public.php 36 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245
  1. <?php
  2. class Handler_Public extends Handler {
  3. private function generate_syndicated_feed($owner_uid, $feed, $is_cat,
  4. $limit, $offset, $search,
  5. $view_mode = false, $format = 'atom', $order = false, $orig_guid = false, $start_ts = false) {
  6. require_once "lib/MiniTemplator.class.php";
  7. $note_style = "background-color : #fff7d5;
  8. border-width : 1px; ".
  9. "padding : 5px; border-style : dashed; border-color : #e7d796;".
  10. "margin-bottom : 1em; color : #9a8c59;";
  11. if (!$limit) $limit = 60;
  12. $date_sort_field = "date_entered DESC, updated DESC";
  13. if ($feed == -2 && !$is_cat) {
  14. $date_sort_field = "last_published DESC";
  15. } else if ($feed == -1 && !$is_cat) {
  16. $date_sort_field = "last_marked DESC";
  17. }
  18. switch ($order) {
  19. case "title":
  20. $date_sort_field = "ttrss_entries.title, date_entered, updated";
  21. break;
  22. case "date_reverse":
  23. $date_sort_field = "date_entered, updated";
  24. break;
  25. case "feed_dates":
  26. $date_sort_field = "updated DESC";
  27. break;
  28. }
  29. $params = array(
  30. "owner_uid" => $owner_uid,
  31. "feed" => $feed,
  32. "limit" => $limit,
  33. "view_mode" => $view_mode,
  34. "cat_view" => $is_cat,
  35. "search" => $search,
  36. "override_order" => $date_sort_field,
  37. "include_children" => true,
  38. "ignore_vfeed_group" => true,
  39. "offset" => $offset,
  40. "start_ts" => $start_ts
  41. );
  42. if (!$is_cat && is_numeric($feed) && $feed < PLUGIN_FEED_BASE_INDEX && $feed > LABEL_BASE_INDEX) {
  43. $user_plugins = get_pref("_ENABLED_PLUGINS", $owner_uid);
  44. $tmppluginhost = new PluginHost();
  45. $tmppluginhost->load(PLUGINS, PluginHost::KIND_ALL);
  46. $tmppluginhost->load($user_plugins, PluginHost::KIND_USER, $owner_uid);
  47. $tmppluginhost->load_data();
  48. $handler = $tmppluginhost->get_feed_handler(
  49. PluginHost::feed_to_pfeed_id($feed));
  50. if ($handler) {
  51. $qfh_ret = $handler->get_headlines(PluginHost::feed_to_pfeed_id($feed),
  52. $options);
  53. }
  54. } else {
  55. $qfh_ret = Feeds::queryFeedHeadlines($params);
  56. }
  57. $result = $qfh_ret[0];
  58. $feed_title = htmlspecialchars($qfh_ret[1]);
  59. $feed_site_url = $qfh_ret[2];
  60. /* $last_error = $qfh_ret[3]; */
  61. $feed_self_url = get_self_url_prefix() .
  62. "/public.php?op=rss&id=$feed&key=" .
  63. get_feed_access_key($feed, false, $owner_uid);
  64. if (!$feed_site_url) $feed_site_url = get_self_url_prefix();
  65. if ($format == 'atom') {
  66. $tpl = new MiniTemplator;
  67. $tpl->readTemplateFromFile("templates/generated_feed.txt");
  68. $tpl->setVariable('FEED_TITLE', $feed_title, true);
  69. $tpl->setVariable('VERSION', VERSION, true);
  70. $tpl->setVariable('FEED_URL', htmlspecialchars($feed_self_url), true);
  71. $tpl->setVariable('SELF_URL', htmlspecialchars(get_self_url_prefix()), true);
  72. while ($line = $result->fetch()) {
  73. $line["content_preview"] = sanitize(truncate_string(strip_tags($line["content"]), 100, '...'));
  74. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) {
  75. $line = $p->hook_query_headlines($line);
  76. }
  77. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_EXPORT_FEED) as $p) {
  78. $line = $p->hook_article_export_feed($line, $feed, $is_cat);
  79. }
  80. $tpl->setVariable('ARTICLE_ID',
  81. htmlspecialchars($orig_guid ? $line['link'] :
  82. $this->make_article_tag_uri($line['id'], $line['date_entered'])), true);
  83. $tpl->setVariable('ARTICLE_LINK', htmlspecialchars($line['link']), true);
  84. $tpl->setVariable('ARTICLE_TITLE', htmlspecialchars($line['title']), true);
  85. $tpl->setVariable('ARTICLE_EXCERPT', $line["content_preview"], true);
  86. $content = sanitize($line["content"], false, $owner_uid,
  87. $feed_site_url, false, $line["id"]);
  88. if ($line['note']) {
  89. $content = "<div style=\"$note_style\">Article note: " . $line['note'] . "</div>" .
