From 97acbaf190ff84b4cc5b01192f14d9ee384d6327 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 10 Sep 2012 19:01:06 +0400 Subject: [PATCH] login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet --- backend.php | 8 +- classes/handler.php | 1 + classes/handler/public.php | 252 ++++++++++++++++++++++++++++++++++--- classes/pref/feeds.php | 105 ---------------- include/functions.php | 43 +++++-- include/login_form.php | 34 +++-- mobile/login_form.php | 6 +- 7 files changed, 299 insertions(+), 150 deletions(-) diff --git a/backend.php b/backend.php index 8e6ff6ce..87b0945b 100644 --- a/backend.php +++ b/backend.php @@ -65,7 +65,7 @@ // TODO remove and handle within Handlers - if (!($_SESSION["uid"] && validate_session($link))) { + /* if (!($_SESSION["uid"] && validate_session($link))) { if ($op == 'pref-feeds' && $method == 'add') { header("Content-Type: text/html"); login_sequence($link); @@ -75,7 +75,7 @@ print json_encode(array("error" => array("code" => 6))); } return; - } + } */ $purge_intervals = array( 0 => __("Use default"), @@ -143,6 +143,10 @@ } $handler->after(); return; + } else { + header("Content-Type: text/plain"); + print json_encode(array("error" => array("code" => 6))); + return; } } else { header("Content-Type: text/plain"); diff --git a/classes/handler.php b/classes/handler.php index 9d6c99e0..e00b36aa 100644 --- a/classes/handler.php +++ b/classes/handler.php @@ -19,5 +19,6 @@ class Handler { function after() { return true; } + } ?> diff --git a/classes/handler/public.php b/classes/handler/public.php index aff04597..c06121d0 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -195,27 +195,22 @@ class Handler_Public extends Handler { function getProfiles() { $login = db_escape_string($_REQUEST["login"]); - $password = db_escape_string($_REQUEST["password"]); - if (authenticate_user($this->link, $login, $password)) { - $result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles - WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY title"); + $result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users + WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title"); - print ""; - print ""; + print ""; - while ($line = db_fetch_assoc($result)) { - $id = $line["id"]; - $title = $line["title"]; - - print ""; - } + while ($line = db_fetch_assoc($result)) { + $id = $line["id"]; + $title = $line["title"]; - print ""; - - $_SESSION = array(); + print ""; } + + print ""; } function pubsub() { @@ -447,5 +442,232 @@ class Handler_Public extends Handler { } } + function login() { + + print_r($_REQUEST); + + $_SESSION["prefs_cache"] = array(); + + if (!SINGLE_USER_MODE) { + + $login = db_escape_string($_POST["login"]); + $password = $_POST["password"]; + $remember_me = $_POST["remember_me"]; + + if (authenticate_user($this->link, $login, $password)) { + $_POST["password"] = ""; + + $_SESSION["language"] = $_POST["language"]; + $_SESSION["ref_schema_version"] = get_schema_version($this->link, true); + $_SESSION["bw_limit"] = !!$_POST["bw_limit"]; + + if ($_POST["profile"]) { + + $profile = db_escape_string($_POST["profile"]); + + $result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles + WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]); + + if (db_num_rows($result) != 0) { + $_SESSION["profile"] = $profile; + $_SESSION["prefs_cache"] = array(); + } + } + } else { + $_SESSION["login_error_msg"] = __("Incorrect username or password"); + } + + if ($_REQUEST['return']) { + header("Location: " . $_REQUEST['return']); + } else { + header("Location: " . SELF_URL_PATH); + } + } + } + + function subscribe() { + if ($_SESSION["uid"]) { + + $feed_url = db_escape_string(trim($_REQUEST["feed_url"])); + + header('Content-Type: text/html; charset=utf-8'); + print " + + Tiny Tiny RSS + + + + + \"Tiny +

".__("Subscribe to feed...")."

