Add permission checks to the request feature

* Only show the request form to users that are logged in.
* Only show the close request form to Trusted Users and developers.
* Check for a valid login in pkgreq_file().

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

web/html/pkgreq.php

@@ -9,9 +9,17 @@ set_lang();
 check_sid();
 
 if (isset($base_id)) {
+	if (!has_credential(CRED_PKGREQ_FILE)) {
+		header('Location: /');
+		exit();
+	}
 	html_header(__("File Request"));
 	include('pkgreq_form.php');
 } elseif (isset($pkgreq_id)) {
+	if (!has_credential(CRED_PKGREQ_CLOSE)) {
+		header('Location: /');
+		exit();
+	}
 	html_header(__("Close Request"));
 	$pkgbase_name = pkgreq_get_pkgbase_name($pkgreq_id);
 	include('pkgreq_close_form.php');

web/lib/credentials.inc.php

@@ -18,6 +18,7 @@ define("CRED_PKGBASE_NOTIFY", 13);
 define("CRED_PKGBASE_SUBMIT_BLACKLISTED", 14);
 define("CRED_PKGBASE_UNFLAG", 15);
 define("CRED_PKGBASE_VOTE", 16);
+define("CRED_PKGREQ_FILE", 23);
 define("CRED_PKGREQ_CLOSE", 17);
 define("CRED_PKGREQ_LIST", 18);
 define("CRED_TU_ADD_VOTE", 19);
@@ -48,6 +49,7 @@ function has_credential($credential, $approved_users=array()) {
 	case CRED_PKGBASE_FLAG:
 	case CRED_PKGBASE_NOTIFY:
 	case CRED_PKGBASE_VOTE:
+	case CRED_PKGREQ_FILE:
 		return ($atype == 'User' || $atype == 'Trusted User' ||
 			$atype == 'Developer' ||
 			$atype == 'Trusted User & Developer');

web/lib/pkgreqfuncs.inc.php

@@ -91,6 +91,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 	global $AUR_REQUEST_ML;
 	global $AUTO_ORPHAN_AGE;
 
+	if (!has_credential(CRED_PKGREQ_FILE)) {
+		return array(false, __("You must be logged in to file package requests."));
+	}
+
 	if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 		return array(false, __("Invalid name: only lowercase letters are allowed."));
 	}