diff options
author | Andrew Dolgov <[email protected]> | 2010-11-08 13:11:56 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2010-11-08 13:15:00 +0300 |
commit | 8801fb017ccd6e2c052ab449eed3ee1eb5b7e982 (patch) | |
tree | 97ce0dfd050cb22fc999c546bb9a9b8ce5277e89 | |
parent | 811bea05221c3704037eaba860a70f42eb45994b (diff) |
replace old-style published feed with universal secretkey-based approach used for all feeds; do not allow user/pass handling in generated feed urls; bump schema
-rw-r--r-- | backend.php | 32 | ||||
-rw-r--r-- | functions.js | 45 | ||||
-rw-r--r-- | functions.php | 100 | ||||
-rw-r--r-- | modules/backend-rpc.php | 33 | ||||
-rw-r--r-- | modules/popup-dialog.php | 60 | ||||
-rw-r--r-- | modules/pref-feeds.php | 12 | ||||
-rw-r--r-- | prefs.js | 37 | ||||
-rw-r--r-- | sanity_check.php | 2 | ||||
-rw-r--r-- | schema/ttrss_schema_mysql.sql | 10 | ||||
-rw-r--r-- | schema/ttrss_schema_pgsql.sql | 9 | ||||
-rw-r--r-- | schema/versions/mysql/69.sql | 12 | ||||
-rw-r--r-- | schema/versions/pgsql/69.sql | 11 |
12 files changed, 226 insertions, 137 deletions
diff --git a/backend.php b/backend.php index 761fc0dc0..9951366cd 100644 --- a/backend.php +++ b/backend.php @@ -466,31 +466,10 @@ module_pref_feed_browser($link); break; // pref-feed-browser - case "publish": - $key = db_escape_string($_REQUEST["key"]); - $limit = (int)db_escape_string($_REQUEST["limit"]); - - $result = db_query($link, "SELECT login, owner_uid - FROM ttrss_user_prefs, ttrss_users WHERE - pref_name = '_PREFS_PUBLISH_KEY' AND - value = '$key' AND - ttrss_users.id = owner_uid"); - - if (db_num_rows($result) == 1) { - $owner = db_fetch_result($result, 0, "owner_uid"); - $login = db_fetch_result($result, 0, "login"); - - generate_syndicated_feed($link, $owner, -2, false, $limit); - - } else { - print "<error>User not found</error>"; - } - break; // publish - case "rss": $feed = db_escape_string($_REQUEST["id"]); $user = db_escape_string($_REQUEST["user"]); - $pass = db_escape_string($_REQUEST["pass"]); + $key = db_escape_string($_REQUEST["key"]); $is_cat = $_REQUEST["is_cat"] != false; $limit = (int)db_escape_string($_REQUEST["limit"]); @@ -503,8 +482,13 @@ authenticate_user($link, "admin", null); } - if (!$_SESSION["uid"] && $user && $pass) { - authenticate_user($link, $user, $pass); + if ($key && !$_SESSION["uid"]) { + $result = db_query($link, "SELECT owner_uid FROM + ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'"); + + if (db_num_rows($result) == 1) + $_SESSION["uid"] = db_fetch_result($result, 0, "owner_uid"); + } if ($_SESSION["uid"] || http_authenticate_user($link)) { diff --git a/functions.js b/functions.js index f3ae1965e..f3756051f 100644 --- a/functions.js +++ b/functions.js @@ -2216,3 +2216,48 @@ function quickAddCat(select) { exception_error("quickAddCat", e); } } + +function genUrlChangeKey(feed, is_cat) { + + try { + var ok = confirm(__("Generate new syndication address for this feed?")); + + if (ok) { + + notify_progress("Trying to change address...", true); + + var query = "?op=rpc&subop=regenFeedKey&id=" + param_escape(feed) + + "&is_cat=" + param_escape(is_cat); + + new Ajax.Request("backend.php", { + parameters: query, + onComplete: function(transport) { + var new_link = transport.responseXML.getElementsByTagName("link")[0]; + + var e = $('gen_feed_url'); + + if (new_link) { + + new_link = new_link.firstChild.nodeValue; + + e.innerHTML = e.innerHTML.replace(/\&key=.*$/, + "&key=" + new_link); + + e.href = e.href.replace(/\&key=.*$/, + "&key=" + new_link); + + new Effect.Highlight(e); + + notify(''); + + } else { + notify_error("Could not change feed URL."); + } + } }); + } + } catch (e) { + exception_error("genUrlChangeKey", e); + } + return false; +} + diff --git a/functions.php b/functions.php index c81026ae4..059e968af 100644 --- a/functions.php +++ b/functions.php @@ -4203,12 +4203,19 @@ $search_q = ""; } - $rss_link = "backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q"; + $rss_link = htmlspecialchars(get_self_url_prefix() . + "/backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q"); + + #print " + # <a target=\"_blank\" + # title=\"".