Age | Commit message | Author | Files | Lines |
|
Previously the website was connected to the database with a "database
owner" user, which has far too many permissions. Now there's a special
vndb_site user with only the necessary permissions. The primary
reason to do this is to decrease the impact if the site process is
compromised. E.g. it's now no longer possible to delete or modify old
entry revisions. An attacker can still do a lot of damage, however.

Additionally (and this was the main reason to implement this change in
the first place), the user sessions, passwords and email data are now not
easily accessible anymore. Hopefully, the new user management
abstractions will prevent email and password dumps in case of an SQL
injection or RCE vulnerability in the site code. Of course, this only
works if my implementation is fully correct and there's no privilege
escalation vulnerability somewhere.

Furthermore, changing your password now invalidates any existing
sessions, and the password reset function is disabled for 'usermods'
(because usermods can list email addresses from the database, and the
password reset function could still allow an attacker to gain access to
anyone's account).

I also changed the format of the password reset tokens, as they totally
don't need to be salted.
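What the commit above describes, as an added example that is not VNDB's own schema or code: a PostgreSQL layout in which the web process connects as a restricted role, the revision history is append-only for that role, and passwords and sessions are reachable only through SECURITY DEFINER functions. Every role, table, column and function name below is an assumption made for illustration; pgcrypto supplies the hashing. The script is meant to be run as the database owner.

```sql
-- Added example, not VNDB's own schema or code. All names are assumptions.
-- Run as the database owner (or a superuser); vndb_site is the role the
-- web process connects as.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE vndb_site LOGIN PASSWORD 'change-me';

CREATE TABLE users (
    id       serial PRIMARY KEY,
    username text NOT NULL UNIQUE,
    mail     text NOT NULL,
    passwd   text NOT NULL          -- crypt() hash; never readable by vndb_site
);
CREATE TABLE sessions (
    uid   integer NOT NULL REFERENCES users(id),
    token bytea   NOT NULL,
    PRIMARY KEY (uid, token)
);
CREATE TABLE changes (              -- entry revision history, append-only
    id       serial PRIMARY KEY,
    uid      integer NOT NULL REFERENCES users(id),
    added    timestamptz NOT NULL DEFAULT now(),
    comments text NOT NULL
);

-- Revisions: the site may read and append, never rewrite or delete.
GRANT SELECT, INSERT ON changes TO vndb_site;
GRANT USAGE ON SEQUENCE changes_id_seq TO vndb_site;
-- Users: column-level grant. mail and passwd stay out of reach of every
-- ordinary site query, so a SQL injection in one cannot dump them.
GRANT SELECT (id, username) ON users TO vndb_site;
-- sessions: no direct access at all; everything goes through the functions.

-- The password check runs inside the database and hands back only a
-- session token (or NULL), so the hash never reaches the site process.
-- search_path is pinned with pg_temp last; unlisted, pg_temp is searched first.
CREATE FUNCTION user_login(p_username text, p_password text)
    RETURNS bytea LANGUAGE plpgsql SECURITY DEFINER
    SET search_path = pg_catalog, public, pg_temp AS $$
DECLARE
    v_uid   integer;
    v_token bytea;
BEGIN
    SELECT id INTO v_uid FROM users
     WHERE username = p_username AND passwd = crypt(p_password, passwd);
    IF v_uid IS NULL THEN
        RETURN NULL;                -- same answer for unknown user and bad password
    END IF;
    v_token := gen_random_bytes(20);
    INSERT INTO sessions (uid, token) VALUES (v_uid, v_token);
    RETURN v_token;
END $$;

-- Changing the password also drops every existing session.
CREATE FUNCTION user_setpass(p_uid integer, p_password text)
    RETURNS void LANGUAGE plpgsql SECURITY DEFINER
    SET search_path = pg_catalog, public, pg_temp AS $$
BEGIN
    UPDATE users SET passwd = crypt(p_password, gen_salt('bf')) WHERE id = p_uid;
    DELETE FROM sessions WHERE uid = p_uid;
END $$;

CREATE FUNCTION user_session_valid(p_uid integer, p_token bytea)
    RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER
    SET search_path = pg_catalog, public, pg_temp AS $$
    SELECT EXISTS (SELECT 1 FROM sessions WHERE uid = p_uid AND token = p_token);
$$;

-- Functions are executable by PUBLIC by default; narrow that to the site role.
REVOKE EXECUTE ON FUNCTION user_login(text, text), user_setpass(integer, text),
    user_session_valid(integer, bytea) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION user_login(text, text), user_setpass(integer, text),
    user_session_valid(integer, bytea) TO vndb_site;

-- Check from the site's point of view (the owner may SET ROLE to any role).
SET ROLE vndb_site;
SELECT id, username FROM users;         -- allowed
-- SELECT passwd, mail FROM users;      -- ERROR: permission denied for table users
-- DELETE FROM changes WHERE id = 1;    -- ERROR: permission denied for table changes
-- SELECT * FROM sessions;              -- ERROR: permission denied for table sessions
RESET ROLE;
```

The SECURITY DEFINER functions become the trust boundary, which is exactly the "only works if my implementation is fully correct" point in the commit: keep them few and small, pin search_path, revoke the default PUBLIC execute right, and never let one return a hash or a mail address. The SET ROLE block at the end is worth keeping as a test: every statement after it that is expected to fail must actually fail.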
|
The names of the staff were fetched from the existing VN entry, so any
newly added staff were not present in that list, and would thus not
show up when the form validation failed.
This fix makes sure to always fetch the required data from the database.
|
This is a generalization of the search improvements made in
7da2edeaa0f6cf7794f4f8f68960497dc1be893c and
92235222dba4e5d0c7713d53ef12e0f10e371b83, and has been applied to the
dropdown searches for producers, staff, tags and traits.
For all those searches, exact matches are listed first, followed by
prefix matches, and then substring matches. Relevance is currently only
based on the primary name/title and ignores aliases (except for staff).
This is fixable, but not trivial, and I'm not sure it's all that useful.
|
Reduces page load time of the trait index from 200ms to 20ms. Also
provides a slight improvement for other tag/trait tree views.
|
- Exact match is now case-insensitive
- Main staff search supports exact match with =-prefix
- On VN edit dropdown: exact matches are sorted before other matches
- VN edit dropdown now also displays original name
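The ranking this commit introduces for the staff search, and that the later commit above generalizes to producers, tags and traits (exact match first, then prefix, then substring; case-insensitive; =-prefix for exact-only), as an added SQL example that is not VNDB's own code. The table, its sample rows and the function name are constructed for illustration; it assumes the PostgreSQL default standard_conforming_strings = on.

```sql
-- Added example, not VNDB's own code. Table, rows and function are constructed.
CREATE TABLE staff (
    id   serial PRIMARY KEY,
    name text NOT NULL
);
INSERT INTO staff (name) VALUES                 -- constructed sample rows
    ('Kana'), ('kanako'), ('Sakana'), ('Hikaru'), ('Ka_na');

CREATE FUNCTION search_staff(q text)
    RETURNS TABLE (id integer, name text, prio integer)
    LANGUAGE plpgsql STABLE AS $$
DECLARE
    exact_only boolean := left(q, 1) = '=';     -- "=foo": exact matches only
    term       text    := lower(CASE WHEN left(q, 1) = '=' THEN substr(q, 2) ELSE q END);
    -- Escape LIKE metacharacters so user input is matched literally;
    -- otherwise "ka_" would also match kana, kanako, sakana and hikaru.
    pat        text    := replace(replace(replace(term, '\', '\\'), '%', '\%'), '_', '\_');
BEGIN
    RETURN QUERY
    SELECT s.id, s.name,
           CASE WHEN lower(s.name) = term          THEN 0   -- exact
                WHEN lower(s.name) LIKE pat || '%' THEN 1   -- prefix
                ELSE 2 END                                  -- substring
      FROM staff s
     WHERE lower(s.name) = term
        OR (NOT exact_only AND lower(s.name) LIKE '%' || pat || '%')
     ORDER BY 3, s.name;
END $$;

SELECT * FROM search_staff('kana');    -- Kana (0), kanako (1), Sakana (2)
SELECT * FROM search_staff('=KANA');   -- Kana (0) only
SELECT * FROM search_staff('ka_');     -- Ka_na (1) only: the underscore is literal
```

Relevance here is based on the primary name only, as the generalized commit notes; ranking aliases as well would need the same CASE over a joined alias table and a GROUP BY or DISTINCT ON to keep one row per entry.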
|
- Fix mouse-over text of language flag on homepage
- Capitalize release types in edit form
- Use plural form of character roles on VN page listing
|
...unless I missed something.
|
Most of these replacements were automated. This ended up being less
work than I had anticipated.
I also fixed a few minor bugs along the way, but probably introduced
more than I fixed.
|
With some related edits in other parts of the code, mostly due to
interface changes to htmlRevision() and htmlFormError().
Trivial replacements were automated by a super awesome script.
|
This has been mostly automated.
|
I definitely needed the Tie::IxHash thing for these.
|
This removes the reliance on sort() to provide meaningful ordering (the
keys aren't always good for ordering) and removes the 'order' hack used
for (vn|prod)_relations.
|
Now that graphviz knows the actual strings, it has a better opportunity
to create better graphs.
(Most of them still look messy though.)
|
TODO: Intern strings again to simplify the code.
The immediate effect of this commit is that starting the util/vndb.pl
script and generating the JS file is much faster now and that vndb.pl
uses less memory. Translations have already been disabled on the main
VNDB for a week now.
|
This fixes two things:
- It's not possible to create two accounts with the same mail address
with different case (although the user+xyz@domain trick still works).
- The password reset form is now case-insensitive as well. Some people
had problems with the case-sensitive behavior in the past.
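One way to enforce the first point in the database itself rather than in the site code, as an added example that is not VNDB's own schema: the table, index and statement names are assumptions, and the inserted rows are constructed.

```sql
-- Added example, not VNDB's own schema. Names and rows are constructed.
CREATE TABLE users (
    id       serial PRIMARY KEY,
    username text NOT NULL UNIQUE,
    mail     text NOT NULL
);
-- A plain UNIQUE (mail) accepts 'Alice@example.org' next to
-- 'alice@example.org'; a unique index on the folded value does not.
CREATE UNIQUE INDEX users_mail_lower ON users (lower(mail));

INSERT INTO users (username, mail) VALUES ('alice',  'Alice@example.org');
-- Next line fails: duplicate key value violates unique constraint "users_mail_lower"
INSERT INTO users (username, mail) VALUES ('alice2', 'alice@example.org');
-- Still accepted: plus-addressing is a mail-provider convention, not
-- something the database can fold safely for every domain.
INSERT INTO users (username, mail) VALUES ('alice3', 'alice+xyz@example.org');

-- The password-reset lookup must fold the same way, both so that it is
-- case-insensitive and so that the planner can use the index above.
PREPARE find_user (text) AS
    SELECT id, username FROM users WHERE lower(mail) = lower($1);
EXECUTE find_user('ALICE@EXAMPLE.ORG');     -- returns alice
```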
|
The API IP address doesn't change often, but we don't want months of
downtime when it does.
|
Newer versions of DBD::Pg do this automatically.
|
Fixes https://vndb.org/t950.210
|