Found along with the previous commit to be a security hole in our
implementation. This commit resolves an issue regarding comment editing.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This addresses a severe security issue, which is omitted from this
git message for obscurity purposes.
Otherwise, it allows co-maintainers to see the keyword form when
viewing a package they co-maintain.
Closes#378
Signed-off-by: Kevin Morris <kevr@0cost.org>
This was incorrectly using the particular Package record's name
to format options.snapshot_uri in order to produce URLPath.
It should, instead, use the PackageBase record's name, which
this commit resolves.
Bug reported by thomy2000
Closes#382
Signed-off-by: Kevin Morris <kevr@0cost.org>
Redis's get() method can return None which makes an RPC request error
out:
File "/srv/http/aurweb/aurweb/ratelimit.py", line 103, in check_ratelimit
requests = int(requests.decode())
AttributeError: 'NoneType' object has no attribute 'decode'
Speeds up SSHPubKeys.PubKey searches in a larger database.
Fixed form of the original commit which was reverted,
1a7f6e1fa9
Signed-off-by: Kevin Morris <kevr@0cost.org>
This reverts commit 1a7f6e1fa9.
This commit broke account creation in some way. We'd still like to
do this, but we need to ensure it does not intrude on other facets.
Extra: We should really work out how this even passed tests; it
should not have.
Remove all extra whitespace when parsing Keywords to ensure we don't add
empty keywords in the DB.
Closes: #332
Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>
Reference from
github.com/PostHog/posthog/pull/4631/commits/341c28da0f6d33d6fb12fe443766a2d822ff0097
This fixes a deprecation warning regarding distutil's strtobool.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This patch does not include a javascript implementating, but
provides a pure HTML/HTTP method of paging through these lists.
Also fixes erroneous limiting. We now use a hardcoded limit of 20
by default.
Signed-off-by: Kevin Morris <kevr@0cost.org>
This patch brings in two new features:
- when viewing proposal listings, there is a new Statistics section,
containing the total and active number of Trusted Users found in the
database.
- when viewing a proposal directly, the number of active trusted users
assigned when the proposal was added is now displayed in the details
section.
Closes#323
Signed-off-by: Kevin Morris <kevr@0cost.org>
Previously, Python code was looking for suggestions based on
`%<keyword>%`. This was inconsistent with PHP's suggestion
implementation and cause more records to be bundled with a suggestion,
along with supplying misleading suggestions.
Closes#343
Signed-off-by: Kevin Morris <kevr@0cost.org>
A new option has been added for configuration of SMTP timeout:
- notifications.smtp-timeout
During tests, we can change this timeout to be small, so we aren't
depending on hardware-based RNG to pass the timeout.
Without a timeout, users can run into a long-running test for no
particular reason.
Signed-off-by: Kevin Morris <kevr@0cost.org>
People can change comaintainer ownership to suspended users if they
want to.
Suspended users cannot login, so there is no breach of security
here. It does make sense to allow ownership to be changed, imo.
Closes#339
Signed-off-by: Kevin Morris <kevr@0cost.org>
Somehow, many aur.al records of PackageVotes do not have a valid VoteTS
value. This migration fixes that issue by setting all null VoteTS
columns to the epoch timestamp.
Signed-off-by: Kevin Morris <kevr@0cost.org>
