public.php 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230
  1. <?php
  2. class Handler_Public extends Handler {
  3. private function generate_syndicated_feed($owner_uid, $feed, $is_cat,
  4. $limit, $offset, $search,
  5. $view_mode = false, $format = 'atom', $order = false, $orig_guid = false, $start_ts = false) {
  6. require_once "lib/MiniTemplator.class.php";
  7. $note_style = "background-color : #fff7d5;
  8. border-width : 1px; ".
  9. "padding : 5px; border-style : dashed; border-color : #e7d796;".
  10. "margin-bottom : 1em; color : #9a8c59;";
  11. if (!$limit) $limit = 60;
  12. $date_sort_field = "date_entered DESC, updated DESC";
  13. if ($feed == -2 && !$is_cat) {
  14. $date_sort_field = "last_published DESC";
  15. } else if ($feed == -1 && !$is_cat) {
  16. $date_sort_field = "last_marked DESC";
  17. }
  18. switch ($order) {
  19. case "title":
  20. $date_sort_field = "ttrss_entries.title, date_entered, updated";
  21. break;
  22. case "date_reverse":
  23. $date_sort_field = "date_entered, updated";
  24. break;
  25. case "feed_dates":
  26. $date_sort_field = "updated DESC";
  27. break;
  28. }
  29. $params = array(
  30. "owner_uid" => $owner_uid,
  31. "feed" => $feed,
  32. "limit" => $limit,
  33. "view_mode" => $view_mode,
  34. "cat_view" => $is_cat,
  35. "search" => $search,
  36. "override_order" => $date_sort_field,
  37. "include_children" => true,
  38. "ignore_vfeed_group" => true,
  39. "offset" => $offset,
  40. "start_ts" => $start_ts
  41. );
  42. if (!$is_cat && is_numeric($feed) && $feed < PLUGIN_FEED_BASE_INDEX && $feed > LABEL_BASE_INDEX) {
  43. $user_plugins = get_pref("_ENABLED_PLUGINS", $owner_uid);
  44. $tmppluginhost = new PluginHost();
  45. $tmppluginhost->load(PLUGINS, PluginHost::KIND_ALL);
  46. $tmppluginhost->load($user_plugins, PluginHost::KIND_USER, $owner_uid);
  47. $tmppluginhost->load_data();
  48. $handler = $tmppluginhost->get_feed_handler(
  49. PluginHost::feed_to_pfeed_id($feed));
  50. if ($handler) {
  51. $qfh_ret = $handler->get_headlines(PluginHost::feed_to_pfeed_id($feed),
  52. $options);
  53. }
  54. } else {
  55. $qfh_ret = Feeds::queryFeedHeadlines($params);
  56. }
  57. $result = $qfh_ret[0];
  58. $feed_title = htmlspecialchars($qfh_ret[1]);
  59. $feed_site_url = $qfh_ret[2];
  60. /* $last_error = $qfh_ret[3]; */
  61. $feed_self_url = get_self_url_prefix() .
  62. "/public.php?op=rss&id=$feed&key=" .
  63. get_feed_access_key($feed, false, $owner_uid);
  64. if (!$feed_site_url) $feed_site_url = get_self_url_prefix();
  65. if ($format == 'atom') {
  66. $tpl = new MiniTemplator;
  67. $tpl->readTemplateFromFile("templates/generated_feed.txt");
  68. $tpl->setVariable('FEED_TITLE', $feed_title, true);
  69. $tpl->setVariable('VERSION', VERSION, true);
  70. $tpl->setVariable('FEED_URL', htmlspecialchars($feed_self_url), true);
  71. $tpl->setVariable('SELF_URL', htmlspecialchars(get_self_url_prefix()), true);
  72. while ($line = $result->fetch()) {
  73. $line["content_preview"] = sanitize(truncate_string(strip_tags($line["content"]), 100, '...'));
  74. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) {
  75. $line = $p->hook_query_headlines($line);
  76. }
  77. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_EXPORT_FEED) as $p) {
  78. $line = $p->hook_article_export_feed($line, $feed, $is_cat);
  79. }
  80. $tpl->setVariable('ARTICLE_ID',
  81. htmlspecialchars($orig_guid ? $line['link'] :
  82. $this->make_article_tag_uri($line['id'], $line['date_entered'])), true);
  83. $tpl->setVariable('ARTICLE_LINK', htmlspecialchars($line['link']), true);
  84. $tpl->setVariable('ARTICLE_TITLE', htmlspecialchars($line['title']), true);
  85. $tpl->setVariable('ARTICLE_EXCERPT', $line["content_preview"], true);
  86. $content = sanitize($line["content"], false, $owner_uid,
  87. $feed_site_url, false, $line["id"]);
  88. if ($line['note']) {
  89. $content = "<div style=\"$note_style\">Article note: " . $line['note'] . "</div>" .
