Add a package ID parameter to pkg_change_category() instead of relying
on the "ID" or "N" GET parameters.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Setting GET parameters manually is bad style and causes some strange
side effects when using virtual URLs and mkurl().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is more user-friendly than supporting package IDs only and can be
used as a basis to support direct links to AUR packages in places where
links are computer-produced (e.g. Wiki templates).
Addresses FS#21600 and FS#28839.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Merge all comments and votes of deleted packages into another package if
the "Merge with" field is used. Duplicate votes (votes from a user who
already voted on the target package or voted on more than one of the
deleted packages) are discarded.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We trusted the values we pulled out of the IDs array and never coerced
them to integers, passing them to the backend unescaped and uncasted.
Ensure they are treated as integers only and validate the resulting
value is > 0.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
All of these are sourcing function libraries so we don't need to include
them more than once. Things that insert actual HTML into the output were
left calling include().
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Also changed it around a little bit so it's not tied down the search results function
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
This includes only the requested language for each page and
makes top level language include files obsolete.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Just displays message at the top of the page of what happened (errors or not) and goes back to the same page
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Package functions use a normal array of pkgids now and packages.php has been changed to accomodate for it
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Also modify the way notification is done. Instead of toggling
notification, users can explicitly notify or unnotify.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
This (should) get rid of anything to do with the unused column AURMaintainerUID
in the scripts and schema files
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Signed-off-by: Simo Leone <simo@archlinux.org>
It was broken and hardly used. It's just as easy
to add short print statements or logging if
some debugging output is needed.
Signed-off-by: Simo Leone <simo@archlinux.org>
Moves the action bar down to the bottom right of the search results and turns it
into a drop-down selection box.
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Signed-off-by: Simo Leone <simo@archlinux.org>
Cleans up links on front page, adds a TU link to the header to the voting
application, fixes some titles and styling for logged in text
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Verbose page titles again
Adds support for more verbose page titles based on current
page and action by user and removes sort by options from
search form as they're obsolete by column links.
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
This is a patch that fixes a lot of little things:
* We no longer have pkgsearch or pkgdetails link functions and all
references to them are gone, that's what a back button is for and if
we really need it we can come up with something better
* No longer have do_Details variable, this means links on the package
search are simply ?ID=foo
* On the pkgdetails pages when there are either no deps, deps by,
sources or comments for a package the list for each will display
"None" instead of nothing at all (ruining the layout)
* Fixed a bug where if a package had no sources or no deps
pkgsubmit.php would submit an empty one
* Translation of the word "Search'" has been changed to "Search"
Most of these relate to each other.
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Adds a column to search results showing if a package has comment
notification enabled and adds support for toggling notify for
multiple packages from search
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
This is to add support for either devs or TUs to disown packages
whether they own them or not. I know of countless times where I or
another TU have been asked to orphan packages for someone and end up
having to adopt the package first and then disown it, this gets really
tedious for more than one package. As far as I can tell there's no
other way to disown packages you don't own and if there is at least
this is a more obvious way, pretty sure I didn't leave anything out in
the patch.
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Simo's original commit text:
The idea of safe flagging is unclear, poorly named, misunderstood,
and not even used. At the time this patch was created, less than
a third of the packages in unsupported were flagged safe, and less
than a tenth of users knew how to interpret it.
The safe flag has been replaced by a disclaimer on the main page.
