]> git.wh0rd.org Git - tt-rss.git/commitdiff
login system fixes
authorAndrew Dolgov <fox@fakecake.org>
Mon, 10 Sep 2012 15:01:06 +0000 (19:01 +0400)
committerAndrew Dolgov <fox@fakecake.org>
Mon, 10 Sep 2012 15:01:06 +0000 (19:01 +0400)
remove old-style session checking from backend.php
move outside subscription endpoint to public.php, change subscription
bookmarklet

backend.php
classes/handler.php
classes/handler/public.php
classes/pref/feeds.php
include/functions.php
include/login_form.php
mobile/login_form.php

index 8e6ff6ced4ff3fa60c9cbfc4641d332643117be3..87b0945b117c10d41f6ff938f60b739356e169a7 100644 (file)
@@ -65,7 +65,7 @@
 
        // TODO remove and handle within Handlers
 
-       if (!($_SESSION["uid"] && validate_session($link))) {
+       /* if (!($_SESSION["uid"] && validate_session($link))) {
                if ($op == 'pref-feeds' && $method == 'add') {
                        header("Content-Type: text/html");
                        login_sequence($link);
@@ -75,7 +75,7 @@
                        print json_encode(array("error" => array("code" => 6)));
                }
                return;
-       }
+       } */
 
        $purge_intervals = array(
                0  => __("Use default"),
                                        }
                                        $handler->after();
                                        return;
+                               } else {
+                                       header("Content-Type: text/plain");
+                                       print json_encode(array("error" => array("code" => 6)));
+                                       return;
                                }
                        } else {
                                header("Content-Type: text/plain");
index 9d6c99e0da27162f8166bf2fb072599746ee29a7..e00b36aa34994a981fdb3706fc91ffdda37a8dca 100644 (file)
@@ -19,5 +19,6 @@ class Handler {
        function after() {
                return true;
        }
+
 }
 ?>
index aff04597da9c4e01d785f29941c35363e7af51d3..c06121d02b8e85872996a628e35d6e6378a7a9d1 100644 (file)
@@ -195,27 +195,22 @@ class Handler_Public extends Handler {
 
        function getProfiles() {
                $login = db_escape_string($_REQUEST["login"]);
-               $password = db_escape_string($_REQUEST["password"]);
 
-               if (authenticate_user($this->link, $login, $password)) {
-                       $result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles
-                               WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY title");
+               $result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users
+                       WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title");
 
-                       print "<select style='width: 100%' name='profile'>";
+               print "<select style='width: 100%' name='profile'>";
 
-                       print "<option value='0'>" . __("Default profile") . "</option>";
+               print "<option value='0'>" . __("Default profile") . "</option>";
 
-                       while ($line = db_fetch_assoc($result)) {
-                               $id = $line["id"];
-                               $title = $line["title"];
-
-                               print "<option value='$id'>$title</option>";
-                       }
+               while ($line = db_fetch_assoc($result)) {
+                       $id = $line["id"];
+                       $title = $line["title"];
 
-                       print "</select>";
-
-                       $_SESSION = array();
+                       print "<option value='$id'>$title</option>";
                }
+
+               print "</select>";
        }
 
        function pubsub() {
@@ -447,5 +442,232 @@ class Handler_Public extends Handler {
                }
        }
 
