login system fixes

remove old-style session checking from backend.php
move outside subscription endpoint to public.php, change subscription
bookmarklet
This commit is contained in:
Andrew Dolgov 2012-09-10 19:01:06 +04:00
parent c3d2cda86d
commit 97acbaf190
7 changed files with 299 additions and 150 deletions

View File

@ -65,7 +65,7 @@
// TODO remove and handle within Handlers // TODO remove and handle within Handlers
if (!($_SESSION["uid"] && validate_session($link))) { /* if (!($_SESSION["uid"] && validate_session($link))) {
if ($op == 'pref-feeds' && $method == 'add') { if ($op == 'pref-feeds' && $method == 'add') {
header("Content-Type: text/html"); header("Content-Type: text/html");
login_sequence($link); login_sequence($link);
@ -75,7 +75,7 @@
print json_encode(array("error" => array("code" => 6))); print json_encode(array("error" => array("code" => 6)));
} }
return; return;
} } */
$purge_intervals = array( $purge_intervals = array(
0 => __("Use default"), 0 => __("Use default"),
@ -143,6 +143,10 @@
} }
$handler->after(); $handler->after();
return; return;
} else {
header("Content-Type: text/plain");
print json_encode(array("error" => array("code" => 6)));
return;
} }
} else { } else {
header("Content-Type: text/plain"); header("Content-Type: text/plain");

View File

@ -19,5 +19,6 @@ class Handler {
function after() { function after() {
return true; return true;
} }
} }
?> ?>

