Merge remote-tracking branch 'FreshRSS/master' into dev

1 files changed, 77 insertions, 51 deletions

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 752b14e31..e4caf23d1 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -1,48 +1,84 @@
 <?php
 
 class FreshRSS extends Minz_FrontController {
+	/**
+	 * Initialize the different FreshRSS / Minz components.
+	 *
+	 * PLEASE DON'T CHANGE THE ORDER OF INITIALIZATIONS UNLESS YOU KNOW WHAT
+	 * YOU DO!!
+	 *
+	 * Here is the list of components:
+	 * - Create a configuration setter and register it to system conf
+	 * - Init extension manager and enable system extensions (has to be done asap)
+	 * - Init authentication system
+	 * - Init user configuration (need auth system)
+	 * - Init FreshRSS context (need user conf)
+	 * - Init i18n (need context)
+	 * - Init sharing system (need user conf and i18n)
+	 * - Init generic styles and scripts (need user conf)
+	 * - Init notifications
+	 * - Enable user extensions (need all the other initializations)
+	 */
 	public function init() {
 		if (!isset($_SESSION)) {
 			Minz_Session::init('FreshRSS');
 		}
 
-		// Need to be called just after session init because it initializes
-		// current user.
-		FreshRSS_Auth::init();
+		// Register the configuration setter for the system configuration
+		$configuration_setter = new FreshRSS_ConfigurationSetter();
+		$system_conf = Minz_Configuration::get('system');
+		$system_conf->_configurationSetter($configuration_setter);
+
+		// Load list of extensions and enable the "system" ones.
+		Minz_ExtensionManager::init();
+
+		// Auth has to be initialized before using currentUser session parameter
+		// because it's this part which create this parameter.
+		self::initAuth();
+
+		// Then, register the user configuration and use the configuration setter
+		// created above.
+		$current_user = Minz_Session::param('currentUser', '_');
+		Minz_Configuration::register('user',
+		                             join_path(USERS_PATH, $current_user, 'config.php'),
+		                             join_path(USERS_PATH, '_', 'config.default.php'),
+		                             $configuration_setter);
+
+		// Finish to initialize the other FreshRSS / Minz components.
+		FreshRSS_Context::init();
+		self::initI18n();
+		self::loadNotifications();
+		// Enable extensions for the current (logged) user.
+		if (FreshRSS_Auth::hasAccess() || $system_conf->allow_anonymous) {
+			$ext_list = FreshRSS_Context::$user_conf->extensions_enabled;
+			Minz_ExtensionManager::enableByList($ext_list);
+		}
+	}
 
-		if (Minz_Request::isPost() && !is_referer_from_same_domain()) {
+	private static function initAuth() {
+		FreshRSS_Auth::init();
+		if (Minz_Request::isPost() && !(is_referer_from_same_domain() && FreshRSS_Auth::isCsrfOk())) {
 			// Basic protection against XSRF attacks
 			FreshRSS_Auth::removeAccess();
 			$http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
+			Minz_Translate::init('en');	//TODO: Better choice of fallback language
 			Minz_Error::error(
 				403,
 				array('error' => array(
-					_t('access_denied'),
+					_t('feedback.access.denied'),
 					' [HTTP_REFERER=' . htmlspecialchars($http_referer) . ']'
 				))
 			);
 		}
-
-		// Load context and configuration.
-		FreshRSS_Context::init();
-
-		$this->loadParamsView();
-		$this->loadStylesAndScripts();
-		$this->loadNotifications();
-		$this->loadExtensions();
 	}
 
-	private function loadParamsView() {
-		// TODO: outputs should be different actions.
-		$output = Minz_Request::param('output', '');
-		if (($output === '') || ($output !== 'normal' && $output !== 'rss' && $output !== 'reader' && $output !== 'global')) {
-			$output = FreshRSS_Context::$conf->view_mode;
-			Minz_Request::_param('output', $output);
-		}
+	private static function initI18n() {
+		Minz_Session::_param('language', FreshRSS_Context::$user_conf->language);
+		Minz_Translate::init(FreshRSS_Context::$user_conf->language);
 	}
 
-	private function loadStylesAndScripts() {
-		$theme = FreshRSS_Themes::load(FreshRSS_Context::$conf->theme);
+	public static function loadStylesAndScripts() {
+		$theme = FreshRSS_Themes::load(FreshRSS_Context::$user_conf->theme);
 		if ($theme) {
 			foreach($theme['files'] as $file) {
 				if ($file[0] === '_') {
@@ -53,26 +89,18 @@ class FreshRSS extends Minz_FrontController {
 					$filename = $file;
 				}
 				$filetime = @filemtime(PUBLIC_PATH . '/themes/' . $theme_id . '/' . $filename);
-				Minz_View::appendStyle(Minz_Url::display(
-					'/themes/' . $theme_id . '/' . $filename . '?' . $filetime
-				));
+				$url = '/themes/' . $theme_id . '/' . $filename . '?' . $filetime;
+				header('Link: <' . Minz_Url::display($url, '', 'root') . '>;rel=preload', false);	//HTTP2
+				Minz_View::appendStyle(Minz_Url::display($url));
 			}
 		}
 
 		Minz_View::appendScript(Minz_Url::display('/scripts/jquery.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/jquery.min.js')));
 		Minz_View::appendScript(Minz_Url::display('/scripts/shortcut.js?' . @filemtime(PUBLIC_PATH . '/scripts/shortcut.js')));
 		Minz_View::appendScript(Minz_Url::display('/scripts/main.js?' . @filemtime(PUBLIC_PATH . '/scripts/main.js')));
-
-		if (Minz_Configuration::authType() === 'persona') {
-			// TODO move it in a plugin
-			// Needed for login AND logout with Persona.
-			Minz_View::appendScript('https://login.persona.org/include.js');
-			$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/persona.js');
-			Minz_View::appendScript(Minz_Url::display('/scripts/persona.js?' . $file_mtime));
-		}
 	}
 
-	private function loadNotifications() {
+	private static function loadNotifications() {
 		$notif = Minz_Session::param('notification');
 		if ($notif) {
 			Minz_View::_param('notification', $notif);
@@ -80,23 +108,21 @@ class FreshRSS extends Minz_FrontController {
 		}
 	}
 
-	private function loadExtensions() {
-		$extensionPath = FRESHRSS_PATH . '/extensions/';
-		//TODO: Add a preference to load only user-selected extensions
-		foreach (scandir($extensionPath) as $key => $extension) {
-			if (ctype_alpha($extension)) {
-				$mtime = @filemtime($extensionPath . $extension . '/style.css');
-				if ($mtime !== false) {
-					Minz_View::appendStyle(Minz_Url::display('/ext.php?c&amp;e=' . $extension . '&amp;' . $mtime));
-				}
-				$mtime = @filemtime($extensionPath . $extension . '/script.js');
-				if ($mtime !== false) {
-					Minz_View::appendScript(Minz_Url::display('/ext.php?j&amp;e=' . $extension . '&amp;' . $mtime));
-				}
-				if (file_exists($extensionPath . $extension . '/module.php')) {
-					//TODO: include
-				} 
-			}
+	public static function preLayout() {
+		switch (Minz_Request::controllerName()) {
+			case 'index':
+				header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *");
+				break;
+			case 'stats':
+				header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+				break;
+			default:
+				header("Content-Security-Policy: default-src 'self'");
+				break;
 		}
+		header("X-Content-Type-Options: nosniff");
+
+		FreshRSS_Share::load(join_path(DATA_PATH, 'shares.php'));
+		self::loadStylesAndScripts();
 	}
 }