Commit graph

60 commits

Author SHA1 Message Date
Lukas Fleischer
29a48708bb Use bcrypt to hash passwords
Replace the default hash function used for storing passwords by
password_hash() which internally uses bcrypt. Legacy MD5 hashes are
still supported and are immediately converted to the new format when a
user logs in.

Since big parts of the authentication system needed to be rewritten in
this context, this patch also includes some simplification and
refactoring of all code related to password checking and resetting.

Fixes FS#52297.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-24 22:04:49 +01:00
Lukas Fleischer
70db022aa8 Store banned IP addresses as plain text
Inspired by commit 32c8d0c (Store last login address as plain text,
2016-03-13).

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-25 18:42:34 +01:00
Lukas Fleischer
f8916d7e9b git-serve: Save last SSH login date and IP address
In addition to logging the last login date and IP address on the web
interface, store the time stamp and IP address of the last SSH login in
the database.

This simplifies user banning if one of the new SSH interface features,
such as the voting mechanism implemented in 7ee2fdd (git-serve: Add
support for (un-)voting, 2017-01-23), is abused.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-25 18:42:34 +01:00
Mark Weiman
608c483090 Add user set timezones
Currently, aurweb displays all dates and times in UTC time. This patch
adds a capability for each logged in user to set their preferred
timezone.

Implements FS#48729.

Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-20 23:20:40 +01:00
Lukas Fleischer
1492444ecb Make URL columns 8000 characters wide
According to RFC 7230, URLs can be up to 8000 characters long. Resize
all URL fields accordingly.

Also, add a test to verify that URLs with more than 8000 characters are
rejected by the update hook.

Reported-by: Andreas Linz <klingt.net@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-10-11 08:36:40 +02:00
Lukas Fleischer
5014b74868 Cleanup database schema
* Remove test accounts.
* Create indices using CREATE INDEX.
* Always use INTEGER UNSIGNED for IDs.
* Always use BIGINT UNSIGNED for timestamps.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-08-05 12:05:22 +02:00
Johannes Löthberg
e55b529813 Make LangPreference DB field wide enough to fit es_419
The language code for Latin American Spanish is es_419, which is longer
than the 5 characters previously allowed.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-07-24 18:51:05 +02:00
Johannes Löthberg
a2a888625e Add missing database and account fields
Commits 6ec4a35 (Send notifications when changing ownership, 2016-02-21)
and e3670ef (Add a homepage field to accounts, 2016-06-02) forgot to
change some usages of display_account_form() and process_account_form()
to account for the new parameter. The former also forgot to add the new
column to the database schema.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-06-25 13:55:34 +02:00
Lukas Fleischer
e3670ef188 Add a homepage field to accounts
Allow users to add a link to their homepage to their profile.

Implements FS#22774.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-06-08 22:23:57 +02:00
Lukas Fleischer
b2e97cdd1e Add repository information to official providers
When updating the list of packages provided by the official
repositories, also save the repository names.
2016-05-18 09:22:44 +02:00
Lukas Fleischer
0108c64541 Resize the LastLoginIPAddress column
Make sure that all valid IPv6 addresses fit into the LastLoginIPAddress
field.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-03-15 18:01:15 +01:00
Lukas Fleischer
32c8d0c3f8 Store last login address as plain text
Directly store the information contained in $_SERVER['REMOTE_ADDR']
instead of using ip2long() which does not support IPv6 addresses. Note
that the LastLoginIPAddress field is designed to be used by the
administrator on rare occasions only (e.g. to fight spam) and is not
displayed anywhere.

Fixes FS#48557.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-03-13 11:47:30 +01:00
Lukas Fleischer
64072461df Add support for package update notifications
Introduce a new notification option to receive notifications when a new
commit is pushed to a package repository.

Implements FS#30109.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-02-07 10:54:20 +01:00
Lukas Fleischer
aa5e58db81 Add global comment notification setting
Add a configuration option to the account edit page that allows for
globally enabling/disabling package base comment notifications.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-02-07 10:52:05 +01:00
Lukas Fleischer
3412de21d3 Rename the CommentNotify table to PackageNotifications
As a preparatory step to adding support for package notifications on
events other than comments, rename the database table accordingly.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-02-07 10:39:22 +01:00
Mark Weiman
76a589257e Change FlaggerComment to TEXT
Makes FlaggerComments a TEXT field to be more consistent with package
comments.

Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-12-15 17:46:18 +01:00
Lukas Fleischer
51407d4a29 Store current date and time when deleting comments
Instead of modifying EditedTS when a comment is deleted, use a separate
field DelTS. Use this field to determine whether a comment has been
deleted, instead of checking DelUsersID which might be unset when the
corresponding user is deleted.

Fixes FS#47362.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-12-13 21:19:31 +01:00
Lukas Fleischer
5931d5ceec Save comment when closing requests
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-12-13 10:22:58 +01:00
Mark Weiman
7d4c0c9ffa Implement capability to pin comments above others
Adds capability to pin comments before others.

Implements FS#10863.

Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-12-12 15:09:47 +01:00
Stefan Auditor
24734d06ce Shorten Email column to 254 characters
Using unique indexes on VARCHAR fields with a character count of more
than 255 produces an error in MySQL with InnoDB tables and UTF-8
encoding.

Also, as per https://www.rfc-editor.org/errata_search.php?eid=1690, the
maximum length for email addresses is limited to 254 characters.

Fixes FS#47038.

Signed-off-by: Stefan Auditor <stefan.auditor@erdfisch.de>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-11-12 11:47:20 +01:00
Lukas Fleischer
d52b2f50b9 Support long email addresses
According to RFC 3696 (and the associated errata), an email address can
be up to 256 characters long. Change the database field and the length
limit on all input fields accordingly.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-25 10:57:46 +01:00
Lukas Fleischer
16765d5532 Track providers in the official repositories
Maintain a list of virtual provisions of packages from the official
binary package repositories. The list can be updated using the aurblup
script, e.g. via a cronjob.

This allows for adding proper links to package dependencies: If an AUR
package depends on a package from the official repositories (or on a
name provided by a package from the official repositories), add a link
to the corresponding archweb package details page. If an AUR package
depends on another AUR package (or on a name provided by another AUR
package), add a link to the corresponding aurweb package details page.
Otherwise, just display the name and do not add a link at all.

Fixes FS#46549.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-21 22:05:42 +02:00
Marcel Korpel
d5d08b8f92 Add option to hide one's email address
Implements FS#42343.

Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-20 22:01:23 +02:00
Marcel Korpel
0478a0a2da Fix type of FlaggerUID in table PackageBases
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-19 15:19:16 +02:00
Lukas Fleischer
396e50bdc8 Require comments when flagging packages out-of-date
Implements FS#42827.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-11 22:14:26 +02:00
Lukas Fleischer
e1a258bd83 Remember user ID when flagging package bases
Add a new FlaggerUID field to the database and use it to store the user
ID of the account who recently flagged a package out-of-date.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-30 16:44:12 +02:00
Marcel Korpel
e331ce273c Support comment editing in the backend
Create two new actions, do_AddComment and do_EditComment. When editing
or deleting a comment, a timestamp is added.

Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 12:59:24 +02:00
Lukas Fleischer
b036b436aa Add support for multiple SSH public keys
Attaching more than one SSH public key to the same account is useful,
e.g. if one uses different machines to access the AUR SSH interface.
Multiple keys can now be specified by adding multiple lines to the text
area on the account edit form.

Implements FS#45469.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Acked-by: Leonidas Spyropoulos <artafinde@gmail.com>
2015-06-27 13:04:03 +02:00
Johannes Löthberg
61cdf09cd0 Make url and pkgdesc fields optional
The url and pkgdesc PKGBUILD variables are optional, so they should be
in the AUR as well.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-20 14:29:43 +02:00
Marcel Korpel
cb19c4a50e reloadtestdb.sh: Use aurweb as main directory
By default, aurweb is cloned into the aurweb directory nowadays.

Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-17 10:40:24 +02:00
Marcel Korpel
86ee7b1c6b gendummydata.py: Remove CategoryID from dummy data
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-16 23:12:22 +02:00
Lukas Fleischer
2284cb3e4a Store 10 significant digits of the popularity score
Even if we only display two digits after the decimal point, storing more
digits internally allows us to order the search results more accurately.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-15 22:37:45 +02:00
Leonidas Spyropoulos
e1d92e05f2 Adding PackagerUID to the generated dummy data
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-14 21:54:53 +02:00
Lukas Fleischer
5fb7a74e23 Replace categories with keywords
Remove package base categories. Instead, users can now specify up to
twenty custom keywords that are taken into consideration when searching.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-14 17:58:55 +02:00
Lukas Fleischer
824744f1d2 Add a field for package base popularity
Create a new field Popularity in the PackageBases table. The field is
updated by the popupdate script and reflects the popularity of a
package. Popularity is the sum of all votes with each vote being
weighted with a factor of 0.98 per day since its creation.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-11 18:59:52 +02:00
Lukas Fleischer
2b909cb3f6 Store co-maintainer priorities
In addition to saving the list of package co-maintainers, also save
their order. This makes it possible to define a "primary" co-maintainer.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-05-22 17:09:26 +02:00
Lukas Fleischer
fc23a9bd50 Add support for package base co-maintainers
This allows for having multiple co-maintainers for AUR packages.
Co-maintainers have push access to the package base Git repository but
are not allowed to change the package base category, disown the package
or modify the list of co-maintainers. The primary maintainer of an AUR
package can edit the list of co-maintainers from the Package Actions
box.

Implements FS#17911.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2015-01-07 12:21:21 +01:00
Lukas Fleischer
253e76d8cc Add support for adding SSH public keys to profiles
Users can now add an SSH public key on the account edit page. This will
later be used to authenticate users via SSH.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-12-27 12:42:12 +01:00
Shinya Yamaoka
d3caf42301 Fixes incorrect SQLs on generating dummy data.
The number of columns in the SQLs doesn't match the number of rows,
so an error like below occurs:

ERROR 1136 (21S01) at line 50929: Column count doesn't match value count
at row 1

Signed-off-by: Shinya Yamaoka <contact@mail.libmacro.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-12-13 16:29:15 +01:00
Lukas Fleischer
a0a5230708 Add a "wayland" package category
Implements FS#41372.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-10-17 09:55:13 +02:00
Lukas Fleischer
e9ebcc4479 Add a time stamp to package base votes
This can potentially be used to identify trending packages.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-10-16 18:15:45 +02:00
Lukas Fleischer
a1bee1a21e Add support for architecture-specific sources
As a follow-up to 4d7da95 (Add support for architecture-specific fields,
2014-08-10), handle architecture-specific source fields as well.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-10-10 12:29:18 +02:00
Lukas Fleischer
4d7da95906 Add support for architecture-specific fields
This adds support for architecture-specific dependencies and relations.
Support for this has recently been added to makepkg, see commit 2b556d8
(PKGBUILD: handle arch specific attributes, 2014-07-25) in the pacman
repository for details.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-08-10 12:32:46 +02:00
Lukas Fleischer
3610f3c6a4 Add a new user group "Trusted User & Developer"
This group has full permissions on everything.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-15 22:58:57 +02:00
Lukas Fleischer
bcc6a959df aur-schema.sql: Use tabs for indentation everywhere
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-30 08:23:54 +02:00
Lukas Fleischer
91e6b5cb2f Add support for merge requests
This adds a new "Merge" category to the list of available request types
and also adds a new "Merge into" field that is hidden via JavaScript
when "Deletion" or "Orphan" is selected.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-25 11:38:02 +02:00
Lukas Fleischer
fc1db28c9b Allow for closing package requests
This allows Trusted Users to close package requests via the request
list. Also, entries are now sorted such that open requests are shown
before closed requests.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-25 11:34:31 +02:00
Lukas Fleischer
48cc8207bf Add support for filing package requests
Add a new entry to the package actions box that allows for filing
deletion and orphan requests. When choosing that action, the user is
redirected to a new page that allows for selecting a request type and
entering a comment. When submitting the request, a new entry in the
request database is created and an email is sent to a configurable
mailing list (defaults to aur-general).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-25 11:31:11 +02:00
Lukas Fleischer
7a5bfd83c4 Increase the size of several database fields
Several fields turned out to be too small (e.g. when long package
versions are used in VCS packages). Since the type of all affected
fields is VARCHAR, there is no reason to keep them as small as possible.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-05 15:12:10 +02:00
Lukas Fleischer
a93363ac08 Add a packager field to packages
Store the last packager in addition to storing the submitter and the
maintainer of a package. This allows for checking who last updated a
package, even if the package has been disowned.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-06 20:52:32 +02:00