View File

@ -195,27 +195,22 @@ class Handler_Public extends Handler {
function getProfiles() { function getProfiles() {
$login = db_escape_string($_REQUEST["login"]); $login = db_escape_string($_REQUEST["login"]);
$password = db_escape_string($_REQUEST["password"]);
if (authenticate_user($this->link, $login, $password)) { $result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles,ttrss_users
$result = db_query($this->link, "SELECT * FROM ttrss_settings_profiles WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = '$login' ORDER BY title");
WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY title");
print "<select style='width: 100%' name='profile'>"; print "<select style='width: 100%' name='profile'>";
print "<option value='0'>" . __("Default profile") . "</option>"; print "<option value='0'>" . __("Default profile") . "</option>";
while ($line = db_fetch_assoc($result)) { while ($line = db_fetch_assoc($result)) {
$id = $line["id"]; $id = $line["id"];
$title = $line["title"]; $title = $line["title"];
print "<option value='$id'>$title</option>"; print "<option value='$id'>$title</option>";
}
print "</select>";
$_SESSION = array();
} }
print "</select>";
} }
function pubsub() { function pubsub() {
@ -447,5 +442,232 @@ class Handler_Public extends Handler {
} }
} }
function login() {
print_r($_REQUEST);
$_SESSION["prefs_cache"] = array();
if (!SINGLE_USER_MODE) {
$login = db_escape_string($_POST["login"]);
$password = $_POST["password"];
$remember_me = $_POST["remember_me"];
if (authenticate_user($this->link, $login, $password)) {
$_POST["password"] = "";
$_SESSION["language"] = $_POST["language"];
$_SESSION["ref_schema_version"] = get_schema_version($this->link, true);
$_SESSION["bw_limit"] = !!$_POST["bw_limit"];
if ($_POST["profile"]) {
$profile = db_escape_string($_POST["profile"]);
$result = db_query($this->link, "SELECT id FROM ttrss_settings_profiles
WHERE id = '$profile' AND owner_uid = " . $_SESSION["uid"]);
if (db_num_rows($result) != 0) {
$_SESSION["profile"] = $profile;
$_SESSION["prefs_cache"] = array();
}
}
} else {
$_SESSION["login_error_msg"] = __("Incorrect username or password");
}
if ($_REQUEST['return']) {
header("Location: " . $_REQUEST['return']);
} else {
header("Location: " . SELF_URL_PATH);
}
}
}
function subscribe() {
if ($_SESSION["uid"]) {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
header('Content-Type: text/html; charset=utf-8');
print "<html>
<head>
<title>Tiny Tiny RSS</title>
<link rel=\"stylesheet\" type=\"text/css\" href=\"utility.css\">
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
</head>
<body>
<img class=\"floatingLogo\" src=\"images/logo_wide.png\"
alt=\"Tiny Tiny RSS\"/>
<h1>".__("Subscribe to feed...")."</h1>";
$rc = subscribe_to_feed($this->link, $feed_url);
switch ($rc['code']) {
case 0:
print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
break;
case 1:
print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
break;
case 2:
print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
break;
case 3:
print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
break;
case 4:
print_notice(__("Multiple feed URLs found."));
$feed_urls = get_feeds_from_html($feed_url);
break;
case 5:
print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
break;
}
if ($feed_urls) {
print "<form action=\"public.php\">";
print "<input type=\"hidden\" name=\"op\" value=\"subscribe\">";
print "<select name=\"feed_url\">";
foreach ($feed_urls as $url => $name) {
$url = htmlspecialchars($url);
$name = htmlspecialchars($name);
print "<option value=\"$url\">$name</option>";
}
print "<input type=\"submit\" value=\"".__("Subscribe to selected feed").
"\">";
print "</form>";
}
$tp_uri = get_self_url_prefix() . "/prefs.php";
$tt_uri = get_self_url_prefix();
if ($rc['code'] <= 2){
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
$feed_id = db_fetch_result($result, 0, "id");
} else {
$feed_id = 0;
}
print "<p>";
if ($feed_id) {
print "<form method=\"GET\" style='display: inline'
action=\"$tp_uri\">
<input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
<input type=\"hidden\" name=\"method\" value=\"editFeed\">
<input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
<input type=\"submit\" value=\"".__("Edit subscription options")."\">
</form>";
}
print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form></p>";
print "</body></html>";
} else {
render_login_form($this->link);
}
}
function subscribe2() {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$from = db_escape_string($_REQUEST["from"]);
/* only read authentication information from POST */
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
$rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);
switch ($rc) {
case 1:
print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
break;
case 2:
print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
break;
case 3:
print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
break;
case 0:
print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
break;
case 4:
print_notice(__("Multiple feed URLs found."));
$feed_urls = get_feeds_from_html($feed_url);
break;
case 5:
print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
break;
}
if ($feed_urls) {
print "<form action=\"backend.php\">";
print "<input type=\"hidden\" name=\"op\" value=\"pref-feeds\">";
print "<input type=\"hidden\" name=\"quiet\" value=\"1\">";
print "<input type=\"hidden\" name=\"method\" value=\"add\">";
print "<select name=\"feed_url\">";
foreach ($feed_urls as $url => $name) {
$url = htmlspecialchars($url);
$name = htmlspecialchars($name);
print "<option value=\"$url\">$name</option>";
}
print "<input type=\"submit\" value=\"".__("Subscribe to selected feed")."\">";
print "</form>";
}
$tp_uri = get_self_url_prefix() . "/prefs.php";
$tt_uri = get_self_url_prefix();
if ($rc <= 2){
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
$feed_id = db_fetch_result($result, 0, "id");
} else {
$feed_id = 0;
}
print "<p>";
if ($feed_id) {
print "<form method=\"GET\" style='display: inline'
action=\"$tp_uri\">
<input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
<input type=\"hidden\" name=\"method\" value=\"editFeed\">
<input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
<input type=\"submit\" value=\"".__("Edit subscription options")."\">
</form>";
}
print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form></p>";
print "</body></html>";
}
function index() {
header("Content-Type: text/plain");
print json_encode(array("error" => array("code" => 7)));
}
} }
?> ?>

