Frédéric Mangano-Tarumi authored Feb 02, 2020 and Lukas Fleischer committed Feb 02, 2020

First, this gets rid of the deprecation warnings Python displayed.

Second, this fixes the case where a link contained a pair of
underscores, which used to be interpreted as an emphasis because the
linkify processor ran after the emphasis processor.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Frédéric Mangano-Tarumi authored Feb 02, 2020 and Lukas Fleischer committed Feb 02, 2020

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Frédéric Mangano-Tarumi authored Feb 02, 2020 and Lukas Fleischer committed Feb 02, 2020

When an FS#123 is part of a code block, it must not be converted into a
link. FS#123 may also appear inside an URL, in which case regular
linkifaction of URLs must take precedence.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Frédéric Mangano-Tarumi authored Feb 01, 2020 and Lukas Fleischer committed Feb 02, 2020

Fixes a few edge cases:

- URLs within code blocks used to get redundant <> added, breaking bash
  code snippets like `curl https://...`

 into `curl <https://...>`.

- Links written with markdown's <https://...> syntax also used to get an
  extra pair of brackets.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Frédéric Mangano-Tarumi authored Jan 31, 2020 and Lukas Fleischer committed Feb 02, 2020

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Frédéric Mangano-Tarumi authored Jan 30, 2020 and Lukas Fleischer committed Feb 02, 2020

Turn the git-commits markdown processor into an inline processor, which
is smart enough not to convert Git hashes contained in code blocks or
links.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Addresses FS#64983.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Support secondary email addresses that can be used to recover an account
in case access to the primary email address is lost. Reset keys for an
account are always sent to both the primary and the backup email
address.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

In addition to supporting email addresses in the reset key form, also
support user names. The reset key is then sent to the email address in
the user's profile.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Since commits daee20c6 (Require current password when setting a new one,
2020-01-30) and 8fc8898f

 (Require password when deleting an account,
2020-01-30), changing a password and deleting an account require the
current password. Extend this to all other profile changes.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Further reduce the attack surface in case of a stolen session ID.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

When changing the password of an account, instead of asking for the old
password of the account, ask for the password of the currently logged in
user. This allows privileged users to edit other accounts without
knowing their passwords.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Rollback an accidental change that sneaked into commit daee20c6

 (Require
current password when setting a new one, 2020-01-30).

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Since commit eeaa1c3a

 (Separate text from footer in notification emails,
2020-01-04), information about unsubscribing from notifications is added
in a signature block. Fix the test cases accordingly.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Since commit eeaa1c3a

 (Separate text from footer in notification emails,
2020-01-04), information about unsubscribing from notifications is added
in a signature block. However, the code to format the email body trimmed
the RFC 3676 signature delimiter, replacing "-- " by "--". Fix this by
adding a special case for signature delimiters.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Prevent from easily taking over an account by changing the password with
a stolen session ID.

Fixes FS#65325.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Stephan Springer authored Jan 04, 2020 and Lukas Fleischer committed Jan 06, 2020

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

The Git repository URLs are not meant to be visited using a web browser.
Copy the link to the clipboard instead.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

The SQLite schema is generated automatically from the main schema and
used in the test suite.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Since commit a66c7fa6

 (notify.py: Use a/an correctly when sending request
notifications, 2019-08-09), the body of notification emails sent when
filing orphan requests refers to "an orphan request" instead of "a
orphan request".

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

We support multiple database backends. Don't require Python modules for
all backends to be installed.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Verify that the update hook exists and is executable before running Git
to prevent from broken repositories when permissions are broken.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

There's no need to use permanent storage for rate limiting information;
try to keep it in memory if caching is enabled.

From experiments with our live setup, this reduces the number of
INSERT/DELETE operations per second from 15 to almost 0. Disk writes on
the server hosting the AUR are reduced by 90% (from ~3MB/s to ~300kB/s).

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Limit the display to two decimal points for packages with a popularity
of at least 0.2.

Suggested-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

The TTL for package details can be much longer than for generic values
since they never change. Note that when an update is pushed via Git, all
packages belonging to that package base are deleted and new packages are
created.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Cache more package details if the global caching mechanism is enabled.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Cache the results of the extended fields computation if the global
caching mechanism is enabled.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

The package provider and dependency queries are quite CPU-intensive and
usually yield rather small result sets. Cache these values if the global
caching mechanism is enabled.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

With the previous implementation, unlucky users could have their CAPTCHA
be invalidated by a single account creation while filling out their
account registration form.

Make this more robust by allowing up to five account registrations
before rejecting a CAPTCHA salt.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

Add a CAPTCHA to protect against automated account creation. The CAPTCHA
changes whenever three new accounts are registered.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>