[aur-dev] [PATCH 1/3] Fix the permission check in pkgbase_adopt()
Filter the affected package bases before closing any package requests.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/pkgbasefuncs.inc.php | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index 50cb47e..d10b5ad 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -579,7 +579,25 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
 }
 }
+ /* Verify package ownership. */
 $base_ids = sanitize_ids($base_ids);
+
+ $q = "SELECT ID FROM PackageBases ";
+ $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
+
+ if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
+ /* Regular users may only adopt orphan packages. */
+ $q.= "AND MaintainerUID IS NULL";
+ }
+ if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
+ /* Regular users may only disown their own packages. */
+ $q.= "AND MaintainerUID = " . $uid;
+ }
+
+ $result = $dbh->query($q);
+ $base_ids = $result->fetchAll(PDO::FETCH_COLUMN, 0);
+
+ /* Error out if the list of remaining packages is empty. */
 if (empty($base_ids)) {
 if ($action) {
 return array(false, __("You did not select any packages to adopt."));
@@ -618,16 +636,6 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
 $q.= "SET MaintainerUID = NULL ";
 }
 $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
-
- if ($action && !has_credential(CRED_PKGBASE_ADOPT)) {
- /* Regular users may only adopt orphan packages. */
- $q.= "AND MaintainerUID IS NULL";
- }
- if (!$action && !has_credential(CRED_PKGBASE_DISOWN)) {
- /* Regular users may only disown their own packages. */
- $q.= "AND MaintainerUID = " . $uid;
- }
-
 $dbh->exec($q);
 if ($action) {
-- 
2.4.1
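Review bot: The new ownership SELECT silently discards every ID the caller may not act on and then continues with whatever remains, so a request mixing one permitted and one forbidden package base succeeds with no indication that part of it was refused, and a request consisting only of forbidden IDs is reported as "You did not select any packages", which misleads the user and hides refused attempts from anyone reading the logs. Comparing `count($base_ids)` before and after the query and returning an explicit permission error when they differ keeps the filter while making refusals visible. `$dbh->query($q)` is also used unchecked: unless the connection runs with `PDO::ERRMODE_EXCEPTION` (not visible here) a failed query yields `false` and `$result->fetchAll` is a fatal error, so `if ($result === false) { return array(false, __("...")); }` belongs between the two lines. `$uid` is concatenated into the SQL; it is presumably the integer from the session lookup earlier in pkgbase_adopt, whose body starts above this hunk, so confirm it cannot be a string there. The effect of removing the same conditions from the UPDATE is raised separately on the second hunk.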
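Review bot: Dropping `AND MaintainerUID IS NULL` / `AND MaintainerUID = $uid` from the UPDATE turns one atomic check-and-set into a SELECT followed by an unconditional UPDATE, so two regular users who both pass the ownership SELECT for the same orphan can both run the UPDATE and the last one wins, and a package base whose maintainer changes between the two statements is reassigned without a fresh check. Keeping the same conditions on the UPDATE (or running both statements in one transaction with `SELECT ... FOR UPDATE`) restores the guarantee the removed lines provided, and the pre-filtered `$base_ids` can still drive the request-closing logic that the commit message cares about. With the conditions restored, the row count returned by `$dbh->exec($q)` can be compared with `count($base_ids)` to detect a lost race instead of silently succeeding. pkgbase_adopt continues on both sides of this hunk.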
When a user disowns a package, the co-maintainer with the highest priority automatically becomes the new maintainer. When the package is disowned by a Trusted User or a Developer, the list of co-maintainers is cleared.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/pkgbasefuncs.inc.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index d10b5ad..b8da23c 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -638,6 +638,24 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
 $q.= "WHERE ID IN (" . implode(",", $base_ids) . ") ";
 $dbh->exec($q);
+ /* Update package co-maintainers when disowning a package. */
+ if (!$action) {
+ if (has_credential(CRED_PKGBASE_DISOWN)) {
+ foreach ($base_ids as $base_id) {
+ pkgbase_set_comaintainers($base_id, "");
+ }
+ } else {
+ foreach ($base_ids as $base_id) {
+ $uids = pkgbase_get_comaintainers($base_id);
+
+ $q = "UPDATE PackageBases ";
+ $q.= "SET MaintainerUID = " . $uids[0] . " ";
+ $q.= "WHERE ID = " . $base_id;
+ $dbh->exec($q);
+ }
+ }
+ }
+
 if ($action) {
 pkgbase_notify($base_ids);
 return array(true, __("The selected packages have been adopted."));
-- 
2.4.1
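Review bot: `$uids[0]` is read without checking that pkgbase_get_comaintainers() returned anything, so a regular user disowning a package base that has no co-maintainers triggers an undefined-index notice and builds `SET MaintainerUID =  WHERE ID = ...`, a syntax error that `$dbh->exec` reports as `false` (or as an exception, depending on the PDO error mode) after the preceding UPDATE has already disowned the package. Wrap the promotion in `if (count($uids) > 0) { ... }` so the no-co-maintainer case simply leaves MaintainerUID NULL, and cast the value before concatenating it, `intval($uids[0])`, since the helper's return type is not visible in this hunk. The promoted co-maintainer is also left in the co-maintainer list; whether that is intended deserves a comment on the else branch. pkgbase_adopt starts and ends outside this hunk.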
The disown link in the package actions box leads to a new page (pkgdisown.php) that can be used to confirm package disowning.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/html/index.php | 4 ++--
 web/html/pkgdisown.php | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 web/html/pkgdisown.php
diff --git a/web/html/index.php b/web/html/index.php
index fad1d2f..0275d0a 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -45,8 +45,8 @@ if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 $_POST['do_Adopt'] = __('Adopt');
 break;
 case "disown":
- $_POST['do_Disown'] = __('Disown');
- break;
+ include('pkgdisown.php');
+ return;
 case "vote":
 $_POST['do_Vote'] = __('Vote');
 break;
diff --git a/web/html/pkgdisown.php b/web/html/pkgdisown.php
new file mode 100644
index 0000000..071a76c
--- /dev/null
+++ b/web/html/pkgdisown.php
@@ -0,0 +1,55 @@
+<?php
+
+set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');
+
+include_once("aur.inc.php");
+include_once("pkgfuncs.inc.php");
+
+set_lang();
+check_sid();
+
+html_header(__("Disown Package"));
+
+$maintainer_uids = array(pkgbase_maintainer_uid($base_id));
+$comaintainer_uids = pkgbase_get_comaintainers($base_id);
+
+if (has_credential(CRED_PKGBASE_DISOWN, $maintainer_uids)): ?>
+<div class="box">
+ <h2><?= __('Disown Package: %s', htmlspecialchars($pkgbase_name)) ?></h2>
+ <p>
+ <?= __('Use this form to disown the package base %s%s%s which includes the following packages: ',
+ '<strong>', htmlspecialchars($pkgbase_name), '</strong>'); ?>
+ </p>
+ <ul>
+ <?php foreach(pkgbase_get_pkgnames($base_id) as $pkgname): ?>
+ <li><?= htmlspecialchars($pkgname) ?></li>
+ <?php endforeach; ?>
+ </ul>
+ <p>
+ <?php if (count($comaintainer_uids) > 0): ?>
+ <?= __('By selecting the checkbox, you confirm that you want to disown the package and transfer ownership to %s%s%s.',
+ '<strong>', $comaintainer_uids[0], '</strong>'); ?>
+ <?php else: ?>
+ <?= __('By selecting the checkbox, you confirm that you want to disown the package.') ?>
+ <?php endif; ?>
+ </p>
+ <form action="<?= get_uri('/pkgbase/'); ?>" method="post">
+ <fieldset>
+ <input type="hidden" name="IDs[<?= $base_id ?>]" value="1" />
+ <input type="hidden" name="ID" value="<?= $base_id ?>" />
+ <input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
+ <?php if (isset($_GET['via'])): ?>
+ <input type="hidden" name="via" value="<?= intval($_GET['via']) ?>" />
+ <?php endif; ?>
+ <p><input type="checkbox" name="confirm_Disown" value="1" />
+ <?= __("Confirm to disown the package") ?></p>
+ <p><input type="submit" class="button" name="do_Disown" value="<?= __("Disown") ?>" /></p>
+ </fieldset>
+ </form>
+</div>
+
+<?php else:
+ print __("Only Trusted Users and Developers can disown packages.");
+endif;
+
+html_footer(AURWEB_VERSION);
-- 
2.4.1
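Review bot: `$comaintainer_uids[0]` is interpolated into the confirmation text unescaped while every other dynamic value on the page goes through htmlspecialchars(); the return shape of pkgbase_get_comaintainers() is not visible here, and if it yields raw user IDs the sentence also reads "transfer ownership to 1234" rather than naming the person, so resolve the ID to a username with the lookup aur.inc.php provides and print `htmlspecialchars(...)` of the result (at minimum `htmlspecialchars($comaintainer_uids[0])`). The script also reads `$base_id` and `$pkgbase_name` that it never assigns; they come from the including index.php (outside this hunk), and since the file sits in web/html next to index.php it may be reachable directly, in which case both are undefined and `pkgbase_maintainer_uid(null)` is evaluated. A guard such as `if (!isset($base_id)) { header('Location: ' . get_uri('/')); exit; }` or a header comment stating that the file is only meaningful when included from index.php would make that contract explicit. The same file is resubmitted unchanged in the next version of this patch and with one extra condition in the one after it.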
The disown link in the package actions box leads to a new page (pkgdisown.php) that can be used to confirm package disowning.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
Actually check whether the confirmation checkbox was selected.
 web/html/index.php | 4 ++--
 web/html/pkgbase.php | 9 +++++++--
 web/html/pkgdisown.php | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 4 deletions(-)
 create mode 100644 web/html/pkgdisown.php
diff --git a/web/html/index.php b/web/html/index.php
index fad1d2f..0275d0a 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -45,8 +45,8 @@ if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 $_POST['do_Adopt'] = __('Adopt');
 break;
 case "disown":
- $_POST['do_Disown'] = __('Disown');
- break;
+ include('pkgdisown.php');
+ return;
 case "vote":
 $_POST['do_Vote'] = __('Vote');
 break;
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index ef9b2c4..7c24b79 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -54,8 +54,13 @@ if (check_token()) {
 } elseif (current_action("do_Adopt")) {
 list($ret, $output) = pkgbase_adopt($ids, true, NULL);
 } elseif (current_action("do_Disown")) {
- $via = isset($_POST['via']) ? $_POST['via'] : NULL;
- list($ret, $output) = pkgbase_adopt($ids, false, $via);
+ if (isset($_POST['confirm_Disown'])) {
+ $via = isset($_POST['via']) ? $_POST['via'] : NULL;
+ list($ret, $output) = pkgbase_adopt($ids, false, $via);
+ } else {
+ $output = __("The selected packages have not been disowned, check the confirmation checkbox.");
+ $ret = false;
+ }
 } elseif (current_action("do_Vote")) {
 list($ret, $output) = pkgbase_vote($ids, true);
 } elseif (current_action("do_UnVote")) {
diff --git a/web/html/pkgdisown.php b/web/html/pkgdisown.php
new file mode 100644
index 0000000..071a76c
--- /dev/null
+++ b/web/html/pkgdisown.php
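Review bot: In the pkgbase.php hunk, `$via` is still taken from `$_POST` and handed to pkgbase_adopt() unvalidated on the line the patch keeps inside the new branch, whereas the confirmation form in pkgdisown.php emits that value through intval(); casting it here too, `$via = isset($_POST['via']) ? intval($_POST['via']) : NULL;`, keeps the request-ID contract identical on both ends whatever pkgbase_adopt does with it (its handling is outside this hunk). The `isset($_POST['confirm_Disown'])` test accepts any submitted value, including an empty string; comparing against the form's value, `$_POST['confirm_Disown'] === '1'`, pins the intent, although a forged POST still has to pass check_token() first, so the difference is one of precision rather than exposure. The same pkgbase.php hunk recurs unchanged in the following resubmission.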
@@ -0,0 +1,55 @@
+<?php
+
+set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');
+
+include_once("aur.inc.php");
+include_once("pkgfuncs.inc.php");
+
+set_lang();
+check_sid();
+
+html_header(__("Disown Package"));
+
+$maintainer_uids = array(pkgbase_maintainer_uid($base_id));
+$comaintainer_uids = pkgbase_get_comaintainers($base_id);
+
+if (has_credential(CRED_PKGBASE_DISOWN, $maintainer_uids)): ?>
+<div class="box">
+ <h2><?= __('Disown Package: %s', htmlspecialchars($pkgbase_name)) ?></h2>
+ <p>
+ <?= __('Use this form to disown the package base %s%s%s which includes the following packages: ',
+ '<strong>', htmlspecialchars($pkgbase_name), '</strong>'); ?>
+ </p>
+ <ul>
+ <?php foreach(pkgbase_get_pkgnames($base_id) as $pkgname): ?>
+ <li><?= htmlspecialchars($pkgname) ?></li>
+ <?php endforeach; ?>
+ </ul>
+ <p>
+ <?php if (count($comaintainer_uids) > 0): ?>
+ <?= __('By selecting the checkbox, you confirm that you want to disown the package and transfer ownership to %s%s%s.',
+ '<strong>', $comaintainer_uids[0], '</strong>'); ?>
+ <?php else: ?>
+ <?= __('By selecting the checkbox, you confirm that you want to disown the package.') ?>
+ <?php endif; ?>
+ </p>
+ <form action="<?= get_uri('/pkgbase/'); ?>" method="post">
+ <fieldset>
+ <input type="hidden" name="IDs[<?= $base_id ?>]" value="1" />
+ <input type="hidden" name="ID" value="<?= $base_id ?>" />
+ <input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
+ <?php if (isset($_GET['via'])): ?>
+ <input type="hidden" name="via" value="<?= intval($_GET['via']) ?>" />
+ <?php endif; ?>
+ <p><input type="checkbox" name="confirm_Disown" value="1" />
+ <?= __("Confirm to disown the package") ?></p>
+ <p><input type="submit" class="button" name="do_Disown" value="<?= __("Disown") ?>" /></p>
+ </fieldset>
+ </form>
+</div>
+
+<?php else:
+ print __("Only Trusted Users and Developers can disown packages.");
+endif;
+
+html_footer(AURWEB_VERSION);
-- 
2.4.1
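Review bot: The else branch prints "Only Trusted Users and Developers can disown packages." but the gate above it is `has_credential(CRED_PKGBASE_DISOWN, $maintainer_uids)`, and passing the maintainer's UID as the second argument suggests the current maintainer is admitted as well, so the message is wrong for the most common refusal — a logged-in user who simply does not maintain this package base — and tells them nothing about why the page refused. A wording that matches the check, e.g. `print __("You are not allowed to disown this package base.");`, avoids that. This `if` only gates the confirmation page; the authoritative decision is made by pkgbase_adopt() when the form is posted, which is not part of this hunk, and a one-line comment above the `if` saying exactly that would stop a later reader from treating this page as the enforcement point.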
The disown link in the package actions box leads to a new page (pkgdisown.php) that can be used to confirm package disowning.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
Do not show a bogus message about transferring ownership when disowning as a Trusted User or Developer.
 web/html/index.php | 4 ++--
 web/html/pkgbase.php | 9 +++++++--
 web/html/pkgdisown.php | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 4 deletions(-)
 create mode 100644 web/html/pkgdisown.php
diff --git a/web/html/index.php b/web/html/index.php
index fad1d2f..0275d0a 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -45,8 +45,8 @@ if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 $_POST['do_Adopt'] = __('Adopt');
 break;
 case "disown":
- $_POST['do_Disown'] = __('Disown');
- break;
+ include('pkgdisown.php');
+ return;
 case "vote":
 $_POST['do_Vote'] = __('Vote');
 break;
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index ef9b2c4..7c24b79 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -54,8 +54,13 @@ if (check_token()) {
 } elseif (current_action("do_Adopt")) {
 list($ret, $output) = pkgbase_adopt($ids, true, NULL);
 } elseif (current_action("do_Disown")) {
- $via = isset($_POST['via']) ? $_POST['via'] : NULL;
- list($ret, $output) = pkgbase_adopt($ids, false, $via);
+ if (isset($_POST['confirm_Disown'])) {
+ $via = isset($_POST['via']) ? $_POST['via'] : NULL;
+ list($ret, $output) = pkgbase_adopt($ids, false, $via);
+ } else {
+ $output = __("The selected packages have not been disowned, check the confirmation checkbox.");
+ $ret = false;
+ }
 } elseif (current_action("do_Vote")) {
 list($ret, $output) = pkgbase_vote($ids, true);
 } elseif (current_action("do_UnVote")) {
diff --git a/web/html/pkgdisown.php b/web/html/pkgdisown.php
new file mode 100644
index 0000000..cf7bb41
--- /dev/null
+++ b/web/html/pkgdisown.php
@@ -0,0 +1,55 @@
+<?php
+
+set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');
+
+include_once("aur.inc.php");
+include_once("pkgfuncs.inc.php");
+
+set_lang();
+check_sid();
+
+html_header(__("Disown Package"));
+
+$maintainer_uids = array(pkgbase_maintainer_uid($base_id));
+$comaintainer_uids = pkgbase_get_comaintainers($base_id);
+
+if (has_credential(CRED_PKGBASE_DISOWN, $maintainer_uids)): ?>
+<div class="box">
+ <h2><?= __('Disown Package: %s', htmlspecialchars($pkgbase_name)) ?></h2>
+ <p>
+ <?= __('Use this form to disown the package base %s%s%s which includes the following packages: ',
+ '<strong>', htmlspecialchars($pkgbase_name), '</strong>'); ?>
+ </p>
+ <ul>
+ <?php foreach(pkgbase_get_pkgnames($base_id) as $pkgname): ?>
+ <li><?= htmlspecialchars($pkgname) ?></li>
+ <?php endforeach; ?>
+ </ul>
+ <p>
+ <?php if (count($comaintainer_uids) > 0 && !has_credential(CRED_PKGBASE_DISOWN)): ?>
+ <?= __('By selecting the checkbox, you confirm that you want to disown the package and transfer ownership to %s%s%s.',
+ '<strong>', $comaintainer_uids[0], '</strong>'); ?>
+ <?php else: ?>
+ <?= __('By selecting the checkbox, you confirm that you want to disown the package.') ?>
+ <?php endif; ?>
+ </p>
+ <form action="<?= get_uri('/pkgbase/'); ?>" method="post">
+ <fieldset>
+ <input type="hidden" name="IDs[<?= $base_id ?>]" value="1" />
+ <input type="hidden" name="ID" value="<?= $base_id ?>" />
+ <input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
+ <?php if (isset($_GET['via'])): ?>
+ <input type="hidden" name="via" value="<?= intval($_GET['via']) ?>" />
+ <?php endif; ?>
+ <p><input type="checkbox" name="confirm_Disown" value="1" />
+ <?= __("Confirm to disown the package") ?></p>
+ <p><input type="submit" class="button" name="do_Disown" value="<?= __("Disown") ?>" /></p>
+ </fieldset>
+ </form>
+</div>
+
+<?php else:
+ print __("Only Trusted Users and Developers can disown packages.");
+endif;
+
+html_footer(AURWEB_VERSION);
-- 
2.4.1
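Review bot: The condition `count($comaintainer_uids) > 0 && !has_credential(CRED_PKGBASE_DISOWN)` restates, in the view, the rule that pkgbase_adopt() applies when it decides whether to promote a co-maintainer or clear the list, so the two will drift silently if either side is edited; a comment on this line pointing at the corresponding branch in pkgbase_adopt(), or a small shared helper returning the prospective new maintainer, keeps the confirmation text honest. The file still carries no header comment explaining that it expects `$base_id` and `$pkgbase_name` to be set by the including index.php and that the real ownership check happens on the POST in pkgbase_adopt(); a three-line docblock at the top saying so would be worth adding. `$comaintainer_uids[0]` remains unescaped here as in the earlier versions of this patch.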