+       function login() {
+
+               print_r($_REQUEST);
+
+               $_SESSION["prefs_cache"] = array();
+
+               if (!SINGLE_USER_MODE) {
+
+                       $login = db_escape_string($_POST["login"]);
+                       $password = $_POST["password"];
+                       $remember_me = $_POST["remember_me"];
+
+                       if (authenticate_user($this->link, $login, $password)) {
+                               $_POST["password"] = "";
+
+                               $_SESSION["language"] = $_POST["language"];
+                               $_SESSION["ref_schema_version"] = get_schema_version($this->link, true);
+                               $_SESSION["bw_limit"] = !!$_POST["bw_limit"];
+
+                               if ($_POST["profile"]) {
+
+                                       $profile = db_escape_string($_POST["profile"]);
+
+                                       $result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles
+                                               WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]);
+
+                                       if (db_num_rows($result) != 0) {
+                                               $_SESSION["profile"] = $profile;
+                                               $_SESSION["prefs_cache"] = array();
+                                       }
+                               }
+                       } else {
+                               $_SESSION["login_error_msg"] = __("Incorrect username or password");
+                       }
+
+                       if ($_REQUEST['return']) {
+                               header("Location: " . $_REQUEST['return']);
+                       } else {
+                               header("Location: " . SELF_URL_PATH);
+                       }
+               }
+       }
+
+       function subscribe() {
+               if ($_SESSION["uid"]) {
+
+                       $feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
+
+                       header('Content-Type: text/html; charset=utf-8');
+                       print "<html>
+                               <head>
+                                       <title>Tiny Tiny RSS</title>
+                                       <link rel=\"stylesheet\" type=\"text/css\" href=\"utility.css\">
+                                       <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
+                               </head>
+                               <body>
+                               <img class=\"floatingLogo\" src=\"images/logo_wide.png\"
+                                       alt=\"Tiny Tiny RSS\"/>
+                                       <h1>".__("Subscribe to feed...")."</h1>";
+
+                       $rc = subscribe_to_feed($this->link, $feed_url);
+
+                       switch ($rc['code']) {
+                       case 0:
+                               print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
+                               break;
+                       case 1:
+                               print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
+                               break;
+                       case 2:
+                               print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
+                               break;
+                       case 3:
+                               print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
+                               break;
+                       case 4:
+                               print_notice(__("Multiple feed URLs found."));
+                               $feed_urls = get_feeds_from_html($feed_url);
+                               break;
+                       case 5:
+                               print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
+                               break;
+                       }
+
+                       if ($feed_urls) {
+
+                               print "<form action=\"public.php\">";
+                               print "<input type=\"hidden\" name=\"op\" value=\"subscribe\">";
+
+                               print "<select name=\"feed_url\">";
+
+                               foreach ($feed_urls as $url => $name) {
+                                       $url = htmlspecialchars($url);
+                                       $name = htmlspecialchars($name);
+
+                                       print "<option value=\"$url\">$name</option>";
+                               }
+
+                               print "<input type=\"submit\" value=\"".__("Subscribe to selected feed").
+                                       "\">";
+
+                               print "</form>";
+                       }
+
+                       $tp_uri = get_self_url_prefix() . "/prefs.php";
+                       $tt_uri = get_self_url_prefix();
+
+                       if ($rc['code'] <= 2){
+                               $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
+                                       feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
+
+                               $feed_id = db_fetch_result($result, 0, "id");
+                       } else {
+                               $feed_id = 0;
+                       }
+                       print "<p>";
+
+                       if ($feed_id) {
+                               print "<form method=\"GET\" style='display: inline'
+                                       action=\"$tp_uri\">
+                                       <input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
+                                       <input type=\"hidden\" name=\"method\" value=\"editFeed\">
+                                       <input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
+                                       <input type=\"submit\" value=\"".__("Edit subscription options")."\">
+                                       </form>";
+                       }
+
+                       print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
+                               <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
+                               </form></p>";
+
+                       print "</body></html>";
+
+               } else {
+                       render_login_form($this->link);
+               }
+       }
+
+       function subscribe2() {
+               $feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
+               $cat_id = db_escape_string($_REQUEST["cat_id"]);
+               $from = db_escape_string($_REQUEST["from"]);
+
+               /* only read authentication information from POST */
+
+               $auth_login = db_escape_string(trim($_POST["auth_login"]));
+               $auth_pass = db_escape_string(trim($_POST["auth_pass"]));
+
+               $rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);
+
+               switch ($rc) {
+               case 1:
+                       print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
+                       break;
+               case 2:
+                       print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
+                       break;
+               case 3:
+                       print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
+                       break;
+               case 0:
+                       print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
+                       break;
+               case 4:
+                       print_notice(__("Multiple feed URLs found."));
+
+                       $feed_urls = get_feeds_from_html($feed_url);
+                       break;
+               case 5:
+                       print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
+                       break;
+               }
+
+               if ($feed_urls) {
+                       print "<form action=\"backend.php\">";
+                       print "<input type=\"hidden\" name=\"op\" value=\"pref-feeds\">";
+                       print "<input type=\"hidden\" name=\"quiet\" value=\"1\">";
+                       print "<input type=\"hidden\" name=\"method\" value=\"add\">";
+
+                       print "<select name=\"feed_url\">";
+
+                       foreach ($feed_urls as $url => $name) {
+                               $url = htmlspecialchars($url);
+                               $name = htmlspecialchars($name);
+                               print "<option value=\"$url\">$name</option>";
+                       }
+
+                       print "<input type=\"submit\" value=\"".__("Subscribe to selected feed")."\">";
+                       print "</form>";
+               }
+
+               $tp_uri = get_self_url_prefix() . "/prefs.php";
+               $tt_uri = get_self_url_prefix();
+
+               if ($rc <= 2){
+                       $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
+                               feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
+
+                       $feed_id = db_fetch_result($result, 0, "id");
+               } else {
+                       $feed_id = 0;
+               }
+
+               print "<p>";
+
+               if ($feed_id) {
+                       print "<form method=\"GET\" style='display: inline'
+                               action=\"$tp_uri\">
+                               <input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
+                               <input type=\"hidden\" name=\"method\" value=\"editFeed\">
+                               <input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
+                               <input type=\"submit\" value=\"".__("Edit subscription options")."\">
+                               </form>";
+               }
+
+               print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
+                       <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
+                       </form></p>";
+
+               print "</body></html>";
+       }
+
+       function index() {
+               header("Content-Type: text/plain");
+               print json_encode(array("error" => array("code" => 7)));
+       }
+
 }
 ?>
index d6bb94ebe2158e38e14ba35ba4e4ccb8777b5929..a1177f2dd8c3ba848a14bbd089e28383568887af 100644 (file)
@@ -1168,111 +1168,6 @@ class Pref_Feeds extends Handler_Protected {
 
