Previously the website was connected to the database with a "database
owner" user, which has far too many permissions. Now there's a special
vndb_site user with only the necessary permissions. The primary
reason to do this is to decrease the impact if the site process is
compromised. E.g. it's now no longer possible to delete or modify old
entry revisions. An attacker can still do a lot of damage, however.

Additionally (and this was the main reason to implement this change in
the first place), the user sessions, passwords and email data are now not
easily accessible anymore. Hopefully, the new user management
abstractions will prevent email and password dumps in case of an SQL
injection or RCE vulnerability in the site code. Of course, this only
works if my implementation is fully correct and there's no privilege
escalation vulnerability somewhere.

Furthermore, changing your password now invalidates any existing
sessions, and the password reset function is disabled for 'usermods'
(because usermods can list email addresses from the database, and the
password reset function could still allow an attacker to gain access to
anyone's account).

I also changed the format of the password reset tokens, as they totally
don't need to be salted.
|
The backend does this validation as well, but if that validation fails
it will show an unhelpful "Malformed JSON" error. This JS message should
be more helpful.
|
I changed the exact matching syntax of the tag search to be '='-prefixed
rather than 'name:'-prefixed, to be similar to exact staff search. But I
forgot that the JS code relied on the name-prefix.
|
- Exact match is now case-insensitive
- Main staff search supports exact match with =-prefix
- On VN edit dropdown: exact matches are sorted before other matches
- VN edit dropdown now also displays original name
|
It's rather annoying to have to click "more" only to see one or two more
lines. Let's just show everything in that case.
|
- Fix mouse-over text of language flag on homepage
- Capitalize release types in edit form
- Use plural form of character roles on VN page listing
|
...unless I missed something.
|
Most of these replacements were automated. This ended up being less
work than I had anticipated.

I also fixed a few minor bugs along the way, but probably introduced
more than I fixed.
|
With some related edits in other parts of the code, mostly due to
interface changes to htmlRevision() and htmlFormError().

Trivial replacements were automated by a super awesome script.
|
This has been mostly automated.
|
I definitely needed the Tie::IxHash thing for these.
|
This removes the reliance on sort() to provide meaningful ordering (the
keys aren't always good for ordering) and removes the 'order' hack used
for (vn|prod)_relations.
|
Now that graphviz knows the actual strings, it has a better opportunity
to create better graphs.

(Most of them still look messy tho)
|
TODO: Intern strings again to simplify the code.

The immediate effect of this commit is that starting the util/vndb.pl
script and generating the JS file is much faster now and that vndb.pl
uses less memory. Translations have already been disabled on the main
VNDB for a week now.
|
Compresses a little better. I reduced the number of iterations required
to find the optimal image size in spritegen.pl, but generating the
icons.png is *incredibly slow* when combining zopflipng with the 'slow'
option. It's possible to parallelize the calculation and use multiple
cores to speed it up, but that seems overkill.

Some icons.png compression stats:

    METHOD          SIZE   RUNTIME
    default         18103  <1sec
    slow            17941  few secs
    pngcrush        15385  <1sec
    pngcrush+slow   15148  few mins
    zopflipng       14986  few secs
    zopflipng+slow  14898  ~1 hour
|
https://vndb.org/t2520.185
|
Apparently IE doesn't like it when you put an HTMLCollection object
inside a DOM value.
|
The comment already suggested this:

    I wonder whether it's better to just ask database for character list
    instead of doing this manual group/sort

So yeah, let's just do that.
|
The styling of the staff info can be a bit awkward at times, but it
looks slightly better than a table, IMO. I didn't really know what to do
with the seiyuu info - it wastes a lot of screen space in its
current implementation, but I can't think of anything better at the
moment.
|
- Merged polls table into threads table. Not much of a
storage/performance difference, and it's a bit simpler this way.
- Merged DB::Polls into DB::Discussions. Mainly because of the above
change in DB structure.
- Add option to remove an existing poll.
- Allow preview and recast to be changed without deleting the votes
- Set preview option by default. Because personal preferences. :)
- Minor form validation differences