  90. $content;
  91. $tpl->setVariable('ARTICLE_NOTE', htmlspecialchars($line['note']), true);
  92. }
  93. $tpl->setVariable('ARTICLE_CONTENT', $content, true);
  94. $tpl->setVariable('ARTICLE_UPDATED_ATOM',
  95. date('c', strtotime($line["updated"])), true);
  96. $tpl->setVariable('ARTICLE_UPDATED_RFC822',
  97. date(DATE_RFC822, strtotime($line["updated"])), true);
  98. $tpl->setVariable('ARTICLE_AUTHOR', htmlspecialchars($line['author']), true);
  99. $tpl->setVariable('ARTICLE_SOURCE_LINK', htmlspecialchars($line['site_url'] ? $line["site_url"] : get_self_url_prefix()), true);
  100. $tpl->setVariable('ARTICLE_SOURCE_TITLE', htmlspecialchars($line['feed_title'] ? $line['feed_title'] : $feed_title), true);
  101. $tags = Article::get_article_tags($line["id"], $owner_uid);
  102. foreach ($tags as $tag) {
  103. $tpl->setVariable('ARTICLE_CATEGORY', htmlspecialchars($tag), true);
  104. $tpl->addBlock('category');
  105. }
  106. $enclosures = Article::get_article_enclosures($line["id"]);
  107. if (count($enclosures) > 0) {
  108. foreach ($enclosures as $e) {
  109. $type = htmlspecialchars($e['content_type']);
  110. $url = htmlspecialchars($e['content_url']);
  111. $length = $e['duration'] ? $e['duration'] : 1;
  112. $tpl->setVariable('ARTICLE_ENCLOSURE_URL', $url, true);
  113. $tpl->setVariable('ARTICLE_ENCLOSURE_TYPE', $type, true);
  114. $tpl->setVariable('ARTICLE_ENCLOSURE_LENGTH', $length, true);
  115. $tpl->addBlock('enclosure');
  116. }
  117. } else {
  118. $tpl->setVariable('ARTICLE_ENCLOSURE_URL', null, true);
  119. $tpl->setVariable('ARTICLE_ENCLOSURE_TYPE', null, true);
  120. $tpl->setVariable('ARTICLE_ENCLOSURE_LENGTH', null, true);
  121. }
  122. $tpl->setVariable('ARTICLE_OG_IMAGE',
  123. $this->get_article_image($enclosures, $line['content'], $feed_site_url), true);
  124. $tpl->addBlock('entry');
  125. }
  126. $tmp = "";
  127. $tpl->addBlock('feed');
  128. $tpl->generateOutputToString($tmp);
  129. if (@!clean($_REQUEST["noxml"])) {
  130. header("Content-Type: text/xml; charset=utf-8");
  131. } else {
  132. header("Content-Type: text/plain; charset=utf-8");
  133. }
  134. print $tmp;
  135. } else if ($format == 'json') {
  136. $feed = array();
  137. $feed['title'] = $feed_title;
  138. $feed['version'] = VERSION;
  139. $feed['feed_url'] = $feed_self_url;
  140. $feed['self_url'] = get_self_url_prefix();
  141. $feed['articles'] = array();
  142. while ($line = $result->fetch()) {
  143. $line["content_preview"] = sanitize(truncate_string(strip_tags($line["content_preview"]), 100, '...'));
  144. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) {
  145. $line = $p->hook_query_headlines($line, 100);
  146. }
  147. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_EXPORT_FEED) as $p) {
  148. $line = $p->hook_article_export_feed($line, $feed, $is_cat);
  149. }
  150. $article = array();
  151. $article['id'] = $line['link'];
  152. $article['link'] = $line['link'];
  153. $article['title'] = $line['title'];
  154. $article['excerpt'] = $line["content_preview"];
  155. $article['content'] = sanitize($line["content"], false, $owner_uid, $feed_site_url, false, $line["id"]);
  156. $article['updated'] = date('c', strtotime($line["updated"]));
  157. if ($line['note']) $article['note'] = $line['note'];
  158. if ($article['author']) $article['author'] = $line['author'];
  159. $tags = Article::get_article_tags($line["id"], $owner_uid);
  160. if (count($tags) > 0) {
  161. $article['tags'] = array();
  162. foreach ($tags as $tag) {
  163. array_push($article['tags'], $tag);
  164. }
  165. }
  166. $enclosures = Article::get_article_enclosures($line["id"]);
  167. if (count($enclosures) > 0) {
  168. $article['enclosures'] = array();
  169. foreach ($enclosures as $e) {
  170. $type = $e['content_type'];
  171. $url = $e['content_url'];
  172. $length = $e['duration'];
  173. array_push($article['enclosures'], array("url" => $url, "type" => $type, "length" => $length));
  174. }
  175. }
  176. array_push($feed['articles'], $article);
  177. }
  178. header("Content-Type: text/json; charset=utf-8");
  179. print json_encode($feed);
  180. } else {
  181. header("Content-Type: text/plain; charset=utf-8");
  182. print json_encode(array("error" => array("message" => "Unknown format")));
  183. }
  184. }
  185. function getUnread() {
  186. $login = clean($_REQUEST["login"]);
  187. $fresh = clean($_REQUEST["fresh"]) == "1";
  188. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
  189. $sth->execute([$login]);
  190. if ($row = $sth->fetch()) {
  191. $uid = $row["id"];
  192. print Feeds::getGlobalUnread($uid);
  193. if ($fresh) {
  194. print ";";
  195. print Feeds::getFeedArticles(-3, false, true, $uid);
