- 20 Feb, 2021 4 commits
-
-
This feature was originally introduced by f961ffd9 as a fix for FS#12898 <https://bugs.archlinux.org/task/12898>. As of today, it is broken because of the `q.SessionID IS NULL` condition in the WHERE clause, which can’t be true because SessionID is not nullable. As a consequence, the session limit was not applied. The fact that the absence of the session limit hasn’t caused any issue so far, and hadn’t even been noticed, suggests the feature is unneeded.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Error outputs were piped to a temporary buffer that wasn’t read by anyone, making debugging hard because errors were completely silenced. By not explicitly redirecting stderr on proc_open, the subprocess inherits its parent stderr.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
We usually guard such queries and have both mysql and sqlite branches. But I have not implemented the sqlite branch. Given sqlite is typically used for local dev setups, the fact that "users with more than the configured max simultaneous logins" can avoid getting some logins annulled is probably not a huge risk. And this always *used* to fail on sqlite, silently. Now, in php 8, it raises PDOException, which prevents running the test server. Document this as a FIXME for now, until someone reimplements the query for sqlite.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 13 Feb, 2020 1 commit
-
-
The try_login() function documents it returns an array containing an 'error' key, and our only caller *only* consults the 'error' key. Then the function returns null instead of an array, if the login succeeded! I question why we bother returning the new SID if we never use it, surely we could either return the error or return default null. But, for now, I'm just going to fix it to return what it's actually supposed to, without changing the API.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 02 Feb, 2020 2 commits
-
-
Lukas Fleischer authored
Support secondary email addresses that can be used to recover an account in case access to the primary email address is lost. Reset keys for an account are always sent to both the primary and the backup email address.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
In addition to supporting email addresses in the reset key form, also support user names. The reset key is then sent to the email address in the user's profile.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 30 Jan, 2020 4 commits
-
-
Lukas Fleischer authored
Since commits daee20c6 (Require current password when setting a new one, 2020-01-30) and 8fc8898f (Require password when deleting an account, 2020-01-30), changing a password and deleting an account require the current password. Extend this to all other profile changes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
Roll back an accidental change that sneaked into commit daee20c6 (Require current password when setting a new one, 2020-01-30).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 05 Oct, 2019 2 commits
-
-
Lukas Fleischer authored
With the previous implementation, unlucky users could have their CAPTCHA be invalidated by a single account creation while filling out their account registration form. Make this more robust by allowing up to five account registrations before rejecting a CAPTCHA salt.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
Add a CAPTCHA to protect against automated account creation. The CAPTCHA changes whenever three new accounts are registered.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 06 Aug, 2018 1 commit
-
-
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 03 Dec, 2017 1 commit
-
-
Lukas Fleischer authored
Since commit 4efba18f (Only allow valid HTTP(s) URLs as home page, 2017-11-05), the home page field in the account settings must be a valid URL. However, this new check prevents from leaving the field empty. Keep the check in place but skip it if the home page field is left empty. Fixes FS#56550.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 05 Nov, 2017 1 commit
-
-
Lukas Fleischer authored
The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 01 Aug, 2017 1 commit
-
-
Lukas Fleischer authored
When removing an account, remove the user from all last packager fields before deletion to make sure that no package bases are deleted, even if propagation constraints are missing. Fixes FS#53956.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 30 Apr, 2017 1 commit
-
-
Lukas Fleischer authored
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 18 Apr, 2017 1 commit
-
-
Lukas Fleischer authored
Instead of unconditionally calling fetch on the return value of query(), error out early if the value evaluates to false. Also, make sure that the results array is always initialized, even if the result set is empty.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 27 Feb, 2017 4 commits
-
-
Lukas Fleischer authored
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
The $salt variable is no longer needed as of 29a48708 (Use bcrypt to hash passwords, 2017-02-24).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
Fixes a regression introduced in 608c4830 (Add user set timezones, 2017-01-20).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 24 Feb, 2017 1 commit
-
-
Lukas Fleischer authored
Replace the default hash function used for storing passwords by password_hash() which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in. Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting. Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 25 Jan, 2017 1 commit
-
-
Lukas Fleischer authored
Inspired by commit 32c8d0c3 (Store last login address as plain text, 2016-03-13).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 20 Jan, 2017 2 commits
-
-
Currently, when a user edits their language setting from the edit user form, the changes aren't reflected until the user either lets the original cookie expire, deletes the cookie manually, or changes the language a second time via the dropdown menu on the top of the page. This patch makes the language cookie get updated when it is changed from the edit user form.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Currently, aurweb displays all dates and times in UTC time. This patch adds a capability for each logged in user to set their preferred timezone. Implements FS#48729.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 10 Nov, 2016 1 commit
-
-
UNIX_TIMESTAMP is not part of the SQL standard. Instead, all usage in the web interface is changed to use PHP's time() function.
Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 08 Jun, 2016 1 commit
-
-
Lukas Fleischer authored
Allow users to add a link to their homepage to their profile. Implements FS#22774.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 13 Mar, 2016 1 commit
-
-
Lukas Fleischer authored
Directly store the information contained in $_SERVER['REMOTE_ADDR'] instead of using ip2long() which does not support IPv6 addresses. Note that the LastLoginIPAddress field is designed to be used by the administrator on rare occasions only (e.g. to fight spam) and is not displayed anywhere. Fixes FS#48557.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 21 Feb, 2016 1 commit
-
-
Lukas Fleischer authored
Add a new option that makes it possible to subscribe to package ownership changes (adoption/disownment). Fixes FS#15412.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 07 Feb, 2016 3 commits
-
-
Lukas Fleischer authored
Introduce a new notification option to receive notifications when a new commit is pushed to a package repository. Implements FS#30109.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
Add a configuration option to the account edit page that allows for globally enabling/disabling package base comment notifications.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
As a preparatory step to adding support for package notifications on events other than comments, rename the database table accordingly.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 13 Dec, 2015 1 commit
-
-
Lukas Fleischer authored
Directly retrieve comments from the database instead of additionally passing them via stdin. Fixes FS#46742.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 14 Nov, 2015 1 commit
-
-
Lukas Fleischer authored
Add a configuration option to set the path of the notification script.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 20 Sep, 2015 1 commit
-
-
Implements FS#42343.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 11 Sep, 2015 2 commits
-
-
Lukas Fleischer authored
Accept both user names and email addresses in the login prompt.
Suggested-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
Lukas Fleischer authored
This helper function was almost 100% identical to uid_from_username(). Switch to using uid_from_username(), which has a much better name and implementation, everywhere.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-
- 08 Aug, 2015 1 commit
-
-
Don't print messages (and the account form) in process_account_form() anymore, but return them to the caller. When updating accounts, this function will be called before the headers are written. If a username has been changed by process_account_form(), the headers now show the updated username from the database in the 'My Account' link. Clicking on it immediately after changing a username will no longer lead to a non-existing URL.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-