/**
 * Determine if a user has the permission to perform a given action
 *
 * The caller is identified only by the AURSID session cookie; with no cookie
 * the answer is always false. Users listed in $approved_users are granted the
 * action regardless of their account type (matched with a non-strict
 * in_array(), as in the original). Otherwise the account type behind the
 * session decides, per credential group below; unknown credentials are denied.
 *
 * @param int $credential The type of action to perform (a CRED_* constant)
 * @param array $approved_users A user whitelist for this query
 *
 * @return bool Return true if the user has the permission, false if not
 */
function has_credential($credential, $approved_users = array())
{
    if (!isset($_COOKIE['AURSID'])) {
        return false;
    }
    $sid = $_COOKIE['AURSID'];

    /* Whitelisted users bypass the account-type check entirely. */
    if (in_array(uid_from_sid($sid), $approved_users)) {
        return true;
    }

    /* Resolved for every credential, known or not, before dispatching. */
    $atype = account_from_sid($sid);

    /* Account types permitted for each group of credentials. */
    $any_account = array('User', 'Trusted User', 'Developer', 'Trusted User & Developer');
    $tu_or_dev = array('Trusted User', 'Developer', 'Trusted User & Developer');
    $tu_only = array('Trusted User', 'Trusted User & Developer');
    $dev_only = array('Developer', 'Trusted User & Developer');

    switch ($credential) {
        case CRED_PKGBASE_FLAG:
        case CRED_PKGBASE_NOTIFY:
        case CRED_PKGBASE_VOTE:
        case CRED_PKGREQ_FILE:
            $allowed = $any_account;
            break;
        case CRED_ACCOUNT_CHANGE_TYPE:
        case CRED_ACCOUNT_EDIT:
        case CRED_ACCOUNT_LAST_LOGIN:
        case CRED_ACCOUNT_SEARCH:
        case CRED_COMMENT_DELETE:
        case CRED_COMMENT_VIEW_DELETED:
        case CRED_COMMENT_EDIT:
        case CRED_PKGBASE_ADOPT:
        case CRED_PKGBASE_SET_KEYWORDS:
        case CRED_PKGBASE_DELETE:
        case CRED_PKGBASE_EDIT_COMAINTAINERS:
        case CRED_PKGBASE_DISOWN:
        case CRED_PKGBASE_LIST_VOTERS:
        case CRED_PKGBASE_UNFLAG:
        case CRED_PKGREQ_CLOSE:
        case CRED_PKGREQ_LIST:
            $allowed = $tu_or_dev;
            break;
        case CRED_TU_ADD_VOTE:
        case CRED_TU_LIST_VOTES:
        case CRED_TU_VOTE:
            $allowed = $tu_only;
            break;
        case CRED_ACCOUNT_EDIT_DEV:
            $allowed = $dev_only;
            break;
        default:
            /* Unknown credential: deny. */
            return false;
    }

    /* Loose comparison, matching the original's == checks on the type string. */
    return in_array($atype, $allowed);
}
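/**
 * Process information given to new/edit account form
 *
 * Validation runs first; once $error is set most of the later checks are
 * skipped (a few early ones assign $error unconditionally and can replace an
 * earlier message). Only when no error remains is the account inserted
 * ($TYPE == "new") or updated. Every SQL statement here is built as a string,
 * with each interpolated value passed through $dbh->quote() or intval(); any
 * field added later must be escaped the same way.
 *
 * @global array $SUPPORTED_LANGS Languages that are supported by the AUR
 * @param string $TYPE Either "edit" for editing or "new" for registering an account
 * @param string $A Form to use, either UpdateAccount or NewAccount
 * @param string $U The username for the account
 * @param string $T The account type for the user
 * @param string $S Whether or not the account is suspended
 * @param string $E The e-mail address for the user
 * @param string $H Whether or not the e-mail address should be hidden
 * @param string $P The password for the user
 * @param string $C The confirmed password for the user
 * @param string $R The real name of the user
 * @param string $L The language preference of the user
 * @param string $I The IRC nickname of the user
 * @param string $K The PGP fingerprint of the user
 * @param string $PK The list of public SSH keys
 * @param string $J The inactivity status of the user
 * @param string $UID The user ID of the modified account
 * @param string $N The username as present in the database
 *
 * @return array Boolean indicating success and message to be printed
 *               (the message contains HTML markup)
 */
function process_account_form($TYPE, $A, $U = "", $T = "", $S = "", $E = "", $H = "", $P = "", $C = "", $R = "", $L = "", $I = "", $K = "", $PK = "", $J = "", $UID = 0, $N = "")
{
    global $SUPPORTED_LANGS;
    $error = '';
    $message = '';

    /*
     * The SSH key state is read below (count(), account_set_ssh_keys()) even
     * when no keys were submitted, so it must always be defined. Previously
     * an empty $PK left both variables unset, and count() on an undefined
     * value is an error on current PHP versions.
     */
    $ssh_keys = array();
    $ssh_fingerprints = array();

    if (is_ipbanned()) {
        $error = __('Account registration has been disabled ' . 'for your IP address, probably due ' . 'to sustained spam attacks. Sorry for the ' . 'inconvenience.');
    }
    $dbh = DB::connect();
    /* UID of the logged-in editor, if any. Not referenced further in this function. */
    if (isset($_COOKIE['AURSID'])) {
        $editor_user = uid_from_sid($_COOKIE['AURSID']);
    } else {
        $editor_user = null;
    }
    /* Note: empty() also rejects the literal string "0". */
    if (empty($E) || empty($U)) {
        $error = __("Missing a required field.");
    }
    if ($TYPE != "new" && !$UID) {
        $error = __("Missing User ID");
    }
    if (!$error && !valid_username($U)) {
        $length_min = config_get_int('options', 'username_min_len');
        $length_max = config_get_int('options', 'username_max_len');
        $error = __("The username is invalid.") . "<ul>\n" . "<li>" . __("It must be between %s and %s characters long", $length_min, $length_max) . "</li>" . "<li>" . __("Start and end with a letter or number") . "</li>" . "<li>" . __("Can contain only one period, underscore or hyphen.") . "</li>\n</ul>";
    }
    /* The confirmation is only compared when both password fields were filled in. */
    if (!$error && $P && $C && $P != $C) {
        $error = __("Password fields do not match.");
    }
    if (!$error && $P != '' && !good_passwd($P)) {
        $length_min = config_get_int('options', 'passwd_min_len');
        $error = __("Your password must be at least %s characters.", $length_min);
    }
    if (!$error && !valid_email($E)) {
        $error = __("The email address is invalid.");
    }
    if (!$error && $K != '' && !valid_pgp_fingerprint($K)) {
        $error = __("The PGP key fingerprint is invalid.");
    }
    if (!$error && !empty($PK)) {
        /* One key per line; blank lines are dropped. */
        $ssh_keys = array_filter(array_map('trim', explode("\n", $PK)));
        $ssh_fingerprints = array();
        foreach ($ssh_keys as &$ssh_key) {
            if (!valid_ssh_pubkey($ssh_key)) {
                $error = __("The SSH public key is invalid.");
                break;
            }
            $ssh_fingerprint = ssh_key_fingerprint($ssh_key);
            if (!$ssh_fingerprint) {
                $error = __("The SSH public key is invalid.");
                break;
            }
            /*
             * Rewrite the key in place (by reference) to "<type> <key>",
             * discarding anything after the second token such as a comment.
             */
            $tokens = explode(" ", $ssh_key);
            $ssh_key = $tokens[0] . " " . $tokens[1];
            $ssh_fingerprints[] = $ssh_fingerprint;
        }
        /*
         * Destroy last reference to prevent accidentally overwriting
         * an array element.
         */
        unset($ssh_key);
    }
    /*
     * Privilege escalation guard: an editor may not assign an account type
     * above their own. It only applies when a session cookie is present, and
     * $T (a form string) is compared numerically here.
     */
    if (isset($_COOKIE['AURSID'])) {
        $atype = account_from_sid($_COOKIE['AURSID']);
        if ($atype == "User" && $T > 1 || $atype == "Trusted User" && $T > 2) {
            $error = __("Cannot increase account permissions.");
        }
    }
    if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
        $error = __("Language is not currently supported.");
    }
    if (!$error) {
        /*
         * Check whether the user name is available.
         * TODO: Fix race condition.
         */
        $q = "SELECT COUNT(*) AS CNT FROM Users ";
        /*
         * NOTE(review): the next line is garbled in this listing (the quoted
         * username and the start of an if-statement were replaced by
         * "******"). From the e-mail check below it appears to quote $U and
         * open an `if ($TYPE == "edit")` branch -- confirm against the
         * original source before relying on this copy.
         */
        $q .= "WHERE Username = "******"edit") {
            $q .= " AND ID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0]) {
            $error = __("The username, %s%s%s, is already in use.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        }
    }
    if (!$error) {
        /*
         * Check whether the e-mail address is available.
         * TODO: Fix race condition.
         */
        $q = "SELECT COUNT(*) AS CNT FROM Users ";
        $q .= "WHERE Email = " . $dbh->quote($E);
        /* When editing, the account's own row must not count as a duplicate. */
        if ($TYPE == "edit") {
            $q .= " AND ID != " . intval($UID);
        }
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row[0]) {
            $error = __("The address, %s%s%s, is already in use.", "<strong>", htmlspecialchars($E, ENT_QUOTES), "</strong>");
        }
    }
    if (!$error && count($ssh_keys) > 0) {
        /*
         * Check whether any of the SSH public keys is already in use.
         * TODO: Fix race condition.
         */
        $q = "SELECT Fingerprint FROM SSHPubKeys ";
        $q .= "WHERE Fingerprint IN (";
        $q .= implode(',', array_map(array($dbh, 'quote'), $ssh_fingerprints));
        $q .= ")";
        if ($TYPE == "edit") {
            $q .= " AND UserID != " . intval($UID);
        }
        $result = $dbh->query($q);
        /* fetch() returns false when no row matched, so no error in that case. */
        $row = $result->fetch(PDO::FETCH_NUM);
        if ($row) {
            $error = __("The SSH public key, %s%s%s, is already in use.", "<strong>", htmlspecialchars($row[0], ENT_QUOTES), "</strong>");
        }
    }
    if ($error) {
        $message = "<ul class='errorlist'><li>" . $error . "</li></ul>\n";
        return array(false, $message);
    }
    if ($TYPE == "new") {
        /* Create an unprivileged user. */
        $salt = generate_salt();
        /*
         * With no password given the account is created with the (quoted)
         * empty value and a reset key is mailed instead, see below.
         */
        if (empty($P)) {
            $send_resetkey = true;
            $email = $E;
        } else {
            $send_resetkey = false;
            $P = salted_hash($P, $salt);
        }
        /* From here on these variables hold SQL-quoted values. */
        $U = $dbh->quote($U);
        $E = $dbh->quote($E);
        $P = $dbh->quote($P);
        $salt = $dbh->quote($salt);
        $R = $dbh->quote($R);
        $L = $dbh->quote($L);
        $I = $dbh->quote($I);
        /* The PGP fingerprint is stored without spaces. */
        $K = $dbh->quote(str_replace(" ", "", $K));
        $q = "INSERT INTO Users (AccountTypeID, Suspended, ";
        $q .= "InactivityTS, Username, Email, Passwd, Salt, ";
        $q .= "RealName, LangPreference, IRCNick, PGPKey) ";
        $q .= "VALUES (1, 0, 0, {$U}, {$E}, {$P}, {$salt}, {$R}, {$L}, ";
        $q .= "{$I}, {$K})";
        $result = $dbh->exec($q);
        if (!$result) {
            $message = __("Error trying to create account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
            return array(false, $message);
        }
        $uid = $dbh->lastInsertId();
        account_set_ssh_keys($uid, $ssh_keys, $ssh_fingerprints);
        $message = __("The account, %s%s%s, has been successfully created.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        $message .= "<p>\n";
        if ($send_resetkey) {
            send_resetkey($email, true);
            $message .= __("A password reset key has been sent to your e-mail address.");
            $message .= "</p>\n";
        } else {
            $message .= __("Click on the Login link above to use your account.");
            $message .= "</p>\n";
        }
    } else {
        /* Modify an existing account. */
        $q = "SELECT InactivityTS FROM Users WHERE ";
        $q .= "ID = " . intval($UID);
        $result = $dbh->query($q);
        $row = $result->fetch(PDO::FETCH_NUM);
        /*
         * Inactivity timestamp: keep the existing one if the account is
         * already marked inactive and $J is still set, stamp "now" if it is
         * newly marked inactive, and clear it otherwise.
         */
        if ($row[0] && $J) {
            $inactivity_ts = $row[0];
        } elseif ($J) {
            $inactivity_ts = time();
        } else {
            $inactivity_ts = 0;
        }
        $q = "UPDATE Users SET ";
        /*
         * NOTE(review): the next line is garbled in this listing (the quoted
         * username and the start of an if-statement were replaced by
         * "******"); the closing brace below belongs to that lost if. Confirm
         * against the original source before relying on this copy.
         */
        $q .= "Username = "******", AccountTypeID = " . intval($T);
        }
        if ($S) {
            /* Ensure suspended users can't keep an active session */
            delete_user_sessions($UID);
            $q .= ", Suspended = 1";
        } else {
            $q .= ", Suspended = 0";
        }
        $q .= ", Email = " . $dbh->quote($E);
        if ($H) {
            $q .= ", HideEmail = 1";
        } else {
            $q .= ", HideEmail = 0";
        }
        /*
         * A new password gets a fresh salt. Hash and salt are generated
         * locally (never user input), which is why they are interpolated
         * directly rather than quoted.
         */
        if ($P) {
            $salt = generate_salt();
            $hash = salted_hash($P, $salt);
            $q .= ", Passwd = '{$hash}', Salt = '{$salt}'";
        }
        $q .= ", RealName = " . $dbh->quote($R);
        $q .= ", LangPreference = " . $dbh->quote($L);
        $q .= ", IRCNick = " . $dbh->quote($I);
        $q .= ", PGPKey = " . $dbh->quote(str_replace(" ", "", $K));
        $q .= ", InactivityTS = " . $inactivity_ts;
        $q .= " WHERE ID = " . intval($UID);
        $result = $dbh->exec($q);
        $ssh_key_result = account_set_ssh_keys($UID, $ssh_keys, $ssh_fingerprints);
        /* exec() returns false only on failure; 0 affected rows is not an error here. */
        if ($result === false || $ssh_key_result === false) {
            $message = __("No changes were made to the account, %s%s%s.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        } else {
            $message = __("The account, %s%s%s, has been successfully modified.", "<strong>", htmlspecialchars($U, ENT_QUOTES), "</strong>");
        }
    }
    return array(true, $message);
}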
# Set up the visitor's language, then check whether the session cookie still
# identifies a logged-in user, before any output is produced. (The include
# that provides these account helpers precedes this excerpt.)
set_lang();
check_sid();

# Page header followed by the opening of the "Accounts" box; the main page
# processing continues below.
html_header(__('Accounts'));
print "<div class=\"pgbox\">\n";
print "  <div class=\"pgboxtitle\"><span class=\"f3\">" . __("Accounts") . "</span></div>\n";
print "  <div class=\"pgboxbody\">\n";
if (isset($_COOKIE["AURSID"])) {
    # visitor is logged in
    #
    $dbh = db_connect();
    $atype = account_from_sid($_COOKIE["AURSID"]);
    if ($_REQUEST["Action"] == "SearchAccounts") {
        # security check
        #
        if ($atype == "Trusted User" || $atype == "Developer") {
            # the user has entered search criteria, find any matching accounts
            #
            search_results_page($atype, $_REQUEST["O"], $_REQUEST["SB"], $_REQUEST["U"], $_REQUEST["T"], $_REQUEST["S"], $_REQUEST["E"], $_REQUEST["R"], $_REQUEST["I"]);
        } else {
            # a non-privileged user is trying to access the search page
            #
            print __("You are not allowed to access this area.") . "<br />\n";
        }
    } elseif ($_REQUEST["Action"] == "DisplayAccount") {
        # the user has clicked 'edit', display the account details in a form
        #
                        break;
                    }
                    $deppkgid = create_dummy($deppkgname, $_COOKIE['AURSID']);
                    $q .= $packageID . ", " . $deppkgid . ", '" . mysql_real_escape_string($depcondition) . "')";
                    db_query($q, $dbh);
                }
                # Insert sources
                $sources = explode(" ", $new_pkgbuild['source']);
                foreach ($sources as $src) {
                    if ($src != "") {
                        $q = "INSERT INTO PackageSources (PackageID, Source) VALUES (";
                        $q .= $packageID . ", '" . mysql_real_escape_string($src) . "')";
                        db_query($q, $dbh);
                    }
                }
                pkg_notify(account_from_sid($_COOKIE["AURSID"]), array($packageID));
                header('Location: packages.php?ID=' . $packageID);
            }
        }
        chdir($_SERVER['DOCUMENT_ROOT']);
    }
    # Logic over, let's do some output
    html_header("Submit");
    ?>

<?php 
    if ($error) {
        ?>
	<p class="pkgoutput"><?php 
        print $error;
        ?>
    print __("Description");
    ?>
</span></th>
	<th style='border-bottom: #666 1px solid; vertical-align: bottom'><span class='f2'>
		<a href='?<?php 
    print mkurl('SB=m&SO=' . $SO_next);
    ?>
'><?php 
    print __("Maintainer");
    ?>
</a>
	</span></th>
</tr>

<?php 
    $atype = account_from_sid($_COOKIE['AURSID']);
    for ($i = 0; $row = mysql_fetch_assoc($result); $i++) {
        $i % 2 == 0 ? $c = "data1" : ($c = "data2");
        if ($row["OutOfDate"]) {
            $c = "outofdate";
        }
        ?>
<tr>
	<?php 
        if ($SID) {
            ?>
	<td class='<?php 
            print $c;
            ?>
'><input type='checkbox' name='IDs[<?php 
            print $row["ID"];
{
    $dbh = db_connect();
    $pkgid = mysql_real_escape_string($pkgid);
    $result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = {$pkgid} ORDER BY Username", $dbh);
    return $result;
}
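/* Session id from the cookie; null for an anonymous visitor instead of an undefined-index notice. */
$SID = isset($_COOKIE['AURSID']) ? $_COOKIE['AURSID'] : null;
/*
 * The package ID comes from the query string and is untrusted. getvotes()
 * above escapes it but interpolates it unquoted into "PackageID = ...", and
 * it is echoed into the page below, so constrain it to an integer here.
 */
$pkgid = isset($_GET['ID']) ? intval($_GET['ID']) : 0;
$votes = getvotes($pkgid);
$account = account_from_sid($SID);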
if ($account == 'Trusted User' || $account == 'Developer') {
    ?>
<html>
<body>
<h3><?php 
    echo account_from_sid($SID);
    ?>
</h3>
<h2>Votes for <a href="packages.php?ID=<?php 
    echo $pkgid;
    ?>
"><?php 
    echo pkgname_from_id($pkgid);
    ?>
</a></h2>
<?php 
    while ($row = mysql_fetch_assoc($votes)) {
        $uid = $row['UsersID'];
        $username = $row['Username'];
        ?>
<a href="account.php?Action=AccountInfo&ID=<?php