View File

@ -1168,111 +1168,6 @@ class Pref_Feeds extends Handler_Protected {
} }
function add() {
$feed_url = db_escape_string(trim($_REQUEST["feed_url"]));
$cat_id = db_escape_string($_REQUEST["cat_id"]);
$p_from = db_escape_string($_REQUEST["from"]);
/* only read authentication information from POST */
$auth_login = db_escape_string(trim($_POST["auth_login"]));
$auth_pass = db_escape_string(trim($_POST["auth_pass"]));
if ($p_from != 'tt-rss') {
header('Content-Type: text/html; charset=utf-8');
print "<html>
<head>
<title>Tiny Tiny RSS</title>
<link rel=\"stylesheet\" type=\"text/css\" href=\"utility.css\">
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
</head>
<body>
<img class=\"floatingLogo\" src=\"images/logo_wide.png\"
alt=\"Tiny Tiny RSS\"/>
<h1>Subscribe to feed...</h1>";
}
$rc = subscribe_to_feed($this->link, $feed_url, $cat_id, $auth_login, $auth_pass);
switch ($rc) {
case 1:
print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
break;
case 2:
print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
break;
case 3:
print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
break;
case 0:
print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
break;
case 4:
print_notice(__("Multiple feed URLs found."));
$feed_urls = get_feeds_from_html($feed_url);
break;
case 5:
print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
break;
}
if ($p_from != 'tt-rss') {
if ($feed_urls) {
print "<form action=\"backend.php\">";
print "<input type=\"hidden\" name=\"op\" value=\"pref-feeds\">";
print "<input type=\"hidden\" name=\"quiet\" value=\"1\">";
print "<input type=\"hidden\" name=\"method\" value=\"add\">";
print "<select name=\"feed_url\">";
foreach ($feed_urls as $url => $name) {
$url = htmlspecialchars($url);
$name = htmlspecialchars($name);
print "<option value=\"$url\">$name</option>";
}
print "<input type=\"submit\" value=\"".__("Subscribe to selected feed").
"\">";
print "</form>";
}
$tp_uri = get_self_url_prefix() . "/prefs.php";
$tt_uri = get_self_url_prefix();
if ($rc <= 2){
$result = db_query($this->link, "SELECT id FROM ttrss_feeds WHERE
feed_url = '$feed_url' AND owner_uid = " . $_SESSION["uid"]);
$feed_id = db_fetch_result($result, 0, "id");
} else {
$feed_id = 0;
}
print "<p>";
if ($feed_id) {
print "<form method=\"GET\" style='display: inline'
action=\"$tp_uri\">
<input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
<input type=\"hidden\" name=\"method\" value=\"editFeed\">
<input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
<input type=\"submit\" value=\"".__("Edit subscription options")."\">
</form>";
}
print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form></p>";
print "</body></html>";
return;
}
}
function categorize() { function categorize() {
$ids = split(",", db_escape_string($_REQUEST["ids"])); $ids = split(",", db_escape_string($_REQUEST["ids"]));

View File

@ -815,7 +815,35 @@
return true; return true;
} }
function login_sequence($link, $mobile = false) { function login_sequence($link, $login_form = 0) {
if (SINGLE_USER_MODE) {
return authenticate_user($link, "admin", null);
} else {
if (!$_SESSION["uid"] || !validate_session($link)) {
if (AUTH_AUTO_LOGIN && authenticate_user($link, null, null)) {
$_SESSION["ref_schema_version"] = get_schema_version($link, true);
} else {
authenticate_user($link, null, null, true);
}
if (!$_SESSION["uid"]) render_login_form($link, $login_form);
} else {
/* bump login timestamp */
db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " .
$_SESSION["uid"]);
if ($_SESSION["language"] && SESSION_COOKIE_LIFETIME > 0) {
setcookie("ttrss_lang", $_SESSION["language"],
time() + SESSION_COOKIE_LIFETIME);
}
}
}
}
/* function login_sequence($link, $mobile = false) {
$_SESSION["prefs_cache"] = array(); $_SESSION["prefs_cache"] = array();
if (!SINGLE_USER_MODE) { if (!SINGLE_USER_MODE) {
@ -872,7 +900,7 @@
exit; exit;
} }
} else { } else {
/* bump login timestamp */ // bump login timestamp
db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " .
$_SESSION["uid"]); $_SESSION["uid"]);
@ -888,7 +916,7 @@
} else { } else {
return authenticate_user($link, "admin", null); return authenticate_user($link, "admin", null);
} }
} } */
function truncate_string($str, $max_len, $suffix = '&hellip;') { function truncate_string($str, $max_len, $suffix = '&hellip;') {
if (mb_strlen($str, "utf-8") > $max_len - 3) { if (mb_strlen($str, "utf-8") > $max_len - 3) {
@ -3148,17 +3176,16 @@
return true; return true;
} }
function render_login_form($link, $mobile = 0) { function render_login_form($link, $form_id = 0) {
switch ($mobile) { switch ($form_id) {
case 0: case 0:
require_once "login_form.php"; require_once "login_form.php";
break; break;
case 1: case 1:
require_once "mobile/login_form.php"; require_once "mobile/login_form.php";
break; break;
case 2:
require_once "mobile/classic/login_form.php";
} }
exit;
} }
// from http://developer.apple.com/internet/safari/faq.html // from http://developer.apple.com/internet/safari/faq.html
@ -3588,7 +3615,7 @@
//$url_path = ($_SERVER['HTTPS'] != "on" ? 'http://' : 'https://') . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH); //$url_path = ($_SERVER['HTTPS'] != "on" ? 'http://' : 'https://') . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
$url_path = get_self_url_prefix() . $url_path = get_self_url_prefix() .
"/backend.php?op=pref-feeds&quiet=1&method=add&feed_url=%s"; "/public.php?op=subscribe&feed_url=%s";
return $url_path; return $url_path;
} // function add_feed_url } // function add_feed_url

