the prompt) + - Allow access to home directory (otherwise you'll get a 403 Forbidden error) + $ chmod o+x $HOME + - Optionally load some test data for development purposes. # pacman -S words fortune-mod $ cd ~/aur/support/schema/ -- 1.8.0.1 Not a fan of this. It's better to just make a note for the user to check that all their permissions are setup correctly.
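Review bot: `chmod o+x $HOME` in the hunk makes the home directory traversable by every local account, not only the web server user, which is broader than the 403 fix requires; as the reply suggests, phrase this as a check that the web server can reach the checkout (serving it from outside $HOME, or granting only that user access) rather than prescribing the world-executable bit in INSTALL.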
[aur-dev] [PATCH] Split package flagging and unflagging into separate functions
Currently, package flagging and unflagging takes place within the pkg_flag() function. A bool is set to true or false depending on the action. Create new pkg_unflag() function with sole purpose of unflagging and keep pkg_flag() in place. This split will be useful in the overhaul of the notification system. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/packages.php| 4 +-- web/lib/pkgfuncs.inc.php | 74 2 files changed, 45 insertions(+), 33 deletions(-) diff --git a/web/html/packages.php b/web/html/packages.php index 094c221..6182550 100644 --- a/web/html/packages.php +++ b/web/html/packages.php @@ -51,9 +51,9 @@ if (isset($_POST['IDs'])) { $output = ; if (check_token()) { if (current_action(do_Flag)) { - $output = pkg_flag($atype, $ids, true); + $output = pkg_flag($atype, $ids); } elseif (current_action(do_UnFlag)) { - $output = pkg_flag($atype, $ids, False); + $output = pkg_unflag($atype, $ids); } elseif (current_action(do_Adopt)) { $output = pkg_adopt($atype, $ids, true); } elseif (current_action(do_Disown)) { diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index cfdd9a7..c00c33d 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php 
@@ -772,33 +772,24 @@ function sanitize_ids($ids) { } /** - * Flag and un-flag packages out-of-date + * Flag package(s) as out-of-date * * @global string $AUR_LOCATION The AUR's URL used for notification e-mails * @param string $atype Account type, output of account_from_sid * @param array $ids Array of package IDs to flag/unflag - * @param bool $action true flags out-of-date, false un-flags. Flags by default * * @return string Translated success or error messages */ -function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { +function pkg_flag($atype, $ids, $dbh=NULL) { global $AUR_LOCATION; if (!$atype) { - if ($action) { - return __(You must be logged in before you can flag packages.); - } else { - return __(You must be logged in before you can unflag packages.); - } + return __(You must be logged in before you can flag packages.); } $ids = sanitize_ids($ids); if (empty($ids)) { - if ($action) { - return __(You did not select any packages to flag.); - } else { - return __(You did not select any packages to unflag.); - } + return __(You did not select any packages to flag.); } if(!$dbh) { @@ -806,25 +797,13 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { } $q = UPDATE Packages SET; - if ($action) { - $q.= OutOfDateTS = UNIX_TIMESTAMP(); - } - else { - $q.= OutOfDateTS = NULL; - } + $q.= OutOfDateTS = UNIX_TIMESTAMP(); $q.= WHERE ID IN ( . implode(,, $ids) . ); - - if (!$action ($atype != Trusted User $atype != Developer)) { - $q.= AND MaintainerUID = . uid_from_sid($_COOKIE[AURSID], $dbh); - } - - if ($action) { - $q.= AND OutOfDateTS IS NULL; - } + $q.= AND OutOfDateTS IS NULL; $affected_pkgs = $dbh-exec($q); - if ($action $affected_pkgs 0) { + if ($affected_pkgs 0) { # Notify of flagging by email $f_name = username_from_sid($_COOKIE['AURSID'], $dbh); $f_email = email_from_sid($_COOKIE['AURSID'], $dbh); 
@@ -846,9 +825,42 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { } } - if ($action) { - return __(The selected packages have been flagged out-of-date.); - } else { + return __(The selected packages have been flagged out-of-date.); +} + +/** + * Unflag package(s) as out-of-date + * + * @param string $atype Account type, output of account_from_sid + * @param array $ids Array of package IDs to flag/unflag + * + * @return string Translated success or error messages + */ +function pkg_unflag($atype, $ids, $dbh=NULL) { + if (!$atype) { + return __(You must be logged in before you can unflag packages.); + } + + $ids = sanitize_ids($ids); + if (empty($ids)) { + return __(You did not select any packages to unflag.); + } + + if(!$dbh) { + $dbh = db_connect(); + } + + $q = UPDATE Packages SET ; + $q.= OutOfDateTS = NULL ; + $q.= WHERE ID IN ( . implode(,, $ids) . ) ; + + if ($atype != Trusted User $atype != Developer) { + $q.= AND MaintainerUID = . uid_from_sid($_COOKIE[AURSID], $dbh); + } + + $result = $dbh-exec($q); + + if ($result
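Review bot: the new pkg_unflag() docblock in pkgfuncs.inc.php still says `@param array $ids Array of package IDs to flag/unflag`, copied from pkg_flag(), and neither function's docblock lists the `$dbh` parameter; reword the pkg_unflag() entry to unflag-only and add a `@param` line for `$dbh` in both.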
[aur-dev] [PATCH] INSTALL: Update required dummy data packages
Signed-off-by: canyonknight canyonkni...@gmail.com --- INSTALL | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index 1a41066..047cfc4 100644 --- a/INSTALL +++ b/INSTALL @@ -72,7 +72,7 @@ Setup on Arch Linux: (give password 'aur' at the prompt) - Optionally load some test data for development purposes. - # pacman -S words mysql-python + # pacman -S words fortune-mod # cd ~/aur/support/schema/ # python gendummydata.py dummy-data.sql # bzip2 dummy-data.sql -- 1.8.0.1
Re: [aur-dev] Subset of database for autocomplete
On Tue, Dec 4, 2012 at 8:32 AM, Marcel Korpel marcel.li...@gmail.com wrote: Hi developers, I'd like to implement a typeahead menu like it appears on the main page. In order to test my PHP script that feeds package names, I need a small subset of the AUR database (only the Packages table), say 1000 records. Can someone provide me such a subset? I usually run support/schema/reloadtestdb.sh. It loads the DB schema, generates dummy data, and loads the dummy data all in one command. Are you planning on using a JavaScript framework to implement auto-complete or some other means? Regards, Jason
[aur-dev] [PATCH] Fix account editing and hijacking vulnerability
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by: canyonknight canyonkni...@gmail.com Signed-off-by: Lukas Fleischer archli...@cryptocrack.de --- Already applied to maint branch and aur.archlinux.org setup. Anyone using a custom AUR setup should apply this patch. web/html/account.php | 11 --- web/lib/acctfuncs.inc.php | 29 + 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 786ae02..cccdd76 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -73,9 +73,14 @@ if (isset($_COOKIE[AURSID])) { } } elseif ($action == UpdateAccount) { - # user is submitting their modifications to an existing account - # - if (check_token()) { + $uid = uid_from_sid($_COOKIE['AURSID']); + + /* Details for account being updated */ + $acctinfo = account_details(in_request('ID'), in_request('U')); + + /* Verify user permissions and that the request is a valid POST */ + if (can_edit_account($atype, $acctinfo, $uid) check_token()) { + /* Update the details for the existing account */ process_account_form($atype, edit, UpdateAccount, in_request(U), in_request(T), in_request(S), in_request(E), in_request(P), in_request(C), diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 3fd23ae..81e06b6 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php 
@@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) { $q = INSERT INTO TU_Votes (VoteID, UserID) VALUES ( . intval($voteid) . , . intval($uid) . ); $result = $dbh-exec($q); } + +/** + * Verify a user has the proper permissions to edit an account + * + * @param string $atype Account type of the editing user + * @param array $acctinfo User account information for edited account + * @param int $uid User ID of the editing user + * + * @return bool True if permission to edit the account, otherwise false + */ +function can_edit_account($atype, $acctinfo, $uid) { + /* Developers can edit any account */ + if ($atype == 'Developer') { + return true; + } + + /* Trusted Users can edit all accounts except Developer accounts */ + if ($atype == 'Trusted User' + $acctinfo['AccountType'] != 'Developer') { + return true; + } + + /* Users can edit only their own account */ + if ($acctinfo['ID'] == $uid) { + return true; + } + + return false; +} -- 1.8.0.1
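Review bot: can_edit_account() in acctfuncs.inc.php assumes `$acctinfo` is a populated array; when account_details() finds nothing for the submitted ID/U, the `$acctinfo['AccountType']` and `$acctinfo['ID']` lookups raise notices and the Trusted User branch evaluates `null != 'Developer'` as true. Return false up front when `$acctinfo` is empty, and compare the IDs as integers rather than with a loose `==` against request-derived data.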
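Review bot: in the account.php hunk the permission check resolves the target through `account_details(in_request('ID'), in_request('U'))`, while process_account_form() is still handed the individual request fields (`in_request(U)`, ...); it is worth confirming that both select the same row, since a mismatch between the identifier checked and the identifier updated would let the new check be sidestepped.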
[aur-dev] [PATCH] Fix account privilege escalation vulnerability
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their User level account to a Developer account. Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight canyonkni...@gmail.com Signed-off-by: Lukas Fleischer archli...@cryptocrack.de --- Already applied to maint branch and aur.archlinux.org setup. Anyone using a custom AUR setup should apply this patch. web/lib/acctfuncs.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 81e06b6..a41659e 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, $error = __(The PGP key fingerprint is invalid.); } - if ($UTYPE == Trusted User $T == 3) { - $error = __(A Trusted User cannot assign Developer status.); + if (($UTYPE == User $T 1) || ($UTYPE == Trusted User $T 2)) { + $error = __(Cannot increase account permissions.); } if (!$error !array_key_exists($L, $SUPPORTED_LANGS)) { $error = __(Language is not currently supported.); -- 1.8.0.1
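Review bot: the new condition compares the request-supplied `$T` numerically against the implicit levels User=1, Trusted User=2, Developer=3 and relies on PHP coercing the string; a non-numeric `$T` coerces to 0 and passes as a downgrade, so cast it with intval() (and reject values outside the known range) first, and name the levels as constants so the thresholds are not magic numbers scattered across acctfuncs.inc.php.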
[aur-dev] [PATCH] index.php: Move voter page token check to switch control structure
Voter page token check takes place in the same way as other existing token checks. Move the check for consistency. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/index.php | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/web/html/index.php b/web/html/index.php index 3b46ab9..a197d0b 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -22,12 +22,6 @@ if (!empty($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { } if (!empty($tokens[3])) { - if ($tokens[3] == 'voters') { - $_GET['ID'] = pkgid_from_name($tokens[2]); - include('voters.php'); - return; - } - /* TODO: Remove support for legacy URIs and move these * actions to separate modules. */ switch ($tokens[3]) { @@ -55,6 +49,10 @@ if (!empty($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { case merge: include('pkgmerge.php'); return; + case voters: + $_GET['ID'] = pkgid_from_name($tokens[2]); + include('voters.php'); + return; default: header(HTTP/1.0 404 Not Found); include ./404.php; -- 1.8.0
[aur-dev] [PATCH] login.php: Properly link to logout page when already logged in
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/login.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/html/login.php b/web/html/login.php index 9b3715b..e458fec 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -17,7 +17,7 @@ html_header('AUR ' . __(Login)); ?php if (isset($_COOKIE[AURSID])): ? p ?= __(Logged-in as: %s, 'strong' . username_from_sid($_COOKIE[AURSID]) . '/strong'); ? - a href=?php get_uri('/logout/'); ?[?= __(Logout); ?]/a + a href=?= get_uri('/logout/'); ?[?= __(Logout); ?]/a /p ?php elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) $_SERVER['HTTPS'])): ? form method=post action=?= get_uri('/login') ? -- 1.8.0
[aur-dev] [PATCH] pkgfuncs.inc.php: Rework query to avoid Required by duplicates
Packages with multiple DepConditions are returned multiple times in the Required by column. Limit SQL results to distinct packages. Fixes FS#32478 Signed-off-by: canyonknight canyonkni...@gmail.com --- Ignore previous duplicates fix. This works better as an SQL fix. web/lib/pkgfuncs.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 8f84cdf..cfdd9a7 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -169,7 +169,7 @@ function package_required($name=, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = SELECT p.Name, PackageID FROM PackageDepends pd ; + $q = SELECT DISTINCT p.Name, PackageID FROM PackageDepends pd ; $q.= JOIN Packages p ON pd.PackageID = p.ID ; $q.= WHERE DepName = . $dbh-quote($name) . ; $q.= ORDER BY p.Name; -- 1.8.0
[aur-dev] [PATCH] pkgfuncs.inc.php: Avoid printing duplicates in Required by
Packages with multiple DepConditions are returned multiple times in the Required by column. Array is multi-dimensional so cannot have array_unique() run over it directly to remove duplicates. Serialize the array, remove duplicates, then unserialize the array. Fixes FS#32478 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/pkgfuncs.inc.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 8f84cdf..4beaec3 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -178,6 +178,8 @@ function package_required($name=, $dbh=NULL) { while ($row = $result-fetch(PDO::FETCH_NUM)) { $deps[] = $row; } + + $deps = array_map('unserialize', array_unique(array_map('serialize', $deps))); } return $deps; } -- 1.8.0
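Review bot: array_unique() preserves the original keys, so after `$deps = array_map('unserialize', array_unique(array_map('serialize', $deps)))` the returned array has gaps in its indices; wrap the result in array_values() if any caller indexes `$deps` positionally. The SELECT DISTINCT follow-up above sidesteps the issue entirely.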
[aur-dev] [PATCH] pkgsubmit.php: Check that there is one directory in a tarball
Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball. Signed-off-by: canyonknight canyonkni...@gmail.com --- The error message isn't great. But this avoids messing up the string freeze. web/html/pkgsubmit.php | 4 1 file changed, 4 insertions(+) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index efd90e1..885c44f 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -106,6 +106,10 @@ if ($uid): } } + if (!$error $dircount !== 1) { + $error = __(Error - source tarball may not contain files outside a directory.); + } + if (!$error empty($pkgbuild_raw)) { $error = __(Error trying to unpack upload - PKGBUILD does not exist.); } -- 1.8.0
[aur-dev] [PATCH v2] aurjson.class.php: Limit number of RPC results
With no limit to the number of results, memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to an amount set within config.inc.php to avoid exceeding memory_limit. Introduce new JSON error code for when the result limit is hit. Fixes FS#31849 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/aurjson.class.php| 22 +- web/lib/config.inc.php.proto | 4 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index fbdc711..949c34f 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -117,6 +117,7 @@ class AurJSON { } private function process_query($type, $where_condition) { +global $MAX_RPC_RESULTS; $fields = implode(',', self::$fields); $query = SELECT Users.Username as Maintainer, {$fields} . FROM Packages LEFT JOIN Users . @@ -149,6 +150,10 @@ class AurJSON { } } + if ($resultcount === $MAX_RPC_RESULTS) { + return $this-json_error('Too many package results.'); + } + return $this-json_results($type, $resultcount, $search_data); } else { @@ -191,6 +196,7 @@ class AurJSON { * @return mixed Returns an array of package matches. **/ private function search($keyword_string) { +global $MAX_RPC_RESULTS; if (strlen($keyword_string) 2) { return $this-json_error('Query arg too small'); } @@ -198,7 +204,8 @@ class AurJSON { $keyword_string = $this-dbh-quote(% . addcslashes($keyword_string, '%_') . %); $where_condition = (Name LIKE {$keyword_string} OR ; -$where_condition.= Description LIKE {$keyword_string}); +$where_condition.= Description LIKE {$keyword_string}) ; +$where_condition.= LIMIT {$MAX_RPC_RESULTS}; return $this-process_query('search', $where_condition); } 
@@ -227,6 +234,7 @@ class AurJSON { * @return mixed Returns an array of results containing the package data **/ private function multiinfo($pqdata) { +global $MAX_RPC_RESULTS; $args = $this-parse_multiinfo_args($pqdata); $ids = $args['ids']; $names = $args['names']; @@ -238,17 +246,19 @@ class AurJSON { $where_condition = ; if ($ids) { $ids_value = implode(',', $args['ids']); -$where_condition .= ID IN ({$ids_value}); +$where_condition .= ID IN ({$ids_value}) ; } if ($ids $names) { -$where_condition .= OR ; +$where_condition .= OR ; } if ($names) { // individual names were quoted in parse_multiinfo_args() $names_value = implode(',', $args['names']); -$where_condition .= Name IN ({$names_value}); +$where_condition .= Name IN ({$names_value}) ; } +$where_condition .= LIMIT {$MAX_RPC_RESULTS}; + return $this-process_query('multiinfo', $where_condition); } @@ -258,9 +268,11 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { +global $MAX_RPC_RESULTS; $maintainer = $this-dbh-quote($maintainer); -$where_condition = Users.Username = {$maintainer}; +$where_condition = Users.Username = {$maintainer} ; +$where_condition .= LIMIT {$MAX_RPC_RESULTS}; return $this-process_query('msearch', $where_condition); } diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index f132445..1fe7dbc 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -55,3 +55,7 @@ $AUR_LOCATION = http://localhost;; # Use virtual URLs -- to enable this feature, you also need to tell your web # server to redirect all requests to /index.php/$uri. $USE_VIRTUAL_URLS = true; + +# Maximum number of package results to return through an RPC connection. +# Avoid setting this too high and having a PHP too much memory error. +$MAX_RPC_RESULTS = 5000; -- 1.7.12.4
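Review bot: the `$resultcount === $MAX_RPC_RESULTS` check in the process_query hunk reports a query that returns exactly the configured limit as "Too many package results" even though nothing was cut off, and it cannot distinguish that case from a result set that LIMIT truncated. Select one more row than the configured limit and treat `$resultcount > $MAX_RPC_RESULTS` as the overflow condition, returning only the first `$MAX_RPC_RESULTS` rows otherwise.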
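Review bot: the search, multiinfo and msearch hunks each append `LIMIT {$MAX_RPC_RESULTS}` to `$where_condition`, so the LIMIT clause is hidden in a variable whose name says WHERE and is duplicated across three callers, each of which also needs its own `global $MAX_RPC_RESULTS;`. Let process_query append the LIMIT after it has built the query; that keeps the clause in one place, keeps it last if an ORDER BY is ever added there, and leaves only one function aware of the setting.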
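Review bot: the config.inc.php.proto hunk should say how `$MAX_RPC_RESULTS = 5000` relates to PHP's memory_limit (the commit message cites 32M), because "avoid setting this too high" gives an administrator nothing concrete to tune against. Since the value is interpolated straight into the SQL text, also note in the comment that it must be an integer, or cast it with `intval()` at the point of use so the constraint is enforced rather than assumed.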
[aur-dev] [PATCH] aurjson.class.php: Limit number of RPC results
With no limit to the number of results, memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to 5000 packages to avoid exceeding memory_limit. Introduce new JSON error code for when the result limit is hit. Fixes FS#31849 Signed-off-by: canyonknight canyonkni...@gmail.com --- It doesn't have to be 5000. That's just a safe arbitrary number I came up with during testing. web/lib/aurjson.class.php | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index fbdc711..5701697 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -149,6 +149,10 @@ class AurJSON { } } + if ($resultcount === 5000) { + return $this-json_error('Too many package results.'); + } + return $this-json_results($type, $resultcount, $search_data); } else { @@ -198,7 +202,8 @@ class AurJSON { $keyword_string = $this-dbh-quote(% . addcslashes($keyword_string, '%_') . %); $where_condition = (Name LIKE {$keyword_string} OR ; -$where_condition.= Description LIKE {$keyword_string}); +$where_condition.= Description LIKE {$keyword_string}) ; +$where_condition.= LIMIT 5000; return $this-process_query('search', $where_condition); } @@ -238,17 +243,19 @@ class AurJSON { $where_condition = ; if ($ids) { $ids_value = implode(',', $args['ids']); -$where_condition .= ID IN ({$ids_value}); +$where_condition .= ID IN ({$ids_value}) ; } if ($ids $names) { -$where_condition .= OR ; +$where_condition .= OR ; } if ($names) { // individual names were quoted in parse_multiinfo_args() $names_value = implode(',', $args['names']); -$where_condition .= Name IN ({$names_value}); +$where_condition .= Name IN ({$names_value}) ; } +$where_condition .= LIMIT 5000; + return $this-process_query('multiinfo', $where_condition); } 
@@ -260,7 +267,8 @@ class AurJSON { private function msearch($maintainer) { $maintainer = $this-dbh-quote($maintainer); -$where_condition = Users.Username = {$maintainer}; +$where_condition = Users.Username = {$maintainer} ; +$where_condition .= LIMIT 5000; return $this-process_query('msearch', $where_condition); } -- 1.7.12.3
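Review bot: the literal `5000` appears in four places across the hunks (the `=== 5000` check in process_query and the three `LIMIT 5000` strings in search, multiinfo and msearch), so any later adjustment must touch all of them and they can silently drift apart; define the limit once (the cover note already says the number is arbitrary) and reference that. The equality check has the same exact-match problem as any such test: a query that returns exactly 5000 rows is reported as too many although it fit in the limit.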
[aur-dev] [PATCH 1/6] pkg_details.php: Add missing XHTML close tags
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_details.php | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index b286664..74f9257 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -117,6 +117,7 @@ if ($SID ($uid == $row[MaintainerUID] || a href=?= get_uri('/packages/'); ??C=?= $row['CategoryID'] ??= $row['Category'] ?/a ?php endif; ? /td + /tr tr th?= __('License') . ': ' ?/th td?= htmlspecialchars($license) ?/td @@ -138,6 +139,7 @@ if ($row[SubmitterUID]): ?php else: ? tdNone/td ?php endif; ? + /tr tr th?= __('Maintainer') .': ' ?/th ?php @@ -160,9 +162,9 @@ if ($row[MaintainerUID]): th?= __('Votes') . ': ' ?/th ?php if ($atype == Developer || $atype == Trusted User): ? ?php if ($USE_VIRTUAL_URLS): ? - tda href=?= get_pkg_uri($row['Name']); ?voters/?= $votes ?/a + tda href=?= get_pkg_uri($row['Name']); ?voters/?= $votes ?/a/td ?php else: ? - tda href=?= get_uri('/voters/'); ??ID=?= $pkgid ??= $votes ?/a + tda href=?= get_uri('/voters/'); ??ID=?= $pkgid ??= $votes ?/a/td ?php endif; ? ?php else: ? td?= $votes ?/td -- 1.7.12.3
[aur-dev] [PATCH 2/6] pkg_comment_form.php: Remove reference to call attribute
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_comment_form.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 903173d..da871ec 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -1,6 +1,6 @@ div id=generic-form class=box h2?= __(Add Comment); ?/h2 - form call=general-form action=?= $_SERVER['REQUEST_URI'] ? method=post + form action=?= $_SERVER['REQUEST_URI'] ? method=post fieldset ?php if (isset($_REQUEST['comment']) check_token()) { -- 1.7.12.3
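Review bot: the rewritten `form action=` line in this hunk still echoes `$_SERVER['REQUEST_URI']` without `htmlspecialchars()`; REQUEST_URI carries the raw query string the client sent, which makes this a reflected XSS vector in the comment form. Escape it as `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES)`, or build the action from the package name the way actions_form.php does with `htmlspecialchars(get_pkg_uri($row['Name']), ENT_QUOTES)`.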
[aur-dev] [PATCH 3/6] tu_list.php: Remove stray /span tags
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/tu_list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/template/tu_list.php b/web/template/tu_list.php index 566cb17..f80d2f5 100644 --- a/web/template/tu_list.php +++ b/web/template/tu_list.php @@ -25,7 +25,7 @@ ? tr class=?= $c ? td?php $row[Agenda] = htmlspecialchars(substr($row[Agenda], 0, $prev_Len)); ? - a href=?= get_uri('/tu/'); ??id=?= $row['ID'] ??= $row[Agenda] ?/a/span/span + a href=?= get_uri('/tu/'); ??id=?= $row['ID'] ??= $row[Agenda] ?/a /td td?= gmdate(Y-m-d, $row[Submitted]) ?/td td?= gmdate(Y-m-d, $row[End]) ?/td -- 1.7.12.3
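Review bot: in the tu_list.php hunk, `substr($row[Agenda], 0, $prev_Len)` runs before `htmlspecialchars()`, so a cut in the middle of a multibyte UTF-8 character hands an invalid string to htmlspecialchars, which on PHP 5.4 and later returns an empty string and makes the agenda link text disappear. Truncate with `mb_substr()` (or `mb_strcut()`) instead so the escaped output is always a valid string.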
[aur-dev] [PATCH 4/6] account_edit_form.php: Fix some XHTML errors
* Add /option close tags * Add VI delimiter to selected option * Add quotes to language codes Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/account_edit_form.php | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 308913d..6c39d53 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -23,23 +23,25 @@ label for=id_type?= __(Account Type) ?:/label select name=T id=id_type ?php if ($T == User): ? - option value=1 selected?= __(Normal user) ? + option value=1 selected=selected?= __(Normal user) ?/option ?php else: ? - option value=1?= __(Normal user) ? + option value=1?= __(Normal user) ?/option ?php endif; ? ?php if ($T == Trusted User): ? - option value=2 selected?= __(Trusted user) ? + option value=2 selected=selected?= __(Trusted user) ?/option ?php else: ? - option value=2?= __(Trusted user) ? + option value=2?= __(Trusted user) ?/option ?php endif; ? ?php # Only developers can make another account a developer if ($UTYPE == Developer): ? option value=3 - ?php $T == Developer ? print selected : print ; + ?php $T == Developer ? print selected=\selected\ : print ; print __(Developer).\n; ? + /option ?php endif; ? + /select /p @@ -92,9 +94,9 @@ reset($SUPPORTED_LANGS); while (list($code, $lang) = each($SUPPORTED_LANGS)) { if ($L == $code) { - print option value=.$code. selected .$lang.\n; + print option value=\.$code.\ selected=\selected\ .$lang./option.\n; } else { - print option value=.$code. .$lang.\n; + print option value=\.$code.\ .$lang./option.\n; } } ? -- 1.7.12.3
[aur-dev] [PATCH 5/6] account_details.php: Fix XHTML tags being closed incorrectly
Replace incorrect /td tags with /th tags Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/account_details.php | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/web/template/account_details.php b/web/template/account_details.php index aa18f5b..fdebfb3 100644 --- a/web/template/account_details.php +++ b/web/template/account_details.php @@ -4,11 +4,11 @@ h3?= htmlspecialchars($row[Username], ENT_QUOTES) ?/h3 table class=bio tr - th?= __(Username) . : ?/td + th?= __(Username) . : ?/th td?= $row[Username] ?/td /tr tr - th?= __(Account Type) . : ?/td + th?= __(Account Type) . : ?/th td ?php if ($row[AccountType] == User) { @@ -22,23 +22,23 @@ /td /tr tr - th?= __(Email Address) . : ?/td + th?= __(Email Address) . : ?/th tda href=mailto:?= htmlspecialchars($row[Email], ENT_QUOTES) ??= htmlspecialchars($row[Email], ENT_QUOTES) ?/a/td /tr tr - th?= __(Real Name) . : ?/td + th?= __(Real Name) . : ?/th td?= htmlspecialchars($row[RealName], ENT_QUOTES) ?/td /tr tr - th?= __(IRC Nick) . : ?/td + th?= __(IRC Nick) . : ?/th td?= htmlspecialchars($row[IRCNick], ENT_QUOTES) ?/td /tr tr - th?= __(PGP Key Fingerprint) . : ?/td + th?= __(PGP Key Fingerprint) . : ?/th td?= html_format_pgp_fingerprint($row[PGPKey]) ?/td /tr tr - th?= __(Last Voted) . : ?/td + th?= __(Last Voted) . : ?/th td ?= $row[LastVoted] ? date(Y-m-d, $row[LastVoted]) : __(Never); ? /td -- 1.7.12.3
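Review bot: the first hunk's context line `td?= $row[Username] ?/td` prints the username unescaped, while the `h3` two lines above escapes the same value with `htmlspecialchars($row[Username], ENT_QUOTES)`; since this patch already touches every row of the table, make the output consistent and escape it here too rather than relying on username validation at account creation.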
[aur-dev] [PATCH 6/6] home.php: Fix XHTML tag errors
* Add missing p tag * Move h4 outside of a p tag * Rename an id to avoid a conflict with an already existing id Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/home.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/web/html/home.php b/web/html/home.php index f5a9afe..4d5b699 100644 --- a/web/html/home.php +++ b/web/html/home.php @@ -43,8 +43,8 @@ $dbh = db_connect(); ?= __('Remember to vote for your favourite packages!'); ? ?= __('Some packages may be provided as binaries in [community].'); ? /p - p h4?= __('Discussion') ?/h4 + p ?php echo __( 'General discussion regarding the Arch User Repository (AUR) and Trusted User structure takes place on %saur-general%s. This list can be used for package orphan requests, merge requests, and deletion requests. For discussion relating to the development of the AUR, use the %saur-dev%s mailing list.', @@ -56,6 +56,7 @@ $dbh = db_connect(); ? /p h4?= __('Bug Reporting') ?/h4 + p ?php echo __( 'If you find a bug in the AUR, please fill out a bug report on our %sbug tracker%s. Use the tracker to report bugs in the AUR %sonly%s. To report packaging bugs contact the package maintainer or leave a comment on the appropriate package page.', @@ -107,7 +108,7 @@ $dbh = db_connect(); /tr /table /div - div id=pkg-updates class=widget box + div id=pkg-stats class=widget box table tr td class=pkg-name -- 1.7.12.3
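Review bot: the last hunk renames `id=pkg-updates` to `id=pkg-stats`, but the message only mentions the duplicate id; check the stylesheet and any JavaScript for selectors on `#pkg-updates` and rename those in the same patch, otherwise the widget silently loses its styling while the old id keeps matching the other element.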
[aur-dev] [PATCH v2] pkg_comment_form.php: Remove redundant label for the comment box
Comment box already uses h2 tag. Additional label is not needed. Also remove label for form submit button. Reported-by: Dave Reisner d...@falconindy.com Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_comment_form.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 9315b0a..903173d 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -12,11 +12,9 @@ if (isset($_REQUEST['comment']) check_token()) { input type=hidden name=token value=?= htmlspecialchars($_COOKIE['AURSID']) ? / /div p - label for=id_comment?= __(Comment) . ':' ?/label textarea id=id_comment name=comment cols=80 rows=10/textarea /p p - label/label input type=submit value=?= __(Add Comment) ? / /p /fieldset -- 1.7.12.2
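Review bot: with `label for=id_comment` removed, the textarea no longer has a programmatically associated label, so assistive technology announces an unnamed field; the `h2` heading is not associated with it. Keep an accessible name, for example by leaving the label in place with a class that hides it visually, or by adding a `title` to the textarea. Removing the empty `label/label` before the submit button is fine.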
[aur-dev] [PATCH] pkg_comments.php: Move delete button to same line as poster info
The delete button is currently on a separate line. Change some logic to allow for the button to be on the same line as poster info. Reported-by: Dave Reisner d...@falconindy.com Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_comments.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/web/template/pkg_comments.php b/web/template/pkg_comments.php index 997b9ca..2ed6420 100644 --- a/web/template/pkg_comments.php +++ b/web/template/pkg_comments.php @@ -22,9 +22,11 @@ $pkgname = $row['Name']; input type=hidden name=token value=?= htmlspecialchars($_COOKIE['AURSID']) ? / input type=image src=/images/x.png alt=?= __('Delete comment') ? name=submit value=1 / /fieldset + ?= __('Comment by %s', $row['UserName']) ? /form - ?php endif; ? + ?php else: ? ?= __('Comment by %s', $row['UserName']) ? + ?php endif; ? /h4 p class=timestamp?= gmdate('Y-m-d H:i', $row['CommentTS']) ?/p div class=article-content -- 1.7.12.2
[aur-dev] [PATCH] Remove character limit on password length
As all new passwords are hashed and therefore stored in the database at the same length, this limitation is no longer needed. Fixes FS#31855 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/login.php | 2 +- web/html/passreset.php | 4 ++-- web/lib/config.inc.php.proto | 1 - web/template/account_edit_form.php | 4 ++-- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/web/html/login.php b/web/html/login.php index ed323f8..d5bb1e7 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -32,7 +32,7 @@ html_header('AUR ' . __(Login)); /p p label for=id_password?= __('Password') . ':'; ?/label - input id=id_password type=password name=passwd size=30 maxlength=?= PASSWD_MAX_LEN; ? / + input id=id_password type=password name=passwd size=30 / /p p input type=checkbox name=remember_me id=id_remember_me / diff --git a/web/html/passreset.php b/web/html/passreset.php index 13697b9..42dfc86 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -86,11 +86,11 @@ html_header(__(Password Reset)); /tr tr td?= __(Enter your new password:); ?/td - tdinput type=password name=password size=30 maxlength=32 //td + tdinput type=password name=password size=30 //td /tr tr td?= __(Confirm your new password:); ?/td - tdinput type=password name=confirm size=30 maxlength=32 //td + tdinput type=password name=confirm size=30 //td /tr /table br / diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index 3c7df19..f132445 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -15,7 +15,6 @@ define( URL_DIR, /packages/ ); define( USERNAME_MIN_LEN, 3 ); define( USERNAME_MAX_LEN, 16 ); define( PASSWD_MIN_LEN, 4 ); -define( PASSWD_MAX_LEN, 128 ); # Default language for displayed messages in the web interface. define(DEFAULT_LANG, en); diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 20f552a..308913d 100644 --- a/web/template/account_edit_form.php 
+++ b/web/template/account_edit_form.php @@ -60,13 +60,13 @@ p label for=id_passwd1?= __(Password) ?:/label - input type=password size=30 maxlength=32 name=P id=id_passwd1 value=?= $P ? / + input type=password size=30 name=P id=id_passwd1 value=?= $P ? / ?php if ($A != UpdateAccount): print (.__(required).); endif; ? /p p label for=id_passwd2?= __(Re-type password) ?:/label - input type=password size=30 maxlength=32 name=C id=id_passwd2 value=?= $C ? / + input type=password size=30 name=C id=id_passwd2 value=?= $C ? / ?php if ($A != UpdateAccount): print (.__(required).); endif; ? /p -- 1.7.12.2
[aur-dev] [PATCH] pkgfuncs.inc.php: Fix blacklisting functionality
An array that contains whether the package is blacklisted is being improperly used for a comparison. Use fetchColumn() to avoid the array completely and compare a value directly. Regression with e171f6f34eeacf35cf7142b4788d43e7d0978546 Fixes FS#31867 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/pkgfuncs.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 0072856..baa9aa1 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -428,7 +428,7 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { $result = $dbh-query($q); if (!$result) return false; - return ($result-fetch(PDO::FETCH_NUM) 0); + return ($result-fetchColumn() 0); } /** -- 1.7.12.2
[aur-dev] [PATCH] pkgsubmit.php: Fix package version not updating
Parameters were not correct for a package update operation. Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c Fixes FS#31868 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/pkgsubmit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 09e95ca..efd90e1 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -381,7 +381,7 @@ if ($uid): } # Update package data - update_pkgdetails($packageID, $new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, , $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], , $uid, $dbh); + update_pkgdetails($new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], $uid, $packageID, $dbh); } else { # This is a brand new package new_pkgdetails($new_pkgbuild['pkgname'], $new_pkgbuild['license'], $pkg_version, $category_id, $new_pkgbuild['pkgdesc'], $new_pkgbuild['url'], $uid, $dbh); -- 1.7.12.2
[aur-dev] [PATCH] tu.php: Fix page showing a user hasn't voted when they have
An ended vote details page will report a user hasn't voted even when they have. This is a result of faulty logic that only checks if a user has voted if the vote is still running. Regression with commit c15441762c6f6ab4438eaf2854c0ee3146a98b30 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/tu.php | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/web/html/tu.php b/web/html/tu.php index 5e85e78..e2f7712 100644 --- a/web/html/tu.php +++ b/web/html/tu.php @@ -42,10 +42,13 @@ if ($atype == Trusted User || $atype == Developer) { } else if ($row['User'] == username_from_sid($_COOKIE[AURSID])) { $canvote = 0; $errorvote = __(You cannot vote in an proposal about you.); - } else if (tu_voted($row['ID'], uid_from_sid($_COOKIE[AURSID]))) { + } + if (tu_voted($row['ID'], uid_from_sid($_COOKIE[AURSID]))) { $canvote = 0; $hasvoted = 1; - $errorvote = __(You've already voted for this proposal.); + if ($isrunning) { + $errorvote = __(You've already voted for this proposal.); + } } if ($canvote == 1) { -- 1.7.12.2
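Review bot: after the `else if` becomes a standalone `if` in the tu.php hunk, the tu_voted() block runs even when an earlier branch already set `$canvote = 0` with its own message, and for a running proposal it would overwrite `$errorvote` with "You've already voted for this proposal."; that this cannot happen today rests on the earlier branches being mutually exclusive with having voted. Either note that assumption in a comment or guard the message assignment with `$canvote == 1` so the first reason reported always wins.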
[aur-dev] [PATCH] Change logo link for consistency with Archweb
Fixes FS#27669 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/header.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/template/header.php b/web/template/header.php index 3179a53..c78f1e3 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -13,7 +13,7 @@ /head body div id=archnavbar class=anb-aur - div id=archnavbarlogoh1a href=/ title=Return to the main pageArch Linux/a/h1/div + div id=archnavbarlogoh1a href=http://www.archlinux.org; title=Return to the main pageArch Linux/a/h1/div div id=archnavbarmenu ul id=archnavbarlist li id=anb-homea href=http://www.archlinux.org/; title=Arch news, packages, projects and moreHome/a/li -- 1.7.12.2
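Review bot: the new logo href `http://www.archlinux.org` drops the trailing slash that the `anb-home` link two lines below keeps (`http://www.archlinux.org/`); use the same form in both so the two links to the main page resolve to one URL without an extra redirect, which is the consistency the commit title is after.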
[aur-dev] [PATCH] pkg_comment_form.php: Remove redundant label for the comment box
Comment box already uses h2 tag. Additional label is not needed. Reported-by: Dave Reisner d...@falconindy.com Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_comment_form.php | 1 - 1 file changed, 1 deletion(-) diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 9315b0a..a0e7f68 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -12,7 +12,6 @@ if (isset($_REQUEST['comment']) check_token()) { input type=hidden name=token value=?= htmlspecialchars($_COOKIE['AURSID']) ? / /div p - label for=id_comment?= __(Comment) . ':' ?/label textarea id=id_comment name=comment cols=80 rows=10/textarea /p p -- 1.7.12.2
[aur-dev] [PATCH] pkgfuncs.inc.php: Document all functions using PHPDoc format
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/pkgfuncs.inc.php | 303 --- 1 file changed, 263 insertions(+), 40 deletions(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 06f348c..90b96a9 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -1,9 +1,19 @@ ?php include_once(config.inc.php); -# Make sure this visitor can delete the requested package comment -# They can delete if they were the comment submitter, or if they are a TU/Dev -# +/** + * Determine if the user can delete a specific package comment + * + * Only the comment submitter, Trusted Users, and Developers can delete + * comments. This function is used for the backend side of comment deletion. + * + * @param string $comment_id The comment ID in the database + * @param string $atype The account type of the user trying to delete a comment + * @param string|int $uid The user ID of the individual trying to delete a comment + * @param \PDO $dbh An Already establish database connection + * + * @return bool True if the user can delete the comment, otherwise false + */ function canDeleteComment($comment_id=0, $atype=, $uid=0, $dbh=NULL) { if ($atype == Trusted User || $atype == Developer) { # A TU/Dev can delete any comment 
@@ -26,9 +36,18 @@ function canDeleteComment($comment_id=0, $atype=, $uid=0, $dbh=NULL) { return FALSE; } -# Make sure this visitor can delete the requested package comment -# They can delete if they were the comment submitter, or if they are a TU/Dev -# +/** + * Determine if the user can delete a specific package comment using an array + * + * Only the comment submitter, Trusted Users, and Developers can delete + * comments. This function is used for the frontend side of comment deletion. + * + * @param array $comment All database information relating a specific comment + * @param string $atype The account type of the user trying to delete a comment + * @param string|int $uid The user ID of the individual trying to delete a comment + * + * @return bool True if the user can delete the comment, otherwise false + */ function canDeleteCommentArray($comment, $atype=, $uid=0) { if ($atype == Trusted User || $atype == Developer) { # A TU/Dev can delete any comment @@ -40,8 +59,16 @@ function canDeleteCommentArray($comment, $atype=, $uid=0) { return FALSE; } -# Check if the current user can submit blacklisted packages. -# +/** + * Determine if the visitor can submit blacklisted packages. + * + * Only Trusted Users and Developers can delete blacklisted packages. Packages + * are blacklisted if they are include in the official repositories. + * + * @param string $atype The account type of the user + * + * @return bool True if the user can submit blacklisted packages, otherwise false + */ function canSubmitBlacklisted($atype = ) { if ($atype == Trusted User || $atype == Developer) { # Only TUs/Devs can submit blacklisted packages. 
@@ -52,8 +79,13 @@ function canSubmitBlacklisted($atype = ) { } } -# grab the current list of PackageCategories -# +/** + * Get all package categories stored in the database + * + * @param \PDO An already established database connection + * + * @return array All package categories + */ function pkgCategories($dbh=NULL) { $cats = array(); if(!$dbh) { @@ -70,8 +102,14 @@ function pkgCategories($dbh=NULL) { return $cats; } -# check to see if the package name exists -# +/** + * Check to see if the package name already exists in the database + * + * @param string $name The package name to check + * @param \PDO $dbh An Already establish database connection + * + * @return string|void Package name if it already exists + */ function pkgid_from_name($name=, $dbh=NULL) { if (!$name) {return NULL;} if(!$dbh) { @@ -87,8 +125,14 @@ function pkgid_from_name($name=, $dbh=NULL) { return $row[0]; } -# grab package dependencies -# +/** + * Get package dependencies for a specific package + * + * @param int $pkgid The package to get dependencies for + * @param \PDO $dbh An Already establish database connection + * + * @return array All package dependencies for the package + */ function package_dependencies($pkgid, $dbh=NULL) { $deps = array(); $pkgid = intval($pkgid); @@ -111,6 +155,14 @@ function package_dependencies($pkgid, $dbh=NULL) { return $deps; } +/** + * Determine packages that depend on a package + * + * @param string $name The package name for the dependency search + * @param \PDO $dbh An Already establish database connection + * + * @return array All packages that depend on the specified package name + */ function package_required($name=, $dbh=NULL) { $deps = array(); if ($name != ) { @@ -130,7 +182,14 @@ function package_required($name=, $dbh=NULL) { return $deps; } -# Return the number
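Review bot: the canSubmitBlacklisted docblock says "Only Trusted Users and Developers can delete blacklisted packages", but the function and its own summary line are about submitting them; also "if they are include in the official repositories" should read "included". The wording matters here because this check gates who may upload a package name that shadows an official repository package.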
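Review bot: the pkgCategories docblock has `@param \PDO An already established database connection` with no variable name, so PHPDoc tools cannot associate it with `$dbh`; write `@param \PDO $dbh ...` as the other docblocks in this patch do, and fix the recurring "An Already establish" in those lines to "An already established".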
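Review bot: the pkgid_from_name docblock documents `@return string|void Package name if it already exists`, but the function name and `return $row[0];` indicate it returns the package ID, and the `if (!$name) {return NULL;}` path returns null rather than void; describe it as the package ID, `null` when the name is empty or unknown, so callers do not confuse the identifier with the name.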
[aur-dev] [PATCH 1/3] Move package deletion to a separate page
Package actions now have a separate box on the package details page. Make a package deletion link in that box. Link leads to a new page (pkgdel.php) that can be used to confirm package deletion. A separate page with confirmation is used to avoid CSRFs. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/index.php | 3 +++ web/html/pkgdel.php | 45 web/template/pkg_details.php | 3 +++ 3 files changed, 51 insertions(+) create mode 100644 web/html/pkgdel.php diff --git a/web/html/index.php b/web/html/index.php index ce8fa52..3fe6338 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -43,6 +43,9 @@ if (isset($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { case unflag: $_POST['do_UnFlag'] = __('UnFlag'); break; + case delete: + include('pkgdel.php'); + return; } if (isset($_COOKIE['AURSID'])) { diff --git a/web/html/pkgdel.php b/web/html/pkgdel.php new file mode 100644 index 000..a581176 --- /dev/null +++ b/web/html/pkgdel.php 
@@ -0,0 +1,45 @@ +?php + +set_include_path(get_include_path() . PATH_SEPARATOR . '../lib'); + +include_once(aur.inc.php); +include_once(pkgfuncs.inc.php); + +set_lang(); +check_sid(); + +html_header(__(Package Deletion)); + +$atype = ; + +if (isset($_COOKIE[AURSID])) { + $atype = account_from_sid($_COOKIE[AURSID]); +} + +if ($atype == Trusted User || $atype == Developer): ? +div class=box + h2?php echo __('Delete Package: %s', htmlspecialchars($pkgname)) ?/h2 + p + ?php echo __('Use this form to delete the package (%s%s%s) from the AUR. ', + 'strong', htmlspecialchars($pkgname), '/strong' + ); + echo __('Deletion of a package is permanent. '); + echo __('Select the checkbox to confirm action.') ? + /p + form action=?php echo get_uri('/packages/'); ? method=post + fieldset + input type=hidden name=IDs[?php echo $pkgid ?] value=1 / + input type=hidden name=ID value=?php echo $pkgid ? / + input type=hidden name=token value=?php echo htmlspecialchars($_COOKIE['AURSID']) ? / + pinput type=checkbox name=confirm_Delete value=1 / + ?php echo __(Confirm package deletion) ?/p + pinput type=submit class=button name=do_Delete value=?php echo __(Delete) ? //p + /fieldset + /form +/div + +?php else: + print __(Only Trusted Users and Developers can delete packages.); +endif; + +html_footer(AUR_VERSION); diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index 4e9e073..dcc086b 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -54,6 +54,9 @@ $sources = package_sources($row[ID]); ?php else: ? lia href=?= get_pkg_uri($row['Name']) . 'notify/'; ??= __('Notify of new comments'); ?/a/li ?php endif; ? + ?php if ($atype == Trusted User || $atype == Developer): ? + lia href=?= get_pkg_uri($row['Name']) . 'delete/'; ??= __('Delete Package'); ?/a/li + ?php endif; ? ?php endif; ? /ul ?php if ($uid): ? -- 1.7.12.1
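Review bot: pkgdel.php reads `$pkgname` and `$pkgid` but never assigns them; it only works because index.php sets them before `include('pkgdel.php')`. State that dependency in a comment at the top of the file and guard against the page being reached without them (the file lives in web/html, so a direct request would render the form with an empty `ID`).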
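Review bot: the TU/Dev check in pkgdel.php only decides whether the confirmation form is rendered; the POST goes to `/packages/` with `do_Delete`, so the handler there must repeat the `$atype` check and the token check, because a form can be submitted without this page ever being rendered. Likewise the `delete/` route added in index.php must stay render-only and never perform the deletion on GET, which is what makes the CSRF argument in the commit message hold.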
[aur-dev] [PATCH 2/3] Move package merging to a separate page
Package actions now have a separate box on the package details page. Add a package merge link in that box. Link leads to a new page (pkgmerge.php) that can be used to confirm package merging. A separate page with confirmation is used to avoid CSRFs. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/index.php | 3 +++ web/html/pkgmerge.php| 48 web/template/pkg_details.php | 1 + 3 files changed, 52 insertions(+) create mode 100644 web/html/pkgmerge.php diff --git a/web/html/index.php b/web/html/index.php index 3fe6338..12f79cb 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -46,6 +46,9 @@ if (isset($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { case delete: include('pkgdel.php'); return; + case merge: + include('pkgmerge.php'); + return; } if (isset($_COOKIE['AURSID'])) { diff --git a/web/html/pkgmerge.php b/web/html/pkgmerge.php new file mode 100644 index 000..687982e --- /dev/null +++ b/web/html/pkgmerge.php 
@@ -0,0 +1,48 @@ +?php + +set_include_path(get_include_path() . PATH_SEPARATOR . '../lib'); + +include_once(aur.inc.php); +include_once(pkgfuncs.inc.php); + +set_lang(); +check_sid(); + +html_header(__(Package Merging)); + +$atype = ; + +if (isset($_COOKIE[AURSID])) { + $atype = account_from_sid($_COOKIE[AURSID]); +} + +if ($atype == Trusted User || $atype == Developer): ? +div class=box + h2?php echo __('Merge Package: %s', htmlspecialchars($pkgname)) ?/h2 + p + ?php echo __('Use this form to merge the package (%s%s%s) into another package. ', + 'strong', htmlspecialchars($pkgname), '/strong' + ); + echo __('Once the package has been merged it cannot be reversed. '); + echo __('Enter the package name you wish to merge the package into. '); + echo __('Select the checkbox to confirm action.') ? + /p + form action=?php echo get_uri('/packages/'); ? method=post + fieldset + input type=hidden name=IDs[?php echo $pkgid ?] value=1 / + input type=hidden name=ID value=?php echo $pkgid ? / + input type=hidden name=token value=?php echo htmlspecialchars($_COOKIE['AURSID']) ? / + plabel for=merge_Into ?php echo __(Merge into:) ?/label + input type=text id=merge_Into name=merge_Into //p + pinput type=checkbox name=confirm_Delete value=1 / + ?php echo __(Confirm package merge) ?/p + pinput type=submit class=button name=do_Delete value=?php echo __(Merge) ? //p + /fieldset + /form +/div + +?php else: + print __(Only Trusted Users and Developers can merge packages.); +endif; + +html_footer(AUR_VERSION); diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index dcc086b..182722d 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php 
@@ -56,6 +56,7 @@ $sources = package_sources($row[ID]); ?php endif; ? ?php if ($atype == Trusted User || $atype == Developer): ? lia href=?= get_pkg_uri($row['Name']) . 'delete/'; ??= __('Delete Package'); ?/a/li + lia href=?= get_pkg_uri($row['Name']) . 'merge/'; ??= __('Merge Package'); ?/a/li ?php endif; ? ?php endif; ? /ul -- 1.7.12.1
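Review bot: the merge form in pkgmerge.php submits exactly the same `IDs[]`, `ID`, `token`, `confirm_Delete` and `do_Delete` fields as the delete form, differing only by `merge_Into`; if that text field is submitted empty, the request is indistinguishable from a plain deletion unless the handler checks it explicitly, so a TU who forgets the target deletes the package. Use a distinct submit name (`do_Merge`) and a `confirm_Merge` checkbox, and have the handler refuse a merge whose target is empty or does not name an existing package.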
[aur-dev] [PATCH 3/3] Deprecate actions bar when virtual URLs are used
The only buttons on the actions bar that were still used when virtual URLs are enabled were the package deletion and package merging. These now reside in separate pages, so remove the need for the actions bar when virtual URLs are enabled. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/actions_form.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/web/template/actions_form.php b/web/template/actions_form.php index 650c6c6..c5abbb3 100644 --- a/web/template/actions_form.php +++ b/web/template/actions_form.php @@ -1,4 +1,4 @@ -?php if (!$USE_VIRTUAL_URLS || $atype == Trusted User || $atype == Developer ): ? +?php if (!$USE_VIRTUAL_URLS): ? div class=box form action=?= htmlspecialchars(get_pkg_uri($row['Name']), ENT_QUOTES); ? method=post fieldset @@ -6,7 +6,6 @@ input type=hidden name=ID value=?= $row['ID'] ? / input type=hidden name=token value=?= htmlspecialchars($_COOKIE['AURSID']) ? / - ?php if (!$USE_VIRTUAL_URLS): ? ?php if (user_voted($uid, $row['ID'])): ? input type=submit class=button name=do_UnVote value=?= __(UnVote) ? / ?php else: ? @@ -25,7 +24,6 @@ ($uid == $row[MaintainerUID] || $atype == Trusted User || $atype == Developer)): ? input type=submit class=button name=do_UnFlag value=?= __(UnFlag Out-of-date) ? / ?php endif; ? - ?php endif; ? ?php if ($atype == Trusted User || $atype == Developer): ? input type=submit class=button name=do_Delete value=?= __(Delete Packages) ? / -- 1.7.12.1
[aur-dev] [PATCH] pkg_details.php: Utilize account details virtual URL
When virtual URLs are enabled, simpler links can be used to access a user's account details page. Change this for both the maintainer and submitter links. Keeps backwards compatibility with virtual URLs being disabled. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_details.php | 8 1 file changed, 8 insertions(+) diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index 182722d..b286664 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -126,8 +126,12 @@ if ($SID ($uid == $row[MaintainerUID] || ?php if ($row[SubmitterUID]): if ($SID): + if (!$USE_VIRTUAL_URLS): ? tda href=?= get_uri('/account/'); ??Action=AccountInfoamp;ID=?= htmlspecialchars($row['SubmitterUID'], ENT_QUOTES) ? title=?= __('View account information for')? ?= htmlspecialchars($submitter) ??= htmlspecialchars($submitter) ?/a/td + ?php else: ? + tda href=?= get_uri('/account/') . htmlspecialchars($submitter, ENT_QUOTES) ? title=?= __('View account information for %s', htmlspecialchars($submitter)) ??= htmlspecialchars($submitter) ?/a/td + ?php endif; ? ?php else: ? td?= htmlspecialchars($submitter) ?/td ?php endif; ? @@ -139,8 +143,12 @@ if ($row[SubmitterUID]): ?php if ($row[MaintainerUID]): if ($SID): + if (!$USE_VIRTUAL_URLS): ? tda href=?= get_uri('/account/'); ??Action=AccountInfoamp;ID=?= htmlspecialchars($row['MaintainerUID'], ENT_QUOTES) ? title=?= __('View account information for')? ?= htmlspecialchars($maintainer) ??= htmlspecialchars($maintainer) ?/a/td + ?php else: ? + tda href=?= get_uri('/account/') . htmlspecialchars($maintainer, ENT_QUOTES) ? title=?= __('View account information for %s', htmlspecialchars($maintainer)) ??= htmlspecialchars($maintainer) ?/a/td + ?php endif; ? ?php else: ? td?= htmlspecialchars($maintainer) ?/td ?php endif; ? -- 1.7.12.1
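Review bot: in both new else branches the username is concatenated into the path with only htmlspecialchars(..., ENT_QUOTES), which protects the HTML attribute but not the URL: a username containing "/", "?", "#" or "%" yields a wrong route. Apply rawurlencode() to $submitter / $maintainer first and htmlspecialchars() to the result, e.g. htmlspecialchars(get_uri('/account/') . rawurlencode($submitter), ENT_QUOTES). Also, the title text moves from __('View account information for') plus a name to __('View account information for %s', ...), which introduces a new msgid; the old one can be dropped from the translations once the non-virtual branch goes away.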
[aur-dev] [PATCH] acctfuncs.inc.php: Document all functions using PHPDoc format
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 351 +++--- 1 file changed, 270 insertions(+), 81 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 8c96e6f..bce00f8 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -1,6 +1,12 @@ ?php -# Helper function- retrieve request param if available, otherwise +/** + * Determine if an HTTP request variable is set + * + * @param string $name The request variable to test for + * + * @return string Return the value of the request variable, otherwise blank + */ function in_request($name) { if (isset($_REQUEST[$name])) { return $_REQUEST[$name]; @@ -8,7 +14,13 @@ function in_request($name) { return ; } -# Format PGP key fingerprint +/** + * Format the PGP key fingerprint + * + * @param string $fingerprint An unformatted PGP key fingerprint + * + * @return string PGP fingerprint with spaces every 4 characters + */ function html_format_pgp_fingerprint($fingerprint) { if (strlen($fingerprint) != 40 || !ctype_xdigit($fingerprint)) { return $fingerprint; 
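Review bot: the in_request() docblock says @return string, but the function returns $_REQUEST[$name] as-is, which is an array for fields such as IDs[] used by the package forms; string|array is the accurate type. For html_format_pgp_fingerprint(), the context lines show the input is returned unchanged when it is not 40 hex characters, so the @return should say "formatted fingerprint, or the input unchanged if it is not a 40-character hex string".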
@@ -26,49 +38,58 @@ function html_format_pgp_fingerprint($fingerprint) { substr($fingerprint, 36, 4) . , ENT_QUOTES); } -# Display the standard Account form, pass in default values if any - +/** + * Loads the account editing form, with any values that are already saved + * + * @global array $SUPPORTED_LANGS Languages that are supported by the AUR + * @param string $UTYPE User type of the account accessing the form + * @param string $A Form to use, either UpdateAccount or NewAccount + * @param string $U The username to display + * @param string $T The account type of the displayed user + * @param string $S Whether the displayed user has a suspended account + * @param string $E The e-mail address of the displayed user + * @param string $P The password value of the displayed user + * @param string $C The confirmed password value of the displayed user + * @param string $R The real name of the displayed user + * @param string $L The language preference of the displayed user + * @param string $I The IRC nickname of the displayed user + * @param string $K The PGP key fingerprint of the displayed user + * @param string $UID The user ID of the displayed user + * + * @return void + */ function display_account_form($UTYPE,$A,$U=,$T=,$S=, $E=,$P=,$C=,$R=,$L=,$I=,$K=,$UID=0) { - # UTYPE: what user type the form is being displayed for - # A: what form name to use - # U: value to display for username - # T: value to display for account type - # S: value to display for account suspended - # E: value to display for email address - # P: password value - # C: confirm password value - # R: value to display for RealName - # L: value to display for Language preference - # I: value to display for IRC nick - # N: new package notify value - # UID: Users.ID value in case form is used for editing - global $SUPPORTED_LANGS; include(account_edit_form.php); return; } # function display_account_form() - -# process form input from a new/edit account form -# +/** + * Process information given to 
new/edit account form + * + * @global array $SUPPORTED_LANGS Languages that are supported by the AUR + * @param string $UTYPE The account type of the user modifying the account + * @param string $TYPE Either edit for editing or new for registering an account + * @param string $A Form to use, either UpdateAccount or NewAccount + * @param string $U The username for the account + * @param string $T The account type for the user + * @param string $S Whether or not the account is suspended + * @param string $E The e-mail address for the user + * @param string $P The password for the user + * @param string $C The confirmed password for the user + * @param string $R The real name of the user + * @param string $L The language preference of the user + * @param string $I The IRC nickname of the user + * @param string $K The PGP fingerprint of the user + * @param string $UID The user ID of the modified account + * @param \PDO $dbh An already established database connection + * + * @return string|void Return void if successful, otherwise return error + */ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, $P=,$C=,$R=,$L=,$I=,$K=,$UID=0,$dbh=NULL) { - # UTYPE: The user's account type - # TYPE: either edit or new - # A: what parent form name to use - # U: value to display for username - # T: value to display for account type - # S: value to display for account suspended - # E: value to display for email address - # P: password value - # C: confirm password value - # R: value to display for RealName - # L: value to display
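Review bot: in both docblocks $UID is typed string but defaults to 0 and holds Users.ID, so @param int $UID; likewise $dbh defaults to NULL, so \PDO|null. $S is a suspended flag rather than free text; say what values it takes. Dropping the stale "N: new package notify value" line (no such parameter exists in the signature) is correct. For process_account_form(), "@return string|void Return void if successful" should also mention that on success the function prints its own confirmation (see the print __(...) lines in the later hunk that touches this function), since callers need to know output has already happened.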
[aur-dev] [PATCH] stats.inc.php: Document all functions using PHPDoc format
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/stats.inc.php | 22 ++ 1 file changed, 22 insertions(+) diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 2c26d43..60973e9 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -2,6 +2,13 @@ include_once('aur.inc.php'); +/** + * Display the most recent 10 packages + * + * @param \PDO $dbh An already established database connection + * + * @return void + */ function updates_table($dbh) { $key = 'recent_updates'; if(!($newest_packages = get_cache_value($key))) { @@ -17,6 +24,14 @@ function updates_table($dbh) { include('stats/updates_table.php'); } +/** + * Display a user's statistics table + * + * @param string $userid The user ID of the person to get package statistics for + * @param \PDO $dbh An already established database connection + * + * @return void + */ function user_table($userid, $dbh) { $base_q = SELECT count(*) FROM Packages WHERE Packages.MaintainerUID = . $userid; @@ -34,6 +49,13 @@ function user_table($userid, $dbh) { include('stats/user_table.php'); } +/** + * Display the general package statistics table + * + * @param \PDO $dbh An already established database connection + * + * @return void + */ function general_stats_table($dbh) { # AUR statistics $q = SELECT count(*) FROM Packages; -- 1.7.12.1
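Review bot: user_table() is documented as "@param string $userid" while the context line builds the query as "SELECT count(*) FROM Packages WHERE Packages.MaintainerUID = " . $userid by plain concatenation. If a caller can pass a string, that is SQL injection; either document the parameter as int and cast it with intval() at the top of the function, or pass it through $dbh->quote(). The docblock should not advertise a string contract the code cannot safely honour.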
[aur-dev] [PATCH] aur.inc.php: Document all functions using PHPDoc format
PHPDoc is a standardized format for commenting on PHP code. Using it allows for a more cohesive use of IDEs and documentation generators with the AUR code. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/aur.inc.php | 231 +++- 1 file changed, 191 insertions(+), 40 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index a23cd3e..93ae23b 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -16,8 +16,19 @@ include_once(version.inc.php); include_once(acctfuncs.inc.php); include_once(cachefuncs.inc.php); -# see if the visitor is already logged in -# +/** + * Check if a visitor is logged in + * + * Query Sessions table with supplied cookie. Determine if the cookie is valid + * or not. Unset the cookie if invalid or session timeout reached. Update the + * session timeout if it is still valid. + * + * @global array $_COOKIE User cookie values + * @global string $LOGIN_TIMEOUT Time until session times out + * @param \PDO $dbh Already established database connection + * + * @return void + */ function check_sid($dbh=NULL) { global $_COOKIE; global $LOGIN_TIMEOUT; @@ -77,8 +88,11 @@ function check_sid($dbh=NULL) { return; } -# Verify the supplied token matches the expected token for POST forms -# +/** + * Verify the supplied CSRF token matches expected token + * + * @return bool True if the CSRF token is the same as the cookie SID, otherwise false + */ function check_token() { if (isset($_POST['token'])) { return ($_POST['token'] == $_COOKIE['AURSID']); @@ -87,8 +101,13 @@ function check_token() { } } -# verify that an email address looks like it is legitimate -# +/** + * Verify a user supplied e-mail against RFC 3696 and DNS records + * + * @param string $addy E-mail address being validated in f...@example.com format + * + * @return bool True if e-mail passes validity checks, otherwise false + */ function valid_email($addy) { // check against RFC 3696 if (filter_var($addy, FILTER_VALIDATE_EMAIL) === false) { 
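Review bot: the check_token() docblock now states explicitly that the anti-CSRF token is compared with the AURSID cookie; since the comparison is "==", two strings that both look numeric are compared as numbers in PHP, so switch to "===" while touching this (no behaviour change for normal tokens, and it removes a class of loose-comparison surprises). On check_sid(), "@global array $_COOKIE" and the "global $_COOKIE;" line can go: superglobals are visible in every scope. The valid_email() doc adds "and DNS records", which is worth keeping because it tells callers this function performs a network lookup at form submission time.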
@@ -104,15 +123,23 @@ function valid_email($addy) { return true; } -# generate a (hopefully) unique session id -# +/** + * Generate a unique session ID + * + * @return string MD5 hash of the concatenated user IP, random number, and current time + */ function new_sid() { return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true)); } - -# obtain the username if given their Users.ID -# +/** + * Determine the user's username in the database using a user ID + * + * @param string $id User's ID + * @param \PDO $dbh Already established database connection + * + * @return string Username if it exists, otherwise None + */ function username_from_id($id=, $dbh=NULL) { if (!$id) { return ; @@ -130,9 +157,14 @@ function username_from_id($id=, $dbh=NULL) { return $row[0]; } - -# obtain the username if given their current SID -# +/** + * Determine the user's username in the database using a session ID + * + * @param string $sid User's session ID + * @param \PDO $dbh Already established database connection + * + * @return string Username of the visitor + */ function username_from_sid($sid=, $dbh=NULL) { if (!$sid) { return ; @@ -153,8 +185,14 @@ function username_from_sid($sid=, $dbh=NULL) { return $row[0]; } -# obtain the email address if given their current SID -# +/** + * Determine the user's e-mail address in the database using a session ID + * + * @param string $sid User's session ID + * @param \PDO $dbh Already established database connection + * + * @return string User's e-mail address as given during registration + */ function email_from_sid($sid=, $dbh=NULL) { if (!$sid) { return ; 
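Review bot: the new_sid() docblock describes an "MD5 hash of the concatenated user IP, random number, and current time", and the code uses mt_rand() and uniqid(), neither of which is cryptographically secure; the summary line "Generate a unique session ID" should not read as a promise of unguessability. Note it in the docblock (a TODO pointing at openssl_random_pseudo_bytes() would be appropriate) rather than documenting the current source of randomness as sufficient. For username_from_id(), "otherwise None" is not PHP: the function returns the empty string when $id is empty or the lookup fails, and username_from_sid() and email_from_sid() do the same for an empty $sid, so each @return should say "empty string if not found".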
@@ -175,9 +213,14 @@ function email_from_sid($sid=, $dbh=NULL) { return $row[0]; } -# obtain the account type if given their current SID -# Return either , User, Trusted User, Developer -# +/** + * Determine the user's account type in the database using a session ID + * + * @param string $sid User's session ID + * @param \PDO $dbh Already established database connection + * + * @return string Account type of user (User, Trusted User, or Developer) + */ function account_from_sid($sid=, $dbh=NULL) { if (!$sid) { return ; @@ -199,8 +242,14 @@ function account_from_sid($sid=, $dbh=NULL) { return $row[0]; } -# obtain the Users.ID if given their current SID -# +/** + * Determine the user's ID in the database using a session ID + * + * @param string $sid User's session ID + * @param \PDO $dbh Already established database connection + * + * @return string|int The user's name, 0 on query failure + */ function uid_from_sid($sid=, $dbh=NULL) { if (!$sid) { return ; @@ -221,8 +270,11 @@ function uid_from_sid($sid=, $dbh=NULL) { return $row[0]; } -# connect to the database
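Review bot: the uid_from_sid() docblock says "@return string|int The user's name, 0 on query failure", but the function returns Users.ID, not the name, and for an empty $sid it returns the empty string, not 0; fix the description and spell out the three cases. For account_from_sid(), the old comment listed the empty string among the possible returns ("", User, Trusted User, Developer); keep that in the new @return, since callers such as the templates compare the result against the empty string to mean "not logged in".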
[aur-dev] [PATCH] rss.php: Update links to reflect URL changes
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/rss.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/html/rss.php b/web/html/rss.php index 6f057bf..84d2205 100644 --- a/web/html/rss.php +++ b/web/html/rss.php @@ -28,7 +28,7 @@ $rss-encoding = UTF-8; $rss-title = AUR Newest Packages; $rss-description = The latest and greatest packages in the AUR; $rss-link = ${protocol}://{$host}; -$rss-syndicationURL = {$protocol}://{$host}/rss.php; +$rss-syndicationURL = {$protocol}://{$host} . get_uri('/rss/'); $image = new FeedImage(); $image-title = AUR; $image-url = {$protocol}://{$host}/images/AUR-logo-80.png; @@ -42,7 +42,7 @@ $packages = latest_pkgs(20); while (list($indx, $row) = each($packages)) { $item = new FeedItem(); $item-title = $row[Name]; - $item-link = {$protocol}://{$host}/packages.php?ID={$row[ID]}; + $item-link = {$protocol}://{$host} . get_pkg_uri($row[Name]); $item-description = $row[Description]; $item-date = intval($row[SubmittedTS]); $item-source = {$protocol}://{$host}; -- 1.7.12.1
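Review bot: $item->link now comes from get_pkg_uri($row[Name]); make sure that helper percent-encodes the package name, since nothing in this hunk does, and that routing.inc.php has a /rss/ entry for get_uri('/rss/') so the syndicationURL points at a path that actually resolves under the rewrite rules. Both URLs are still built from {$protocol}://{$host}, which is request-derived; that predates this patch but is worth a follow-up so the feed does not echo an attacker-chosen Host header.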
[aur-dev] [PATCH 2/2] Remove unused pkgnotify_from_sid function
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/pkgfuncs.inc.php | 23 --- 1 file changed, 23 deletions(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index f0e64d2..8208af0 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -281,29 +281,6 @@ function pkgvotes_from_sid($sid=, $dbh=NULL) { return $pkgs; } -# array of package ids that you're being notified for -# *yoink* -# -function pkgnotify_from_sid($sid=, $dbh=NULL) { - $pkgs = array(); - if (!$sid) {return $pkgs;} - if(!$dbh) { - $dbh = db_connect(); - } - $q = SELECT PkgID ; - $q.= FROM CommentNotify, Users, Sessions ; - $q.= WHERE Users.ID = Sessions.UsersID ; - $q.= AND Users.ID = CommentNotify.UserID ; - $q.= AND Sessions.SessionID = . $dbh-quote($sid); - $result = $dbh-query($q); - if ($result) { - while ($row = $result-fetch(PDO::FETCH_NUM)) { - $pkgs[$row[0]] = 1; - } - } - return $pkgs; -} - # get name of package based on pkgid # function pkgname_from_id($pkgids, $dbh=NULL) { -- 1.7.12
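Review bot: the deletion is safe only if there are no remaining callers; please run git grep -n pkgnotify_from_sid across web/ (templates and aurjson.class.php included) before applying, and mention the result in the commit message so the "unused" claim is verifiable.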
[aur-dev] [PATCH] Make account registration work with recent account editing changes
The account editing form requires two different form action URLs due to the fact that the same template is shared for both account registration and account editing. Signed-off-by: canyonknight canyonkni...@gmail.com --- This patch assumes all previous patches. This should complete those changes and all account related URLs should be a lot saner now. web/template/account_edit_form.php | 4 1 file changed, 4 insertions(+) diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 9b5b1d8..b1cb749 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -1,4 +1,8 @@ +?php if ($A == UpdateAccount): ? form action=?php echo get_user_uri($U) . 'update/'; ? method=post +?php else: ? +form action=?php echo get_uri('/register/'); ? method=post +?php endif; ? fieldset input type=hidden name=Action value=?php echo $A ? / ?php if ($UID): ? -- 1.7.12
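Review bot: get_user_uri($U) . 'update/' goes into the action attribute unescaped, whereas actions_form.php wraps get_pkg_uri() in htmlspecialchars(..., ENT_QUOTES); do the same here and rawurlencode($U) inside it. Also, the branch falls through to /register/ for any $A other than UpdateAccount; display_account_form() documents only UpdateAccount and NewAccount, so an explicit elseif ($A == NewAccount) with nothing rendered otherwise would stop an unexpected $A from silently turning an edit into a registration.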
[aur-dev] [PATCH 00/13] Status Update
Hello all,

I've been doing quite a bit of testing lately and have collected a few patches. Note that the PDO patch isn't present because it is too large for the mailing list.

The following things still need to be fixed:

- Account registration needs to be modified to work with URL rewriting
- When a user is logged out they get the adopt package button on orphan package pages
- View PKGBUILD and Download tarball appear to be broken by rewriting
- Move delete and merge to Package Actions so that the actions bar is deprecated (maybe?)
- Fix undefined notice when a logged out user navigates to a package page
- The Latest Comments link appends ?comments=all to URL on every click

Anything else?

canyonknight (13):
  Migrate all DB code to use PDO
  Adjust user directions after registering to reflect new login page
  logout.php: Fix PHP undefined variable notice
  Add the new package icon back to the front page
  Use the new icon from archweb for the recent updates table
  Remove unused image titlelogo.png
  pkg_comment_form.php: Fix PHP undefined variable notice for package ID
  Fix account search page results routing to /account/
  Use URL rewriting for user info page
  Use URL rewriting for user editing page
  Use URL rewriting for user account update page
  Overhaul ability to edit own account
  header.php: Update account editing link

 INSTALL                                 |   2 +-
 UPGRADING                               |   2 +
 web/html/account.php                    |  34 +---
 web/html/images/new.gif                 | Bin 116 -> 0 bytes
 web/html/images/new.png                 | Bin 0 -> 378 bytes
 web/html/images/titlelogo.png           | Bin 4502 -> 0 bytes
 web/html/index.php                      |  21 ++-
 web/html/logout.php                     |   2 +-
 web/html/voters.php                     |   2 +-
 web/lib/acctfuncs.inc.php               | 245 +
 web/lib/aur.inc.php                     | 154 ++--
 web/lib/aurjson.class.php               |  26 ++-
 web/lib/cachefuncs.inc.php              |   4 +-
 web/lib/config.inc.php.proto            |   3 +-
 web/lib/pkgfuncs.inc.php                | 304 +---
 web/lib/routing.inc.php                 |  17 ++
 web/lib/stats.inc.php                   |   4 +-
 web/lib/translator.inc.php              |   6 +-
 web/template/account_edit_form.php      |   2 +-
 web/template/account_search_results.php |   8 +-
 web/template/header.php                 |   5 +-
 web/template/pkg_comment_form.php       |   2 +-
 web/template/pkg_comments.php           |   2 +-
 web/template/search_accounts_form.php   |   2 +-
 web/template/stats/updates_table.php    |   3 +
 25 files changed, 414 insertions(+), 436 deletions(-)
 delete mode 100644 web/html/images/new.gif
 create mode 100644 web/html/images/new.png
 delete mode 100644 web/html/images/titlelogo.png

-- 
1.7.12
[aur-dev] [PATCH 02/13] Adjust user directions after registering to reflect new login page
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/acctfuncs.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 54e8381..e7dcb10 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -195,7 +195,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U=,$T=,$S=,$E=, print __(The account, %s%s%s, has been successfully created., b, htmlspecialchars($U,ENT_QUOTES), /b); print p\n; - print __(Click on the Home link above to login.); + print __(Click on the Login link above to use your account.); print /p\n; } -- 1.7.12
[aur-dev] [PATCH 04/13] Add the new package icon back to the front page
This regression was introduced with d2480e8b9d3d0f946d57fa9422811cb37296b8b4. Re-implement the functionality in a cleaner way. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/stats/updates_table.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/web/template/stats/updates_table.php b/web/template/stats/updates_table.php index 4955ddc..93eb44f 100644 --- a/web/template/stats/updates_table.php +++ b/web/template/stats/updates_table.php @@ -7,6 +7,9 @@ tr td a href=?php echo get_pkg_uri($row[Name]); ??php print htmlspecialchars($row[Name]) . ' ' . htmlspecialchars($row[Version]); ?/a + ?php if ($row[ModifiedTS] === $row[SubmittedTS]): ? + img src=images/new.gif alt=New! / + ?php endif; ? /td td span?php print gmdate(Y-m-d H:i, intval($row[ModifiedTS])); ?/span -- 1.7.12
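Review bot: img src=images/new.gif is a relative URL; it works on the front page, but if updates_table.php is ever included from a routed path such as /packages/foo/ the browser requests /packages/foo/images/new.gif. index.php serves the file at /images/new.gif, so use the root-relative path. The strict "===" between $row[ModifiedTS] and $row[SubmittedTS] only holds because PDO returns both columns as strings of the same type; comparing intval() of both sides, or using "==", would survive a driver that hands back integers.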
[aur-dev] [PATCH 05/13] Use the new icon from archweb for the recent updates table
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/images/new.gif | Bin 116 - 0 bytes web/html/images/new.png | Bin 0 - 378 bytes web/html/index.php | 4 ++-- web/template/stats/updates_table.php | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) delete mode 100644 web/html/images/new.gif create mode 100644 web/html/images/new.png diff --git a/web/html/images/new.gif b/web/html/images/new.gif deleted file mode 100644 index 7df4823516538c5c60c6ce442ffeaea6644156dc.. GIT binary patch literal 0 HcmV?d1 literal 116 zcmZ?wbhEHblxN^!SjYeZ|3Lu6Q2fcl$iTqJpabH7QbS;d-9vQ6z@E$Jb%$;^=Z( z{|m(CLYL4TXKx^`QL@x0gM8y=$Yzp^g1YAFDRpIm6L;qU)fN(M|?WN8K|=SDoOI M-r^e)#K2$;03sqS!vFvP diff --git a/web/html/images/new.png b/web/html/images/new.png new file mode 100644 index ..6a9bf0370708a165d3e49047c09e110e02074a53 GIT binary patch literal 378 zcmV-=0fqjFP)h;3K|Lk000e1NJLTq000mG000mO1^@s6AM^iV4XF*Lt006JZ zHwB96PbVXQnQ*UN;cVTj606}DLVr3vnZDD6+Qe|Oed2z{QJOBUz3`s;mR5;7s zlEF#Q51$RwCw?WgWe;0fi^vY%UagXRhyB(O=1wVPFJlYqlK$kNFcaSBrLFKHcpU( zVj5rP+%se7wuRup#~J3_|C@8?jsx6(aN8gV+_?~^wID=7QAmWo=P9GzK~Bj7P?xU z4^LybJ-~;P$nL)ri2Lx-f?f?uyKtX3G(76UWeycgm{0H$eX9nWr+ASHH8r~vom;o zFz$}vYpDI9TZYK7R^TnN9ELgxm?Z}9nS!RQHI8Y*b~3AE}Ik|Ynq_|_kL0z^} zg`YWG?`i*VRiHt=)+fle*{;CjiLD9r5bPAPFRr!h8+rODTKmmjte|vSwTU#7zr+ Y0SIdSJYsEaB(^b07*qoM6N$g6XKB5dZ)H literal 0 HcmV?d1 diff --git a/web/html/index.php b/web/html/index.php index df0d133..7c4eb47 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -59,8 +59,8 @@ if (isset($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { include ./$path; break; case /css/archnavbar/archlogo.gif: - case /images/new.gif: - header(Content-Type: image/gif); + case /images/new.png: + header(Content-Type: image/png); include ./$path; break; case /css/archnavbar/archlogo.png: diff --git a/web/template/stats/updates_table.php b/web/template/stats/updates_table.php index 93eb44f..e7ceec7 100644 --- a/web/template/stats/updates_table.php 
+++ b/web/template/stats/updates_table.php @@ -8,7 +8,7 @@ td a href=?php echo get_pkg_uri($row[Name]); ??php print htmlspecialchars($row[Name]) . ' ' . htmlspecialchars($row[Version]); ?/a ?php if ($row[ModifiedTS] === $row[SubmittedTS]): ? - img src=images/new.gif alt=New! / + img src=images/new.png alt=New! / ?php endif; ? /td td -- 1.7.12
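Review bot: after this change the index.php case list serves only /images/new.png, so any remaining reference to new.gif in CSS or templates will 404; please git grep new.gif across web/ before applying and note the result in the message. The relative images/new.png src carries over the same path issue raised on 04/13.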
[aur-dev] [PATCH 06/13] Remove unused image titlelogo.png
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/images/titlelogo.png | Bin 4502 - 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 web/html/images/titlelogo.png 
diff --git a/web/html/images/titlelogo.png b/web/html/images/titlelogo.png deleted file mode 100644 index be7f14c79330f60391cfce0bfa772c349a663251.. GIT binary patch literal 0 HcmV?d1 literal 4502 zcmV;H5ozv;P)h;3K|Lk000e1NJLTq00CYA003tQ0{{R3fA`w?3b3#c}2nYz z;ZNWI008h%OjJcpO-=9b@0ppI8I;jFq}Zq0=TcHq#l^*Qb8~RL;*!nj-rn9ztlT4+ z)U~y*4Ebe{QiW5gl1-D-S7BTvEISu?xm%r?DzT^l-4kw)LG(((3k|((Hr9=6id4 z=H}*%jEq`ZTD`r!W@ct%w1O;t22KQLf$Z_xwev+vD;1yWjDdnVHV@gSGeX}RGl zoYkz@?=+#;|NsBz_4$g(=z78BLapAI+GO2{mtk0wBYKc)$Q2r_iMW0z25ic_y3H_ z=zYWH_xJb5@8yx-m%;7ozd*x_xD}-?iQFnb7KUzT1X=FaQ#$LR1C;cM0a000Sa zNLh0L01d1F01d1G?*_(4WbVXQnQ*UN;cVTj608L?IaK*AWNBd_Mrm?ocW-iQ zb0AGvyOAm+000mXNklZc-rlq3v;5%5`g7#fei?VE-4@3Rl!%Pj1jZ7dSj|~F*#+D z+WY_i7B$EFvDY4PjXJ|s@)iw0sUxtdb)ciEw8zZytCAlR`V{K_V!}ba+S1movB1 z;Tr`^%l$@a`FAad8HBD!h*j!$|6x+-dMm7Xa_-`AqIKc)tU%}q7?lgE=hCxB zeY2C`-7`qoZ)bF;zV9wT@EhK?2eE3a0b^`~A%B_;@cuy3A^F_RWrucNO7XvM*N z$HsfZ#4ShW=F?+SVXp$Vb8wVvGH~nNJ8J??3*1K@3%!t27~Sy-!bt{m+cf@c5r{j zcTBtZ731m{$O^VS{xHE+l~bBoz2cuizDK_YiEUeT1n6#p{)AHaF_W$15$D%QW8p zZ1(WJXidk`S}m0rb!Gl4PL6b{`e*ei=x@cQ!k`CtTWYA*sR(L#P4XwZ!z-9~AHH zGL{hUYBsxhN4!F-Dc%WqHT#%=lx|`LiN4hu{r-ocWSj?ms5ptA0NV7zis#+kX;X zZz#_rtRIZeI!}FlJxE4;~gY;Kdk34c^78JCOcvb@-R!eO#?pMZzmdx_WoKb`8Ai z4~}Gv|3Z)!je|4n$k0z}h5@wsJuWy?E8E?@mOY==?o0L5SClP7^Sng(*(;Y zLZ-98@)6Y-f?qtUElxr;_Y1nhMVivsz8{XOsds4nqMWtSrT+JG$#G||ypa~t# zd}ZA-G;mxqXqTr*czto~I12So#QVasgFDEVT@?sRlS!re7U{;ahSyl-vM|{AwF* zMUG{VkvpNmgnX7qJG9hFZj1`VoiEf8AfbK5yR(Z;u7?e7sf}c6UHPn}CVMQt zc$MTvbl?#gcVh%TgSVqPxmKF%lko1ZzXq|Ln;(b3WgouvLq}P;IrAkK6bI+r#lKC zhRe%i;CtpAYTat7#`q@4B=I^`i@%!zInU~mmCC2YHEaz9V)?VP*$;lt*1127UNxm zmqC;S)^fpA_vIHRBUhWa8~k;M38cG_qY9C;pp4CG2Y1l3cw0({Z?XggxOxNLVa}t zrIwzt8p3hM7jW65$mTd@IAp;N3AfyxkR(li9Qi?{)P49lRa6gFl%5wjtiTK_Z8n z^)_82}`{S_3e--aefAGT6oX2TV%2Q0I%k9gccfAjTeM?ptPm8(dgB@Re%g-NBT3 zwwPuMt4HU}@JG4d3wHL*$m-I^(AYeLBiBNwqFXkZ)UCR#OK3DUTaa7^zJ-@Cea zy$5(}x|zTXc;~j6_CCyjqyhJC2W*D0)a#Y0uOE-;x-)k4PD(2c5?Mp%joK%?aipJ 
zW@udY0Z8z6ad}#|GuPcxLw_#BdTLjwQ}H@it0Uf6xw2(LPs1(GJrW~E$xm6m47 zVakddQQW#cx@WGuTVN2%Q9;m2u2aCpU0IL^^-(@Oa@EG?L2j^7UQ4KrMeYP{+o z93jKI1MkSb+0gbdON2yt_ViSuz7!QtiIu?bPk8!yymshRxf!Mh*ZjS5p+Y%JFUa zEb;Ax0^V*0FLG_%0GHSl^}csrtHQkT$@-#2s2)QKd`Dhc;`RV5{3D^xyCa8xno zLgj|OctA?Avz^p=WUi(8`6h1qN_61UyENCxDsrFcUytidr2wm0kdSP3hzilQbBlj zIFwmmF*_^P6cXN;E`@cm(7EE-NQ{@pk-ZM5(zIZ74Q@2bOXHJ6`YPB`#pk!@SwF zV$+i%DJ48Pkk!{OIA%5puNW(7(w3@m?gckj!Gq7T-t3E87DVP4$#Qo$W4CUPoQL zuTok_grP%BR9{gmaRJN-X!mknB#HdfFus@4uf~;9Ru$gTHLq51l=~A6i7TiByZQ zL{eXY7^tOBZJ%9q)*E=P}+PEC46qT{OZQtd)AWFZg6N@P3~l!4j^izNNE+9A3TH zOK*-_!GPjjqxVyP4*2#I#78hIl}B}xk#qypcJalmZjaN;hYF^oHZ=TBhQ@l(= zyxvp5;=XCb?4s9800YEqnruqi5OJ^9tx#UALkDs5YP?zXeiyvU+IXiZFoa#kUWWJb zsfQ$hJ6JMhvRoa0V#c-9+#npJc%cbiOnqIn2+b33Msmi(V|VK2s^}!LYOq?}W$ zfpHig2XFAn)=ly5*0lSW9G3T-t|)qcgfU|e$g;u^xa?iC1edwEfL^Zwq*@m`tdx zCf*;-;KJxp;p5P$U?v^TZz|b;Fwk6onY|7;12uycr%5e`{?PNH^Cb!@2t(#mc@aD zmm^qY5?-r%(spXR{SxDl#yf=#zr5lHH!|LP2v=G%O=S5($^%i@bax{^=*##@)s8 z9Nz07=zGAVhDz|xpPrs3E2g1La%YjVd5JujfB_dQjzuCDXDkGyJ50;Va5%57?;@g ztrF#BnZ~lXBP5Bnl=@OyCEiq+hf{LqCOQ=fuYtk4JsRG97VkWc_n_h`?MzBZX=_c z8r`z?C(%N|$IvC?P0#k|BqWKl?jhgicGL7247)?4G0HQ;G0aqY?3$-*ER9JkG_; zec$aq+!Fb|;=d~xq+~UyyNP^St_-i2PEu-4nCj7kyQP_binm)2?`ttmu*%^55r=!j zxc#UW-aTpR5Iy|E8EJIe;EgXzX3`xYR%fnLir36$*loi~x(0lW)8c(fXXP^kS(1L= zrhh@Hp~bEaUIIL}oAv*2l8tQm#Aq)na3bR+7oS9Y*DSG9^NYkGb?^z(s)tg{VhAp z4b*D9jiiPIL?m*1;4CS0mWOba=ad0hLuFcOQ@X3EovX-W@91$$pvV1=GGw@V?~| z@kru6w_w6n{VcLyab1AUrWV*dNn9HN~;Plwt6QdM|mg2yGf}Jo6@K)9LMh7V!SVf zNX}-J80Piv*RTIz@qWj1%kL|@!-psH)t)%MPME|f#p{tOoPz8o32)~}c)LL$WfVAD zyO+lxa1-N2X`tL@rQ2kvyX+2!UvYS+1h1j69`~x=ZP4?SY)2JZHSl^SuE@!j@mksh z@4NH@2_aYNu~g^4Z`~zjeR|w-!_TxdcSaZ3Dk-Uh`UU^`;en#QL#q*DIT1FNlhr7 z+`Z9c)oX_LDaNZd!`icpEh2M7e2d~jf|n6^1Wmn=fiv-pHxONO6-WQ;*UV8ZDxL zqixW#;)gtJL+43(2}-tN??X$Mo*T$tqh%3?7aWLg)?@GI!!*P@dz*)NS8p!_yizh) z4F{QksUSp?kDr8O)MuU^1k28D4@%FeBV+oM7wdDTNLrDkF}#3ND_wJaVbDq~*B zwR7Duwj*s34gkLK3sTuYcblDd?xW)MPaJ{dp8M+2A6)-piX=9mo$$Z%WsZWi?- 
zJO5}==llJ9^Lu@ZczXoA*u^zp2#vpbXTjpVAx(#|-M=#REy)gl$NUvY|b=C1?E z!3v)UMXpYI)|^BqS)`sRbs;Z2flwcDBQoginRaX%(jU4f@%1)=QA48wtInM5iT2 zz6HFOO~I2hpI`T;qBa;|6HV}E@!-d?ROh2#cOEQQrlK*k4|?+l^dBUdcv@F}mN$ zCf#5oCC($ua(1h1Yttk`O=+ewmX!;+xuj@dItf%gyxo!{+7RC#8=rVu!PEU z)K|2#aW4gjDOV6hwNyWz5WB%@Ark{kQR9n*_bGT=13Md(ekgY#3;=t2NwqylryCP zKDe%^*28;Uf|szD_s{a2QC*?+sKSqOU}DVy`#YHK*b~7kEeK74DgO!-cRAB#Ej= zh2jBT(d9jg7I?TPfdl@5h6-v8Hjkhj-gkV_reu)D=UebF#49SEVk+wV{lDT@nJ+G z41PGW3Gl+cV@CulI%pBBYXYAH;1y*awuT!l`nu-8Mjr3-D)=2;fPi;fmI5aH4Ls5v zd2D1FeA^6_LeyMWGyRsYfWf{MawpLLIvFgtB3(!+Hg8T3h!6|3$0uoyyps*Ea;S_ z$sO4fITuvLtGeJ=AVJMhzDCOyM~Sut!b70$O%Cw_mA3?1282K-Pp7?(4hlGtE?NfI zK#})2)3e57=urvID#RIng3WELiAq8EZbcAZX+nmSY)ScmV=lsSGb+VIV1^$u!zL z*)cqdL$_TApW37#Ua;WU1s~ONJ%NUC8i1FAi;y)wgVzE^mxg#@X)Ank9m@mTZ+Lvi zhi3%nIEvR`Qi8mc-e1JR4XzL5U+*4e(N$qKUz|L0=o1($$E1Zpx
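Review bot: binary deletions do not show up in a text search of the diff, so please confirm with git grep titlelogo across web/html/css and web/template that nothing still references the image, and say so in the commit message to back the "unused" claim.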
[aur-dev] [PATCH 07/13] pkg_comment_form.php: Fix PHP undefined variable notice for package ID
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_comment_form.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index 95d2cb0..fb3ebff 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -8,7 +8,7 @@ if (isset($_REQUEST['comment']) check_token()) { } ? div - input type=hidden name=ID value=?php echo intval($_REQUEST['ID']) ? / + input type=hidden name=ID value=?php echo intval($row['ID']) ? / input type=hidden name=token value=?php echo htmlspecialchars($_COOKIE['AURSID']) ? / /div p -- 1.7.12
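Review bot: taking the package ID from the server-side $row instead of $_REQUEST['ID'] is the right fix for the notice, but the hidden input is still client-controlled on submit; the handler that processes the comment should verify that the posted ID matches the package of the route it was posted to (or drop the hidden field and take the ID from the route), otherwise a comment can still be attached to an arbitrary package by editing the form.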
[aur-dev] [PATCH 10/13] Use URL rewriting for user editing page
Allows for easier account editing and saner URLs. Update account editing links to use new URL. Before: AUR_URL/account/?Action=DisplayAccountU=userfoo After: AUR_URL/account/userfoo/edit Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/index.php | 10 +- web/template/account_search_results.php | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/web/html/index.php b/web/html/index.php index e6f3771..8013362 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -51,7 +51,15 @@ if (isset($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { } elseif (isset($tokens[1]) '/' . $tokens[1] == get_user_route()) { if (isset($tokens[2])) { $_REQUEST['U'] = $tokens[2]; - $_REQUEST['Action'] = AccountInfo; + + if (isset($tokens[3])) { + if ($tokens[3] == 'edit') { + $_REQUEST['Action'] = DisplayAccount; + } else { + $_REQUEST['Action'] = AccountInfo; + } + } + } include get_route('/' . $tokens[1]); } elseif (get_route($path) !== NULL) { diff --git a/web/template/account_search_results.php b/web/template/account_search_results.php index 8719928..f67cc6a 100644 --- a/web/template/account_search_results.php +++ b/web/template/account_search_results.php @@ -50,7 +50,7 @@ else: print nbsp;; else: ? - a href=?php echo get_uri('/account/'); ??Action=DisplayAccountamp;ID=?php echo $row[ID] ??php echo __(Edit) ?/a + a href=?php echo get_user_uri($row[Username]) . edit/ ??php echo __(Edit) ?/a ?php endif; ? /td /tr -- 1.7.12
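Review bot: the removed line $_REQUEST['Action'] = AccountInfo; was the default for /account/userfoo/, and after this hunk Action is only set when $tokens[3] exists, so a plain /account/userfoo/ reaches account.php with no Action. Patch 12/13 adds the else back; fold it into this patch so the series does not pass through a broken state. In account_search_results.php the edit link inserts $row[Username] via get_user_uri() without htmlspecialchars() or rawurlencode(); wrap it the same way the package links are.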
[aur-dev] [PATCH 11/13] Use URL rewriting for user account update page
The UpdateAccount page displays information as to whether an account update was successful. All POST account info goes to this page, so use it with sane URLs. Before: AUR_URL/account/?Action=UpdateAccountU=userfoo After: AUR_URL/account/userfoo/update Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/index.php | 2 ++ web/template/account_edit_form.php | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/web/html/index.php b/web/html/index.php index 8013362..0e36883 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -55,6 +55,8 @@ if (isset($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { if (isset($tokens[3])) { if ($tokens[3] == 'edit') { $_REQUEST['Action'] = DisplayAccount; + } elseif ($tokens[3] == 'update') { + $_REQUEST['Action'] = UpdateAccount; } else { $_REQUEST['Action'] = AccountInfo; } diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 7da8e33..9b5b1d8 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -1,4 +1,4 @@ -form action=?php echo get_uri('/account/'); ? method=post +form action=?php echo get_user_uri($U) . 'update/'; ? method=post fieldset input type=hidden name=Action value=?php echo $A ? / ?php if ($UID): ? -- 1.7.12
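Review bot: index.php assigns $_REQUEST['U'] = $tokens[2] for every /account/<name>/... request, so a POST to /account/userfoo/update/ has its U field overwritten by the path segment. If the edit form's username input is also named U, a user changing their username will have the new value discarded in favour of the old one from the URL. Only set U from the path when the request does not already carry it, or key the update on $UID, which the hidden input in this same form already provides. The unescaped get_user_uri($U) in the action attribute is the same issue noted on the registration patch.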
[aur-dev] [PATCH 12/13] Overhaul ability to edit own account
* Restructure account.php to remove redundant code. * Remove own_account_details(). * Rework logic check to default to no access to account edit form. * Make default account action viewing account info. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/account.php | 34 +- web/html/index.php| 3 ++- web/lib/acctfuncs.inc.php | 18 -- 3 files changed, 11 insertions(+), 44 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index b0906d9..786ae02 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -50,14 +50,15 @@ if (isset($_COOKIE[AURSID])) { } else { # double check to make sure logged in user can edit this account # - if ($atype == User || ($atype == Trusted User $row[AccountType] == Developer)) { - print __(You do not have permission to edit this account.); - } else { - + if ($atype == Developer || ($atype == Trusted User + $row[AccountType] != Developer) || + ($row[ID] == uid_from_sid($_COOKIE[AURSID]))) { display_account_form($atype, UpdateAccount, $row[Username], - $row[AccountType], $row[Suspended], $row[Email], - , , $row[RealName], $row[LangPreference], - $row[IRCNick], $row[PGPKey], $row[ID]); + $row[AccountType], $row[Suspended], $row[Email], + , , $row[RealName], $row[LangPreference], + $row[IRCNick], $row[PGPKey], $row[ID]); + } else { + print __(You do not have permission to edit this account.); } } 
@@ -89,24 +90,7 @@ if (isset($_COOKIE[AURSID])) { search_accounts_form(); } else { - # A normal user, give them the ability to edit - # their own account - # - $row = own_account_details($_COOKIE[AURSID]); - if (empty($row)) { - print __(Could not retrieve information for the specified user.); - } else { - # don't need to check if they have permissions, this is a - # normal user editing themselves. - # - print __(Use this form to update your account.); - print br /; - print __(Leave the password fields blank to keep your same password.); - display_account_form($atype, UpdateAccount, $row[Username], - $row[AccountType], $row[Suspended], $row[Email], - , , $row[RealName], $row[LangPreference], - $row[IRCNick], $row[PGPKey], $row[ID]); - } + print __(You are not allowed to access this area.); } } diff --git a/web/html/index.php b/web/html/index.php index 0e36883..70698a4 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -60,8 +60,9 @@ if (isset($tokens[1]) '/' . $tokens[1] == get_pkg_route()) { } else { $_REQUEST['Action'] = AccountInfo; } + } else { + $_REQUEST['Action'] = AccountInfo; } - } include get_route('/' . $tokens[1]); } elseif (get_route($path) !== NULL) { diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 7471d06..ed2c7c6 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -719,24 +719,6 @@ function account_details($uid, $username, $dbh=NULL) { return $row; } -function own_account_details($sid, $dbh=NULL) { - if(!$dbh) { - $dbh = db_connect(); - } - $q = SELECT Users.*, AccountTypes.AccountType ; - $q.= FROM Users, AccountTypes, Sessions ; - $q.= WHERE AccountTypes.ID = Users.AccountTypeID ; - $q.= AND Users.ID = Sessions.UsersID ; - $q.= AND Sessions.SessionID = . $dbh-quote($sid); - $result = $dbh-query($q); - - if ($result) { - $row = $result-fetch(PDO::FETCH_ASSOC); - } - - return $row; -} - function tu_voted($voteid, $uid, $dbh=NULL) { if (!$dbh) { $dbh = db_connect(); -- 1.7.12
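Review bot: the reworked allow-list in account.php (Developer, Trusted User editing a non-Developer, or the account's own user) only guards the call to display_account_form(); the UpdateAccount handler reached through the /account/userfoo/update route added in patch 11/13 must apply the same check on the POST, otherwise the default-deny introduced here protects the form but not the update itself. While there, cast both sides of "$row[ID] == uid_from_sid($_COOKIE[AURSID])" to int and compare strictly, so an empty or false return from uid_from_sid() for a stale session can never compare equal.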
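Review bot: deleting the normal-user branch also drops the "Leave the password fields blank to keep your same password." hint, which is still true for a user who reaches the form via /account/userfoo/edit; print it from the remaining display_account_form() branch so self-edits do not lose that guidance. Removing own_account_details() itself is fine, since the username-based lookup plus the ID comparison now covers the self-edit case.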
[aur-dev] [PATCH 13/13] header.php: Update account editing link
* Use AUR_URL/account/userfoo/edit format for own account editing. * Change Accounts label to My Account for regular users. * Add ability for Developers and Trusted Users to edit their account without having to use the search form first. Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/header.php | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/web/template/header.php b/web/template/header.php index 52c0ab8..2c04b58 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -55,7 +55,10 @@ ?php if (isset($_COOKIE['AURSID'])): ? lia href=?php echo get_uri('/packages/'); ??SeB=mamp;K=?php print username_from_sid($_COOKIE[AURSID]); ??php print __(My Packages); ?/a/li lia href=?php echo get_uri('/submit/'); ??php print __(Submit); ?/a/li - lia href=?php echo get_uri('/accounts/'); ??php print __(Accounts); ?/a/li + ?php if (check_user_privileges()): ? + lia href=?php echo get_uri('/accounts/') ; ??php print __(Accounts); ?/a/li + ?php endif; ? + lia href=?php echo get_user_uri(username_from_sid($_COOKIE['AURSID'])) . 'edit/'; ??php print __( My Account); ?/a/li ?php if (check_user_privileges()): ?lia href=?php echo get_uri('/tu/'); ??php print __(Trusted User); ?/a/li?php endif; ? lia href=?php echo get_uri('/logout/'); ??php print __(Logout); ?/a/li ?php else: ? -- 1.7.12
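Review bot: style, the new menu entry passes " My Account" with a leading space to __(), which makes the translatable msgid differ from a plain "My Account" and will miss any existing translation; drop the space, and likewise the stray space before the semicolon in "get_uri('/accounts/') ;". Wrapping the Accounts link in check_user_privileges() only hides the link, which is acceptable here because account.php (patch 12/13) already prints "You are not allowed to access this area." for users without the privilege, so the server-side check does not rely on the header.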
[aur-dev] [PATCH v2 4/8] Print error message when maximum DB character length is exceeded
Packages can currently be submitted with variables longer than the maximum allowed by the DB for that specific field. The string will be shortened without informing the user. This can result in unexpected oddities on submitted packages. Print error messages informing the user when the package name, URL, description, license, or version is too long. Also move the resolution of full package version (including epoch) to an earlier point in pkgsubmit.php Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/pkgsubmit.php | 35 +-- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index e87279e..5783da4 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php 
@@ -277,6 +277,35 @@ if ($uid): } } + # Determine the full package version with epoch + if (!$error) { + if (isset($new_pkgbuild['epoch']) (int)$new_pkgbuild['epoch'] 0) { + $pkg_version = sprintf('%d:%s-%s', $new_pkgbuild['epoch'], $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); + } else { + $pkg_version = sprintf('%s-%s', $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); + } + } + + # The DB schema imposes limitations on number of allowed characters + # Print error message when these limitations are exceeded + if (!$error) { + if (strlen($pkg_name) 64) { + $error = __(Error - Package name cannot be greater than %d characters, 64); + } + if (strlen($new_pkgbuild['url']) 255) { + $error = __(Error - Package URL cannot be greater than %d characters, 255); + } + if (strlen($new_pkgbuild['pkgdesc']) 255) { + $error = __(Error - Package description cannot be greater than %d characters, 255); + } + if (strlen($new_pkgbuild['license']) 40) { + $error = __(Error - Package license cannot be greater than %d characters, 40); + } + if (strlen($pkg_version) 32) { + $error = __(Error - Package version cannot be greater than %d characters, 32); + } + } + if (isset($pkg_name)) { $incoming_pkgdir = INCOMING_DIR . substr($pkg_name, 0, 2) . / . $pkg_name; } @@ -324,12 +353,6 @@ if ($uid): $pdata = pkgdetails_by_pkgname($new_pkgbuild['pkgname'], $dbh); - if (isset($new_pkgbuild['epoch']) (int)$new_pkgbuild['epoch'] 0) { - $pkg_version = sprintf('%d:%s-%s', $new_pkgbuild['epoch'], $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); - } else { - $pkg_version = sprintf('%s-%s', $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); - } - # Check the category to use, 1 meaning none (or keep category for # existing packages). if (isset($_POST['category'])) { -- 1.7.12
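Review bot: the five strlen() checks each assign $error unconditionally, so when more than one field is too long only the last failing check's message survives (version overrides license, which overrides description, and so on); chain them with elseif or guard each with "if (!$error)" so the user is told about the first problem. A smaller point: the limits 64/255/255/40/32 duplicate the column sizes from support/schema/aur-schema.sql by hand, so keeping them as named constants with a comment pointing at the schema will stop them drifting when a column is resized.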
[aur-dev] [PATCH 0/8] Assorted working branch changes
Most of these patches are minor changes and fix some lingering bug reports. The final patch is a really big change that I've been testing for a while now, it brings PDO to the AUR code. It is a large change so I'd love to have more eyes look over it and maybe some people test out corner cases and parts of the web interface that I may have failed at testing. This patch series is based against Lukas' wip branch [1]. Those changes and my changes in entirety can be had from my working branch [2]. [1] http://git.cryptocrack.de/aur.git/log/?h=wip [2] https://github.com/canyonknight/aur/tree/working canyonknight (8): pkgsubmit.php: Make page friendlier for logged out users pkg_details.php: Fix broken HTML for package page with no dependencies Update docs to require Archive_Tar version greater than 1.3.7 Print error message when maximum DB character length is exceeded Allow only Trusted Users, Developers, and Maintainers to unflag packages Fix broken RSS feed link on front page Fix broken package search on front page Migrate all DB code to use PDO INSTALL | 4 +- UPGRADING | 4 + web/html/home.php | 2 +- web/html/pkgsubmit.php | 43 +++-- web/lib/acctfuncs.inc.php | 229 web/lib/aur.inc.php | 154 ++-- web/lib/aurjson.class.php | 26 ++- web/lib/cachefuncs.inc.php | 4 +- web/lib/config.inc.php.proto| 3 +- web/lib/pkgfuncs.inc.php| 306 +--- web/lib/stats.inc.php | 4 +- web/lib/translator.inc.php | 6 +- web/template/account_search_results.php | 2 +- web/template/actions_form.php | 3 +- web/template/pkg_details.php| 5 +- web/template/stats/updates_table.php| 2 +- 16 files changed, 400 insertions(+), 397 deletions(-) -- 1.7.11.4
[aur-dev] [PATCH 2/8] pkg_details.php: Fix broken HTML for package page with no dependencies
The Required by column already handles an empty list appropriately. Move a /div tag to match that behavior in the Dependencies column Signed-off-by: canyonknight canyonkni...@gmail.com --- web/template/pkg_details.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index 67cb5d1..da173ec 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -179,8 +179,8 @@ if ($row[MaintainerUID]): ?php endif; ? ?php endwhile; ? /ul - /div ?php endif; ? + /div div id=pkgreqs class=listing h3?php echo __('Required by') . ( . count($requiredby) . )?/h3 ?php if (count($requiredby) 0): ? -- 1.7.11.4
[aur-dev] [PATCH 4/8] Print error message when maximum DB character length is exceeded
Packages can currently be submitted with variables longer than the maximum allowed by the DB for that specific field. The string will be shortened without informing the user. This can result in unexpected oddities on submitted packages. Print error messages informing the user when the package name, URL, description, license, or version is too long. Also move the resolution of full package version (including epoch) to an earlier point in pkgsubmit.php Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/pkgsubmit.php | 35 +-- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index e87279e..5783da4 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php 
@@ -277,6 +277,35 @@ if ($uid): } } + # Determine the full package version with epoch + if (!$error) { + if (isset($new_pkgbuild['epoch']) (int)$new_pkgbuild['epoch'] 0) { + $pkg_version = sprintf('%d:%s-%s', $new_pkgbuild['epoch'], $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); + } else { + $pkg_version = sprintf('%s-%s', $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); + } + } + + # The DB schema imposes limitations on number of allowed characters + # Print error message when these limitations are exceeded + if (!$error) { + if (strlen($pkg_name) 64) { + $error = __(Error - Package name cannot be greater than %s characters, 64); + } + if (strlen($new_pkgbuild['url']) 255) { + $error = __(Error - Package URL cannot be greater than %s characters, 255); + } + if (strlen($new_pkgbuild['pkgdesc']) 255) { + $error = __(Error - Package description cannot be greater than %s characters, 255); + } + if (strlen($new_pkgbuild['license']) 40) { + $error = __(Error - Package license cannot be greater than %s characters, 40); + } + if (strlen($pkg_version) 32) { + $error = __(Error - Package version cannot be greater than %s characters, 32); + } + } + if (isset($pkg_name)) { $incoming_pkgdir = INCOMING_DIR . substr($pkg_name, 0, 2) . / . $pkg_name; } @@ -324,12 +353,6 @@ if ($uid): $pdata = pkgdetails_by_pkgname($new_pkgbuild['pkgname'], $dbh); - if (isset($new_pkgbuild['epoch']) (int)$new_pkgbuild['epoch'] 0) { - $pkg_version = sprintf('%d:%s-%s', $new_pkgbuild['epoch'], $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); - } else { - $pkg_version = sprintf('%s-%s', $new_pkgbuild['pkgver'], $new_pkgbuild['pkgrel']); - } - # Check the category to use, 1 meaning none (or keep category for # existing packages). if (isset($_POST['category'])) { -- 1.7.11.4
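Review bot: the new error strings use %s for an integer argument, as in "Error - Package name cannot be greater than %s characters, 64"; %d is the correct specifier and keeps the format consistent with the %d used in the sprintf() just above it, and v2 of this patch on this list already makes that change.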
[aur-dev] [PATCH 5/8] Allow only Trusted Users, Developers, and Maintainers to unflag packages
Currently everyone is allowed to unflag a package as out of date. This should be limited to only the appropriate people for a specific package. Fixes FS#27263 Signed-off-by: canyonknight canyonkni...@gmail.com --- web/lib/pkgfuncs.inc.php | 4 web/template/actions_form.php | 3 ++- web/template/pkg_details.php | 3 ++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 6fad628..c592e39 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -728,6 +728,10 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { } $q.= WHERE ID IN ( . implode(,, $ids) . ); + if (!$action ($atype != Trusted User $atype != Developer)) { + $q.= AND MaintainerUID = . uid_from_sid($_COOKIE[AURSID], $dbh); + } + db_query($q, $dbh); if ($action) { diff --git a/web/template/actions_form.php b/web/template/actions_form.php index bfc0611..d687f50 100644 --- a/web/template/actions_form.php +++ b/web/template/actions_form.php @@ -21,7 +21,8 @@ ?php if ($row[OutOfDateTS] === NULL): ? input type=submit class=button name=do_Flag value=?php echo __(Flag Out-of-date) ? / - ?php else: ? + ?php elseif (($row[OutOfDateTS] !== NULL) + ($uid == $row[MaintainerUID] || $atype == Trusted User || $atype == Developer)): ? input type=submit class=button name=do_UnFlag value=?php echo __(UnFlag Out-of-date) ? / ?php endif; ? ?php endif; ? diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index da173ec..7176e10 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php 
@@ -40,7 +40,8 @@ $sources = package_sources($row[ID]); ?php if ($USE_VIRTUAL_URLS $uid): ? ?php if ($row[OutOfDateTS] === NULL): ? lia href=?php echo get_pkg_uri($row['Name']) . 'flag/'; ??php echo __('Flag package out-of-date'); ?/a/li - ?php else: ? + ?php elseif (($row[OutOfDateTS] !== NULL) + ($uid == $row[MaintainerUID] || $atype == Trusted User || $atype == Developer)): ? lia href=?php echo get_pkg_uri($row['Name']) . 'unflag/'; ??php echo __('Unflag package'); ?/a/li ?php endif; ? ?php if (user_voted($uid, $row['ID'])): ? -- 1.7.11.4
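Review bot: in pkg_flag() the added "AND MaintainerUID = " clause concatenates the return value of uid_from_sid($_COOKIE[AURSID], $dbh) straight into the SQL; cast it with (int), or pass it through $dbh->quote() in line with the PDO migration in patch 8/8 of this series, so the query never depends on what uid_from_sid() returns for a stale or bogus session cookie. Because the restriction lives in the WHERE clause, a non-maintainer's unflag request now simply matches zero rows; checking the affected row count after db_query() would let the caller report that the action was not permitted instead of silently doing nothing. Enforcing the rule in the query rather than only in the templates is the right place for it.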
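Review bot: in both actions_form.php and pkg_details.php the new elseif re-tests "($row[OutOfDateTS] !== NULL)", which is already implied by the preceding "if ($row[OutOfDateTS] === NULL)" having failed; drop the redundant clause so the condition reads as the maintainer/TU/Developer check it actually is. These template hunks only hide the UnFlag button; the pkgfuncs.inc.php change is what enforces the restriction.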
[aur-dev] [PATCH 7/8] Fix broken package search on front page
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/home.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/html/home.php b/web/html/home.php index df112b8..8fecfd4 100644 --- a/web/html/home.php +++ b/web/html/home.php @@ -91,7 +91,7 @@ $dbh = db_connect(); /div div id=content-right div id=pkgsearch class=widget - form id=pkgsearch-form method=get action=?php get_uri('/packages/'); ? + form id=pkgsearch-form method=get action=?php echo get_uri('/packages/'); ? fieldset label for=pkgsearch-fieldPackage Search:/label input type=hidden name=O value=0 / -- 1.7.11.4
[aur-dev] [PATCH] pkgsubmit.php: Remove stray /div tag
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/pkgsubmit.php | 1 - 1 file changed, 1 deletion(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 2fd21e6..c2a7191 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -477,7 +477,6 @@ else: endif; ? - /div /div ?php -- 1.7.11.1
[aur-dev] [PATCH] tu.php: Fix PHP notice for hasvoted variable
Signed-off-by: canyonknight canyonkni...@gmail.com --- web/html/tu.php | 1 + 1 file changed, 1 insertion(+) diff --git a/web/html/tu.php b/web/html/tu.php index 5537d3a..48cd6c1 100644 --- a/web/html/tu.php +++ b/web/html/tu.php @@ -34,6 +34,7 @@ if ($atype == Trusted User || $atype == Developer) { $whovoted = voter_list($row['ID']); $canvote = 1; + $hasvoted = 0; $errorvote = ; if ($isrunning == 0) { $canvote = 0; -- 1.7.11.1