authorAndrew Dolgov <[email protected]>2010-11-08 13:11:56 +0300
committerAndrew Dolgov <[email protected]>2010-11-08 13:15:00 +0300
commit8801fb017ccd6e2c052ab449eed3ee1eb5b7e982 (patch)
tree97ce0dfd050cb22fc999c546bb9a9b8ce5277e89 /backend.php
parent811bea05221c3704037eaba860a70f42eb45994b (diff)
replace old-style published feed with universal secretkey-based approach used for all feeds; do not allow user/pass handling in generated feed urls; bump schema
Diffstat (limited to 'backend.php')
-rw-r--r--backend.php32
1 files changed, 8 insertions, 24 deletions
diff --git a/backend.php b/backend.php
index 761fc0dc0..9951366cd 100644
--- a/backend.php
+++ b/backend.php
@@ -466,31 +466,10 @@
module_pref_feed_browser($link);
break; // pref-feed-browser
- case "publish":
- $key = db_escape_string($_REQUEST["key"]);
- $limit = (int)db_escape_string($_REQUEST["limit"]);
-
- $result = db_query($link, "SELECT login, owner_uid
- FROM ttrss_user_prefs, ttrss_users WHERE
- pref_name = '_PREFS_PUBLISH_KEY' AND
- value = '$key' AND
- ttrss_users.id = owner_uid");
-
- if (db_num_rows($result) == 1) {
- $owner = db_fetch_result($result, 0, "owner_uid");
- $login = db_fetch_result($result, 0, "login");
-
- generate_syndicated_feed($link, $owner, -2, false, $limit);
-
- } else {
- print "<error>User not found</error>";
- }
- break; // publish
-
case "rss":
$feed = db_escape_string($_REQUEST["id"]);
$user = db_escape_string($_REQUEST["user"]);
- $pass = db_escape_string($_REQUEST["pass"]);
+ $key = db_escape_string($_REQUEST["key"]);
$is_cat = $_REQUEST["is_cat"] != false;
$limit = (int)db_escape_string($_REQUEST["limit"]);
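Review bot: `$user` is still read from `$_REQUEST["user"]` just above the new `$key` line, although its only visible use, the `authenticate_user($link, $user, $pass)` call, is removed by this commit. If nothing outside these hunks reads it, drop that line so the handler no longer accepts a credential-shaped parameter, in line with the commit message. Separately, `$key` is a bearer secret carried in the URL and will end up in web-server logs and Referer headers. A comment such as `// access key: bearer secret, grants read access to this feed without login` would make that explicit for the next maintainer.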
@@ -503,8 +482,13 @@
authenticate_user($link, "admin", null);
}
- if (!$_SESSION["uid"] && $user && $pass) {
- authenticate_user($link, $user, $pass);
+ if ($key && !$_SESSION["uid"]) {
+ $result = db_query($link, "SELECT owner_uid FROM
+ ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'");
+
+ if (db_num_rows($result) == 1)
+ $_SESSION["uid"] = db_fetch_result($result, 0, "owner_uid");
+
}
if ($_SESSION["uid"] || http_authenticate_user($link)) {
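Review bot: The key branch assigns the feed owner's uid to `$_SESSION["uid"]`, so if the session outlives this request, a holder of one feed's access key is treated as that user wherever `$_SESSION["uid"]` is checked, not only for this feed. Consider keeping the result in a local, e.g. `$owner_uid = db_fetch_result($result, 0, "owner_uid");`, and having the following `if` and the feed generator use that local rather than the session. The lookup also matches only `feed_id = '$feed'` and ignores `$is_cat`, so a key issued for feed N would presumably also unlock category N of the same owner; confirm whether that is intended. The `case "rss"` body continues outside the hunk, so how the uid is consumed afterwards is not visible here.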