Instead of calling check_sid() from every single PHP script representing
a web page, add the call to aur.inc.php which is sourced by all of them.
Also, remove set_lang() calls from the scripts since these are also
already included in aur.inc.php.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Rename the project to help differentiate between the software providing
access to the Arch User Repository and the collection of source packages
itself.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Add a new function has_credential() that checks whether the currently
logged in user is allowed to perform a given action. Moving all
permission handling to this central place makes adding new user groups
and adjusting permissions much more convenient.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
According to Trusted User Bylaws, TUs (and only TUs) must take part in
votes. Developers who want to take part in votes should set their account
type to 'Trusted User'.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
The page this links to allows for adding an item to the list of current
votes. Move the link accordingly.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This shows a list of all Trusted Users and the vote ID of the last
proposal each of the TUs voted on. This list is sorted by vote ID.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
An ended vote details page will report a user hasn't voted even when
they have. This is a result of faulty logic that only checks if a user
has voted if the vote is still running.
Regression with commit c15441762c6f6ab4438eaf2854c0ee3146a98b30
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Move DB code in tu.php and tu.php and tu_list.php to new functions in
accfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Change all boxes and other CSS to match archweb
* General fixups in XHTML formatting
* Change results table to match color scheme everywhere else
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
A mix of logical operator styles are currently in use. The predominant style
uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency
is minor, but is easily avoided.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
make the sql query form consistent in usage by cleaning up instances
where db_query's result was not inspected before attempting to fetch row
data from the handle
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Fix a lot of invalid XHTML in the templates and actions. There might
still be some legacy code left, but this should cover most of it.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
All of these are sourcing function libraries so we don't need to include
them more than once. Things that insert actual HTML into the output were
left calling include().
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
This includes only the requested language for each page and
makes top level language include files obsolete.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Show ten votes per page instead of five.
Change the vote preview to 75 characters so entries fit better
in the table.
Remove [More] links and make the description itself a link.
Clean up a couple notices.
Send unauthorised users to index.php.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
All the strings are set up to be translated now, HTML of tu.php has been
moved to templates and the worst of it rewritten (there's no longer a
massive function in it)
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