  196. }
  197. } else {
  198. print "-1;User not found";
  199. }
  200. }
  201. function getProfiles() {
  202. $login = clean($_REQUEST["login"]);
  203. $rv = [];
  204. if ($login) {
  205. $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
  206. WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
  207. $sth->execute([$login]);
  208. $rv = [ [ "value" => 0, "label" => __("Default profile") ] ];
  209. while ($line = $sth->fetch()) {
  210. $id = $line["id"];
  211. $title = $line["title"];
  212. array_push($rv, [ "label" => $title, "value" => $id ]);
  213. }
  214. }
  215. print json_encode($rv);
  216. }
  217. function logout() {
  218. logout_user();
  219. header("Location: index.php");
  220. }
  221. function share() {
  222. $uuid = clean($_REQUEST["key"]);
  223. $sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
  224. uuid = ?");
  225. $sth->execute([$uuid]);
  226. if ($row = $sth->fetch()) {
  227. header("Content-Type: text/html");
  228. $id = $row["ref_id"];
  229. $owner_uid = $row["owner_uid"];
  230. print $this->format_article($id, $owner_uid);
  231. } else {
  232. header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
  233. print "Article not found.";
  234. }
  235. }
  236. private function get_article_image($enclosures, $content, $site_url) {
  237. $og_image = false;
  238. foreach ($enclosures as $enc) {
  239. if (strpos($enc["content_type"], "image/") !== FALSE) {
  240. return rewrite_relative_url($site_url, $enc["content_url"]);
  241. }
  242. }
  243. if (!$og_image) {
  244. $tmpdoc = new DOMDocument();
  245. if (@$tmpdoc->loadHTML(mb_substr($content, 0, 131070))) {
  246. $tmpxpath = new DOMXPath($tmpdoc);
  247. $imgs = $tmpxpath->query("//img");
  248. foreach ($imgs as $img) {
  249. $src = $img->getAttribute("src");
  250. if (mb_strpos($src, "data:") !== 0)
  251. return rewrite_relative_url($site_url, $src);
  252. }
  253. }
  254. }
  255. return false;
  256. }
  257. private function format_article($id, $owner_uid) {
  258. $pdo = Db::pdo();
  259. $sth = $pdo->prepare("SELECT id,title,link,content,feed_id,comments,int_id,lang,
  260. ".SUBSTRING_FOR_DATE."(updated,1,16) as updated,
  261. (SELECT site_url FROM ttrss_feeds WHERE id = feed_id) as site_url,
  262. (SELECT title FROM ttrss_feeds WHERE id = feed_id) as feed_title,
  263. (SELECT hide_images FROM ttrss_feeds WHERE id = feed_id) as hide_images,
  264. (SELECT always_display_enclosures FROM ttrss_feeds WHERE id = feed_id) as always_display_enclosures,
  265. num_comments,
  266. tag_cache,
  267. author,
  268. guid,
  269. orig_feed_id,
  270. note
  271. FROM ttrss_entries,ttrss_user_entries
  272. WHERE id = ? AND ref_id = id AND owner_uid = ?");
  273. $sth->execute([$id, $owner_uid]);
  274. $rv = '';
  275. if ($line = $sth->fetch()) {
  276. $line["tags"] = Article::get_article_tags($id, $owner_uid, $line["tag_cache"]);
  277. unset($line["tag_cache"]);
  278. $line["content"] = sanitize($line["content"],
  279. $line['hide_images'],
  280. $owner_uid, $line["site_url"], false, $line["id"]);
  281. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE) as $p) {
  282. $line = $p->hook_render_article($line);
  283. }
  284. $line['content'] = rewrite_cached_urls($line['content']);
  285. $num_comments = (int) $line["num_comments"];
  286. $entry_comments = "";
  287. if ($num_comments > 0) {
  288. if ($line["comments"]) {
  289. $comments_url = htmlspecialchars($line["comments"]);
  290. } else {
  291. $comments_url = htmlspecialchars($line["link"]);
  292. }
  293. $entry_comments = "<a class=\"comments\"
  294. target='_blank' rel=\"noopener noreferrer\" href=\"$comments_url\">$num_comments ".
  295. _ngettext("comment", "comments", $num_comments)."</a>";
  296. } else {
  297. if ($line["comments"] && $line["link"] != $line["comments"]) {
  298. $entry_comments = "<a class=\"comments\" target='_blank' rel=\"noopener noreferrer\" href=\"".
  299. htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
  300. }
  301. }
  302. $enclosures = Article::get_article_enclosures($line["id"]);
  303. header("Content-Type: text/html");
  304. $rv .= "<!DOCTYPE html>
  305. <html><head>
  306. <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  307. <title>".$line["title"]."</title>".
  308. stylesheet_tag("css/default.css")."
  309. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  310. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">";
  311. $rv .= "<meta property=\"og:title\" content=\"".htmlspecialchars($line["title"])."\"/>\n";
  312. $rv .= "<meta property=\"og:site_name\" content=\"".htmlspecialchars($line["feed_title"])."\"/>\n";
  313. $rv .= "<meta property=\"og:description\" content=\"".
