- 08 Aug, 2015 2 commits
-
-
Don't print messages (and the account form) in process_account_form() anymore, but return them to the caller. When updating accounts, this function will be called before the headers are written. If a username has been changed by process_account_form(), the headers now show the updated username from the database in the 'My Account' link. Clicking on it immediately after changing a username will no longer lead to a non-existing URL.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
This fixes a bug where the new user name input by the user was invalid, causing the account deletion link and the form action to be wrong.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 27 Jun, 2015 2 commits
-
-
Lukas Fleischer authored
Attaching more than one SSH public key to the same account is useful, e.g. if one uses different machines to access the AUR SSH interface. Multiple keys can now be specified by adding multiple lines to the text area on the account edit form. Implements FS#45469.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Acked-by: Leonidas Spyropoulos <artafinde@gmail.com>
-
Lukas Fleischer authored
Until now, we used the same unit to register and edit accounts. Split these features into separate source files for clarity. This also allows us to redirect to the home page when a logged-in user tries to access the registration page.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 09 Jun, 2015 1 commit
-
-
Lukas Fleischer authored
Remove the _delete and _disown suffixes from HTTP POST confirmation parameters.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 31 May, 2015 1 commit
-
-
Lukas Fleischer authored
Now that we have a short explanation on how we use the SSH public key, we can show that field on the registration page.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 04 Feb, 2015 1 commit
-
-
Lukas Fleischer authored
Rename the project to help differentiate between the software providing access to the Arch User Repository and the collection of source packages itself.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 27 Dec, 2014 1 commit
-
-
Lukas Fleischer authored
Users can now add an SSH public key on the account edit page. This will later be used to authenticate users via SSH.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 13 Dec, 2014 1 commit
-
-
Lukas Fleischer authored
Suggested-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 29 Jul, 2014 1 commit
-
-
Lukas Fleischer authored
Pass the right parameters to display_account_form() and process_account_form() when showing/processing the registration form. Fixes a regression introduced in 03c6304e (Rework permission handling, 2014-07-15).
Reported-by: Karthik K <hashken.distro@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 25 Jul, 2014 1 commit
-
-
Lukas Fleischer authored
Users can now delete their own accounts by clicking a link in the account edit form and confirming the deletion on a follow-up page.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 15 Jul, 2014 1 commit
-
-
Lukas Fleischer authored
Add a new function has_credential() that checks whether the currently logged in user is allowed to perform a given action. Moving all permission handling to this central place makes adding new user groups and adjusting permissions much more convenient.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 27 Aug, 2013 1 commit
-
-
Lukas Fleischer authored
Instead of defaulting to Català (which is the first entry in the list of supported languages), choose whatever language the unregistered user is browsing the AUR in. Fixes FS#34825.
Suggested-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 22 Aug, 2013 1 commit
-
-
Lukas Fleischer authored
This adds a field to the users table and corresponding fields to the account edit and display forms that allow for setting an (in-)activity status. This might turn out to be useful if a user is on vacation and can not respond to update/orphan/deletion requests.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 24 Apr, 2013 1 commit
-
-
canyonknight authored
The search_accounts_form() wrapper function doesn't have any arguments and only makes it unclear what is happening within account.php.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 19 Mar, 2013 1 commit
-
-
Lukas Fleischer authored
Remove the password field from the account creation form and always send a password reset request via e-mail instead. This ensures that only users with valid e-mail addresses are able to log in.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 10 Feb, 2013 3 commits
-
-
Lukas Fleischer authored
We used a mixture of account type IDs and account type descriptions on the account edit page. This resulted in the account type field always defaulting to "Normal user" after an invalid form had been submitted. Consistently use account type IDs to avoid this.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Since all database related functions will establish a connection when needed, there is no need to pre-emptively try and establish a database connection.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect().
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 30 Jan, 2013 1 commit
-
-
canyonknight authored
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 29 Nov, 2012 1 commit
-
-
canyonknight authored
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 17 Sep, 2012 1 commit
-
-
canyonknight authored
* Restructure account.php to remove redundant code.
* Remove own_account_details().
* Rework logic check to default to no access to account edit form.
* Make default account action viewing account info.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 06 Jul, 2012 4 commits
-
-
canyonknight authored
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML out of the display_account_info function that echoes the code, and moves it to the new account_details.php template file.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
* Move DB code in account.php to new functions in acctfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
* Consolidate redundant SQL statements from DisplayAccount and AccountInfo
* Consolidation also adds ability to edit accounts based on username
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
canyonknight authored
* Use CSS from archweb
* General clean-up of XHTML formatting
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
-
- 24 Jun, 2012 1 commit
-
-
canyonknight authored
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 24 Mar, 2012 2 commits
-
-
Lukas Fleischer authored
Addresses FS#9582 and FS#21600.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
This is handy for verifying the PGP key of new Trusted Users. Also, this could potentially be used as a basis to allow signed package uploads in the future. Implements FS#29028.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 25 Oct, 2011 1 commit
-
-
Lukas Fleischer authored
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts: web/lib/aur.inc.php
-
- 24 Oct, 2011 2 commits
-
-
Lukas Fleischer authored
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
Dan McGee authored
We already show it in the account listing page as well, so we should show it here too. Also use a standard date format; we weren't using this non-punctuated format anywhere else.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 22 Jun, 2011 1 commit
-
-
elij authored
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 13 Apr, 2011 1 commit
-
-
Lukas Fleischer authored
Do this in preparation for the upcoming notification script removal.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 04 Mar, 2011 1 commit
-
-
Dan McGee authored
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-
- 11 Aug, 2009 1 commit
-
-
Dan McGee authored
All of these are sourcing function libraries so we don't need to include them more than once. Things that insert actual HTML into the output were left calling include().
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
-
- 19 Jan, 2009 1 commit
-
-
Loui Chang authored
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
-
- 21 Dec, 2008 1 commit
-
-
Loui Chang authored
This includes only the requested language for each page and makes top level language include files obsolete.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
-
- 17 Jun, 2008 1 commit
-
-
Loui Chang authored
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
-
- 23 Mar, 2008 1 commit
-
-
Loui Chang authored
Utilise login form template. Also cleaned up a couple notices.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Signed-off-by: Simo Leone <simo@archlinux.org>
-