  90. $content;
  91. $tpl->setVariable('ARTICLE_NOTE', htmlspecialchars($line['note']), true);
  92. }
  93. $tpl->setVariable('ARTICLE_CONTENT', $content, true);
  94. $tpl->setVariable('ARTICLE_UPDATED_ATOM',
  95. date('c', strtotime($line["updated"])), true);
  96. $tpl->setVariable('ARTICLE_UPDATED_RFC822',
  97. date(DATE_RFC822, strtotime($line["updated"])), true);
  98. $tpl->setVariable('ARTICLE_AUTHOR', htmlspecialchars($line['author']), true);
  99. $tpl->setVariable('ARTICLE_SOURCE_LINK', htmlspecialchars($line['site_url'] ? $line["site_url"] : get_self_url_prefix()), true);
  100. $tpl->setVariable('ARTICLE_SOURCE_TITLE', htmlspecialchars($line['feed_title'] ? $line['feed_title'] : $feed_title), true);
  101. $tags = Article::get_article_tags($line["id"], $owner_uid);
  102. foreach ($tags as $tag) {
  103. $tpl->setVariable('ARTICLE_CATEGORY', htmlspecialchars($tag), true);
  104. $tpl->addBlock('category');
  105. }
  106. $enclosures = Article::get_article_enclosures($line["id"]);
  107. if (count($enclosures) > 0) {
  108. foreach ($enclosures as $e) {
  109. $type = htmlspecialchars($e['content_type']);
  110. $url = htmlspecialchars($e['content_url']);
  111. $length = $e['duration'] ? $e['duration'] : 1;
  112. $tpl->setVariable('ARTICLE_ENCLOSURE_URL', $url, true);
  113. $tpl->setVariable('ARTICLE_ENCLOSURE_TYPE', $type, true);
  114. $tpl->setVariable('ARTICLE_ENCLOSURE_LENGTH', $length, true);
  115. $tpl->addBlock('enclosure');
  116. }
  117. } else {
  118. $tpl->setVariable('ARTICLE_ENCLOSURE_URL', null, true);
  119. $tpl->setVariable('ARTICLE_ENCLOSURE_TYPE', null, true);
  120. $tpl->setVariable('ARTICLE_ENCLOSURE_LENGTH', null, true);
  121. }
  122. $tpl->setVariable('ARTICLE_OG_IMAGE',
  123. $this->get_article_image($enclosures, $line['content'], $feed_site_url));
  124. $tpl->addBlock('entry');
  125. }
  126. $tmp = "";
  127. $tpl->addBlock('feed');
  128. $tpl->generateOutputToString($tmp);
  129. if (@!clean($_REQUEST["noxml"])) {
  130. header("Content-Type: text/xml; charset=utf-8");
  131. } else {
  132. header("Content-Type: text/plain; charset=utf-8");
  133. }
  134. print $tmp;
  135. } else if ($format == 'json') {
  136. $feed = array();
  137. $feed['title'] = $feed_title;
  138. $feed['version'] = VERSION;
  139. $feed['feed_url'] = $feed_self_url;
  140. $feed['self_url'] = get_self_url_prefix();
  141. $feed['articles'] = array();
  142. while ($line = $result->fetch()) {
  143. $line["content_preview"] = sanitize(truncate_string(strip_tags($line["content_preview"]), 100, '...'));
  144. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_QUERY_HEADLINES) as $p) {
  145. $line = $p->hook_query_headlines($line, 100);
  146. }
  147. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_EXPORT_FEED) as $p) {
  148. $line = $p->hook_article_export_feed($line, $feed, $is_cat);
  149. }
  150. $article = array();
  151. $article['id'] = $line['link'];
  152. $article['link'] = $line['link'];
  153. $article['title'] = $line['title'];
  154. $article['excerpt'] = $line["content_preview"];
  155. $article['content'] = sanitize($line["content"], false, $owner_uid, $feed_site_url, false, $line["id"]);
  156. $article['updated'] = date('c', strtotime($line["updated"]));
  157. if ($line['note']) $article['note'] = $line['note'];
  158. if ($article['author']) $article['author'] = $line['author'];
  159. $tags = Article::get_article_tags($line["id"], $owner_uid);
  160. if (count($tags) > 0) {
  161. $article['tags'] = array();
  162. foreach ($tags as $tag) {
  163. array_push($article['tags'], $tag);
  164. }
  165. }
  166. $enclosures = Article::get_article_enclosures($line["id"]);
  167. if (count($enclosures) > 0) {
  168. $article['enclosures'] = array();
  169. foreach ($enclosures as $e) {
  170. $type = $e['content_type'];
  171. $url = $e['content_url'];
  172. $length = $e['duration'];
  173. array_push($article['enclosures'], array("url" => $url, "type" => $type, "length" => $length));
  174. }
  175. }
  176. array_push($feed['articles'], $article);
  177. }
  178. header("Content-Type: text/json; charset=utf-8");
  179. print json_encode($feed);
  180. } else {
  181. header("Content-Type: text/plain; charset=utf-8");
  182. print json_encode(array("error" => array("message" => "Unknown format")));
  183. }
  184. }
  185. function getUnread() {
  186. $login = clean($_REQUEST["login"]);
  187. $fresh = clean($_REQUEST["fresh"]) == "1";
  188. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
  189. $sth->execute([$login]);
  190. if ($row = $sth->fetch()) {
  191. $uid = $row["id"];
  192. print Feeds::getGlobalUnread($uid);
  193. if ($fresh) {
  194. print ";";