        }
 
-       function add() {
-               $feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
-               $cat_id = db_escape_string($_REQUEST["cat_id"]);
-               $p_from = db_escape_string($_REQUEST["from"]);
-
-               /* only read authentication information from POST */
-
-               $auth_login = db_escape_string(trim($_POST["auth_login"]));
-               $auth_pass = db_escape_string(trim($_POST["auth_pass"]));
-
-               if ($p_from != 'tt-rss') {
-                       header('Content-Type: text/html; charset=utf-8');
-                       print "<html>
-                               <head>
-                                       <title>Tiny Tiny RSS</title>
-                                       <link rel=\"stylesheet\" type=\"text/css\" href=\"utility.css\">
-                                       <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
-                               </head>
-                               <body>
-                               <img class=\"floatingLogo\" src=\"images/logo_wide.png\"
-                                       alt=\"Tiny Tiny RSS\"/>
-                               <h1>Subscribe to feed...</h1>";
-               }
-
-               $rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);
-
-               switch ($rc) {
-               case 1:
-                       print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
-                       break;
-               case 2:
-                       print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
-                       break;
-               case 3:
-                       print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
-                       break;
-               case 0:
-                       print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
-                       break;
-               case 4:
-                       print_notice(__("Multiple feed URLs found."));
-
-                       $feed_urls = get_feeds_from_html($feed_url);
-                       break;
-               case 5:
-                       print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
-                       break;
-               }
-
-               if ($p_from != 'tt-rss') {
-
-                       if ($feed_urls) {
-
-                               print "<form action=\"backend.php\">";
-                               print "<input type=\"hidden\" name=\"op\" value=\"pref-feeds\">";
-                               print "<input type=\"hidden\" name=\"quiet\" value=\"1\">";
-                               print "<input type=\"hidden\" name=\"method\" value=\"add\">";
-
-                               print "<select name=\"feed_url\">";
-
-                               foreach ($feed_urls as $url => $name) {
-                                       $url = htmlspecialchars($url);
-                                       $name = htmlspecialchars($name);
-
-                                       print "<option value=\"$url\">$name</option>";
-                               }
-
-                               print "<input type=\"submit\" value=\"".__("Subscribe to selected feed").
-                                       "\">";
-
-                               print "</form>";
-                       }
-
-                       $tp_uri = get_self_url_prefix() . "/prefs.php";
-                       $tt_uri = get_self_url_prefix();
-
-                       if ($rc <= 2){
-                               $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
-                                       feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
-
-                               $feed_id = db_fetch_result($result, 0, "id");
-                       } else {
-                               $feed_id = 0;
-                       }
-                       print "<p>";
-
-                       if ($feed_id) {
-                               print "<form method=\"GET\" style='display: inline'
-                                       action=\"$tp_uri\">
-                                       <input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
-                                       <input type=\"hidden\" name=\"method\" value=\"editFeed\">
-                                       <input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
-                                       <input type=\"submit\" value=\"".__("Edit subscription options")."\">
-                                       </form>";
-                       }
-
-                       print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
-                               <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
-                               </form></p>";
-
-                       print "</body></html>";
-                       return;
-               }
-       }
-
        function categorize() {
                $ids = split(",", db_escape_string($_REQUEST["ids"]));
 
