From 8801fb017ccd6e2c052ab449eed3ee1eb5b7e982 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 8 Nov 2010 13:11:56 +0300 Subject: replace old-style published feed with universal secretkey-based approach used for all feeds; do not allow user/pass handling in generated feed urls; bump schema --- backend.php | 32 ++++---------- functions.js | 45 +++++++++++++++++++ functions.php | 100 ++++++++++++++++++++++++++++++++---------- modules/backend-rpc.php | 33 +++++++------- modules/popup-dialog.php | 60 +++++++++++++------------ modules/pref-feeds.php | 12 ++--- prefs.js | 37 ---------------- sanity_check.php | 2 +- schema/ttrss_schema_mysql.sql | 10 ++++- schema/ttrss_schema_pgsql.sql | 9 +++- schema/versions/mysql/69.sql | 12 +++++ schema/versions/pgsql/69.sql | 11 +++++ 12 files changed, 226 insertions(+), 137 deletions(-) create mode 100644 schema/versions/mysql/69.sql create mode 100644 schema/versions/pgsql/69.sql diff --git a/backend.php b/backend.php index 761fc0dc0..9951366cd 100644 --- a/backend.php +++ b/backend.php @@ -466,31 +466,10 @@ module_pref_feed_browser($link); break; // pref-feed-browser - case "publish": - $key = db_escape_string($_REQUEST["key"]); - $limit = (int)db_escape_string($_REQUEST["limit"]); - - $result = db_query($link, "SELECT login, owner_uid - FROM ttrss_user_prefs, ttrss_users WHERE - pref_name = '_PREFS_PUBLISH_KEY' AND - value = '$key' AND - ttrss_users.id = owner_uid"); - - if (db_num_rows($result) == 1) { - $owner = db_fetch_result($result, 0, "owner_uid"); - $login = db_fetch_result($result, 0, "login"); - - generate_syndicated_feed($link, $owner, -2, false, $limit); - - } else { - print "User not found"; - } - break; // publish - case "rss": $feed = db_escape_string($_REQUEST["id"]); $user = db_escape_string($_REQUEST["user"]); - $pass = db_escape_string($_REQUEST["pass"]); + $key = db_escape_string($_REQUEST["key"]); $is_cat = $_REQUEST["is_cat"] != false; $limit = (int)db_escape_string($_REQUEST["limit"]); @@ -503,8 +482,13 @@ authenticate_user($link, "admin", null); } - if (!$_SESSION["uid"] && $user && $pass) { - authenticate_user($link, $user, $pass); + if ($key && !$_SESSION["uid"]) { + $result = db_query($link, "SELECT owner_uid FROM + ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'"); + + if (db_num_rows($result) == 1) + $_SESSION["uid"] = db_fetch_result($result, 0, "owner_uid"); + } if ($_SESSION["uid"] || http_authenticate_user($link)) { diff --git a/functions.js b/functions.js index f3ae1965e..f3756051f 100644 --- a/functions.js +++ b/functions.js @@ -2216,3 +2216,48 @@ function quickAddCat(select) { exception_error("quickAddCat", e); } } + +function genUrlChangeKey(feed, is_cat) { + + try { + var ok = confirm(__("Generate new syndication address for this feed?")); + + if (ok) { + + notify_progress("Trying to change address...", true); + + var query = "?op=rpc&subop=regenFeedKey&id=" + param_escape(feed) + + "&is_cat=" + param_escape(is_cat); + + new Ajax.Request("backend.php", { + parameters: query, + onComplete: function(transport) { + var new_link = transport.responseXML.getElementsByTagName("link")[0]; + + var e = $('gen_feed_url'); + + if (new_link) { + + new_link = new_link.firstChild.nodeValue; + + e.innerHTML = e.innerHTML.replace(/\&key=.