  195. print Feeds::getFeedArticles(-3, false, true, $uid);
  196. }
  197. } else {
  198. print "-1;User not found";
  199. }
  200. }
  201. function getProfiles() {
  202. $login = clean($_REQUEST["login"]);
  203. $rv = [];
  204. if ($login) {
  205. $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
  206. WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
  207. $sth->execute([$login]);
  208. $rv = [ [ "value" => 0, "label" => __("Default profile") ] ];
  209. while ($line = $sth->fetch()) {
  210. $id = $line["id"];
  211. $title = $line["title"];
  212. array_push($rv, [ "label" => $title, "value" => $id ]);
  213. }
  214. }
  215. print json_encode($rv);
  216. }
  217. function logout() {
  218. logout_user();
  219. header("Location: index.php");
  220. }
  221. function share() {
  222. $uuid = clean($_REQUEST["key"]);
  223. $sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
  224. uuid = ?");
  225. $sth->execute([$uuid]);
  226. if ($row = $sth->fetch()) {
  227. header("Content-Type: text/html");
  228. $id = $row["ref_id"];
  229. $owner_uid = $row["owner_uid"];
  230. print $this->format_article($id, $owner_uid);
  231. } else {
  232. header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
  233. print "Article not found.";
  234. }
  235. }
  236. private function get_article_image($enclosures, $content, $site_url) {
  237. $og_image = false;
  238. foreach ($enclosures as $enc) {
  239. if (strpos($enc["content_type"], "image/") !== FALSE) {
  240. $og_image = $enc["content_url"];
  241. break;
  242. }
  243. }
  244. if (!$og_image) {
  245. $tmpdoc = new DOMDocument();
  246. if (@$tmpdoc->loadHTML(mb_substr($content, 0, 131070))) {
  247. $tmpxpath = new DOMXPath($tmpdoc);
  248. $first_img = $tmpxpath->query("//img")->item(0);
  249. if ($first_img) {
  250. $og_image = $first_img->getAttribute("src");
  251. }
  252. }
  253. }
  254. return rewrite_relative_url($site_url, $og_image);
  255. }
  256. private function format_article($id, $owner_uid) {
  257. $pdo = Db::pdo();
  258. $sth = $pdo->prepare("SELECT id,title,link,content,feed_id,comments,int_id,lang,
  259. ".SUBSTRING_FOR_DATE."(updated,1,16) as updated,
  260. (SELECT site_url FROM ttrss_feeds WHERE id = feed_id) as site_url,
  261. (SELECT title FROM ttrss_feeds WHERE id = feed_id) as feed_title,
  262. (SELECT hide_images FROM ttrss_feeds WHERE id = feed_id) as hide_images,
  263. (SELECT always_display_enclosures FROM ttrss_feeds WHERE id = feed_id) as always_display_enclosures,
  264. num_comments,
  265. tag_cache,
  266. author,
  267. guid,
  268. orig_feed_id,
  269. note
  270. FROM ttrss_entries,ttrss_user_entries
  271. WHERE id = ? AND ref_id = id AND owner_uid = ?");
  272. $sth->execute([$id, $owner_uid]);
  273. $rv = '';
  274. if ($line = $sth->fetch()) {
  275. $line["tags"] = Article::get_article_tags($id, $owner_uid, $line["tag_cache"]);
  276. unset($line["tag_cache"]);
  277. $line["content"] = sanitize($line["content"],
  278. $line['hide_images'],
  279. $owner_uid, $line["site_url"], false, $line["id"]);
  280. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_RENDER_ARTICLE) as $p) {
  281. $line = $p->hook_render_article($line);
  282. }
  283. $line['content'] = rewrite_cached_urls($line['content']);
  284. $num_comments = (int) $line["num_comments"];
  285. $entry_comments = "";
  286. if ($num_comments > 0) {
  287. if ($line["comments"]) {
  288. $comments_url = htmlspecialchars($line["comments"]);
  289. } else {
  290. $comments_url = htmlspecialchars($line["link"]);
  291. }
  292. $entry_comments = "<a class=\"comments\"
  293. target='_blank' rel=\"noopener noreferrer\" href=\"$comments_url\">$num_comments ".
  294. _ngettext("comment", "comments", $num_comments)."</a>";
  295. } else {
  296. if ($line["comments"] && $line["link"] != $line["comments"]) {
  297. $entry_comments = "<a class=\"comments\" target='_blank' rel=\"noopener noreferrer\" href=\"".
  298. htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
  299. }
  300. }
  301. $enclosures = Article::get_article_enclosures($line["id"]);
  302. header("Content-Type: text/html");
  303. $rv .= "<!DOCTYPE html>
  304. <html><head>
  305. <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  306. <title>".$line["title"]."</title>".
  307. stylesheet_tag("css/default.css")."
  308. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  309. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">";
  310. $rv .= "<meta property=\"og:title\" content=\"".htmlspecialchars($line["title"])."\"/>\n";
  311. $rv .= "<meta property=\"og:site_name\" content=\"".htmlspecialchars($line["feed_title"])."\"/>\n";
  312. $rv .= "<meta property=\"og:description\" content=\"".
