The $salt variable is no longer needed as of 29a4870 (Use bcrypt to hash
passwords, 2017-02-24).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Replace the default hash function used for storing passwords by
password_hash() which internally uses bcrypt. Legacy MD5 hashes are
still supported and are immediately converted to the new format when a
user logs in.
Since big parts of the authentication system needed to be rewritten in
this context, this patch also includes some simplification and
refactoring of all code related to password checking and resetting.
Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
All error messages in aurjson except two end with a period. Add the
missing periods to make the messages consistent.
Signed-off-by: Michael Straube <straubem@gmx.de>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Currently, each source file which is an external link (http://,
https://, ...) is a clickable link.
This commit extends the behaviour by making files from the repository
clickable as well. The link brings the user to the corresponding cgit
page.
Also, the link to the PKGBUILD is altered to make the configuration more
consistent.
Signed-off-by: Janne Heß <jannehess@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
When a user is specified, the function only returns package requests
which are either opened by the given user or affecting packages
maintained by the given user.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
As a follow-up to commit 6cb8c04 (Implement co-maintainer search,
2017-01-26), add an option to search for both maintainers and
co-maintainers at the same time.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Add a AUR_CONFIG environment variable that can be used to specify an
alternative configuration file, similar to the feature introduced in
ecbf32f (git-interface: Add AUR_CONFIG environment variable,
2016-08-03).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
* Pass search parameters using an associative array instead of $_GET.
* Add a boolean parameter to enable and disable headers/footers.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Currently, when a user edits their language setting from the edit user form,
the changes aren't reflected until the user either lets the original cookie
expire, deletes the cookie manually, or changes the language a second time via
the dropdown menu on the top of the page. This patch makes the language cookie
get updated when it is changed from the edit user form.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Currently, aurweb displays all dates and times in UTC time. This patch
adds a capability for each logged in user to set their preferred
timezone.
Implements FS#48729.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
The quote is a leftover of legacy code and was meant to be removed by
commit e171f6f (Migrate all DB code to use PDO, 2012-08-08).
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
In commit baf8a22 (git-interface: Support SQLite as database backend,
2016-08-03), conf/config.proto was changed so that dsn_prefix was
changed to backend and this fixes this in web/lib/DB.class.php.
Since SQLite's dsn is different, this adds a check of which backend is
desired and will quit if MySQL or SQLite are not the backend selected.
SQLite2 may be supported, but is untested and will trigger an error if
used.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
UNIX_TIMESTAMP is not part of the SQL standard. Instead, all usage in
the web interface is changed to use PHP's time() function.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Since d4fe77a (Reorganize Git interface scripts, 2016-10-08), the key
components of the aurweb SSH interface are installed system-wide. Update
the default configuration path to point to a central location.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Before commit 9746a65 (Port notification routines to Python,
2015-06-27), notification emails for automatically closed requests
explicitly stated that the action was taken "automatically by the Arch
User Repository package request system". When porting the notification
routines to Python, this feature was overlooked and emails sent by the
new script always reported that the requester triggered the acceptance
or rejection of a request.
This patch reimplements the old behavior such that notifications no
longer look as if the requester had accepted the request himself.
Reported-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Introduce a configuration option max_depends which can be used to
specify a maximum number of (reverse) dependencies to display on the
package details pages.
Fixes FS#49059.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Remove a leftover var_dump() invocation that was introduced in commit
5fb7a74 (Replace categories with keywords, 2015-06-13).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Directly store the information contained in $_SERVER['REMOTE_ADDR']
instead of using ip2long() which does not support IPv6 addresses. Note
that the LastLoginIPAddress field is designed to be used by the
administrator on rare occasions only (e.g. to fight spam) and is not
displayed anywhere.
Fixes FS#48557.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
The IDs of packages are unique, so there is no need to group search
results by package ID.
Note that the GROUP BY statement in question was introduced in commit
3447dfc (Support versioned RPC queries, 2014-04-28) for no apparent
reason and could even lead to errors in various DBMS.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Add a new option that makes it possible to subscribe to package
ownership changes (adoption/disownment).
Fixes FS#15412.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
In pkg_comments.php, the $pinned variable is used to determine whether
the template is supposed to print all comments or pinned comments only.
If the $pinned variable is unset, the top 10 comments are printed,
followed by an "All comments" link. If the $pinned variable is set, the
pinned comments are printed and the "All comments" link below the
comment listing is skipped. Thus, we need to make sure that this
variable is always unset at the time we include the template to display
all comments, even if it was empty before.
Fixes FS#48194.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Introduce a new notification option to receive notifications when a new
commit is pushed to a package repository.
Implements FS#30109.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Add a configuration option to the account edit page that allows for
globally enabling/disabling package base comment notifications.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
As a preparatory step to adding support for package notifications on
events other than comments, rename the database table accordingly.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
It was hard to make it consistent with the other new icons from Open
Iconic and it hadn't much use after all.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
In PHP 7, constructor methods that have the same name as the class
they are defined in are deprecated. Use __construct instead.
http://php.net/manual/en/migration70.deprecated.php
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Instead of modifying EditedTS when a comment is deleted, use a separate
field DelTS. Use this field to determine whether a comment has been
deleted, instead of checking DelUsersID which might be unset when the
corresponding user is deleted.
Fixes FS#47362.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
When performing info or multiinfo queries, one can currently either pass
package names or package IDs as parameters. As a consequence, it is
impossible to search for packages with a numeric package name because
numeric arguments are always treated as IDs. Since package IDs are not
public anymore these days, simply remove the possibility to search by ID
in revision 5 of the RPC interface.
Fixes FS#47324.
Suggested-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Directly retrieve comments from the database instead of additionally
passing them via stdin.
Fixes FS#46742.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