*$/, + "&key=" + new_link); + + e.href = e.href.replace(/\&key=.*$/, + "&key=" + new_link); + + new Effect.Highlight(e); + + notify(''); + + } else { + notify_error("Could not change feed URL."); + } + } }); + } + } catch (e) { + exception_error("genUrlChangeKey", e); + } + return false; +} + diff --git a/functions.php b/functions.php index c81026ae4..059e968af 100644 --- a/functions.php +++ b/functions.php @@ -4203,12 +4203,19 @@ $search_q = ""; } - $rss_link = "backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q"; + $rss_link = htmlspecialchars(get_self_url_prefix() . + "/backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q"); + + #print " + # + # "; print " - + onclick=\"displayDlg('generatedFeed', '$feed_id:$is_cat:$rss_link')\"> "; print ""; @@ -5110,9 +5117,9 @@ $vgroup_last_feed = $vgr_last_feed; - if ($feed == -2) { +/* if ($feed == -2) { $feed_site_url = article_publish_url($link); - } + } */ /// STOP ////////////////////////////////////////////////////////////////////////////////// @@ -5730,15 +5737,10 @@ return $tag; } - function generate_publish_key() { - return sha1(uniqid(rand(), true)); - } - - function article_publish_url($link) { + function get_self_url_prefix() { $url_path = ""; - - + if ($_SERVER['HTTPS'] != "on") { $url_path = "http://"; } else { @@ -5746,22 +5748,13 @@ } $url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); - $url_path .= "/backend.php?op=publish&key=" . - get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]); return $url_path; - } - function opml_publish_url($link){ - $url_path = ""; - - if ($_SERVER['HTTPS'] != "on") { - $url_path = "http://"; - } else { - $url_path = "https://"; - } + } + function opml_publish_url($link){ - $url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); + $url_path = get_self_url_prefix(); $url_path .= "/opml.php?op=publish&key=" . get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]); @@ -6368,6 +6361,13 @@ if (db_affected_rows($link, $result) != 0 && $caption) { + /* Remove access key for the label */ + + $ext_id = -11 - $id; + + db_query($link, "DELETE FROM ttrss_access_keys WHERE + feed_id = '$ext_id' AND owner_uid = $owner_uid"); + /* Disable filters that reference label being removed */ db_query($link, "UPDATE ttrss_filters SET @@ -6559,6 +6559,11 @@ orig_feed_id = '$id' WHERE feed_id = '$id' AND marked = true AND owner_uid = $owner_uid"); + /* Remove access key for the feed */ + + db_query($link, "DELETE FROM ttrss_access_keys WHERE + feed_id = '$id' AND owner_uid = $owner_uid"); + /* remove the feed */ db_query($link, "DELETE FROM ttrss_feeds @@ -6899,4 +6904,51 @@ if (!in_array($email, $_SESSION['stored_emails'])) array_push($_SESSION['stored_emails'], $email); } + + function update_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) { + if (!