  313. htmlspecialchars(truncate_string(strip_tags($line["content"]), 500, "..."))."\"/>\n";
  314. $rv .= "</head>";
  315. $og_image = $this->get_article_image($enclosures, $line['content'], $line["site_url"]);
  316. if ($og_image) {
  317. $rv .= "<meta property=\"og:image\" content=\"" . htmlspecialchars($og_image) . "\"/>";
  318. }
  319. $rv .= "<body class='flat ttrss_utility ttrss_zoom'>";
  320. $rv .= "<div class='post post-$id'>";
  321. /* header */
  322. $rv .= "<div class='header'>";
  323. $rv .= "<div class='row'>"; # row
  324. //$entry_author = $line["author"] ? " - " . $line["author"] : "";
  325. $parsed_updated = make_local_datetime($line["updated"], true,
  326. $owner_uid, true);
  327. if ($line["link"]) {
  328. $rv .= "<div class='title'><a target='_blank' rel='noopener noreferrer'
  329. title=\"".htmlspecialchars($line['title'])."\"
  330. href=\"" .htmlspecialchars($line["link"]) . "\">" . $line["title"] . "</a></div>";
  331. } else {
  332. $rv .= "<div class='title'>" . $line["title"] . "</div>";
  333. }
  334. $rv .= "<div class='date'>$parsed_updated<br/></div>";
  335. $rv .= "</div>"; # row
  336. $rv .= "<div class='row'>"; # row
  337. /* left buttons */
  338. $rv .= "<div class='buttons left'>";
  339. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_LEFT_BUTTON) as $p) {
  340. $rv .= $p->hook_article_left_button($line);
  341. }
  342. $rv .= "</div>";
  343. /* comments */
  344. $rv .= "<div class='comments'>$entry_comments</div>";
  345. $rv .= "<div class='author'>".$line['author']."</div>";
  346. /* tags */
  347. $tags_str = Article::format_tags_string($line["tags"], $id);
  348. $rv .= "<i class='material-icons'>label_outline</i><div>";
  349. $tags_str = strip_tags($tags_str);
  350. $rv .= "<span id=\"ATSTR-$id\">$tags_str</span>";
  351. $rv .= "</div>";
  352. /* buttons */
  353. $rv .= "<div class='buttons right'>";
  354. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_ARTICLE_BUTTON) as $p) {
  355. $rv .= $p->hook_article_button($line);
  356. }
  357. $rv .= "</div>";
  358. $rv .= "</div>"; # row
  359. $rv .= "</div>"; # header
  360. /* content */
  361. $lang = $line['lang'] ? $line['lang'] : "en";
  362. $rv .= "<div class=\"content\" lang=\"$lang\">";
  363. /* content body */
  364. $rv .= $line["content"];
  365. /* $rv .= Article::format_article_enclosures($id,
  366. $line["always_display_enclosures"],
  367. $line["content"],
  368. $line["hide_images"]); */
  369. $rv .= "</div>"; # content
  370. $rv .= "</div>"; # post
  371. }
  372. foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_FORMAT_ARTICLE) as $p) {
  373. $rv = $p->hook_format_article($rv, $line, true);
  374. }
  375. return $rv;
  376. }
  377. function rss() {
  378. $feed = clean($_REQUEST["id"]);
  379. $key = clean($_REQUEST["key"]);
  380. $is_cat = clean($_REQUEST["is_cat"]);
  381. $limit = (int)clean($_REQUEST["limit"]);
  382. $offset = (int)clean($_REQUEST["offset"]);
  383. $search = clean($_REQUEST["q"]);
  384. $view_mode = clean($_REQUEST["view-mode"]);
  385. $order = clean($_REQUEST["order"]);
  386. $start_ts = clean($_REQUEST["ts"]);
  387. $format = clean($_REQUEST['format']);
  388. $orig_guid = clean($_REQUEST["orig_guid"]);
  389. if (!$format) $format = 'atom';
  390. if (SINGLE_USER_MODE) {
  391. authenticate_user("admin", null);
  392. }
  393. $owner_id = false;
  394. if ($key) {
  395. $sth = $this->pdo->prepare("SELECT owner_uid FROM
  396. ttrss_access_keys WHERE access_key = ? AND feed_id = ?");
  397. $sth->execute([$key, $feed]);
  398. if ($row = $sth->fetch())
  399. $owner_id = $row["owner_uid"];
  400. }
  401. if ($owner_id) {
  402. $this->generate_syndicated_feed($owner_id, $feed, $is_cat, $limit,
  403. $offset, $search, $view_mode, $format, $order, $orig_guid, $start_ts);
  404. } else {
  405. header('HTTP/1.1 403 Forbidden');
  406. }
  407. }
  408. function updateTask() {
  409. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_UPDATE_TASK, "hook_update_task", false);
  410. }
  411. function housekeepingTask() {
  412. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_HOUSE_KEEPING, "hook_house_keeping", false);
  413. }
  414. function globalUpdateFeeds() {
  415. RPC::updaterandomfeed_real();
  416. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_UPDATE_TASK, "hook_update_task", false);
  417. }
  418. function sharepopup() {
  419. if (SINGLE_USER_MODE) {
  420. login_sequence();
  421. }
  422. header('Content-Type: text/html; charset=utf-8');