index 729cb2625d9bfcba1127a28722e3373172a0fe97..73c2f6d5081d79e8ac4dcfbaeda9f0d9ddd1b1cf 100644 (file)
                return true;
        }
 
-       function login_sequence($link, $mobile = false) {
+       function login_sequence($link, $login_form = 0) {
+               if (SINGLE_USER_MODE) {
+                       return authenticate_user($link, "admin", null);
+               } else {
+                       if (!$_SESSION["uid"] || !validate_session($link)) {
+
+                               if (AUTH_AUTO_LOGIN && authenticate_user($link, null, null)) {
+                                   $_SESSION["ref_schema_version"] = get_schema_version($link, true);
+                               } else {
+                                        authenticate_user($link, null, null, true);
+                               }
+
+                               if (!$_SESSION["uid"]) render_login_form($link, $login_form);
+
+                       } else {
+                               /* bump login timestamp */
+                               db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " .
+                                       $_SESSION["uid"]);
+
+                               if ($_SESSION["language"] && SESSION_COOKIE_LIFETIME > 0) {
+                                       setcookie("ttrss_lang", $_SESSION["language"],
+                                               time() + SESSION_COOKIE_LIFETIME);
+                               }
+                       }
+               }
+       }
+
+
+       /* function login_sequence($link, $mobile = false) {
                $_SESSION["prefs_cache"] = array();
 
                if (!SINGLE_USER_MODE) {
                                    exit;
                                }
                        } else {
-                               /* bump login timestamp */
+                               // bump login timestamp
                                db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " .
                                        $_SESSION["uid"]);
 
                } else {
                        return authenticate_user($link, "admin", null);
                }
-       }
+       } */
 
        function truncate_string($str, $max_len, $suffix = '&hellip;') {
                if (mb_strlen($str, "utf-8") > $max_len - 3) {
                return true;
        }
 
-       function render_login_form($link, $mobile = 0) {
-               switch ($mobile) {
+       function render_login_form($link, $form_id = 0) {
+               switch ($form_id) {
                case 0:
                        require_once "login_form.php";
                        break;
                case 1:
                        require_once "mobile/login_form.php";
                        break;
-               case 2:
-                       require_once "mobile/classic/login_form.php";
                }
+               exit;
        }
 
        // from http://developer.apple.com/internet/safari/faq.html
                //$url_path = ($_SERVER['HTTPS'] != "on" ? 'http://' :  'https://') . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
 