  314. htmlspecialchars(truncate_string(strip_tags($line["content"]), 500, "..."))."\"/>\n";
  315. $rv .= "</head>";
  316. $og_image = $this->get_article_image($enclosures, $line['content'], $line["site_url"]);
  317. if ($og_image) {
  318. $rv .= "<meta property=\"og:image\" content=\"" . htmlspecialchars($og_image) . "\"/>";
  319. }
  320. $rv .= "<body class='flat ttrss_utility ttrss_zoom'>";
  321. $rv .= "<div class='post post-$id'>";
  322. /* header */
  323. $rv .= "<div class='header'>";
  324. $rv .= "<div class='row'>"; # row
  325. //$entry_author = $line["author"] ? " - " . $line["author"] : "";
  326. $parsed_updated = make_local_datetime($line["updated"], true,
  327. $owner_uid, true);
  328. if ($line["link"]) {
  329. $rv .= "<div class='title'><a target='_blank' rel='noopener noreferrer'
  330. title=\"".htmlspecialchars($line['title'])."\"
  331. href=\"" .htmlspecialchars($line["link"]) . "\">" . $line["title"] . "</a></div>";
  332. } else {
  333. $rv .= "<div class='title'>" . $line["title"] . "</div>";
  334. }
  335. $rv .= "<div class='date'>$parsed_updated<br/></div>";
  336. $rv .= "</div>"; # row
  337. $rv .= "<div class='row'>"; # row
  338. /* left buttons */
  339. $rv .= "<div class='buttons left'>";
  340. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_LEFT_BUTTON) as $p) {
  341. $rv .= $p->hook_article_left_button($line);
  342. }
  343. $rv .= "</div>";
  344. /* comments */
  345. $rv .= "<div class='comments'>$entry_comments</div>";
  346. $rv .= "<div class='author'>".$line['author']."</div>";
  347. /* tags */
  348. $tags_str = Article::format_tags_string($line["tags"], $id);
  349. $rv .= "<i class='material-icons'>label_outline</i><div>";
  350. $tags_str = strip_tags($tags_str);
  351. $rv .= "<span id=\"ATSTR-$id\">$tags_str</span>";
  352. $rv .= "</div>";
  353. /* buttons */
  354. $rv .= "<div class='buttons right'>";
  355. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_BUTTON) as $p) {
  356. $rv .= $p->hook_article_button($line);
  357. }
  358. $rv .= "</div>";
  359. $rv .= "</div>"; # row
  360. $rv .= "</div>"; # header
  361. /* content */
  362. $lang = $line['lang'] ? $line['lang'] : "en";
  363. $rv .= "<div class=\"content\" lang=\"$lang\">";
  364. /* content body */
  365. $rv .= $line["content"];
  366. $rv .= Article::format_article_enclosures($id,
  367. $line["always_display_enclosures"],
  368. $line["content"],
  369. $line["hide_images"]);
  370. $rv .= "</div>"; # content
  371. $rv .= "</div>"; # post
  372. }
  373. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_FORMAT_ARTICLE) as $p) {
  374. $rv = $p->hook_format_article($rv, $line, true);
  375. }
  376. return $rv;
  377. }
  378. function rss() {
  379. $feed = clean($_REQUEST["id"]);
  380. $key = clean($_REQUEST["key"]);
  381. $is_cat = clean($_REQUEST["is_cat"]);
  382. $limit = (int)clean($_REQUEST["limit"]);
  383. $offset = (int)clean($_REQUEST["offset"]);
  384. $search = clean($_REQUEST["q"]);
  385. $view_mode = clean($_REQUEST["view-mode"]);
  386. $order = clean($_REQUEST["order"]);
  387. $start_ts = clean($_REQUEST["ts"]);
  388. $format = clean($_REQUEST['format']);
  389. $orig_guid = clean($_REQUEST["orig_guid"]);
  390. if (!$format) $format = 'atom';
  391. if (SINGLE_USER_MODE) {
  392. authenticate_user("admin", null);
  393. }
  394. $owner_id = false;
  395. if ($key) {
  396. $sth = $this->pdo->prepare("SELECT owner_uid FROM
  397. ttrss_access_keys WHERE access_key = ? AND feed_id = ?");
  398. $sth->execute([$key, $feed]);
  399. if ($row = $sth->fetch())
  400. $owner_id = $row["owner_uid"];
  401. }
  402. if ($owner_id) {
  403. $this->generate_syndicated_feed($owner_id, $feed, $is_cat, $limit,
  404. $offset, $search, $view_mode, $format, $order, $orig_guid, $start_ts);
  405. } else {
  406. header('HTTP/1.1 403 Forbidden');
  407. }
  408. }
  409. function updateTask() {
  410. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_UPDATE_TASK, "hook_update_task", false);
  411. }
  412. function housekeepingTask() {
  413. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_HOUSE_KEEPING, "hook_house_keeping", false);
  414. }
  415. function globalUpdateFeeds() {
  416. RPC::updaterandomfeed_real();
  417. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_UPDATE_TASK, "hook_update_task", false);
  418. }
  419. function sharepopup() {
  420. if (SINGLE_USER_MODE) {
  421. login_sequence();
  422. }
  423. header('Content-Type: text/html; charset=utf-8');