  423. print "<html><head><title>Tiny Tiny RSS</title>
  424. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  425. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">";
  426. echo stylesheet_tag("css/default.css");
  427. echo javascript_tag("lib/prototype.js");
  428. echo javascript_tag("lib/scriptaculous/scriptaculous.js?load=effects,controls");
  429. print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  430. </head><body id='sharepopup' class='ttrss_utility'>";
  431. $action = clean($_REQUEST["action"]);
  432. if ($_SESSION["uid"]) {
  433. if ($action == 'share') {
  434. $title = strip_tags(clean($_REQUEST["title"]));
  435. $url = strip_tags(clean($_REQUEST["url"]));
  436. $content = strip_tags(clean($_REQUEST["content"]));
  437. $labels = strip_tags(clean($_REQUEST["labels"]));
  438. Article::create_published_article($title, $url, $content, $labels,
  439. $_SESSION["uid"]);
  440. print "<script type='text/javascript'>";
  441. print "window.close();";
  442. print "</script>";
  443. } else {
  444. $title = htmlspecialchars(clean($_REQUEST["title"]));
  445. $url = htmlspecialchars(clean($_REQUEST["url"]));
  446. ?>
  447. <table height='100%' width='100%' class="panel"><tr><td colspan='2'>
  448. <h1><?php echo __("Share with Tiny Tiny RSS") ?></h1>
  449. </td></tr>
  450. <form id='share_form' name='share_form'>
  451. <input type="hidden" name="op" value="sharepopup">
  452. <input type="hidden" name="action" value="share">
  453. <tr><td align='right'><?php echo __("Title:") ?></td>
  454. <td width='80%'><input name='title' value="<?php echo $title ?>"></td></tr>
  455. <tr><td align='right'><?php echo __("URL:") ?></td>
  456. <td><input name='url' value="<?php echo $url ?>"></td></tr>
  457. <tr><td align='right'><?php echo __("Content:") ?></td>
  458. <td><input name='content' value=""></td></tr>
  459. <tr><td align='right'><?php echo __("Labels:") ?></td>
  460. <td><input name='labels' id="labels_value"
  461. placeholder='Alpha, Beta, Gamma' value="">
  462. </td></tr>
  463. <tr><td>
  464. <div class="autocomplete" id="labels_choices"
  465. style="display : block"></div></td></tr>
  466. <script type='text/javascript'>document.forms[0].title.focus();</script>
  467. <script type='text/javascript'>
  468. new Ajax.Autocompleter('labels_value', 'labels_choices',
  469. "backend.php?op=rpc&method=completeLabels",
  470. { tokens: ',', paramName: "search" });
  471. </script>
  472. <tr><td colspan='2'>
  473. <div style='float : right' class='insensitive-small'>
  474. <?php echo __("Shared article will appear in the Published feed.") ?>
  475. </div>
  476. <button type="submit"><?php echo __('Share') ?></button>
  477. <button onclick="return window.close()"><?php echo __('Cancel') ?></button>
  478. </td>
  479. </form>
  480. </td></tr></table>
  481. </body></html>
  482. <?php
  483. }
  484. } else {
  485. $return = urlencode($_SERVER["REQUEST_URI"])
  486. ?>
  487. <form action="public.php?return=<?php echo $return ?>"
  488. method="POST" id="loginForm" name="loginForm">
  489. <input type="hidden" name="op" value="login">
  490. <table height='100%' width='100%'><tr><td colspan='2'>
  491. <h1><?php echo __("Not logged in") ?></h1></td></tr>
  492. <tr><td align="right"><?php echo __("Login:") ?></td>
  493. <td align="right"><input name="login"
  494. value="<?php echo $_SESSION["fake_login"] ?>"></td></tr>
  495. <tr><td align="right"><?php echo __("Password:") ?></td>
  496. <td align="right"><input type="password" name="password"
  497. value="<?php echo $_SESSION["fake_password"] ?>"></td></tr>
  498. <tr><td colspan='2'>
  499. <button type="submit">
  500. <?php echo __('Log in') ?></button>
  501. <button onclick="return window.close()">
  502. <?php echo __('Cancel') ?></button>
  503. </td></tr>
  504. </table>
  505. </form>
  506. <?php
  507. }
  508. }
  509. function login() {
  510. if (!SINGLE_USER_MODE) {
  511. $login = clean($_POST["login"]);
  512. $password = clean($_POST["password"]);
  513. $remember_me = clean($_POST["remember_me"]);
  514. if ($remember_me) {
  515. session_set_cookie_params(SESSION_COOKIE_LIFETIME);
  516. } else {
  517. session_set_cookie_params(0);
  518. }
  519. if (authenticate_user($login, $password)) {
  520. $_POST["password"] = "";
  521. if (get_schema_version() >= 120) {
  522. $_SESSION["language"] = get_pref("USER_LANGUAGE", $_SESSION["uid"]);
  523. }
  524. $_SESSION["ref_schema_version"] = get_schema_version(true);
  525. $_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]);