View File

@ -32,21 +32,22 @@ function init() {
} }
document.forms["loginForm"].login.focus(); document.forms["loginForm"].login.focus();
fetchProfiles();
} }
function fetchProfiles() { function fetchProfiles() {
try { try {
var params = Form.serialize('loginForm'); var query = "?op=getProfiles&login=" + param_escape(document.forms["loginForm"].login.value);
var query = "?op=getProfiles&" + params;
if (query) { if (query) {
new Ajax.Request("public.php", { new Ajax.Request("public.php", {
parameters: query, parameters: query,
onComplete: function(transport) { onComplete: function(transport) {
if (transport.responseText.match("select")) { if (transport.responseText.match("select")) {
$('profile_box').innerHTML = transport.responseText; $('profile_box').innerHTML = transport.responseText;
} }
} }); } });
} }
} catch (e) { } catch (e) {
@ -113,8 +114,12 @@ function validateLoginForm(f) {
}); });
</script> </script>
<form action="" method="POST" id="loginForm" name="loginForm" onsubmit="return validateLoginForm(this)"> <?php $return = urlencode($_SERVER["REQUEST_URI"]) ?>
<input type="hidden" name="login_action" value="do_login">
<form action="public.php?return=<?php echo $return ?>"
method="POST" id="loginForm" name="loginForm" onsubmit="return validateLoginForm(this)">
<input type="hidden" name="op" value="login">
<table class="loginForm2"> <table class="loginForm2">
<tr> <tr>
@ -130,11 +135,10 @@ function validateLoginForm(f) {
<table> <table>
<tr><td align="right"><?php echo __("Login:") ?></td> <tr><td align="right"><?php echo __("Login:") ?></td>
<td align="right"><input name="login" <td align="right"><input name="login"
onchange="fetchProfiles()" onfocus="fetchProfiles()" onchange="fetchProfiles()" onfocus="fetchProfiles()" onblur="fetchProfiles()"
value="<?php echo $_SESSION["fake_login"] ?>"></td></tr> value="<?php echo $_SESSION["fake_login"] ?>"></td></tr>
<tr><td align="right"><?php echo __("Password:") ?></td> <tr><td align="right"><?php echo __("Password:") ?></td>
<td align="right"><input type="password" name="password" <td align="right"><input type="password" name="password"
onchange="fetchProfiles()" onfocus="fetchProfiles()"
value="<?php echo $_SESSION["fake_password"] ?>"></td></tr> value="<?php echo $_SESSION["fake_password"] ?>"></td></tr>
<tr><td align="right"><?php echo __("Language:") ?></td> <tr><td align="right"><?php echo __("Language:") ?></td>
<td align="right"> <td align="right">
@ -151,11 +155,6 @@ function validateLoginForm(f) {
<option><?php echo __("Default profile") ?></option></select> <option><?php echo __("Default profile") ?></option></select>
</td></tr> </td></tr>
<!-- <tr><td colspan="2">
<input type="checkbox" name="remember_me" id="remember_me">
<label for="remember_me">Remember me on this computer</label>
</td></tr> -->
<tr><td colspan="2" align="right" class="innerLoginCell"> <tr><td colspan="2" align="right" class="innerLoginCell">
<button type="submit" name='click'><?php echo __('Log in') ?></button> <button type="submit" name='click'><?php echo __('Log in') ?></button>
@ -164,9 +163,6 @@ function validateLoginForm(f) {
<?php echo __("Create new account") ?></button> <?php echo __("Create new account") ?></button>
<?php } ?> <?php } ?>
<input type="hidden" name="action" value="login">
<input type="hidden" name="rt"
value="<?php if ($return_to != 'none') { echo $return_to; } ?>">
</td></tr> </td></tr>
<tr><td colspan="2" align="right" class="innerLoginCell"> <tr><td colspan="2" align="right" class="innerLoginCell">

View File

@ -28,7 +28,11 @@ function do_login() {
<a class="button blueButton" onclick='do_login()'><?php echo __('Log in') ?></a> <a class="button blueButton" onclick='do_login()'><?php echo __('Log in') ?></a>
</div> </div>
<form target="_self" title="Login" action="index.php" id="login" class="panel" method="post" name="login" selected="true"> <form target="_self" title="Login" id="login" class="panel" name="login" selected="true"
action="../public.php?return=<?php echo htmlspecialchars($_SERVER["REQUEST_URI"]) ?>"
method="post">
<input type="hidden" name="op" value="login">
<fieldset> <fieldset>