                $url_path = get_self_url_prefix() .
-                       "/backend.php?op=pref-feeds&quiet=1&method=add&feed_url=%s";
+                       "/public.php?op=subscribe&feed_url=%s";
                return $url_path;
        } // function add_feed_url
 
index abe73f84744cb0ee97ccbfcd116e4c7e04d9e734..5060f8c11f6ffaa4b5ab713bfe61a9d8dd3ae391 100644 (file)
@@ -32,21 +32,22 @@ function init() {
        }
 
        document.forms["loginForm"].login.focus();
+
+       fetchProfiles();
 }
 
 function fetchProfiles() {
        try {
-               var params = Form.serialize('loginForm');
-               var query = "?op=getProfiles&" + params;
+               var query = "?op=getProfiles&login=" + param_escape(document.forms["loginForm"].login.value);
 
                if (query) {
                        new Ajax.Request("public.php",  {
                                parameters: query,
-                                       onComplete: function(transport) {
-                                               if (transport.responseText.match("select")) {
-                                                       $('profile_box').innerHTML = transport.responseText;
-                                               }
-                               } });
+                               onComplete: function(transport) {
+                                       if (transport.responseText.match("select")) {
+                                               $('profile_box').innerHTML = transport.responseText;
+                                       }
+                       } });
                }
 
        } catch (e) {
@@ -113,8 +114,12 @@ function validateLoginForm(f) {
        });
 </script>
 
-<form action="" method="POST" id="loginForm" name="loginForm" onsubmit="return validateLoginForm(this)">
-<input type="hidden" name="login_action" value="do_login">
+<?php $return = urlencode($_SERVER["REQUEST_URI"]) ?>
+
+<form action="public.php?return=<?php echo $return ?>"
+       method="POST" id="loginForm" name="loginForm" onsubmit="return validateLoginForm(this)">
+
+<input type="hidden" name="op" value="login">
 
 <table class="loginForm2">
 <tr>
@@ -130,11 +135,10 @@ function validateLoginForm(f) {
                <table>
                        <tr><td align="right"><?php echo __("Login:") ?></td>
                        <td align="right"><input name="login"
-                               onchange="fetchProfiles()" onfocus="fetchProfiles()"
+                               onchange="fetchProfiles()" onfocus="fetchProfiles()" onblur="fetchProfiles()"
                                value="<?php echo $_SESSION["fake_login"] ?>"></td></tr>
                        <tr><td align="right"><?php echo __("Password:") ?></td>
                        <td align="right"><input type="password" name="password"
-                               onchange="fetchProfiles()" onfocus="fetchProfiles()"
                                value="<?php echo $_SESSION["fake_password"] ?>"></td></tr>
                        <tr><td align="right"><?php echo __("Language:") ?></td>
                        <td align="right">
@@ -151,11 +155,6 @@ function validateLoginForm(f) {
                                <option><?php echo __("Default profile") ?></option></select>
                        </td></tr>
 
-                       <!-- <tr><td colspan="2">
-                               <input type="checkbox" name="remember_me" id="remember_me">
-                               <label for="remember_me">Remember me on this computer</label>
-                       </td></tr> -->
-
                        <tr><td colspan="2" align="right" class="innerLoginCell">
 
                        <button type="submit" name='click'><?php echo __('Log in') ?></button>
@@ -164,9 +163,6 @@ function validateLoginForm(f) {
                                        <?php echo __("Create new account") ?></button>
                        <?php } ?>
 
-                               <input type="hidden" name="action" value="login">
-                               <input type="hidden" name="rt"
-                                       value="<?php if ($return_to != 'none') { echo $return_to; } ?>">
                        </td></tr>
 
                        <tr><td colspan="2" align="right" class="innerLoginCell">
index ad5e35cead5a6440bc1ec4e438cc81c3bc458323..48f7cc5adfca1cba79c1eaf5de87102c68b556ff 100644 (file)
@@ -28,7 +28,11 @@ function do_login() {
         <a class="button blueButton" onclick='do_login()'><?php echo __('Log in') ?></a>
     </div>
 
-       <form target="_self" title="Login" action="index.php" id="login" class="panel" method="post" name="login" selected="true">
+       <form target="_self" title="Login" id="login" class="panel" name="login" selected="true"
+               action="../public.php?return=<?php echo htmlspecialchars($_SERVER["REQUEST_URI"]) ?>"
+               method="post">
+
+       <input type="hidden" name="op" value="login">
 
        <fieldset>