  526. if (clean($_POST["profile"])) {
  527. $profile = (int) clean($_POST["profile"]);
  528. $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
  529. WHERE id = ? AND owner_uid = ?");
  530. $sth->execute([$profile, $_SESSION['uid']]);
  531. if ($sth->fetch()) {
  532. $_SESSION["profile"] = $profile;
  533. } else {
  534. $_SESSION["profile"] = null;
  535. }
  536. }
  537. } else {
  538. // start an empty session to deliver login error message
  539. @session_start();
  540. if (!isset($_SESSION["login_error_msg"]))
  541. $_SESSION["login_error_msg"] = __("Incorrect username or password");
  542. user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
  543. }
  544. if (clean($_REQUEST['return'])) {
  545. header("Location: " . clean($_REQUEST['return']));
  546. } else {
  547. header("Location: " . get_self_url_prefix());
  548. }
  549. }
  550. }
  551. /* function subtest() {
  552. header("Content-type: text/plain; charset=utf-8");
  553. $url = clean($_REQUEST["url"]);
  554. print "$url\n\n";
  555. print_r(get_feeds_from_html($url, fetch_file_contents($url)));
  556. } */
  557. function subscribe() {
  558. if (SINGLE_USER_MODE) {
  559. login_sequence();
  560. }
  561. if ($_SESSION["uid"]) {
  562. $feed_url = trim(clean($_REQUEST["feed_url"]));
  563. header('Content-Type: text/html; charset=utf-8');
  564. print "<html>
  565. <head>
  566. <title>Tiny Tiny RSS</title>";
  567. print stylesheet_tag("css/default.css");
  568. print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  569. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  570. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">
  571. </head>
  572. <body class='claro ttrss_utility'>
  573. <img class=\"floatingLogo\" src=\"images/logo_small.png\"
  574. alt=\"Tiny Tiny RSS\"/>
  575. <h1>".__("Subscribe to feed...")."</h1><div class='content'>";
  576. $rc = Feeds::subscribe_to_feed($feed_url);
  577. switch ($rc['code']) {
  578. case 0:
  579. print_warning(T_sprintf("Already subscribed to <b>%s</b>.", $feed_url));
  580. break;
  581. case 1:
  582. print_notice(T_sprintf("Subscribed to <b>%s</b>.", $feed_url));
  583. break;
  584. case 2:
  585. print_error(T_sprintf("Could not subscribe to <b>%s</b>.", $feed_url));
  586. break;
  587. case 3:
  588. print_error(T_sprintf("No feeds found in <b>%s</b>.", $feed_url));
  589. break;
  590. case 4:
  591. print_notice(__("Multiple feed URLs found."));
  592. $feed_urls = $rc["feeds"];
  593. break;
  594. case 5:
  595. print_error(T_sprintf("Could not subscribe to <b>%s</b>.<br>Can't download the Feed URL.", $feed_url));
  596. break;
  597. }
  598. if ($feed_urls) {
  599. print "<form action=\"public.php\">";
  600. print "<input type=\"hidden\" name=\"op\" value=\"subscribe\">";
  601. print "<select name=\"feed_url\">";
  602. foreach ($feed_urls as $url => $name) {
  603. $url = htmlspecialchars($url);
  604. $name = htmlspecialchars($name);
  605. print "<option value=\"$url\">$name</option>";
  606. }
  607. print "<input type=\"submit\" value=\"".__("Subscribe to selected feed").
  608. "\">";
  609. print "</form>";
  610. }
  611. $tp_uri = get_self_url_prefix() . "/prefs.php";
  612. $tt_uri = get_self_url_prefix();
  613. if ($rc['code'] <= 2){
  614. $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
  615. feed_url = ? AND owner_uid = ?");
  616. $sth->execute([$feed_url, $_SESSION['uid']]);
  617. $row = $sth->fetch();
  618. $feed_id = $row["id"];
  619. } else {
  620. $feed_id = 0;
  621. }
  622. print "<p>";
  623. if ($feed_id) {
  624. print "<form method=\"GET\" style='display: inline'
  625. action=\"$tp_uri\">
  626. <input type=\"hidden\" name=\"tab\" value=\"feedConfig\">
  627. <input type=\"hidden\" name=\"method\" value=\"editFeed\">
  628. <input type=\"hidden\" name=\"methodparam\" value=\"$feed_id\">
  629. <input type=\"submit\" value=\"".__("Edit subscription options")."\">
  630. </form>";
  631. }
  632. print "<form style='display: inline' method=\"GET\" action=\"$tt_uri\">
  633. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  634. </form></p>";
  635. print "</div></body></html>";
  636. } else {
  637. render_login_form();
  638. }
  639. }
  640. function index() {
  641. header("Content-Type: text/plain");
  642. print error_json(13);
  643. }
  644. function forgotpass() {
  645. startup_gettext();
  646. @$hash = clean($_REQUEST["hash"]);
  647. header('Content-Type: text/html; charset=utf-8');
  648. print "<html><head><title>Tiny Tiny RSS</title>
