- 10 Feb, 2013 2 commits
-
-
canyonknight authored
All functions now have a database connection method that will use the same database connection. This imitates the functionality of passing a database connection as an argument and makes it redundant.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect().
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 30 Jan, 2013 8 commits
-
-
Lukas Fleischer authored
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
-
canyonknight authored
An error message is printed when the number of affected rows is 0 for an edited account. A count of 0 doesn't imply an error, only that no changes were made in the database.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Occurs in the rare situation where a logged out user tries to POST a CSRF token.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 19 Jan, 2013 8 commits
-
-
Lukas Fleischer authored
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
This is already done in header.php; doing this double will result in & in title element
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Implements FS#33294
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Use Twitter Bootstrap JavaScript framework for typeahead support. Add a new "suggest" JSON method, which returns the first 20 packages that match the beginning characters of a query.
canyonknight: Link format change, commit message
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 22 Dec, 2012 4 commits
-
-
Lukas Fleischer authored
-
Marcel Korpel authored
Supported languages are listed in their native language. Only Dutch is in English. Translate reference into Dutch.
canyonknight: Commit message clarity
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Users with certain locales are unable to generate dummy data. Enforce UTF-8 encoding. Fixes FS#32986
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Fortune calls slow down the generation of dummy data dramatically for large datasets. Read from a specified fortune file directly to avoid the need for the subprocess.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 07 Dec, 2012 6 commits
-
-
Lukas Fleischer authored
-
canyonknight@gmail.com authored
Currently, package flagging and unflagging takes place within the pkg_flag() function. A bool is set to true or false depending on the action. Create new pkg_unflag() function with sole purpose of unflagging and keep pkg_flag() in place. This split will be useful in the overhaul of the notification system.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Marcel Korpel authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 29 Nov, 2012 2 commits
-
-
canyonknight authored
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 24 Nov, 2012 2 commits
-
-
canyonknight authored
Voter page token check takes place in the same way as other existing token checks. Move the check for consistency.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 15 Nov, 2012 2 commits
-
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Packages with multiple DepConditions are returned multiple times in the "Required by" column. Limit SQL results to distinct packages. Fixes FS#32478
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 07 Nov, 2012 1 commit
-
-
Lukas Fleischer authored
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 06 Nov, 2012 1 commit
-
-
canyonknight authored
Package names and dep conditions can be specially crafted for an XSS attack. Properly sanitize these variables on the package details page. In addition, avoid including dep conditions as part of a package link.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 04 Nov, 2012 4 commits
-
-
Lukas Fleischer authored
Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable which can be manipulated and might return bogus URIs.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
Both get_pkg_uri() and get_user_uri() should always return root-relative URLs -- do not prepend another "/". Fixes FS#32460.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
Make sure we always return root-relative URIs in get_pkg_uri() and in get_user_uri() and prepend a slash ("/") if the virtual URL feature is disabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
Display a special error message if the package is identified as split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-