  424. print "<html><head><title>Tiny Tiny RSS</title>
  425. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  426. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">";
  427. echo stylesheet_tag("css/default.css");
  428. echo javascript_tag("lib/prototype.js");
  429. echo javascript_tag("lib/scriptaculous/scriptaculous.js?load=effects,controls");
  430. print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  431. </head><body id='sharepopup' class='ttrss_utility'>";
  432. $action = clean($_REQUEST["action"]);
  433. if ($_SESSION["uid"]) {
  434. if ($action == 'share') {
  435. $title = strip_tags(clean($_REQUEST["title"]));
  436. $url = strip_tags(clean($_REQUEST["url"]));
  437. $content = strip_tags(clean($_REQUEST["content"]));
  438. $labels = strip_tags(clean($_REQUEST["labels"]));
  439. Article::create_published_article($title, $url, $content, $labels,
  440. $_SESSION["uid"]);
  441. print "<script type='text/javascript'>";
  442. print "window.close();";
  443. print "</script>";
  444. } else {
  445. $title = htmlspecialchars(clean($_REQUEST["title"]));
  446. $url = htmlspecialchars(clean($_REQUEST["url"]));
  447. ?>
  448. <table height='100%' width='100%' class="panel"><tr><td colspan='2'>
  449. <h1><?php echo __("Share with Tiny Tiny RSS") ?></h1>
  450. </td></tr>
  451. <form id='share_form' name='share_form'>
  452. <input type="hidden" name="op" value="sharepopup">
  453. <input type="hidden" name="action" value="share">
  454. <tr><td align='right'><?php echo __("Title:") ?></td>
  455. <td width='80%'><input name='title' value="<?php echo $title ?>"></td></tr>
  456. <tr><td align='right'><?php echo __("URL:") ?></td>
  457. <td><input name='url' value="<?php echo $url ?>"></td></tr>
  458. <tr><td align='right'><?php echo __("Content:") ?></td>
  459. <td><input name='content' value=""></td></tr>
  460. <tr><td align='right'><?php echo __("Labels:") ?></td>
  461. <td><input name='labels' id="labels_value"
  462. placeholder='Alpha, Beta, Gamma' value="">
  463. </td></tr>
  464. <tr><td>
  465. <div class="autocomplete" id="labels_choices"
  466. style="display : block"></div></td></tr>
  467. <script type='text/javascript'>document.forms[0].title.focus();</script>
  468. <script type='text/javascript'>
  469. new Ajax.Autocompleter('labels_value', 'labels_choices',
  470. "backend.php?op=rpc&method=completeLabels",
  471. { tokens: ',', paramName: "search" });
  472. </script>
  473. <tr><td colspan='2'>
  474. <div style='float : right' class='insensitive-small'>
  475. <?php echo __("Shared article will appear in the Published feed.") ?>
  476. </div>
  477. <button type="submit"><?php echo __('Share') ?></button>
  478. <button onclick="return window.close()"><?php echo __('Cancel') ?></button>
  479. </td>
  480. </form>
  481. </td></tr></table>
  482. </body></html>
  483. <?php
  484. }
  485. } else {
  486. $return = urlencode($_SERVER["REQUEST_URI"])
  487. ?>
  488. <form action="public.php?return=<?php echo $return ?>"
  489. method="POST" id="loginForm" name="loginForm">
  490. <input type="hidden" name="op" value="login">
  491. <table height='100%' width='100%'><tr><td colspan='2'>
  492. <h1><?php echo __("Not logged in") ?></h1></td></tr>
  493. <tr><td align="right"><?php echo __("Login:") ?></td>
  494. <td align="right"><input name="login"
  495. value="<?php echo $_SESSION["fake_login"] ?>"></td></tr>
  496. <tr><td align="right"><?php echo __("Password:") ?></td>
  497. <td align="right"><input type="password" name="password"
  498. value="<?php echo $_SESSION["fake_password"] ?>"></td></tr>
  499. <tr><td colspan='2'>
  500. <button type="submit">
  501. <?php echo __('Log in') ?></button>
  502. <button onclick="return window.close()">
  503. <?php echo __('Cancel') ?></button>
  504. </td></tr>
  505. </table>
  506. </form>
  507. <?php
  508. }
  509. }
  510. function login() {
  511. if (!SINGLE_USER_MODE) {
  512. $login = clean($_POST["login"]);
  513. $password = clean($_POST["password"]);
  514. $remember_me = clean($_POST["remember_me"]);
  515. if ($remember_me) {
  516. session_set_cookie_params(SESSION_COOKIE_LIFETIME);
  517. } else {
  518. session_set_cookie_params(0);
  519. }
  520. if (authenticate_user($login, $password)) {
  521. $_POST["password"] = "";
  522. if (get_schema_version() >= 120) {
  523. $_SESSION["language"] = get_pref("USER_LANGUAGE", $_SESSION["uid"]);
  524. }
  525. $_SESSION["ref_schema_version"] = get_schema_version(true);