  649. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  650. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">";
  651. echo stylesheet_tag("lib/dijit/themes/claro/claro.css");
  652. echo stylesheet_tag("css/default.css");
  653. echo javascript_tag("lib/prototype.js");
  654. print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
  655. </head><body class='claro ttrss_utility'>";
  656. print '<div class="floatingLogo"><img src="images/logo_small.png"></div>';
  657. print "<h1>".__("Password recovery")."</h1>";
  658. print "<div class='content'>";
  659. @$method = clean($_POST['method']);
  660. if ($hash) {
  661. $login = clean($_REQUEST["login"]);
  662. if ($login) {
  663. $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
  664. WHERE login = ?");
  665. $sth->execute([$login]);
  666. if ($row = $sth->fetch()) {
  667. $id = $row["id"];
  668. $resetpass_token_full = $row["resetpass_token"];
  669. list($timestamp, $resetpass_token) = explode(":", $resetpass_token_full);
  670. if ($timestamp && $resetpass_token &&
  671. $timestamp >= time() - 15*60*60 &&
  672. $resetpass_token == $hash) {
  673. $sth = $this->pdo->prepare("UPDATE ttrss_users SET resetpass_token = NULL
  674. WHERE id = ?");
  675. $sth->execute([$id]);
  676. Pref_Users::resetUserPassword($id, true);
  677. print "<p>"."Completed."."</p>";
  678. } else {
  679. print_error("Some of the information provided is missing or incorrect.");
  680. }
  681. } else {
  682. print_error("Some of the information provided is missing or incorrect.");
  683. }
  684. } else {
  685. print_error("Some of the information provided is missing or incorrect.");
  686. }
  687. print "<form method=\"GET\" action=\"index.php\">
  688. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  689. </form>";
  690. } else if (!$method) {
  691. print_notice(__("You will need to provide valid account name and email. A password reset link will be sent to your email address."));
  692. print "<form method='POST' action='public.php'>";
  693. print "<input type='hidden' name='method' value='do'>";
  694. print "<input type='hidden' name='op' value='forgotpass'>";
  695. print "<fieldset>";
  696. print "<label>".__("Login:")."</label>";
  697. print "<input class='input input-text' type='text' name='login' value='' required>";
  698. print "</fieldset>";
  699. print "<fieldset>";
  700. print "<label>".__("Email:")."</label>";
  701. print "<input class='input input-text' type='email' name='email' value='' required>";
  702. print "</fieldset>";
  703. print "<fieldset>";
  704. print "<label>".__("How much is two plus two:")."</label>";
  705. print "<input class='input input-text' type='text' name='test' value='' required>";
  706. print "</fieldset>";
  707. print "<p/>";
  708. print "<button type='submit'>".__("Reset password")."</button>";
  709. print "</form>";
  710. } else if ($method == 'do') {
  711. $login = clean($_POST["login"]);
  712. $email = clean($_POST["email"]);
  713. $test = clean($_POST["test"]);
  714. if (($test != 4 && $test != 'four') || !$email || !$login) {
  715. print_error(__('Some of the required form parameters are missing or incorrect.'));
  716. print "<form method=\"GET\" action=\"public.php\">
  717. <input type=\"hidden\" name=\"op\" value=\"forgotpass\">
  718. <input type=\"submit\" value=\"".__("Go back")."\">
  719. </form>";
  720. } else {
  721. print_notice("Password reset instructions are being sent to your email address.");
  722. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users
  723. WHERE login = ? AND email = ?");
  724. $sth->execute([$login, $email]);
  725. if ($row = $sth->fetch()) {
  726. $id = $row["id"];
  727. if ($id) {
  728. $resetpass_token = sha1(get_random_bytes(128));
  729. $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token .
  730. "&login=" . urlencode($login);
  731. require_once "lib/MiniTemplator.class.php";
  732. $tpl = new MiniTemplator;
  733. $tpl->readTemplateFromFile("templates/resetpass_link_template.txt");
  734. $tpl->setVariable('LOGIN', $login);
  735. $tpl->setVariable('RESETPASS_LINK', $resetpass_link);
  736. $tpl->addBlock('message');
  737. $message = "";
  738. $tpl->generateOutputToString($message);
  739. $mailer = new Mailer();
  740. $rc = $mailer->mail(["to_name" => $login,
  741. "to_address" => $email,
  742. "subject" => __("[tt-rss] Password reset request"),
  743. "message" => $message]);
  744. if (!$rc) print_error($mailer->error());
  745. $resetpass_token_full = time() . ":" . $resetpass_token;