__("View as RSS feed")."\" + # href=\"$rss_link\"> + # <img class=\"noborder\" src=\"images/feed-icon-12x12.png\"></a>"; print " - <a target=\"_blank\" + <a href=\"#\" title=\"".__("View as RSS feed")."\" - href=\"$rss_link\"> + onclick=\"displayDlg('generatedFeed', '$feed_id:$is_cat:$rss_link')\"> <img class=\"noborder\" src=\"images/feed-icon-12x12.png\"></a>"; print "</div>"; @@ -5110,9 +5117,9 @@ $vgroup_last_feed = $vgr_last_feed; - if ($feed == -2) { +/* if ($feed == -2) { $feed_site_url = article_publish_url($link); - } + } */ /// STOP ////////////////////////////////////////////////////////////////////////////////// @@ -5730,15 +5737,10 @@ return $tag; } - function generate_publish_key() { - return sha1(uniqid(rand(), true)); - } - - function article_publish_url($link) { + function get_self_url_prefix() { $url_path = ""; - - + if ($_SERVER['HTTPS'] != "on") { $url_path = "http://"; } else { @@ -5746,22 +5748,13 @@ } $url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); - $url_path .= "/backend.php?op=publish&key=" . - get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]); return $url_path; - } - function opml_publish_url($link){ - $url_path = ""; - - if ($_SERVER['HTTPS'] != "on") { - $url_path = "http://"; - } else { - $url_path = "https://"; - } + } + function opml_publish_url($link){ - $url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); + $url_path = get_self_url_prefix(); $url_path .= "/opml.php?op=publish&key=" . get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]); @@ -6368,6 +6361,13 @@ if (db_affected_rows($link, $result) != 0 && $caption) { + /* Remove access key for the label */ + + $ext_id = -11 - $id; + + db_query($link, "DELETE FROM ttrss_access_keys WHERE + feed_id = '$ext_id' AND owner_uid = $owner_uid"); + /* Disable filters that reference label being removed */ db_query($link, "UPDATE ttrss_filters SET @@ -6559,6 +6559,11 @@ orig_feed_id = '$id' WHERE feed_id = '$id' AND marked = true AND owner_uid = $owner_uid"); + /* Remove access key for the feed */ + + db_query($link, "DELETE FROM ttrss_access_keys WHERE + feed_id = '$id' AND owner_uid = $owner_uid"); + /* remove the feed */ db_query($link, "DELETE FROM ttrss_feeds @@ -6899,4 +6904,51 @@ if (!in_array($email, $_SESSION['stored_emails'])) array_push($_SESSION['stored_emails'], $email); } + + function update_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) { + if (!$owner_uid) $owner_uid = $_SESSION["uid"]; + + $sql_is_cat = bool_to_sql_bool($is_cat); + + $result = db_query($link, "SELECT access_key FROM ttrss_access_keys + WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat + AND owner_uid = " . $owner_uid); + + if (db_num_rows($result) == 1) { + $key = db_escape_string(sha1(uniqid(rand(), true))); + + db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key' + WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat + AND owner_uid = " . $owner_uid); + + return $key; + + } else { + return get_feed_access_key($link, $feed_id, $is_cat, $owner_uid); + } + } + + function get_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) { + + if (!$owner_uid) $owner_uid = $_SESSION["uid"]; + + $sql_is_cat = bool_to_sql_bool($is_cat); + + $result = db_query($link, "SELECT access_key FROM ttrss_access_keys + WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat + AND owner_uid = " . $owner_uid); + + if (db_num_rows($result) == 1) { + return db_fetch_result($result, 0, "access_key"); + } else { + $key = db_escape_string(sha1(uniqid(rand(), true))); + + $result = db_query($link, "INSERT INTO ttrss_access_keys + (access_key, feed_id, is_cat, owner_uid) + VALUES ('$key', '$feed_id', $sql_is_cat, '$owner_uid')"); + + return $key; + } + return false; + } ?> diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php index 4a82a888b..1bf41d299 100644 --- a/modules/backend-rpc.php +++ b/modules/backend-rpc.php @@ -464,25 +464,11 @@ return; } - if ($subop == "regenPubKey") { - - print "<rpc-reply>"; - - set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]); - - $new_link = article_publish_url($link); - - print "<link><![CDATA[$new_link]]></link>"; - - print "</rpc-reply>"; - - return; - } - if ($subop == "regenOPMLKey") { print "<rpc-reply>"; - set_pref($link, " _PREFS_OPML_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]); + set_pref($link, " _PREFS_OPML_PUBLISH_KEY", + sha1(uniqid(rand(), true)), $_SESSION["uid"]); $new_link = opml_publish_url($link); print "<link><![CDATA[$new_link]]></link>"; print "</rpc-reply>"; @@ -1119,6 +1105,21 @@ return; } + if ($subop == "regenFeedKey") { + $feed_id = db_escape_string($_REQUEST['id']); + $is_cat = (bool) db_escape_string($_REQUEST['is_cat']); + + print "<rpc-reply>"; + + $new_key = update_feed_access_key($link, $feed_id, $is_cat); + + print "<link><![CDATA[$new_key]]></link>"; + + print "</rpc-reply>"; + + return; + } + print "<rpc-reply><error>Unknown method: $subop</error></rpc-reply>"; } ?> diff --git a/modules/popup-dialog.php b/modules/popup-dialog.php index 54f4a3e61..61efd4c99 100644 --- a/modules/popup-dialog.php +++ b/modules/popup-dialog.php @@ -158,33 +158,6 @@ return; } - if ($id == "pubUrl") { - - print "<div id=\"infoBoxTitle\">".__('Published Articles')."</div>"; - print "<div class=\"infoBoxContents\">"; - - $url_path = article_publish_url($link); - - print __("Your Published articles feed URL is:"); - - print "<div class=\"tagCloudContainer\">"; - print "<a id='pub_feed_url' href='$url_path' target='_blank'>$url_path</a>"; - print "</div>"; - - print "<div align='center'>"; - - print "<button onclick=\"return pubRegenKey()\">". - __('Generate new URL')."</button> "; - - print "<input class=\"button\" - type=\"submit\" onclick=\"return closeInfoBox()\" - value=\"".__('Close this window')."\">"; - - print "</div></div>"; - - return; - } - if ($id == "pubOPMLUrl") { print "<div id=\"infoBoxTitle\">".__('Public OPML URL')."</div>"; @@ -777,6 +750,39 @@ return; } + if ($id == "generatedFeed") { + + print "<div id=\"infoBoxTitle\">".__('View as RSS')."</div>"; + print "<div class=\"infoBoxContents\">"; + + $params = explode(":", $param, 3); + $feed_id = db_escape_string($params[0]); + $is_cat = (bool) $params[1]; + + $key = get_feed_access_key($link, $feed_id, $is_cat); + + $url_path = htmlspecialchars($params[2]) . "&key=" . $key; + + print __("You can view this feed as RSS using the following URL:"); + + print "<div class=\"tagCloudContainer\">"; + print "<a id='gen_feed_url' href='$url_path' target='_blank'>$url_path</a>"; + print "</div>"; + + print "<div align='center'>"; + + print "<button onclick=\"return genUrlChangeKey('$feed_id', '$is_cat')\">". + __('Generate new URL')."</button> "; + + print "<input class=\"button\" + type=\"submit\" onclick=\"return closeInfoBox()\" + value=\"".__('Close this window')."\">"; + + print "</div></div>"; + + return; + } + print "<div id='infoBoxTitle'>Internal Error</div> <div id='infoBoxContents'> <p>Unknown dialog <b>$id</b></p> diff --git a/modules/pref-feeds.php b/modules/pref-feeds.php index 7a436cfd2..de9166fe4 100644 --- a/modules/pref-feeds.php +++ b/modules/pref-feeds.php @@ -1447,7 +1447,8 @@ __('Export OPML')."</button>"; if (!get_pref($link, "_PREFS_OPML_PUBLISH_KEY")){ - set_pref($link, "_PREFS_OPML_PUBLISH_KEY", generate_publish_key()); + set_pref($link, "_PREFS_OPML_PUBLISH_KEY", + sha1(uniqid(rand(), true))); } print "<p>".__('Your OPML can be published publicly and can be subscribed by anyone who knows the URL below.'); @@ -1489,13 +1490,12 @@ print "<h3>".__("Published articles")."</h3>"; - if (!get_pref($link, "_PREFS_PUBLISH_KEY")) { - set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key()); - } - print "<p>".__('Published articles are exported as a public RSS feed and can be subscribed by anyone who knows the URL specified below.')."</p>"; - print "<button onclick=\"return displayDlg('pubUrl')\">". + $rss_url = '-2::' . htmlspecialchars(get_self_url_prefix() . + "/backend.php?op=rss&id=-2&view-mode=all_articles");; + + print "<button onclick=\"return displayDlg('generatedFeed', '$rss_url')\">". __('Display URL')."