  526. $_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]);
  527. if (clean($_POST["profile"])) {
  528. $profile = (int) clean($_POST["profile"]);
  529. $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
  530. WHERE id = ? AND owner_uid = ?");
  531. $sth->execute([$profile, $_SESSION['uid']]);
  532. if ($sth->fetch()) {
  533. $_SESSION["profile"] = $profile;
  534. } else {
  535. $_SESSION["profile"] = null;
  536. }
  537. }
  538. } else {
  539. // start an empty session to deliver login error message
  540. @session_start();
  541. if (!isset($_SESSION["login_error_msg"]))
  542. $_SESSION["login_error_msg"] = __("Incorrect username or password");
  543. user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
  544. }
  545. if (clean($_REQUEST['return'])) {
  546. header("Location: " . clean($_REQUEST['return']));
  547. } else {
  548. header("Location: " . get_self_url_prefix());
  549. }
  550. }
  551. }
  552. /* function subtest() {
  553. header("Content-type: text/plain; charset=utf-8");
  554. $url = clean($_REQUEST["url"]);
  555. print "$url\n\n";
  556. print_r(get_feeds_from_html($url, fetch_file_contents($url)));
  557. } */
  558. function subscribe() {
  559. if (SINGLE_USER_MODE) {
  560. login_sequence();
  561. }
  562. if ($_SESSION["uid"]) {
  563. $feed_url = trim(clean($_REQUEST["feed_url"]));
  564. header('Content-Type: text/html; charset=utf-8');
  565. print "<html>
  566. <head>
  567. <title>Tiny Tiny RSS</title>";
  568. print stylesheet_tag("css/default.css");
  569. print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  570. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  571. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">
  572. </head>
  573. <body class='claro ttrss_utility'>
  574. <div class=\"container\">
  575. <h1>".__("Subscribe to feed...")."</h1><div class='content'>";
  576. $rc = Feeds::subscribe_to_feed($feed_url);
  577. switch ($rc['code']) {
  578. case 0:
  579. print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
  580. break;
  581. case 1:
  582. print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
  583. break;
  584. case 2:
  585. print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
  586. break;
  587. case 3:
  588. print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
  589. break;
  590. case 4:
  591. print_notice(__("Multiple feed URLs found."));
  592. $feed_urls = $rc["feeds"];
  593. break;
  594. case 5:
  595. print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
  596. break;
  597. }
  598. if ($feed_urls) {
  599. print "<form action=\"public.php\">";
  600. print "<input type=\"hidden\" name=\"op\" value=\"subscribe\">";
  601. print "<select name=\"feed_url\">";
  602. foreach ($feed_urls as $url => $name) {
  603. $url = htmlspecialchars($url);
  604. $name = htmlspecialchars($name);
  605. print "<option value=\"$url\">$name</option>";
  606. }
  607. print "<input type=\"submit\" value=\"".__("Subscribe to selected feed").
  608. "\">";
  609. print "</form>";
  610. }
  611. $tp_uri = get_self_url_prefix() . "/prefs.php";
  612. $tt_uri = get_self_url_prefix();
  613. if ($rc['code'] <= 2){
  614. $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
  615. feed_url = ? AND owner_uid = ?");
  616. $sth->execute([$feed_url, $_SESSION['uid']]);
  617. $row = $sth->fetch();
  618. $feed_id = $row["id"];
  619. } else {
  620. $feed_id = 0;
  621. }
  622. print "<p>";
  623. if ($feed_id) {
  624. print "<form method=\"GET\" style='display: inline'
  625. action=\"$tp_uri\">
  626. <input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
  627. <input type=\"hidden\" name=\"method\" value=\"editfeed\">
  628. <input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
  629. <input type=\"submit\" value=\"".__("Edit subscription options")."\">
  630. </form>";
  631. }
  632. print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
  633. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  634. </form></p>";
  635. print "</div></div></body></html>";
  636. } else {
  637. render_login_form();
  638. }
  639. }
  640. function index() {
  641. header("Content-Type: text/plain");
  642. print error_json(13);
  643. }
  644. function forgotpass() {
  645. startup_gettext();
  646. @$hash = clean($_REQUEST["hash"]);
  647. header('Content-Type: text/html; charset=utf-8');
  648. print "<html><head><title>Tiny Tiny RSS</title>
  649. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  650. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">";