"; + + $rc = subscribe_to_feed($this->link, $feed_url); + + switch ($rc['code']) { + case 0: + print_warning(T_sprintf("Already subscribed to %s.", $feed_url)); + break; + case 1: + print_notice(T_sprintf("Subscribed to %s.", $feed_url)); + break; + case 2: + print_error(T_sprintf("Could not subscribe to %s.", $feed_url)); + break; + case 3: + print_error(T_sprintf("No feeds found in %s.", $feed_url)); + break; + case 4: + print_notice(__("Multiple feed URLs found.")); + $feed_urls = get_feeds_from_html($feed_url); + break; + case 5: + print_error(T_sprintf("Could not subscribe to %s.
Can't download the Feed URL.", $feed_url)); + break; + } + + if ($feed_urls) { + + print "
"; + print ""; + + print ""; + + print "
"; + } + + $tp_uri = get_self_url_prefix() . "/prefs.php"; + $tt_uri = get_self_url_prefix(); + + if ($rc['code'] <= 2){ + $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE + feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); + + $feed_id = db_fetch_result($result, 0, "id"); + } else { + $feed_id = 0; + } + print "

"; + + if ($feed_id) { + print "

+ + + + +
"; + } + + print "
+ +

"; + + print ""; + + } else { + render_login_form($this->link); + } + } + + function subscribe2() { + $feed_url = db_escape_string(trim($_REQUEST["feed_url"])); + $cat_id = db_escape_string($_REQUEST["cat_id"]); + $from = db_escape_string($_REQUEST["from"]); + + /* only read authentication information from POST */ + + $auth_login = db_escape_string(trim($_POST["auth_login"])); + $auth_pass = db_escape_string(trim($_POST["auth_pass"])); + + $rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass); + + switch ($rc) { + case 1: + print_notice(T_sprintf("Subscribed to %s.", $feed_url)); + break; + case 2: + print_error(T_sprintf("Could not subscribe to %s.", $feed_url)); + break; + case 3: + print_error(T_sprintf("No feeds found in %s.", $feed_url)); + break; + case 0: + print_warning(T_sprintf("Already subscribed to %s.", $feed_url)); + break; + case 4: + print_notice(__("Multiple feed URLs found.")); + + $feed_urls = get_feeds_from_html($feed_url); + break; + case 5: + print_error(T_sprintf("Could not subscribe to %s.
Can't download the Feed URL.", $feed_url)); + break; + } + + if ($feed_urls) { + print "
"; + print ""; + print ""; + print ""; + + print ""; + print "
"; + } + + $tp_uri = get_self_url_prefix() . "/prefs.php"; + $tt_uri = get_self_url_prefix(); + + if ($rc <= 2){ + $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE + feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); + + $feed_id = db_fetch_result($result, 0, "id"); + } else { + $feed_id = 0; + } + + print "

"; + + if ($feed_id) { + print "

+ + + + +
"; + } + + print "
+ +

"; + + print ""; + } + + function index() { + header("Content-Type: text/plain"); + print json_encode(array("error" => array("code" => 7))); + } + } ?> diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php index d6bb94eb..a1177f2d 100644 --- a/classes/pref/feeds.php +++ b/classes/pref/feeds.php @@ -1168,111 +1168,6 @@ class Pref_Feeds extends Handler_Protected { } - function add() { - $feed_url = db_escape_string(trim($_REQUEST["feed_url"])); - $cat_id = db_escape_string($_REQUEST["cat_id"]); - $p_from = db_escape_string($_REQUEST["from"]); - - /* only read authentication information from POST */ - - $auth_login = db_escape_string(trim($_POST["auth_login"])); - $auth_pass = db_escape_string(trim($_POST["auth_pass"])); - - if ($p_from != 'tt-rss') { - header('Content-Type: text/html; charset=utf-8'); - print " - - Tiny Tiny RSS - - - - - \"Tiny -

Subscribe to feed...

"; - } - - $rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass); - - switch ($rc) { - case 1: - print_notice(T_sprintf("Subscribed to %s.", $feed_url)); - break; - case 2: - print_error(T_sprintf("Could not subscribe to %s.", $feed_url)); - break; - case 3: - print_error(T_sprintf("No feeds found in %s.", $feed_url)); - break; - case 0: - print_warning(T_sprintf("Already subscribed to %s.", $feed_url)); - break; - case 4: - print_notice(__("Multiple feed URLs found.")); - - $feed_urls = get_feeds_from_html($feed_url); - break; - case 5: - print_error(T_sprintf("Could not subscribe to %s.
Can't download the Feed URL.", $feed_url)); - break; - } - - if ($p_from != 'tt-rss') { - - if ($feed_urls) { - - print "
"; - print ""; - print ""; - print ""; - - print ""; - - print "
"; - } - - $tp_uri = get_self_url_prefix() . "/prefs.php"; - $tt_uri = get_self_url_prefix(); - - if ($rc <= 2){ - $result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE - feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]); - - $feed_id = db_fetch_result($result, 0, "id"); - } else { - $feed_id = 0; - } - print "