</button> "; @@ -1569,43 +1569,6 @@ function feedlistToggleSLAT() { updateFeedList() } -function pubRegenKey() { - - try { - var ok = confirm(__("Replace current publishing address with a new one?")); - - if (ok) { - - notify_progress("Trying to change address...", true); - - var query = "?op=rpc&subop=regenPubKey"; - - new Ajax.Request("backend.php", { - parameters: query, - onComplete: function(transport) { - var new_link = transport.responseXML.getElementsByTagName("link")[0]; - - var e = $('pub_feed_url'); - - if (new_link) { - e.href = new_link.firstChild.nodeValue; - e.innerHTML = new_link.firstChild.nodeValue; - - new Effect.Highlight(e); - - notify(''); - - } else { - notify_error("Could not change feed URL."); - } - } }); - } - } catch (e) { - exception_error("pubRegenKey", e); - } - return false; -} - function opmlRegenKey() { try { diff --git a/sanity_check.php b/sanity_check.php index 7b9c1199c..437ac0a03 100644 --- a/sanity_check.php +++ b/sanity_check.php @@ -2,7 +2,7 @@ require_once "functions.php"; define('EXPECTED_CONFIG_VERSION', 19); - define('SCHEMA_VERSION', 68); + define('SCHEMA_VERSION', 69); if (!file_exists("config.php")) { print "<b>Fatal Error</b>: You forgot to copy diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql index bbcc729c0..33c1f3d95 100644 --- a/schema/ttrss_schema_mysql.sql +++ b/schema/ttrss_schema_mysql.sql @@ -1,6 +1,7 @@ SET NAMES utf8; SET CHARACTER SET utf8; +drop table if exists ttrss_access_keys; drop table if exists ttrss_user_labels2; drop table if exists ttrss_labels2; drop table if exists ttrss_feedbrowser_cache; @@ -241,7 +242,7 @@ create table ttrss_tags (id integer primary key auto_increment, create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8; -insert into ttrss_version values (68); +insert into ttrss_version values (69); create table ttrss_enclosures (id integer primary key auto_increment, content_url text not null, @@ -446,4 +447,11 @@ create table ttrss_user_labels2 (label_id integer not null, foreign key (article_id) references ttrss_entries(id) ON DELETE CASCADE ) TYPE=InnoDB DEFAULT CHARSET=UTF8; +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat bool not null default false, + owner_uid integer not null, + foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8; + commit; diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql index 64d00dda7..69753aa3c 100644 --- a/schema/ttrss_schema_pgsql.sql +++ b/schema/ttrss_schema_pgsql.sql @@ -1,3 +1,4 @@ +drop table ttrss_access_keys; drop table ttrss_user_labels2; drop table ttrss_labels2; drop table ttrss_feedbrowser_cache; @@ -213,7 +214,7 @@ create index ttrss_tags_owner_uid_index on ttrss_tags(owner_uid); create table ttrss_version (schema_version int not null); -insert into ttrss_version values (68); +insert into ttrss_version values (69); create table ttrss_enclosures (id serial not null primary key, content_url text not null, @@ -405,4 +406,10 @@ create table ttrss_user_labels2 ( article_id integer not null references ttrss_entries(id) ON DELETE CASCADE ); +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat boolean not null default false, + owner_uid integer not null references ttrss_users(id) on delete cascade); + commit; diff --git a/schema/versions/mysql/69.sql b/schema/versions/mysql/69.sql new file mode 100644 index 000000000..75d2dadcb --- /dev/null +++ b/schema/versions/mysql/69.sql @@ -0,0 +1,12 @@ +begin; + +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat bool not null default false, + owner_uid integer not null, + foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8; + +update ttrss_version set schema_version = 69; + +commit; diff --git a/schema/versions/pgsql/69.sql b/schema/versions/pgsql/69.sql new file mode 100644 index 000000000..cae0ff50f --- /dev/null +++ b/schema/versions/pgsql/69.sql @@ -0,0 +1,11 @@ +begin; + +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat bool not null default false, + owner_uid integer not null references ttrss_users(id) on delete cascade); + +update ttrss_version set schema_version = 69; + +commit; |