  651. echo stylesheet_tag("lib/dijit/themes/claro/claro.css");
  652. echo stylesheet_tag("css/default.css");
  653. echo javascript_tag("lib/prototype.js");
  654. print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  655. </head><body class='claro ttrss_utility'><div class='container'>";
  656. print "<h1>".__("Password recovery")."</h1>";
  657. print "<div class='content'>";
  658. @$method = clean($_POST['method']);
  659. if ($hash) {
  660. $login = clean($_REQUEST["login"]);
  661. if ($login) {
  662. $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
  663. WHERE login = ?");
  664. $sth->execute([$login]);
  665. if ($row = $sth->fetch()) {
  666. $id = $row["id"];
  667. $resetpass_token_full = $row["resetpass_token"];
  668. list($timestamp, $resetpass_token) = explode(":", $resetpass_token_full);
  669. if ($timestamp && $resetpass_token &&
  670. $timestamp >= time() - 15*60*60 &&
  671. $resetpass_token == $hash) {
  672. $sth = $this->pdo->prepare("UPDATE ttrss_users SET resetpass_token = NULL
  673. WHERE id = ?");
  674. $sth->execute([$id]);
  675. Pref_Users::resetUserPassword($id, true);
  676. print "<p>"."Completed."."</p>";
  677. } else {
  678. print_error("Some of the information provided is missing or incorrect.");
  679. }
  680. } else {
  681. print_error("Some of the information provided is missing or incorrect.");
  682. }
  683. } else {
  684. print_error("Some of the information provided is missing or incorrect.");
  685. }
  686. print "<hr/>";
  687. print "<form method=\"GET\" action=\"index.php\">
  688. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  689. </form>";
  690. } else if (!$method) {
  691. print_notice(__("You will need to provide valid account name and email. Password reset link will be sent to your email address."));
  692. print "<form method='POST' action='public.php'>";
  693. print "<input type='hidden' name='method' value='do'>";
  694. print "<input type='hidden' name='op' value='forgotpass'>";
  695. print "<fieldset>";
  696. print "<label>".__("Login:")."</label>";
  697. print "<input class='input input-text' type='text' name='login' value='' required>";
  698. print "</fieldset>";
  699. print "<fieldset>";
  700. print "<label>".__("Email:")."</label>";
  701. print "<input class='input input-text' type='email' name='email' value='' required>";
  702. print "</fieldset>";
  703. print "<fieldset>";
  704. print "<label>".__("How much is two plus two:")."</label>";
  705. print "<input class='input input-text' type='text' name='test' value='' required>";
  706. print "</fieldset>";
  707. print "<hr/>";
  708. print "<fieldset>";
  709. print "<button type='submit'>".__("Reset password")."</button>";
  710. print "</fieldset>";
  711. print "</form>";
  712. } else if ($method == 'do') {
  713. $login = clean($_POST["login"]);
  714. $email = clean($_POST["email"]);
  715. $test = clean($_POST["test"]);
  716. if (($test != 4 && $test != 'four') || !$email || !$login) {
  717. print_error(__('Some of the required form parameters are missing or incorrect.'));
  718. print "<form method=\"GET\" action=\"public.php\">
  719. <input type=\"hidden\" name=\"op\" value=\"forgotpass\">
  720. <input type=\"submit\" value=\"".__("Go back")."\">
  721. </form>";
  722. } else {
  723. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users
  724. WHERE login = ? AND email = ?");
  725. $sth->execute([$login, $email]);
  726. if ($row = $sth->fetch()) {
  727. print_notice("Password reset instructions are being sent to your email address.");
  728. $id = $row["id"];
  729. if ($id) {
  730. $resetpass_token = sha1(get_random_bytes(128));
  731. $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token .
  732. "&login=" . urlencode($login);
  733. require_once "lib/MiniTemplator.class.php";
  734. $tpl = new MiniTemplator;
  735. $tpl->readTemplateFromFile("templates/resetpass_link_template.txt");
  736. $tpl->setVariable('LOGIN', $login);
  737. $tpl->setVariable('RESETPASS_LINK', $resetpass_link);
  738. $tpl->addBlock('message');
  739. $message = "";
  740. $tpl->generateOutputToString($message);
  741. $mailer = new Mailer();
  742. $rc = $mailer->mail(["to_name" => $login,
  743. "to_address" => $email,
  744. "subject" => __("[tt-rss] Password reset request"),
  745. "message" => $message]);
  746. if (!$rc) print_error($mailer->error());
  747. $resetpass_token_full = time() . ":" . $resetpass_token;