$owner_uid) $owner_uid = $_SESSION["uid"]; + + $sql_is_cat = bool_to_sql_bool($is_cat); + + $result = db_query($link, "SELECT access_key FROM ttrss_access_keys + WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat + AND owner_uid = " . $owner_uid); + + if (db_num_rows($result) == 1) { + $key = db_escape_string(sha1(uniqid(rand(), true))); + + db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key' + WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat + AND owner_uid = " . $owner_uid); + + return $key; + + } else { + return get_feed_access_key($link, $feed_id, $is_cat, $owner_uid); + } + } + + function get_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) { + + if (!$owner_uid) $owner_uid = $_SESSION["uid"]; + + $sql_is_cat = bool_to_sql_bool($is_cat); + + $result = db_query($link, "SELECT access_key FROM ttrss_access_keys + WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat + AND owner_uid = " . $owner_uid); + + if (db_num_rows($result) == 1) { + return db_fetch_result($result, 0, "access_key"); + } else { + $key = db_escape_string(sha1(uniqid(rand(), true))); + + $result = db_query($link, "INSERT INTO ttrss_access_keys + (access_key, feed_id, is_cat, owner_uid) + VALUES ('$key', '$feed_id', $sql_is_cat, '$owner_uid')"); + + return $key; + } + return false; + } ?> diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php index 4a82a888b..1bf41d299 100644 --- a/modules/backend-rpc.php +++ b/modules/backend-rpc.php @@ -464,25 +464,11 @@ return; } - if ($subop == "regenPubKey") { - - print ""; - - set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]); - - $new_link = article_publish_url($link); - - print ""; - - print ""; - - return; - } - if ($subop == "regenOPMLKey") { print ""; - set_pref($link, " _PREFS_OPML_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]); + set_pref($link, " _PREFS_OPML_PUBLISH_KEY", + sha1(uniqid(rand(), true)), $_SESSION["uid"]); $new_link = opml_publish_url($link); print ""; print ""; @@ -1119,6 +1105,21 @@ return; } + if ($subop == "regenFeedKey") { + $feed_id = db_escape_string($_REQUEST['id']); + $is_cat = (bool) db_escape_string($_REQUEST['is_cat']); + + print ""; + + $new_key = update_feed_access_key($link, $feed_id, $is_cat); + + print ""; + + print ""; + + return; + } + print "Unknown method: $subop"; } ?> diff --git a/modules/popup-dialog.php b/modules/popup-dialog.php index 54f4a3e61..61efd4c99 100644 --- a/modules/popup-dialog.php +++ b/modules/popup-dialog.php @@ -158,33 +158,6 @@ return; } - if ($id == "pubUrl") { - - print "
".__('Published Articles')."
"; - print "
"; - - $url_path = article_publish_url($link); - - print __("Your Published articles feed URL is:"); - - print "
"; - print "$url_path"; - print "
"; - - print "
"; - - print " "; - - print ""; - - print "
"; - - return; - } - if ($id == "pubOPMLUrl") { print "
".__('Public OPML URL')."
"; @@ -777,6 +750,39 @@ return; } + if ($id == "generatedFeed") { + + print "
".__('View as RSS')."
"; + print "
"; + + $params = explode(":", $param, 3); + $feed_id = db_escape_string($params[0]); + $is_cat = (bool) $params[1]; + + $key = get_feed_access_key($link, $feed_id, $is_cat); + + $url_path = htmlspecialchars($params[2]) . "&key=" . $key; + + print __("You can view this feed as RSS using the following URL:"); + + print "
"; + print "$url_path"; + print "
"; + + print "
"; + + print " "; + + print ""; + + print "
"; + + return; + } + print "
Internal Error