  746. $sth = $this->pdo->prepare("UPDATE ttrss_users
  747. SET resetpass_token = ?
  748. WHERE login = ? AND email = ?");
  749. $sth->execute([$resetpass_token_full, $login, $email]);
  750. //Pref_Users::resetUserPassword($id, false);
  751. print "<p>";
  752. print "<p>"."Completed."."</p>";
  753. } else {
  754. print_error("User ID not found.");
  755. }
  756. print "<form method=\"GET\" action=\"index.php\">
  757. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  758. </form>";
  759. } else {
  760. print_error(__("Sorry, login and email combination not found."));
  761. print "<form method=\"GET\" action=\"public.php\">
  762. <input type=\"hidden\" name=\"op\" value=\"forgotpass\">
  763. <input type=\"submit\" value=\"".__("Go back")."\">
  764. </form>";
  765. }
  766. }
  767. }
  768. print "</div>";
  769. print "</body>";
  770. print "</html>";
  771. }
  772. function dbupdate() {
  773. startup_gettext();
  774. if (!SINGLE_USER_MODE && $_SESSION["access_level"] < 10) {
  775. $_SESSION["login_error_msg"] = __("Your access level is insufficient to run this script.");
  776. render_login_form();
  777. exit;
  778. }
  779. ?><html>
  780. <head>
  781. <title>Database Updater</title>
  782. <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  783. <link rel="stylesheet" type="text/css" href="css/default.css"/>
  784. <link rel=\"shortcut icon\" type=\"image/png\" href=\"images/favicon.png\">
  785. <link rel=\"icon\" type=\"image/png\" sizes=\"72x72\" href=\"images/favicon-72px.png\">
  786. </head>
  787. <style type="text/css">
  788. span.ok { color : #009000; font-weight : bold; }
  789. span.err { color : #ff0000; font-weight : bold; }
  790. </style>
  791. <body class="claro ttrss_utility">
  792. <script type='text/javascript'>
  793. function confirmOP() {
  794. return confirm("Update the database?");
  795. }
  796. </script>
  797. <div class="floatingLogo"><img src="images/logo_small.png"></div>
  798. <h1><?php echo __("Database Updater") ?></h1>
  799. <div class="content">
  800. <?php
  801. @$op = clean($_REQUEST["subop"]);
  802. $updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION);
  803. if ($op == "performupdate") {
  804. if ($updater->isUpdateRequired()) {
  805. print "<h2>Performing updates</h2>";
  806. print "<h3>Updating to schema version " . SCHEMA_VERSION . "</h3>";
  807. print "<ul>";
  808. for ($i = $updater->getSchemaVersion() + 1; $i <= SCHEMA_VERSION; $i++) {
  809. print "<li>Performing update up to version $i...";
  810. $result = $updater->performUpdateTo($i, true);
  811. if (!$result) {
  812. print "<span class='err'>FAILED!</span></li></ul>";
  813. print_warning("One of the updates failed. Either retry the process or perform updates manually.");
  814. print "<p><form method=\"GET\" action=\"index.php\">
  815. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  816. </form>";
  817. return;
  818. } else {
  819. print "<span class='ok'>OK!</span></li>";
  820. }
  821. }
  822. print "</ul>";
  823. print_notice("Your Tiny Tiny RSS database is now updated to the latest version.");
  824. print "<p><form method=\"GET\" action=\"index.php\">
  825. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  826. </form>";
  827. } else {
  828. print "<h2>Your database is up to date.</h2>";
  829. print "<p><form method=\"GET\" action=\"index.php\">
  830. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  831. </form>";
  832. }
  833. } else {
  834. if ($updater->isUpdateRequired()) {
  835. print "<h2>Database update required</h2>";
  836. print_notice("<h4>".
  837. sprintf("Your Tiny Tiny RSS database needs update to the latest version: %d to %d.",
  838. $updater->getSchemaVersion(), SCHEMA_VERSION).
  839. "</h4>");
  840. print_warning("Please backup your database before proceeding.");
  841. print "<form method='POST'>
  842. <input type='hidden' name='subop' value='performupdate'>
  843. <input type='submit' onclick='return confirmOP()' value='".__("Perform updates")."'>
  844. </form>";
  845. } else {
  846. print_notice("Tiny Tiny RSS database is up to date.");
  847. print "<p><form method=\"GET\" action=\"index.php\">
  848. <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
  849. </form>";
  850. }
  851. }
  852. ?>
  853. </div>
  854. </body>
  855. </html>
  856. <?php
  857. }
  858. function cached_url() {
  859. @$req_filename = basename($_GET['hash']);
  860. // we don't need an extension to find the file, hash is a complete URL
  861. $hash = preg_replace("/\.[^\.]*$/", "", $req_filename);
  862. if ($hash) {
  863. $filename = CACHE_DIR . '/images/' . $hash;
  864. if (file_exists($filename)) {
  865. header("Content-Disposition: inline; filename=\"$req_filename\"");
  866. send_local_file($filename);
  867. } else {
  868. header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
  869. echo "File not found.";
  870. }
  871. }
  872. }
  873. private function make_article_tag_uri($id, $timestamp) {
  874. $timestamp = date("Y-m-d", strtotime($timestamp));
  875. return "tag:" . parse_url(get_self_url_prefix(), PHP_URL_HOST) . ",$timestamp:/$id";
  876. }
  877. // this should be used very carefully because this endpoint is exposed to unauthenticated users
  878. // plugin data is not loaded because there's no user context and owner_uid/session may or may not be available
  879. // in general, don't do anything user-related in here and do not modify $_SESSION
  880. public function pluginhandler() {
  881. $host = new PluginHost();
  882. $plugin = basename(clean($_REQUEST["plugin"]));
  883. $method = clean($_REQUEST["pmethod"]);
  884. $host->load($plugin, PluginHost::KIND_USER, 0);
  885. $host->load_data();
  886. $pclass = $host->get_plugin($plugin);
  887. if ($pclass) {
  888. if (method_exists($pclass, $method)) {
  889. if ($pclass->is_public_method($method)) {
  890. $pclass->$method();
  891. } else {
  892. header("Content-Type: text/json");
  893. print error_json(6);
  894. }
  895. } else {
  896. header("Content-Type: text/json");
  897. print error_json(13);
  898. }
  899. } else {
  900. header("Content-Type: text/json");
  901. print error_json(14);
  902. }
  903. }
  904. }
  905. ?>