This commit halves MAX_USERS and MAX_PKGS, in addition
to setting OPEN_PROPOSALS to 15 and CLOSE_PROPOSALS to 50.
A few counts are now configurable via environment variable:
- MAX_USERS, default: 38000
- MAX_PKGS, default: 32000
- OPEN_PROPOSALS, default: 15
- CLOSE_PROPOSALS, default: 15
Signed-off-by: Kevin Morris <kevr@0cost.org>
As of Python updates, we are no longer considering rows with
empty salts to be legacy hashes. Update gendummydata.py to
generate salts for the legacy passwords it uses with
salt rounds = 4.
Signed-off-by: Kevin Morris <kevr@0cost.org>
As per our regex and policies, usernames should consist of
ascii alphanumeric characters and possibly (-, _ or .).
gendummydata.py was creating unicode versions of some
usernames and adding them into the DB. With our newfound
collations, this becomes a problem as it treats them as
the same.
This should have never been the case here, and so,
gendummydata.py has been patched to normalize all of its
usernames and package names.
Signed-off-by: Kevin Morris <kevr@0cost.org>
The new schema was generated with sqlacodegen and then manually adjusted
to fit schema/aur-schema.sql faithfully, both in the organisation of the
code and in the SQL generated by SQLAlchemy.
Initializing the database now requires the new tool aurweb.initdb.
References to aur-schema.sql have been updated and the old schema
dropped.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Support secondary email addresses that can be used to recover an account
in case access to the primary email address is lost. Reset keys for an
account are always sent to both the primary and the backup email
address.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This allows us to prevent users from hammering the API every few seconds
to check if any of their packages were updated. Real world users check
as often as every 5 or 10 seconds.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Use `/usr/bin/env python3` instead of `/usr/bin/python3` in the shebang
of Python scripts. This adds support for non-standard Python interpreter
paths such as the paths used in virtualenv environments.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
PackageBases.FlaggerComment and PackageComments.RenderedComment cannot
be NULL and would cause problems in the output file for sqlite users.
This patch adds empty strings ("") as values for these fields.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This allows for adding Terms of Service documents to the database that
registered users need to accept before using the AUR. A revision field
can be used to indicate whether a document was updated. If it is
increased, all users are again asked to accept the new terms.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Instead of converting package comments from plain text to HTML code when
they are displayed, do the conversion when the comment is posted and
store the rendered result in the database. The conversion itself is done
by a Python script which uses Bleach for sanitizing the text.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Split optional dependency descriptions from dependency names before
storing them in the database and use a separate column to store the
descriptions.
This allows us to simplify and optimize the SQL queries in
pkg_dependencies() as well as pkg_required().
Suggested-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
>From the mysql 5.7 breaking change page:
Columns in a PRIMARY KEY must be NOT NULL, but if declared explicitly as
NULL produced no error. Now an error occurs. For example, a statement
such as CREATE TABLE t (i INT NULL PRIMARY KEY) is rejected. The same
occurs for similar ALTER TABLE statements. (Bug #13995622, Bug #66987,
Bug #15967545, Bug #16545198)
References:
http://stackoverflow.com/a/22314073
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
When running in strict mode, mysql throws an error upon encountering
these definitions since they are not supported.
References:
https://dev.mysql.com/doc/refman/5.7/en/data-type-defaults.html
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Sqlite3 does not support the MD5 function like MySQL does, instead of the
database program hash the passwords, have Python's hashlib module do it
instead.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Allow for automatically converting the schema into a schema that works
with SQLite by running `make` from the schema/ subdirectory. Use the new
Makefile in the test suite.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Modify the schema such that it only creates the necessary tables,
indices and predefined data. This makes it easier to import the schema
into a database with a name other than "AUR".
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Replace the default hash function used for storing passwords by
password_hash() which internally uses bcrypt. Legacy MD5 hashes are
still supported and are immediately converted to the new format when a
user logs in.
Since big parts of the authentication system needed to be rewritten in
this context, this patch also includes some simplification and
refactoring of all code related to password checking and resetting.
Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
In addition to logging the last login date and IP address on the web
interface, store the time stamp and IP address of the last SSH login in
the database.
This simplifies user banning if one of the new SSH interface features,
such as the voting mechanism implemented in 7ee2fdd (git-serve: Add
support for (un-)voting, 2017-01-23), is abused.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Currently, aurweb displays all dates and times in UTC time. This patch
adds a capability for each logged in user to set their preferred
timezone.
Implements FS#48729.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
According to RFC 7230, URLs can be up too 8000 characters long. Resize
all URL fields accordingly.
Also, add a test to verify that URLs with more than 8000 characters are
rejected by the update hook.
Reported-by: Andreas Linz <klingt.net@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
* Remove test accounts.
* Create indices using CREATE INDEX.
* Always use INTEGER UNSIGNED for IDs.
* Always use BIGINT UNSIGNED for timestamps.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
The language code for Latin American Spanish is es_419, which is longer
than the 5 characters previously allowed.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Commits 6ec4a35 (Send notifications when changing ownership, 2016-02-21)
and e3670ef (Add a homepage field to accounts, 2016-06-02) forgot to
change some usages of display_account_form() and process_account_form()
to account for the new parameter. The former also forgot to add the new
column to the database schema.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Directly store the information contained in $_SERVER['REMOTE_ADDR']
instead of using ip2long() which does not support IPv6 addresses. Note
that the LastLoginIPAddress field is designed to be used by the
administrator on rare occasions only (e.g. to fight spam) and is not
displayed anywhere.
Fixes FS#48557.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Introduce a new notification option to receive notifications when a new
commit is pushed to a package repository.
Implements FS#30109.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Add a configuration option to the account edit page that allows for
globally enabling/disabling package base comment notifications.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
As a preparatory step to adding support for package notifications on
events other than comments, rename the database table accordingly.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Makes FlaggerComments a TEXT field to be more consistent with package
comments.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Instead of modifying EditedTS when a comment is deleted, use a separate
field DelTS. Use this field to determine whether a comment has been
deleted, instead of checking DelUsersID which might be unset when the
corresponding user is deleted.
Fixes FS#47362.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Using unique indexes on VARCHAR fields with a character count of more
than 255 produces an error in MySQL with InnoDB tables and UTF-8
encoding.
Also, as per https://www.rfc-editor.org/errata_search.php?eid=1690, the
maximum length for email addresses is limited to 254 characters.
Fixes FS#47038.
Signed-off-by: Stefan Auditor <stefan.auditor@erdfisch.de>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
According to RFC 3696 (and the associated errata), an email address can
be up to 256 characters long. Change the database field and the length
limit on all input fields accordingly.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Maintain a list of virtual provisions of packages from the official
binary package repositories. The list can be updated using the aurblup
script, e.g. via a cronjob.
This allows for adding proper links to package dependencies: If an AUR
package depends on a package from the official repositories (or on a
name provided by a package from the official repositories), add a link
to the corresponding archweb package details page. If an AUR package
depends on another AUR package (or on a name provided by another AUR
package), add a link to the corresponding aurweb package details page.
Otherwise, just display the name and do not add a link at all.
Fixes FS#46549.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