  748. $sth = $this->pdo->prepare("UPDATE ttrss_users
  749. SET resetpass_token = ?
  750. WHERE login = ? AND email = ?");
  751. $sth->execute([$resetpass_token_full, $login, $email]);
  752. //Pref_Users::resetUserPassword($id, false);
  753. print "<p>";
  754. print "<p>"."Completed."."</p>";
  755. } else {
  756. print_error("User ID not found.");
  757. }
  758. print "<hr/>";
  759. print "<form method=\"GET\" action=\"index.php\">
  760. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  761. </form>";
  762. } else {
  763. print_error(__("Sorry, login and email combination not found."));
  764. print "<hr/>";
  765. print "<form method=\"GET\" action=\"public.php\">
  766. <input type=\"hidden\" name=\"op\" value=\"forgotpass\">
  767. <input type=\"submit\" value=\"".__("Go back")."\">
  768. </form>";
  769. }
  770. }
  771. }
  772. print "</div>";
  773. print "</div>";
  774. print "</body>";
  775. print "</html>";
  776. }
  777. function dbupdate() {
  778. startup_gettext();
  779. if (!SINGLE_USER_MODE && $_SESSION["access_level"] < 10) {
  780. $_SESSION["login_error_msg"] = __("Your access level is insufficient to run this script.");
  781. render_login_form();
  782. exit;
  783. }
  784. ?><html>
  785. <head>
  786. <title>Database Updater</title>
  787. <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  788. <?php echo stylesheet_tag("css/default.css") ?>
  789. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  790. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">
  791. </head>
  792. <style type="text/css">
  793. span.ok { color : #009000; font-weight : bold; }
  794. span.err { color : #ff0000; font-weight : bold; }
  795. </style>
  796. <body class="claro ttrss_utility">
  797. <script type='text/javascript'>
  798. function confirmOP() {
  799. return confirm("Update the database?");
  800. }
  801. </script>
  802. <div class="container">
  803. <h1><?php echo __("Database Updater") ?></h1>
  804. <div class="content">
  805. <?php
  806. @$op = clean($_REQUEST["subop"]);
  807. $updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION);
  808. if ($op == "performupdate") {
  809. if ($updater->isUpdateRequired()) {
  810. print "<h2>Performing updates</h2>";
  811. print "<h3>Updating to schema version " . SCHEMA_VERSION . "</h3>";
  812. print "<ul>";
  813. for ($i = $updater->getSchemaVersion() + 1; $i <= SCHEMA_VERSION; $i++) {
  814. print "<li>Performing update up to version $i...";
  815. $result = $updater->performUpdateTo($i, true);
  816. if (!$result) {
  817. print "<span class='err'>FAILED!</span></li></ul>";
  818. print_warning("One of the updates failed. Either retry the process or perform updates manually.");
  819. print "<p><form method=\"GET\" action=\"index.php\">
  820. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  821. </form>";
  822. return;
  823. } else {
  824. print "<span class='ok'>OK!</span></li>";
  825. }
  826. }
  827. print "</ul>";
  828. print_notice("Your Tiny Tiny RSS database is now updated to the latest version.");
  829. print "<hr/>";
  830. print "<p><form method=\"GET\" action=\"index.php\">
  831. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  832. </form>";
  833. } else {
  834. print "<h2>Your database is up to date.</h2>";
  835. print "<hr/>";
  836. print "<p><form method=\"GET\" action=\"index.php\">
  837. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  838. </form>";
  839. }
  840. } else {
  841. if ($updater->isUpdateRequired()) {
  842. print "<h2>Database update required</h2>";
  843. print_notice("<h4>".
  844. sprintf("Your Tiny Tiny RSS database needs update to the latest version: %d to %d.",
  845. $updater->getSchemaVersion(), SCHEMA_VERSION).
  846. "</h4>");
  847. print_warning("Please backup your database before proceeding.");
  848. print "<form method='POST'>
  849. <input type='hidden' name='subop' value='performupdate'>
  850. <input type='submit' onclick='return confirmOP()' value='".__("Perform updates")."'>
  851. </form>";
  852. } else {
  853. print_notice("Tiny Tiny RSS database is up to date.");
  854. print "<hr/>";
  855. print "<p><form method=\"GET\" action=\"index.php\">
  856. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  857. </form>";
  858. }
  859. }
  860. ?>
  861. </div>
  862. </div>
  863. </body>
  864. </html>
  865. <?php
  866. }
  867. function cached_url() {
  868. @$req_filename = basename($_GET['hash']);
  869. // we don't need an extension to find the file, hash is a complete URL
  870. $hash = preg_replace("/\.[^\.]*$/", "", $req_filename);
  871. if ($hash) {
  872. $filename = CACHE_DIR . '/images/' . $hash;
  873. if (file_exists($filename)) {
  874. header("Content-Disposition: inline; filename=\"$req_filename\"");
  875. send_local_file($filename);
  876. } else {
  877. header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
  878. echo "File not found.";
  879. }
  880. }
  881. }
  882. private function make_article_tag_uri($id, $timestamp) {
  883. $timestamp = date("Y-m-d", strtotime($timestamp));
  884. return "tag:" . parse_url(get_self_url_prefix(), PHP_URL_HOST) . ",$timestamp:/$id";
  885. }
  886. // this should be used very carefully because this endpoint is exposed to unauthenticated users
  887. // plugin data is not loaded because there's no user context and owner_uid/session may or may not be available
  888. // in general, don't do anything user-related in here and do not modify $_SESSION
  889. public function pluginhandler() {
  890. $host = new PluginHost();
  891. $plugin = basename(clean($_REQUEST["plugin"]));
  892. $method = clean($_REQUEST["pmethod"]);
  893. $host->load($plugin, PluginHost::KIND_USER, 0);
  894. $host->load_data();
  895. $pclass = $host->get_plugin($plugin);
  896. if ($pclass) {
  897. if (method_exists($pclass, $method)) {
  898. if ($pclass->is_public_method($method)) {
  899. $pclass->$method();
  900. } else {
  901. header("Content-Type: text/json");
  902. print error_json(6);
  903. }
  904. } else {
  905. header("Content-Type: text/json");
  906. print error_json(13);
  907. }
  908. } else {
  909. header("Content-Type: text/json");
  910. print error_json(14);
  911. }
  912. }
  913. }
  914. ?>