author | Andrew Dolgov <[email protected]> | 2007-03-01 10:43:54 +0100 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2007-03-01 10:43:54 +0100 |
commit | 01a87dff9efecf9070b652f59a52e55bd2db1906 (patch) | |
tree | cdb2be616dfae0a8b8c8a1e9f31bf167ba84e6f7 | |
parent | 81596c6612ed98ea2d648300e28bbe1661d97165 (diff) |
rework login process, drop http auth
-rw-r--r-- | backend.php | 4 | ||||
-rw-r--r-- | config.php-dist | 8 | ||||
-rw-r--r-- | functions.js | 27 | ||||
-rw-r--r-- | functions.php | 73 | ||||
-rw-r--r-- | login.php | 165 | ||||
-rw-r--r-- | login_form.php | 73 | ||||
-rw-r--r-- | logout.php | 42 | ||||
-rw-r--r-- | mobile/tt-rss.php | 2 | ||||
-rw-r--r-- | modules/backend-rpc.php | 6 | ||||
-rw-r--r-- | opml.php | 1 | ||||
-rw-r--r-- | prefs.php | 6 | ||||
-rw-r--r-- | tt-rss.php | 6 | ||||
-rw-r--r-- | update.php | 3 | ||||
-rw-r--r-- | utils/stats.php | 3 |
14 files changed, 133 insertions, 286 deletions
diff --git a/backend.php b/backend.php index 4aaec48ad..b4eeaf5e0 100644 --- a/backend.php +++ b/backend.php @@ -51,9 +51,9 @@ <p>Error: Not logged in.</p> <script type=\"text/javascript\"> if (parent.window != 'undefined') { - parent.window.location = \"login.php\"; + parent.window.location = \"tt-rss.php\"; } else { - window.location = \"login.php\"; + window.location = \"tt-rss.php\"; } </script> </body></html> diff --git a/config.php-dist b/config.php-dist index 21725abc9..bbf45869a 100644 --- a/config.php-dist +++ b/config.php-dist @@ -27,9 +27,6 @@ define('ICONS_URL', "icons"); // Local and URL path to the directory, where feed favicons are stored. - define('USE_HTTP_AUTH', false); - // Use HTTP Basic authentication instead of login form. Has some problems. - define('SINGLE_USER_MODE', true); // Operate in single user mode, disables all functionality related to // multiple users. @@ -69,9 +66,6 @@ define('GLOBAL_ENABLE_LABELS', false); // Labels are a security risk, so this option can globally disable them for all users. - define('ENABLE_LOGIN_SSL', false); - // Redirect to SSL url for login - define('MAIL_RESET_PASS', true); // Send mail to user on password reset @@ -147,7 +141,7 @@ // If update daemon and update_feeds should send digests // Disable if you prefer querying special URL (see wiki) - define('CONFIG_VERSION', 5); + define('CONFIG_VERSION', 6); // Expected config version. Please update this option in config.php // if necessary (after migrating all new options from this file). diff --git a/functions.js b/functions.js index 292612919..88d750b6b 100644 --- a/functions.js +++ b/functions.js 
@@ -52,6 +52,17 @@ function xmlhttp_ready(obj) { return obj.readyState == 4 || obj.readyState == 0 || !obj.readyState; } +function logout_callback() { + var container = document.getElementById('notify'); + if (xmlhttp.readyState == 4) { + try { + window.location.reload(true); + } catch (e) { + exception_error("logout_callback", e); + } + } +} + function notify_callback() { var container = document.getElementById('notify'); if (xmlhttp.readyState == 4) { @@ -1527,7 +1538,7 @@ function fatalError(code, message) { try { if (code == 6) { - window.location.href = "login.php?rt=none"; + //window.location.href = "login.php?rt=none"; } else if (code == 5) { window.location.href = "update.php"; } else { @@ -1605,3 +1616,17 @@ function filterDlgCheckAction(sender) { function explainError(code) { return displayDlg("explainError", code); } + +function logoutUser() { + try { + if (xmlhttp_ready(xmlhttp_rpc)) { + xmlhttp_rpc.open("GET", "backend.php?op=rpc&subop=logout", true); + xmlhttp_rpc.onreadystatechange=logout_callback; + xmlhttp_rpc.send(null); + } else { + printLockingError(); + } + } catch (e) { + exception_error("logoutUser", e); + } +} diff --git a/functions.php b/functions.php index 244c41682..170696352 100644 --- a/functions.php +++ b/functions.php @@ -1159,22 +1159,6 @@ return preg_replace('/\/[^\/]*$/', "", $_SERVER["REQUEST_URI"]); } - function get_login_redirect() { - $server = $_SERVER["SERVER_NAME"]; - - if (ENABLE_LOGIN_SSL) { - $protocol = "https"; - } else { - $protocol = "http"; - } - - $url_path = get_script_urlpath(); - - $redirect_uri = "$protocol://$server$url_path/login.php"; - - return $redirect_uri; - } - function validate_session($link) { if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) { if ($_SESSION["ip_address"]) { 
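Review bot: Commenting out the redirect in fatalError leaves error code 6 with an empty `if (code == 6) { }` body, so a reply carrying that code (the one the old code sent to login.php, i.e. "not logged in") is now silently dropped for every caller except logout_callback, which has its own reload. The server side now renders the login form from login_sequence on a plain page load, so the branch should do what logout_callback does: replace the commented line with `window.location.reload(true);` and delete the dead comment. Separately, logoutUser issues the session-ending request as a GET, which any third-party page can trigger with an image tag; sending it as a POST is cheap here. fatalError's body continues outside the hunk.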
@@ -1186,17 +1170,6 @@ return true; } - function basic_nosid_redirect_check() { - if (!SINGLE_USER_MODE) { - if (!$_COOKIE[get_session_cookie_name()]) { - $redirect_uri = get_login_redirect(); - $return_to = preg_replace('/.*?\//', '', $_SERVER["REQUEST_URI"]); - header("Location: $redirect_uri?rt=$return_to"); - exit; - } - } - } - function login_sequence($link) { if (!SINGLE_USER_MODE) { @@ -1210,38 +1183,26 @@ if (!validate_session($link)) { logout_user(); - $redirect_uri = get_login_redirect(); - $return_to = preg_replace('/.*?\//', '', $_SERVER["REQUEST_URI"]); - header("Location: $redirect_uri?rt=$return_to"); + render_login_form($link); exit; } - if (!USE_HTTP_AUTH) { - if (!$_SESSION["uid"]) { - $redirect_uri = get_login_redirect(); - $return_to = preg_replace('/.*?\//', '', $_SERVER["REQUEST_URI"]); - header("Location: $redirect_uri?rt=$return_to"); - exit; - } - } else { - if (!$_SESSION["uid"]) { - if (!$_SERVER["PHP_AUTH_USER"]) { + $login_action = $_POST["login_action"]; - header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"'); - header('HTTP/1.0 401 Unauthorized'); - exit; - - } else { - $auth_result = authenticate_user($link, - $_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]); + # try to authenticate user if called from login form + if ($login_action == "do_login") { + $login = $_POST["login"]; + $password = $_POST["password"]; - if (!$auth_result) { - header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"'); - header('HTTP/1.0 401 Unauthorized'); - exit; - } - } - } + if (authenticate_user($link, $login, $password)) { + $_POST["password"] = ""; + return; + } + } + + if (!$_SESSION["uid"]) { + render_login_form($link); + exit; } } else { return authenticate_user($link, "admin", null); @@ -3180,4 +3141,8 @@ return true; } + function render_login_form($link) { + require_once "login_form.php"; + } + ?> diff --git a/login.php b/login.php deleted file mode 100644 index 3609622f8..000000000 --- a/login.php +++ /dev/null 
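Review bot: The new do_login branch in login_sequence authenticates on whatever session the request arrived with and, as far as this hunk shows, never rotates it, so unless authenticate_user() regenerates the id itself a session fixed by an attacker beforehand becomes an authenticated one; add `session_regenerate_id(true);` immediately after `authenticate_user($link, $login, $password)` succeeds. The hunk also drops everything the deleted login.php did around a successful login — `session_set_cookie_params` driven by `remember_me`, the `ttrss_cltime` cookie and the `initialize_user_prefs` call — while login_form.php still shows the remember-me checkbox, so that option is now silently ignored (I cannot see whether authenticate_user covers prefs initialisation). On a failed attempt render_login_form($link) is reached with no `$error_msg` set, so the user gets the bare form with no indication the credentials were rejected; set a message before rendering. login_sequence's body continues outside the hunk.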
@@ -1,165 +0,0 @@ -<?php -// require_once "sessions.php"; - - require_once "sanity_check.php"; - require_once "version.php"; - require_once "config.php"; - require_once "functions.php"; - - $error_msg = ""; - - $url_path = get_script_urlpath(); - $return_to = $_REQUEST["rt"]; - - if (ENABLE_LOGIN_SSL) { - $redirect_base = "https://" . $_SERVER["SERVER_NAME"] . $url_path; - } else { - $redirect_base = "http://" . $_SERVER["SERVER_NAME"] . $url_path; - } - - if (SINGLE_USER_MODE && $return_to != "none") { - header("Location: $redirect_base/tt-rss.php"); - exit; - } - - $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); - - $login = $_POST["login"]; - $password = $_POST["password"]; - $action = $_POST["action"]; - - if ($_COOKIE[get_session_cookie_name()] && $return_to != "none") { - require_once "sessions.php"; - if ($_SESSION["uid"]) { - initialize_user_prefs($link, $_SESSION["uid"]); - header("Location: $redirect_base/tt-rss.php"); - exit; - } - } - - if ($login && $password) { - - if ($_POST["remember_me"]) { - session_set_cookie_params(SESSION_COOKIE_LIFETIME_REMEMBER); - } else { - session_set_cookie_params(SESSION_COOKIE_LIFETIME); - } - - require_once "sessions.php"; - - if (authenticate_user($link, $login, $password)) { - initialize_user_prefs($link, $_SESSION["uid"]); - - if ($_POST["remember_me"]) { - $_SESSION["cookie_lifetime"] = time() + SESSION_COOKIE_LIFETIME_REMEMBER; - } else { - $_SESSION["cookie_lifetime"] = time() + SESSION_COOKIE_LIFETIME; - } - - setcookie("ttrss_cltime", $_SESSION["cookie_lifetime"], - $_SESSION["cookie_lifetime"]); - - if (!$return_to) { - $return_to = "tt-rss.php"; - } - header("Location: $redirect_base/$return_to"); - exit; - } else { - $error_msg = "Error: Unable to authenticate user. 
Please check login and password."; - } - } else if ($action) { - $error_msg = "Error: Either login or password is blank."; - } - -?> -<html> -<head> - <title>Tiny Tiny RSS : Login</title> - <link rel="stylesheet" type="text/css" href="tt-rss.css"> - <link rel="shortcut icon" type="image/png" href="images/favicon.png"> - <!--[if gte IE 5.5000]> - <script type="text/javascript" src="pngfix.js"></script> - <![endif]--> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> -</head> - -<body> - -<script type="text/javascript"> -function init() { - - if (arguments.callee.done) return; - arguments.callee.done = true; - - var login = document.forms["loginForm"].login; - - login.focus(); - -} -</script> - -<script type="text/javascript"> -if (document.addEventListener) { - document.addEventListener("DOMContentLoaded", init, null); -} -window.onload = init; -</script> - -<form action="login.php" method="POST" name="loginForm"> - -<table width="100%" class="loginForm2"> -<tr> - <td class="loginTop" valign="bottom" align="left"> - <img src="images/ttrss_logo_big.png" alt="Logo"> - </td> -</tr><tr> - <td align="center" valign="middle" class="loginMiddle" height="100%"> - <?php if ($error_msg) { ?> - <div class="loginError"><?php echo $error_msg ?></div> - <?php } ?> - <table> - <tr><td align="right">Login:</td> - <td align="right"><input name="login"></td></tr> - <tr><td align="right">Password:</td> - <td align="right"><input type="password" name="password"></td></tr> - <tr><td colspan="2"> - <input type="checkbox" name="remember_me" id="remember_me"> - <label for="remember_me">Remember me on this computer</label> - </td></tr> - <tr><td colspan="2" align="right" class="innerLoginCell"> - <input type="submit" class="button" value="Login"> - <input type="hidden" name="action" value="login"> - <input type="hidden" name="rt" - value="<?php if ($return_to != 'none') { echo $return_to; } ?>"> - </td></tr> - </table> - </td> -</tr><tr> - <td align="center" 
class="loginBottom"> - <a href="http://tt-rss.spb.ru/">Tiny Tiny RSS</a> © 2005-2007 <a href="http://bah.org.ru/">Andrew Dolgov</a> - </td> -</tr> - -</table> - -</form> - -<?php db_close($link); ?> - -<script type="text/javascript"> - /* for IE */ - function statechange() { - if (document.readyState == "interactive") init(); - } - - if (document.readyState) { - if (document.readyState == "interactive" || document.readyState == "complete") { - init(); - } else { - document.onreadystatechange = statechange; - } - } -</script> - -</body> -</html> diff --git a/login_form.php b/login_form.php new file mode 100644 index 000000000..6139b0205 --- /dev/null +++ b/login_form.php 
@@ -0,0 +1,73 @@ +<html> +<head> + <title>Tiny Tiny RSS : Login</title> + <link rel="stylesheet" type="text/css" href="tt-rss.css"> + <link rel="shortcut icon" type="image/png" href="images/favicon.png"> + <!--[if gte IE 5.5000]> + <script type="text/javascript" src="pngfix.js"></script> + <![endif]--> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +</head> + +<body> + +<script type="text/javascript"> +function init() { + + if (arguments.callee.done) return; + arguments.callee.done = true; + + var login = document.forms["loginForm"].login; + + login.focus(); + +} +</script> + +<script type="text/javascript"> +if (document.addEventListener) { + document.addEventListener("DOMContentLoaded", init, null); +} +window.onload = init; +</script> + +<form action="" method="POST" name="loginForm"> +<input type="hidden" name="login_action" value="do_login"> + +<table width="100%" class="loginForm2"> +<tr> + <td class="loginTop" valign="bottom" align="left"> + <img src="images/ttrss_logo_big.png" alt="Logo"> + </td> +</tr><tr> + <td align="center" valign="middle" class="loginMiddle" height="100%"> + <?php if ($error_msg) { ?> + <div class="loginError"><?php echo $error_msg ?></div> + <?php } ?> + <table> + <tr><td align="right">Login:</td> + <td align="right"><input name="login"></td></tr> + <tr><td align="right">Password:</td> + <td align="right"><input type="password" name="password"></td></tr> + <tr><td colspan="2"> + <input type="checkbox" name="remember_me" id="remember_me"> + <label for="remember_me">Remember me on this computer</label> + </td></tr> + <tr><td colspan="2" align="right" class="innerLoginCell"> + <input type="submit" class="button" value="Login"> + <input type="hidden" name="action" value="login"> + <input type="hidden" name="rt" + value="<?php if ($return_to != 'none') { echo $return_to; } ?>"> + </td></tr> + </table> + </td> +</tr><tr> + <td align="center" class="loginBottom"> + <a href="http://tt-rss.spb.ru/">Tiny Tiny RSS</a> © 
2005-2007 <a href="http://bah.org.ru/">Andrew Dolgov</a> + </td> +</tr> + +</table> + +</form> + diff --git a/logout.php b/logout.php deleted file mode 100644 index 249018dce..000000000 --- a/logout.php +++ /dev/null @@ -1,42 +0,0 @@ -<?php - require_once "sessions.php"; - - require_once "config.php"; - require_once "functions.php"; - - logout_user(); - - if (!USE_HTTP_AUTH) { - $url_path = get_script_urlpath(); - - if (ENABLE_LOGIN_SSL) { - $protocol = "https"; - } else { - $protocol = "http"; - } - - $redirect_base = "$protocol://" . $_SERVER["SERVER_NAME"] . $url_path; - - header("Location: $redirect_base/login.php"); - } else { ?> - - <html> - <head> - <title>Tiny Tiny RSS : Logout</title> - <link rel="stylesheet" type="text/css" href="tt-rss.css"> - <body class="logoutBody"> - <div class="logoutContent"> - - <h1><?php echo _('You have been logged out.') ?></h1> - - <p><?php echo _('<span class="logoutWarning">Warning:</span> - As there is no way to reliably clear HTTP Authentication - credentials from your browser, it is recommended for you to close - this browser window, otherwise your browser could automatically - authenticate again using previously supplied credentials, which - is a security risk.') ?></p> - - </div> - </body> - </html> -<?php } ?> diff --git a/mobile/tt-rss.php b/mobile/tt-rss.php index a52c63f81..890c1e0a1 100644 --- a/mobile/tt-rss.php +++ b/mobile/tt-rss.php @@ -3,8 +3,6 @@ require_once "functions.php"; require_once "../functions.php"; - basic_nosid_redirect_check(); - require_once "../sessions.php"; require_once "../version.php"; diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php index 212ff552e..739a43739 100644 --- a/modules/backend-rpc.php +++ b/modules/backend-rpc.php @@ -253,5 +253,11 @@ </rpc-reply>"; } + + if ($subop == "logout") { + logout_user(); + print_error_xml(6); + } + } ?> 
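Review bot: The hidden `rt` field in login_form.php echoes `$return_to` into an attribute unescaped (`echo $return_to`), and `$error_msg` is printed the same way; since the file is pulled in with `require_once` inside render_login_form($link), both variables are undefined in that scope, and login_sequence never reads `rt`, `action` or `remember_me` from the post, so those three inputs are vestigial. Either drop the `rt` and `action` inputs, or escape the value so the template stays safe if it is ever included where `$return_to` comes from the request as it did in the old login.php: `value="<?php if ($return_to != 'none') { echo htmlspecialchars($return_to); } ?>"`. Initialising `$error_msg` and `$return_to` before the markup would also avoid notices, and the `remember_me` checkbox should be removed or wired back up.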
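Review bot: The new `logout` subop in backend-rpc.php performs a state change on a plain GET with no token or method check, so any page that makes the browser fetch `backend.php?op=rpc&subop=logout` (an image tag suffices) can log the user out at will. Low impact, but cheap to harden: have the client send a POST and guard the branch with `if ($subop == "logout" && $_SERVER["REQUEST_METHOD"] == "POST") {`. Whether logout_user() actually destroys the server-side session is not visible in this hunk and is worth confirming, since the client only reloads the page afterwards.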
@@ -1,6 +1,5 @@ <?php require_once "sessions.php"; - require_once "sanity_check.php"; require_once "functions.php"; require_once "config.php"; @@ -1,10 +1,6 @@ <?php require_once "functions.php"; - - basic_nosid_redirect_check(); - require_once "sessions.php"; - require_once "sanity_check.php"; require_once "version.php"; require_once "config.php"; @@ -87,7 +83,7 @@ window.onload = init; <?php if (!SINGLE_USER_MODE) { ?> <div style="float : right"> <?php echo _('Hello,') ?> <b><?php echo $_SESSION["name"] ?></b> - (<a href="logout.php">Logout</a>) + (<a href="javascript:logoutUser()">Logout</a>) </div> <?php } ?> <img src="<?php echo $theme_image_path ?>images/ttrss_logo.png" alt="Tiny Tiny RSS"/> diff --git a/tt-rss.php b/tt-rss.php index 2b62c1d8a..42b1bf35b 100644 --- a/tt-rss.php +++ b/tt-rss.php @@ -1,10 +1,6 @@ <?php require_once "functions.php"; - - basic_nosid_redirect_check(); - require_once "sessions.php"; - require_once "sanity_check.php"; require_once "version.php"; require_once "config.php"; @@ -105,7 +101,7 @@ window.onload = init; <div style="float : right"> <?php if (!SINGLE_USER_MODE) { ?> <?php echo _('Hello,') ?> <b><?php echo $_SESSION["name"] ?></b> - (<a href="logout.php">Logout</a>) + (<a href="javascript:logoutUser()">Logout</a>) <?php } ?> <img id="newVersionIcon" onclick="javascript:explainError(2)" src="images/new_version.png" title="New version is available!" diff --git a/update.php b/update.php index 1e6a44b40..34357f2f2 100644 --- a/update.php +++ b/update.php @@ -18,7 +18,8 @@ $owner_uid = $_SESSION["uid"]; if ($_SESSION["access_level"] < 10) { - header("Location: login.php"); die; + print "<p>Error: your access level is insufficient to run this script.</p>"; + exit; } define('SCHEMA_VERSION', 13); diff --git a/utils/stats.php b/utils/stats.php index 5bc4355db..51dcaf59a 100644 --- a/utils/stats.php +++ b/utils/stats.php 
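Review bot: Dropping `require_once "sanity_check.php"` from tt-rss.php and from the two header-less hunks that appear to be opml.php and prefs.php, in the same commit that bumps CONFIG_VERSION to 6, means those entry points no longer run that check on their own; the deleted login.php required it, so previously every login passed through it. If sanity_check.php is where the CONFIG_VERSION comparison lives and functions.php does not include it, an installation with a stale config.php will proceed straight to the login form instead of being told to update — I cannot tell from this hunk whether functions.php pulls it in, so please confirm or keep `require_once "sanity_check.php";` in tt-rss.php.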
@@ -12,7 +12,8 @@ login_sequence($link); if ($_SESSION["access_level"] < 10) { - header("Location: login.php"); die; + print "<p>Error: your access level is insufficient to run this script.</p>"; + exit; } ?> |