"; - - if ($feed_id) { - print "

- - - - -
"; - } - - print "
- -

"; - - print ""; - return; - } - } - function categorize() { $ids = split(",", db_escape_string($_REQUEST["ids"])); diff --git a/include/functions.php b/include/functions.php index 729cb262..73c2f6d5 100644 --- a/include/functions.php +++ b/include/functions.php @@ -815,7 +815,35 @@ return true; } - function login_sequence($link, $mobile = false) { + function login_sequence($link, $login_form = 0) { + if (SINGLE_USER_MODE) { + return authenticate_user($link, "admin", null); + } else { + if (!$_SESSION["uid"] || !validate_session($link)) { + + if (AUTH_AUTO_LOGIN && authenticate_user($link, null, null)) { + $_SESSION["ref_schema_version"] = get_schema_version($link, true); + } else { + authenticate_user($link, null, null, true); + } + + if (!$_SESSION["uid"]) render_login_form($link, $login_form); + + } else { + /* bump login timestamp */ + db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . + $_SESSION["uid"]); + + if ($_SESSION["language"] && SESSION_COOKIE_LIFETIME > 0) { + setcookie("ttrss_lang", $_SESSION["language"], + time() + SESSION_COOKIE_LIFETIME); + } + } + } + } + + + /* function login_sequence($link, $mobile = false) { $_SESSION["prefs_cache"] = array(); if (!SINGLE_USER_MODE) { @@ -872,7 +900,7 @@ exit; } } else { - /* bump login timestamp */ + // bump login timestamp db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . $_SESSION["uid"]); @@ -888,7 +916,7 @@ } else { return authenticate_user($link, "admin", null); } - } + } */ function truncate_string($str, $max_len, $suffix = '…') { if (mb_strlen($str, "utf-8") > $max_len - 3) { @@ -3148,17 +3176,16 @@ return true; } - function render_login_form($link, $mobile = 0) { - switch ($mobile) { + function render_login_form($link, $form_id = 0) { + switch ($form_id) { case 0: require_once "login_form.php"; break; case 1: require_once "mobile/login_form.php"; break; - case 2: - require_once "mobile/classic/login_form.php"; } + exit; } // from http://developer.apple.com/internet/safari/faq.html @@ -3588,7 +3615,7 @@ //$url_path = ($_SERVER['HTTPS'] != "on" ? 'http://' : 'https://') . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH); $url_path = get_self_url_prefix() . - "/backend.php?op=pref-feeds&quiet=1&method=add&feed_url=%s"; + "/public.php?op=subscribe&feed_url=%s"; return $url_path; } // function add_feed_url diff --git a/include/login_form.php b/include/login_form.php index abe73f84..5060f8c1 100644 --- a/include/login_form.php +++ b/include/login_form.php @@ -32,21 +32,22 @@ function init() { } document.forms["loginForm"].login.focus(); + + fetchProfiles(); } function fetchProfiles() { try { - var params = Form.serialize('loginForm'); - var query = "?op=getProfiles&" + params; + var query = "?op=getProfiles&login=" + param_escape(document.forms["loginForm"].login.value); if (query) { new Ajax.Request("public.php", { parameters: query, - onComplete: function(transport) { - if (transport.responseText.match("select")) { - $('profile_box').innerHTML = transport.responseText; - } - } }); + onComplete: function(transport) { + if (transport.responseText.match("select")) { + $('profile_box').innerHTML = transport.responseText; + } + } }); } } catch (e) { @@ -113,8 +114,12 @@ function validateLoginForm(f) { }); -
- + + + + + @@ -130,11 +135,10 @@ function validateLoginForm(f) {
- -
">
">
@@ -151,11 +155,6 @@ function validateLoginForm(f) {
@@ -164,9 +163,6 @@ function validateLoginForm(f) { - -
diff --git a/mobile/login_form.php b/mobile/login_form.php index ad5e35ce..48f7cc5a 100644 --- a/mobile/login_form.php +++ b/mobile/login_form.php @@ -28,7 +28,11 @@ function do_login() { - + " + method="post"> + +
-- 2.39.5