Unknown dialog $id

diff --git a/modules/pref-feeds.php b/modules/pref-feeds.php index 7a436cfd2..de9166fe4 100644 --- a/modules/pref-feeds.php +++ b/modules/pref-feeds.php @@ -1447,7 +1447,8 @@ __('Export OPML').""; if (!get_pref($link, "_PREFS_OPML_PUBLISH_KEY")){ - set_pref($link, "_PREFS_OPML_PUBLISH_KEY", generate_publish_key()); + set_pref($link, "_PREFS_OPML_PUBLISH_KEY", + sha1(uniqid(rand(), true))); } print "

".__('Your OPML can be published publicly and can be subscribed by anyone who knows the URL below.'); @@ -1489,13 +1490,12 @@ print "

".__("Published articles")."

"; - if (!get_pref($link, "_PREFS_PUBLISH_KEY")) { - set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key()); - } - print "

".__('Published articles are exported as a public RSS feed and can be subscribed by anyone who knows the URL specified below.')."

"; - print " "; diff --git a/prefs.js b/prefs.js index a6febd528..5ba267b77 100644 --- a/prefs.js +++ b/prefs.js @@ -1569,43 +1569,6 @@ function feedlistToggleSLAT() { updateFeedList() } -function pubRegenKey() { - - try { - var ok = confirm(__("Replace current publishing address with a new one?")); - - if (ok) { - - notify_progress("Trying to change address...", true); - - var query = "?op=rpc&subop=regenPubKey"; - - new Ajax.Request("backend.php", { - parameters: query, - onComplete: function(transport) { - var new_link = transport.responseXML.getElementsByTagName("link")[0]; - - var e = $('pub_feed_url'); - - if (new_link) { - e.href = new_link.firstChild.nodeValue; - e.innerHTML = new_link.firstChild.nodeValue; - - new Effect.Highlight(e); - - notify(''); - - } else { - notify_error("Could not change feed URL."); - } - } }); - } - } catch (e) { - exception_error("pubRegenKey", e); - } - return false; -} - function opmlRegenKey() { try { diff --git a/sanity_check.php b/sanity_check.php index 7b9c1199c..437ac0a03 100644 --- a/sanity_check.php +++ b/sanity_check.php @@ -2,7 +2,7 @@ require_once "functions.php"; define('EXPECTED_CONFIG_VERSION', 19); - define('SCHEMA_VERSION', 68); + define('SCHEMA_VERSION', 69); if (!file_exists("config.php")) { print "Fatal Error: You forgot to copy diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql index bbcc729c0..33c1f3d95 100644 --- a/schema/ttrss_schema_mysql.sql +++ b/schema/ttrss_schema_mysql.sql @@ -1,6 +1,7 @@ SET NAMES utf8; SET CHARACTER SET utf8; +drop table if exists ttrss_access_keys; drop table if exists ttrss_user_labels2; drop table if exists ttrss_labels2; drop table if exists ttrss_feedbrowser_cache; @@ -241,7 +242,7 @@ create table ttrss_tags (id integer primary key auto_increment, create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8; -insert into ttrss_version values (68); +insert into ttrss_version values (69); create table ttrss_enclosures (id integer primary key auto_increment, content_url text not null, @@ -446,4 +447,11 @@ create table ttrss_user_labels2 (label_id integer not null, foreign key (article_id) references ttrss_entries(id) ON DELETE CASCADE ) TYPE=InnoDB DEFAULT CHARSET=UTF8; +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat bool not null default false, + owner_uid integer not null, + foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8; + commit; diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql index 64d00dda7..69753aa3c 100644 --- a/schema/ttrss_schema_pgsql.sql +++ b/schema/ttrss_schema_pgsql.sql @@ -1,3 +1,4 @@ +drop table ttrss_access_keys; drop table ttrss_user_labels2; drop table ttrss_labels2; drop table ttrss_feedbrowser_cache; @@ -213,7 +214,7 @@ create index ttrss_tags_owner_uid_index on ttrss_tags(owner_uid); create table ttrss_version (schema_version int not null); -insert into ttrss_version values (68); +insert into ttrss_version values (69); create table ttrss_enclosures (id serial not null primary key, content_url text not null, @@ -405,4 +406,10 @@ create table ttrss_user_labels2 ( article_id integer not null references ttrss_entries(id) ON DELETE CASCADE ); +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat boolean not null default false, + owner_uid integer not null references ttrss_users(id) on delete cascade); + commit; diff --git a/schema/versions/mysql/69.sql b/schema/versions/mysql/69.sql new file mode 100644 index 000000000..75d2dadcb --- /dev/null +++ b/schema/versions/mysql/69.sql @@ -0,0 +1,12 @@ +begin; + +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat bool not null default false, + owner_uid integer not null, + foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8; + +update ttrss_version set schema_version = 69; + +commit; diff --git a/schema/versions/pgsql/69.sql b/schema/versions/pgsql/69.sql new file mode 100644 index 000000000..cae0ff50f --- /dev/null +++ b/schema/versions/pgsql/69.sql @@ -0,0 +1,11 @@ +begin; + +create table ttrss_access_keys (id serial not null primary key, + access_key varchar(250) not null, + feed_id varchar(250) not null, + is_cat bool not null default false, + owner_uid integer not null references ttrss_users(id) on delete cascade); + +update ttrss_version set schema_version = 69; + +commit; -- cgit v1.2.3