Add a new function has_credential() that checks whether the currently
logged in user is allowed to perform a given action. Moving all
permission handling to this central place makes adding new user groups
and adjusting permissions much more convenient.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Package actions now operate on package bases instead of packages. Move
all actions to the correct locations.
This also fixes some issues with comment notifications.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Move comments from the Packages table to PackageBases. Sharing comments
makes sense since they almost always refer to a source package.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This allows for removing users without also removing the corresponding
comments. Instead, all comments from deleted users will be displayed as
"Anonymous comment".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
The delete button is currently on a separate line. Change some logic
to allow for the button to be on the same line as poster info.
Reported-by: Dave Reisner <d@falconindy.com>
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Avoid adding "?comments=all" more than once if the "Latest Comments"
link is clicked multiple times.
Reported-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Navigation to the "AccountInfo" page should only require a user to know the
username of the account they are looking for. Update all AUR links that use
the user info page to reflect the new URL.
Before:
AUR_URL/account/?Action=AccountInfo&U=userfoo
After:
AUR_URL/account/userfoo
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Add a missing quote to the "alt" attribute. Regression introduced in
d8b2eb4b62.
* Retrieve and store the package name before overwriting the "$row"
variable.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Fix a notice that appeared if comments were available and the package
was requested by name. See 07d3649c2d for
a similar fix for links to the voters page.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Extend the routing front/back ends to allow for using
"/package/$pkgname/" for individual packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is needed for our new URI scheme, since we will use virtual
directories, such as "/packages/" instead of "/packages.php" etc.
Having relative URIs results in incorrect paths, such as
"/packages/css/aur.css" (instead of "/css/aur.css").
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Limit PHP echoing XHTML as much as possible, and use pure XHTML
* Switch to alternative syntax in control structures for better readability of
inter-mixed XHTML
* Remove box for every comment and switch to archweb news post style
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We fixed this for the fields displayed on the package details page in
commit b5fffe9a02cd4fd3b7da66e403f02eea89c8fcad. This should fix the
remaining ones.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is more user-friendly than supporting package IDs only and can be
used as a basis to support direct links to AUR packages in places where
links are computer-produced (e.g. Wiki templates).
Addresses FS#21600 and FS#28839.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Fix a lot of invalid XHTML in the templates and actions. There might
still be some legacy code left, but this should cover most of it.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Comments are now split at link boundaries and links are converted
separately. I find this to be a much cleaner way than re-converting
comments that have already been converted using htmlspecialchars(). This
also doesn't require any callback procedure.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
It's performance improvement day today. For non-superusers, we were hitting
the database twice per comment on a package- once to get the UID, and once
to check the owner of the comment. The best part is we already knew the
owner of the comment, and we only need to get our own UID once.
For viewing a package like yaourt, this cuts a single pageview from over 700
queries to around 18, which is still not great but a pretty big improvement.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
