Diffstat (limited to 'app/Controllers')
-rw-r--r--app/Controllers/authController.php23
-rwxr-xr-xapp/Controllers/configureController.php119
-rwxr-xr-xapp/Controllers/feedController.php196
-rw-r--r--app/Controllers/importExportController.php9
-rwxr-xr-xapp/Controllers/indexController.php4
-rwxr-xr-xapp/Controllers/javascriptController.php9
-rw-r--r--app/Controllers/subscriptionController.php6
-rw-r--r--app/Controllers/updateController.php7
-rw-r--r--app/Controllers/userController.php79
9 files changed, 289 insertions, 163 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 937c0759d..f58b008de 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -123,8 +123,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
$conf = get_user_configuration($username);
if (is_null($conf)) {
- Minz_Request::bad(_t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
+ return;
}
$ok = FreshRSS_FormAuth::checkCredentials(
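Review bot: The early `return;` for an unknown username skips `FreshRSS_FormAuth::checkCredentials`, so that branch answers measurably faster than a wrong-password attempt even though both now yield the same 403 message. Using one message for both outcomes is right; to keep the two paths indistinguishable on the wire, consider running the credential check against a fixed dummy hash before returning when `$conf` is null. A short comment on what the third argument `false` to `Minz_Error::error` controls would also help, since the new registerAction at the end of this file calls it without that argument. The enclosing login logic starts and ends outside this hunk.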
@@ -151,8 +151,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
' user=' . $username .
', nonce=' . $nonce .
', c=' . $challenge);
- Minz_Request::bad(_t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
}
} elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
$username = Minz_Request::param('u', '');
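Review bot: No `return;` follows `Minz_Error::error(403, ...)` here, whereas the first hunk of this file adds one right after the same call; the third hunk ("Unsafe password mismatch") and the new registerAction at the bottom of the file omit it as well. If Minz_Error::error only prepares the error response and returns to the caller, the remainder of the login flow (and in registerAction the title/view setup) keeps executing after a rejected login. Either add `return;` after each call for consistency, or add a comment at the first hunk explaining why a return is needed there only. The enclosing method begins and ends outside this hunk.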
@@ -184,8 +183,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
array('c' => 'index', 'a' => 'index'));
} else {
Minz_Log::warning('Unsafe password mismatch for user ' . $username);
- Minz_Request::bad(_t('feedback.auth.login.invalid'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
}
}
}
@@ -253,7 +251,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
FreshRSS_Auth::giveAccess();
invalidateHttpCache();
} else {
- Minz_Log::error($reason);
+ Minz_Log::warning($reason);
$res = array();
$res['status'] = 'failure';
@@ -346,4 +344,15 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
}
}
}
+
+ /**
+ * This action gives possibility to a user to create an account.
+ */
+ public function registerAction() {
+ if (max_registrations_reached()) {
+ Minz_Error::error(403);
+ }
+
+ Minz_View::prependTitle(_t('gen.auth.registration.title') . ' · ');
+ }
}
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index 38ccd2b2d..d0f0bd68b 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -112,6 +112,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
FreshRSS_Context::$user_conf->sticky_post = Minz_Request::param('sticky_post', false);
FreshRSS_Context::$user_conf->reading_confirm = Minz_Request::param('reading_confirm', false);
FreshRSS_Context::$user_conf->auto_remove_article = Minz_Request::param('auto_remove_article', false);
+ FreshRSS_Context::$user_conf->mark_updated_article_unread = Minz_Request::param('mark_updated_article_unread', false);
FreshRSS_Context::$user_conf->sort_order = Minz_Request::param('sort_order', 'DESC');
FreshRSS_Context::$user_conf->mark_when = array(
'article' => Minz_Request::param('mark_open_article', false),
@@ -241,13 +242,16 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
* checking if categories and feeds are still in use.
*/
public function queriesAction() {
+ $category_dao = new FreshRSS_CategoryDAO();
+ $feed_dao = FreshRSS_Factory::createFeedDao();
if (Minz_Request::isPost()) {
- $queries = Minz_Request::param('queries', array());
+ $params = Minz_Request::param('queries', array());
- foreach ($queries as $key => $query) {
+ foreach ($params as $key => $query) {
if (!$query['name']) {
$query['name'] = _t('conf.query.number', $key + 1);
}
+ $queries[] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao);
}
FreshRSS_Context::$user_conf->queries = $queries;
FreshRSS_Context::$user_conf->save();
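Review bot: `$queries` is never initialised before `$queries[] = new FreshRSS_UserQuery(...)`, so when the submitted `queries` parameter is empty, `FreshRSS_Context::$user_conf->queries = $queries;` stores an undefined variable (null) instead of the empty array that the old `Minz_Request::param('queries', array())` guaranteed. Add `$queries = array();` next to the two DAO instantiations at the top of the method. The loop also dereferences `$query['name']` without checking that `$query` is an array, which a crafted POST can violate; `if (!is_array($query)) { continue; }` before that line would make the input handling explicit. queriesAction continues past the end of this hunk.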
@@ -255,62 +259,9 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
Minz_Request::good(_t('feedback.conf.updated'),
array('c' => 'configure', 'a' => 'queries'));
} else {
- $this->view->query_get = array();
- $cat_dao = new FreshRSS_CategoryDAO();
- $feed_dao = FreshRSS_Factory::createFeedDao();
+ $this->view->queries = array();
foreach (FreshRSS_Context::$user_conf->queries as $key => $query) {
- if (!isset($query['get'])) {
- continue;
- }
-
- switch ($query['get'][0]) {
- case 'c':
- $category = $cat_dao->searchById(substr($query['get'], 2));
-
- $deprecated = true;
- $cat_name = '';
- if ($category) {
- $cat_name = $category->name();
- $deprecated = false;
- }
-
- $this->view->query_get[$key] = array(
- 'type' => 'category',
- 'name' => $cat_name,
- 'deprecated' => $deprecated,
- );
- break;
- case 'f':
- $feed = $feed_dao->searchById(substr($query['get'], 2));
-
- $deprecated = true;
- $feed_name = '';
- if ($feed) {
- $feed_name = $feed->name();
- $deprecated = false;
- }
-
- $this->view->query_get[$key] = array(
- 'type' => 'feed',
- 'name' => $feed_name,
- 'deprecated' => $deprecated,
- );
- break;
- case 's':
- $this->view->query_get[$key] = array(
- 'type' => 'favorite',
- 'name' => 'favorite',
- 'deprecated' => false,
- );
- break;
- case 'a':
- $this->view->query_get[$key] = array(
- 'type' => 'all',
- 'name' => 'all',
- 'deprecated' => false,
- );
- break;
- }
+ $this->view->queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao);
}
}
@@ -325,20 +276,56 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
* lean data.
*/
public function addQueryAction() {
- $whitelist = array('get', 'order', 'name', 'search', 'state');
- $queries = FreshRSS_Context::$user_conf->queries;
- $query = Minz_Request::params();
- $query['name'] = _t('conf.query.number', count($queries) + 1);
- foreach ($query as $key => $value) {
- if (!in_array($key, $whitelist)) {
- unset($query[$key]);
- }
+ $category_dao = new FreshRSS_CategoryDAO();
+ $feed_dao = FreshRSS_Factory::createFeedDao();
+ $queries = array();
+ foreach (FreshRSS_Context::$user_conf->queries as $key => $query) {
+ $queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao);
}
- $queries[] = $query;
+ $params = Minz_Request::params();
+ $params['url'] = Minz_Url::display(array('params' => $params));
+ $params['name'] = _t('conf.query.number', count($queries) + 1);
+ $queries[] = new FreshRSS_UserQuery($params, $feed_dao, $category_dao);
+
FreshRSS_Context::$user_conf->queries = $queries;
FreshRSS_Context::$user_conf->save();
Minz_Request::good(_t('feedback.conf.query_created', $query['name']),
array('c' => 'configure', 'a' => 'queries'));
}
+
+ /**
+ * This action handles the system configuration page.
+ *
+ * It displays the system configuration page.
+ * If this action is reach through a POST request, it stores all new
+ * configuration values then sends a notification to the user.
+ *
+ * The options available on the page are:
+ * - user limit (default: 1)
+ * - user category limit (default: 16384)
+ * - user feed limit (default: 16384)
+ */
+ public function systemAction() {
+ if (!FreshRSS_Auth::hasAccess('admin')) {
+ Minz_Error::error(403);
+ }
+ if (Minz_Request::isPost()) {
+ $limits = FreshRSS_Context::$system_conf->limits;
+ $limits['max_registrations'] = Minz_Request::param('max-registrations', 1);
+ $limits['max_feeds'] = Minz_Request::param('max-feeds', 16384);
+ $limits['max_categories'] = Minz_Request::param('max-categories', 16384);
+ FreshRSS_Context::$system_conf->limits = $limits;
+ FreshRSS_Context::$system_conf->title = Minz_Request::param('instance-name', 'FreshRSS');
+ FreshRSS_Context::$system_conf->auto_update_url = Minz_Request::param('auto-update-url', false);
+ FreshRSS_Context::$system_conf->save();
+
+ invalidateHttpCache();
+
+ Minz_Session::_param('notification', array(
+ 'type' => 'good',
+ 'content' => _t('feedback.conf.updated')
+ ));
+ }
+ }
}
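Review bot: `$query` on the `feedback.conf.query_created` line is now the last element of the foreach above it (or undefined when the user has no saved queries), so the notification reports the wrong name; use `$params['name']` there. In systemAction, `Minz_Error::error(403)` is not followed by a return, while the login hunk in authController adds one after the same call — if that helper does not terminate the request, the POST branch below still saves system limits for a non-admin. The three limit values are written into system configuration as raw request strings; cast them with `(int)` and reject non-positive values before saving. `auto-update-url` is later handed to `curl_init` (updateController hunk), so restrict it to an https URL at save time, e.g. `filter_var($url, FILTER_VALIDATE_URL)` plus an explicit scheme check.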
diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index 6f544d834..4ec661115 100755
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -98,10 +98,10 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
// HTTP information are useful if feed is protected behind a
// HTTP authentication
- $user = Minz_Request::param('http_user');
- $pass = Minz_Request::param('http_pass');
+ $user = trim(Minz_Request::param('http_user', ''));
+ $pass = Minz_Request::param('http_pass', '');
$http_auth = '';
- if ($user != '' || $pass != '') {
+ if ($user != '' && $pass != '') { //TODO: Sanitize
$http_auth = $user . ':' . $pass;
}
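Review bot: The `//TODO: Sanitize` on the `&&` line is the real gap: `$user . ':' . $pass` is assembled from raw request input, and if it is later placed in a URL userinfo or an HTTP header, a `:`, `@`, `/` or newline in either value changes the meaning of the credential string. If it is consumed as URL userinfo, `rawurlencode($user) . ':' . rawurlencode($pass)` is the conventional encoding; if it is passed to a client library as a separate option, keep the two parts apart instead of joining them. The identical pattern appears in the subscriptionController hunk (`http_user_feed` / `http_pass_feed`), which likewise trims only the user. The consumer of `$http_auth` is outside this hunk, so the correct escaping depends on it.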
@@ -145,8 +145,8 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
// Call the extension hook
$name = $feed->name();
$feed = Minz_ExtensionManager::callHook('feed_before_insert', $feed);
- if (is_null($feed)) {
- Minz_Request::bad(_t('feed_not_added', $name), $url_redirect);
+ if ($feed === null) {
+ Minz_Request::bad(_t('feedback.sub.feed.not_added', $name), $url_redirect);
}
$values = array(
@@ -168,6 +168,7 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
// Ok, feed has been added in database. Now we have to refresh entries.
$feed->_id($id);
$feed->faviconPrepare();
+ //$feed->pubSubHubbubPrepare(); //TODO: prepare PubSubHubbub already when adding the feed
$is_read = FreshRSS_Context::$user_conf->mark_when['reception'] ? 1 : 0;
@@ -181,7 +182,6 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
// Use a shared statement and a transaction to improve a LOT the
// performances.
- $prepared_statement = $entryDAO->addEntryPrepare();
$feedDAO->beginTransaction();
foreach ($entries as $entry) {
// Entries are added without any verification.
@@ -190,13 +190,13 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
$entry->_isRead($is_read);
$entry = Minz_ExtensionManager::callHook('entry_before_insert', $entry);
- if (is_null($entry)) {
+ if ($entry === null) {
// An extension has returned a null value, there is nothing to insert.
continue;
}
$values = $entry->toArray();
- $entryDAO->addEntry($values, $prepared_statement);
+ $entryDAO->addEntry($values);
}
$feedDAO->updateLastUpdate($feed->id());
$feedDAO->commit();
@@ -262,12 +262,13 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
* This action actualizes entries from one or several feeds.
*
* Parameters are:
- * - id (default: false)
+ * - id (default: false): Feed ID
+ * - url (default: false): Feed URL
* - force (default: false)
- * If id is not specified, all the feeds are actualized. But if force is
+ * If id and url are not specified, all the feeds are actualized. But if force is
* false, process stops at 10 feeds to avoid time execution problem.
*/
- public function actualizeAction() {
+ public function actualizeAction($simplePiePush = null) {
@set_time_limit(300);
$feedDAO = FreshRSS_Factory::createFeedDao();
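Review bot: `actualizeAction($simplePiePush = null)` gains a parameter, but the docblock this hunk edits still lists only the request parameters; add a line such as `@param mixed $simplePiePush entries pushed by PubSubHubbub (presumably a SimplePie payload — confirm); when set they are loaded instead of pulling the feed`. It would also help to state that the method now returns the number of updated feeds, since the last hunk of this file adds `return $updated_feeds;`. The action body continues past this hunk.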
@@ -275,14 +276,15 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
Minz_Session::_param('actualize_feeds', false);
$id = Minz_Request::param('id');
+ $url = Minz_Request::param('url');
$force = Minz_Request::param('force');
// Create a list of feeds to actualize.
// If id is set and valid, corresponding feed is added to the list but
// alone in order to automatize further process.
$feeds = array();
- if ($id) {
- $feed = $feedDAO->searchById($id);
+ if ($id || $url) {
+ $feed = $id ? $feedDAO->searchById($id) : $feedDAO->searchByUrl($url);
if ($feed) {
$feeds[] = $feed;
}
@@ -294,25 +296,41 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
$nb_month_old = max(FreshRSS_Context::$user_conf->old_entries, 1);
$date_min = time() - (3600 * 24 * 30 * $nb_month_old);
+ // PubSubHubbub support
+ $pubsubhubbubEnabledGeneral = FreshRSS_Context::$system_conf->pubsubhubbub_enabled;
+ $pshbMinAge = time() - (3600 * 24); //TODO: Make a configuration.
+
$updated_feeds = 0;
$is_read = FreshRSS_Context::$user_conf->mark_when['reception'] ? 1 : 0;
foreach ($feeds as $feed) {
+ $url = $feed->url(); //For detection of HTTP 301
+
+ $pubSubHubbubEnabled = $pubsubhubbubEnabledGeneral && $feed->pubSubHubbubEnabled();
+ if ((!$simplePiePush) && (!$id) && $pubSubHubbubEnabled && ($feed->lastUpdate() > $pshbMinAge)) {
+ //$text = 'Skip pull of feed using PubSubHubbub: ' . $url;
+ //Minz_Log::debug($text);
+ //file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
+ continue; //When PubSubHubbub is used, do not pull refresh so often
+ }
+
if (!$feed->lock()) {
Minz_Log::notice('Feed already being actualized: ' . $feed->url());
continue;
}
try {
- // Load entries
- $feed->load(false);
+ if ($simplePiePush) {
+ $feed->loadEntries($simplePiePush); //Used by PubSubHubbub
+ } else {
+ $feed->load(false);
+ }
} catch (FreshRSS_Feed_Exception $e) {
- Minz_Log::notice($e->getMessage());
- $feedDAO->updateLastUpdate($feed->id(), 1);
+ Minz_Log::warning($e->getMessage());
+ $feedDAO->updateLastUpdate($feed->id(), true);
$feed->unlock();
continue;
}
- $url = $feed->url();
$feed_history = $feed->keepHistory();
if ($feed_history == -2) {
// TODO: -2 must be a constant!
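Review bot: The new skip condition `(!$id)` reads the request parameter `$id`, but inside the entry loop of the next hunk the same variable is reassigned to the new entry id (`$id = min(time(), $entry_date) . uSecString();` and `$id = uTimeString();`), so from the second feed onward `!$id` is false and the PubSubHubbub pull throttling never applies. Rename the entry-id local, e.g. `$entryId = uTimeString();` and `$entry->_id($entryId);`, or copy the request value into a dedicated variable before the loop. The three commented-out debug lines inside that `if` should be deleted rather than shipped. This loop body continues in the following hunks.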
@@ -323,49 +341,74 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
// We want chronological order and SimplePie uses reverse order.
$entries = array_reverse($feed->entries());
if (count($entries) > 0) {
- // For this feed, check last n entry GUIDs already in database.
- $existing_guids = array_fill_keys($entryDAO->listLastGuidsByFeed(
- $feed->id(), count($entries) + 10
- ), 1);
- $use_declared_date = empty($existing_guids);
+ $newGuids = array();
+ foreach ($entries as $entry) {
+ $newGuids[] = $entry->guid();
+ }
+ // For this feed, check existing GUIDs already in database.
+ $existingHashForGuids = $entryDAO->listHashForFeedGuids($feed->id(), $newGuids);
+ unset($newGuids);
+ $oldGuids = array();
// Add entries in database if possible.
- $prepared_statement = $entryDAO->addEntryPrepare();
- $feedDAO->beginTransaction();
foreach ($entries as $entry) {
$entry_date = $entry->date(true);
- if (isset($existing_guids[$entry->guid()]) ||
- ($feed_history == 0 && $entry_date < $date_min)) {
- // This entry already exists in DB or should not be added
- // considering configuration and date.
- continue;
+ if (isset($existingHashForGuids[$entry->guid()])) {
+ $existingHash = $existingHashForGuids[$entry->guid()];
+ if (strcasecmp($existingHash, $entry->hash()) === 0 || $existingHash === '00000000000000000000000000000000') {
+ //This entry already exists and is unchanged. TODO: Remove the test with the zero'ed hash in FreshRSS v1.3
+ $oldGuids[] = $entry->guid();
+ } else { //This entry already exists but has been updated
+ Minz_Log::debug('Entry with GUID `' . $entry->guid() . '` updated in feed ' . $feed->id() .
+ ', old hash ' . $existingHash . ', new hash ' . $entry->hash());
+ //TODO: Make an updated/is_read policy by feed, in addition to the global one.
+ $entry->_isRead(FreshRSS_Context::$user_conf->mark_updated_article_unread ? false : null); //Change is_read according to policy.
+ if (!$entryDAO->hasTransaction()) {
+ $entryDAO->beginTransaction();
+ }
+ $entryDAO->updateEntry($entry->toArray());
+ }
+ } elseif ($feed_history == 0 && $entry_date < $date_min) {
+ // This entry should not be added considering configuration and date.
+ $oldGuids[] = $entry->guid();
+ } else {
+ if ($entry_date < $date_min) {
+ $id = min(time(), $entry_date) . uSecString();
+ $entry->_isRead(true); //Old article that was not in database. Probably an error, so mark as read
+ } else {
+ $id = uTimeString();
+ $entry->_isRead($is_read);
+ }
+ $entry->_id($id);
+
+ $entry = Minz_ExtensionManager::callHook('entry_before_insert', $entry);
+ if ($entry === null) {
+ // An extension has returned a null value, there is nothing to insert.
+ continue;
+ }
+
+ if ($pubSubHubbubEnabled && !$simplePiePush) { //We use push, but have discovered an article by pull!
+ $text = 'An article was discovered by pull although we use PubSubHubbub!: Feed ' . $url . ' GUID ' . $entry->guid();
+ file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
+ Minz_Log::warning($text);
+ $pubSubHubbubEnabled = false;
+ $feed->pubSubHubbubError(true);
+ }
+
+ if (!$entryDAO->hasTransaction()) {
+ $entryDAO->beginTransaction();
+ }
+ $entryDAO->addEntry($entry->toArray());
}
-
- $id = uTimeString();
- if ($use_declared_date || $entry_date < $date_min) {
- // Use declared date at first import.
- $id = min(time(), $entry_date) . uSecString();
- }
-
- $entry->_id($id);
- $entry->_isRead($is_read);
-
- $entry = Minz_ExtensionManager::callHook('entry_before_insert', $entry);
- if (is_null($entry)) {
- // An extension has returned a null value, there is nothing to insert.
- continue;
- }
-
- $values = $entry->toArray();
- $entryDAO->addEntry($values, $prepared_statement);
}
+ $entryDAO->updateLastSeen($feed->id(), $oldGuids);
}
if ($feed_history >= 0 && rand(0, 30) === 1) {
// TODO: move this function in web cron when available (see entry::purge)
// Remove old entries once in 30.
- if (!$feedDAO->hasTransaction()) {
- $feedDAO->beginTransaction();
+ if (!$entryDAO->hasTransaction()) {
+ $entryDAO->beginTransaction();
}
$nb = $feedDAO->cleanOldEntries($feed->id(),
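Review bot: The `file_put_contents(USERS_PATH . '/_/log_pshb.txt', ...)` line writes `$url` and `$entry->guid()` verbatim, and both originate from the fetched feed; a GUID containing `\n` or `\t` breaks the tab-separated record and lets remote content forge log lines. Route the message through Minz_Log only, or normalise it first: `$text = str_replace(array("\r", "\n", "\t"), ' ', $text);`. The file also grows without bound and is appended on every pull-discovered article. Separately, the `'00000000000000000000000000000000'` literal is a magic value whose meaning lives only in the TODO next to it; a named class constant would document it. The enclosing foreach over `$feeds` starts and ends outside this hunk.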
@@ -377,18 +420,37 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
}
}
- $feedDAO->updateLastUpdate($feed->id(), 0, $feedDAO->hasTransaction());
- if ($feedDAO->hasTransaction()) {
- $feedDAO->commit();
+ $feedDAO->updateLastUpdate($feed->id(), 0, $entryDAO->hasTransaction());
+ if ($entryDAO->hasTransaction()) {
+ $entryDAO->commit();
}
- if ($feed->url() !== $url) {
- // HTTP 301 Moved Permanently
+ if ($feed->hubUrl() && $feed->selfUrl()) { //selfUrl has priority for PubSubHubbub
+ if ($feed->selfUrl() !== $url) { //https://code.google.com/p/pubsubhubbub/wiki/MovingFeedsOrChangingHubs
+ $selfUrl = checkUrl($feed->selfUrl());
+ if ($selfUrl) {
+ Minz_Log::debug('PubSubHubbub unsubscribe ' . $feed->url());
+ if (!$feed->pubSubHubbubSubscribe(false)) { //Unsubscribe
+ Minz_Log::warning('Error while PubSubHubbub unsubscribing from ' . $feed->url());
+ }
+ $feed->_url($selfUrl, false);
+ Minz_Log::notice('Feed ' . $url . ' canonical address moved to ' . $feed->url());
+ $feedDAO->updateFeed($feed->id(), array('url' => $feed->url()));
+ }
+ }
+ }
+ elseif ($feed->url() !== $url) { // HTTP 301 Moved Permanently
Minz_Log::notice('Feed ' . $url . ' moved permanently to ' . $feed->url());
$feedDAO->updateFeed($feed->id(), array('url' => $feed->url()));
}
$feed->faviconPrepare();
+ if ($pubsubhubbubEnabledGeneral && $feed->pubSubHubbubPrepare()) {
+ Minz_Log::notice('PubSubHubbub subscribe ' . $feed->url());
+ if (!$feed->pubSubHubbubSubscribe(true)) { //Subscribe
+ Minz_Log::warning('Error while PubSubHubbub subscribing to ' . $feed->url());
+ }
+ }
$feed->unlock();
$updated_feeds++;
unset($feed);
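Review bot: `$feed->_url($selfUrl, false)` replaces the subscription URL with the self link declared inside the fetched document, so feed content decides which URL the server fetches next; the only guard visible is `checkUrl()`, which is defined outside this diff. Confirm that checkUrl restricts the scheme to http/https, and consider rejecting self links that resolve to private or loopback addresses, since a compromised feed could otherwise point the instance at an internal host. The unsubscribe is issued against `$feed->url()` before the URL is changed, which is the correct order; a comment such as `// unsubscribe from the old hub binding before switching to the new canonical URL` would make that intent explicit. The method continues past this hunk.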
@@ -411,20 +473,20 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
Minz_Session::_param('notification', $notif);
// No layout in ajax request.
$this->view->_useLayout(false);
- return;
- }
-
- // Redirect to the main page with correct notification.
- if ($updated_feeds === 1) {
- $feed = reset($feeds);
- Minz_Request::good(_t('feedback.sub.feed.actualized', $feed->name()), array(
- 'params' => array('get' => 'f_' . $feed->id())
- ));
- } elseif ($updated_feeds > 1) {
- Minz_Request::good(_t('feedback.sub.feed.n_actualized', $updated_feeds), array());
} else {
- Minz_Request::good(_t('feedback.sub.feed.no_refresh'), array());
+ // Redirect to the main page with correct notification.
+ if ($updated_feeds === 1) {
+ $feed = reset($feeds);
+ Minz_Request::good(_t('feedback.sub.feed.actualized', $feed->name()), array(
+ 'params' => array('get' => 'f_' . $feed->id())
+ ));
+ } elseif ($updated_feeds > 1) {
+ Minz_Request::good(_t('feedback.sub.feed.n_actualized', $updated_feeds), array());
+ } else {
+ Minz_Request::good(_t('feedback.sub.feed.no_refresh'), array());
+ }
}
+ return $updated_feeds;
}
/**
diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php
index 589777b2a..60e467255 100644
--- a/app/Controllers/importExportController.php
+++ b/app/Controllers/importExportController.php
@@ -47,7 +47,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {
$status_file = $file['error'];
if ($status_file !== 0) {
- Minz_Log::error('File cannot be uploaded. Error code: ' . $status_file);
+ Minz_Log::warning('File cannot be uploaded. Error code: ' . $status_file);
Minz_Request::bad(_t('feedback.import_export.file_cannot_be_uploaded'),
array('c' => 'importExport', 'a' => 'index'));
}
@@ -69,7 +69,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {
if (!is_resource($zip)) {
// zip_open cannot open file: something is wrong
- Minz_Log::error('Zip archive cannot be imported. Error code: ' . $zip);
+ Minz_Log::warning('Zip archive cannot be imported. Error code: ' . $zip);
Minz_Request::bad(_t('feedback.import_export.zip_error'),
array('c' => 'importExport', 'a' => 'index'));
}
@@ -77,7 +77,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {
while (($zipfile = zip_read($zip)) !== false) {
if (!is_resource($zipfile)) {
// zip_entry() can also return an error code!
- Minz_Log::error('Zip file cannot be imported. Error code: ' . $zipfile);
+ Minz_Log::warning('Zip file cannot be imported. Error code: ' . $zipfile);
} else {
$type_zipfile = $this->guessFileType(zip_entry_name($zipfile));
if ($type_file !== 'unknown') {
@@ -361,7 +361,6 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {
}
// Then, articles are imported.
- $prepared_statement = $this->entryDAO->addEntryPrepare();
$this->entryDAO->beginTransaction();
foreach ($article_object['items'] as $item) {
if (!isset($article_to_feed[$item['id']])) {
@@ -396,7 +395,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {
}
$values = $entry->toArray();
- $id = $this->entryDAO->addEntry($values, $prepared_statement);
+ $id = $this->entryDAO->addEntry($values);
if (!$error && ($id === false)) {
$error = true;
diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index ddcf0b4e4..baaf99065 100755
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -137,6 +137,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
}
// No layout for RSS output.
+ $this->view->url = empty($_SERVER['QUERY_STRING']) ? '' : '?' . $_SERVER['QUERY_STRING'];
$this->view->rss_title = FreshRSS_Context::$name . ' | ' . Minz_View::title();
$this->view->_useLayout(false);
header('Content-Type: application/rss+xml; charset=utf-8');
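Review bot: `$this->view->url` receives `$_SERVER['QUERY_STRING']` unmodified, and the following lines show this view renders RSS XML; if the template emits the value inside an element or attribute without escaping, a crafted query string becomes XML/HTML injection in the generated feed. Escape at output (`htmlspecialchars($this->url, ENT_QUOTES, 'UTF-8')` in the template) or store an already-escaped value here, and make sure the value is never used as a redirect target. The template is outside this diff, so this is a check to perform rather than a confirmed defect.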
@@ -161,6 +162,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
);
FreshRSS_Context::_get(Minz_Request::param('get', 'a'));
+
FreshRSS_Context::$state = Minz_Request::param(
'state', FreshRSS_Context::$user_conf->default_state
);
@@ -172,7 +174,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
FreshRSS_Context::$state |= FreshRSS_Entry::STATE_READ;
}
- FreshRSS_Context::$search = Minz_Request::param('search', '');
+ FreshRSS_Context::$search = new FreshRSS_Search(Minz_Request::param('search', ''));
FreshRSS_Context::$order = Minz_Request::param(
'order', FreshRSS_Context::$user_conf->sort_order
);
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 421cf6f72..e3ae3669e 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -43,7 +43,12 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
} else {
Minz_Log::notice('Nonce failure due to invalid username!');
}
- $this->view->nonce = ''; //Failure
- $this->view->salt1 = '';
+ //Failure: Return random data.
+ $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+ $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+ for ($i = 22; $i > 0; $i--) {
+ $this->view->salt1 .= $alphabet[rand(0, 63)];
+ }
+ $this->view->nonce = sha1(rand());
}
}
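Review bot: The failure branch returns a freshly random salt and nonce on every request, while an existing user presumably receives a stable salt derived from the stored hash; two requests for the same unknown name therefore return different salts, which still distinguishes existing from unknown accounts. Derive the fake salt deterministically, e.g. from an HMAC of the submitted username keyed with a per-installation secret, mapped onto the 22-character alphabet, so repeated requests agree. Also prefer a cryptographic source over `rand()` for both values — `openssl_random_pseudo_bytes()` where `random_bytes()` is unavailable to this PHP version — since `sha1(rand())` is predictable. The username lookup that selects this branch is above the hunk.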
diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php
index 333565faf..03d3ee15e 100644
--- a/app/Controllers/subscriptionController.php
+++ b/app/Controllers/subscriptionController.php
@@ -77,11 +77,11 @@ class FreshRSS_subscription_Controller extends Minz_ActionController {
Minz_View::prependTitle(_t('sub.title.feed_management') . ' · ' . $this->view->feed->name() . ' · ');
if (Minz_Request::isPost()) {
- $user = Minz_Request::param('http_user', '');
- $pass = Minz_Request::param('http_pass', '');
+ $user = trim(Minz_Request::param('http_user_feed' . $id, ''));
+ $pass = Minz_Request::param('http_pass_feed' . $id, '');
$httpAuth = '';
- if ($user != '' || $pass != '') {
+ if ($user != '' && $pass != '') { //TODO: Sanitize
$httpAuth = $user . ':' . $pass;
}
diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php
index 4797a3486..64c984b04 100644
--- a/app/Controllers/updateController.php
+++ b/app/Controllers/updateController.php
@@ -53,7 +53,8 @@ class FreshRSS_update_Controller extends Minz_ActionController {
return;
}
- $c = curl_init(FRESHRSS_UPDATE_WEBSITE);
+ $auto_update_url = FreshRSS_Context::$system_conf->auto_update_url . '?v=' . FRESHRSS_VERSION;
+ $c = curl_init($auto_update_url);
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
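Review bot: `$auto_update_url` is now an admin-configurable string from system configuration instead of the `FRESHRSS_UPDATE_WEBSITE` constant, and `'?v=' . FRESHRSS_VERSION` is appended without checking that the base is a non-empty https URL or that it lacks a query string already (which would yield `...?x=y?v=1.x`). Since the response presumably drives an update download, validate before `curl_init`: reject anything not starting with `https://`, and join with `(strpos($url, '?') !== false ? '&' : '?') . 'v=' . FRESHRSS_VERSION`. The `return;` just above the hunk may already cover the empty case, but its condition is outside the hunk.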
@@ -63,14 +64,14 @@ class FreshRSS_update_Controller extends Minz_ActionController {
curl_close($c);
if ($c_status !== 200) {
- Minz_Log::error(
+ Minz_Log::warning(
'Error during update (HTTP code ' . $c_status . '): ' . $c_error
);
$this->view->message = array(
'status' => 'bad',
'title' => _t('gen.short.damn'),
- 'body' => _t('feedback.update.server_not_found', FRESHRSS_UPDATE_WEBSITE)
+ 'body' => _t('feedback.update.server_not_found', $auto_update_url)
);
return;
}
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index ed01b83c5..1c7d621f1 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -12,9 +12,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
* This action is called before every other action in that class. It is
* the common boiler plate for every action. It is triggered by the
* underlying framework.
+ *
+ * @todo clean up the access condition.
*/
public function firstAction() {
- if (!FreshRSS_Auth::hasAccess()) {
+ if (!FreshRSS_Auth::hasAccess() && !(
+ Minz_Request::actionName() === 'create' &&
+ !max_registrations_reached()
+ )) {
Minz_Error::error(403);
}
}
@@ -25,13 +30,17 @@ class FreshRSS_user_Controller extends Minz_ActionController {
public function profileAction() {
Minz_View::prependTitle(_t('conf.profile.title') . ' · ');
+ Minz_View::appendScript(Minz_Url::display(
+ '/scripts/bcrypt.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js')
+ ));
+
if (Minz_Request::isPost()) {
$ok = true;
- $passwordPlain = Minz_Request::param('passwordPlain', '', true);
+ $passwordPlain = Minz_Request::param('newPasswordPlain', '', true);
if ($passwordPlain != '') {
- Minz_Request::_param('passwordPlain'); //Discard plain-text password ASAP
- $_POST['passwordPlain'] = '';
+ Minz_Request::_param('newPasswordPlain'); //Discard plain-text password ASAP
+ $_POST['newPasswordPlain'] = '';
if (!function_exists('password_hash')) {
include_once(LIB_PATH . '/password_compat.php');
}
@@ -103,8 +112,24 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$this->view->size_user = $entryDAO->size();
}
+ /**
+ * This action creates a new user.
+ *
+ * Request parameters are:
+ * - new_user_language
+ * - new_user_name
+ * - new_user_passwordPlain
+ * - new_user_email
+ * - r (i.e. a redirection url, optional)
+ *
+ * @todo clean up this method. Idea: write a method to init a user with basic information.
+ * @todo handle r redirection in Minz_Request::forward directly?
+ */
public function createAction() {
- if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) {
+ if (Minz_Request::isPost() && (
+ FreshRSS_Auth::hasAccess('admin') ||
+ !max_registrations_reached()
+ )) {
$db = FreshRSS_Context::$system_conf->db;
require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
@@ -175,15 +200,37 @@ class FreshRSS_user_Controller extends Minz_ActionController {
Minz_Session::_param('notification', $notif);
}
- Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true);
+ $redirect_url = urldecode(Minz_Request::param('r', false, true));
+ if (!$redirect_url) {
+ $redirect_url = array('c' => 'user', 'a' => 'manage');
+ }
+ Minz_Request::forward($redirect_url, true);
}
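Review bot: `$redirect_url = urldecode(Minz_Request::param('r', false, true));` hands a request-supplied string straight to `Minz_Request::forward($redirect_url, true)`, and deleteAction below repeats the pattern. Unless Minz_Request::forward only accepts controller/action arrays or same-origin paths (it is outside this diff), this is an open redirect after registration or deletion. Validate that the value is a relative path on this instance, for example `strpos($redirect_url, '/') === 0 && strpos($redirect_url, '//') !== 0`, and fall back to the `manage` array otherwise. A comment explaining why `urldecode` is applied would also help, as the framework may already decode parameters.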
+ /**
+ * This action delete an existing user.
+ *
+ * Request parameter is:
+ * - username
+ *
+ * @todo clean up this method. Idea: create a User->clean() method.
+ */
public function deleteAction() {
- if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) {
+ $username = Minz_Request::param('username');
+ $redirect_url = urldecode(Minz_Request::param('r', false, true));
+ if (!$redirect_url) {
+ $redirect_url = array('c' => 'user', 'a' => 'manage');
+ }
+
+ $self_deletion = Minz_Session::param('currentUser', '_') === $username;
+
+ if (Minz_Request::isPost() && (
+ FreshRSS_Auth::hasAccess('admin') ||
+ $self_deletion
+ )) {
$db = FreshRSS_Context::$system_conf->db;
require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
- $username = Minz_Request::param('username');
$ok = ctype_alnum($username);
$user_data = join_path(DATA_PATH, 'users', $username);
@@ -191,6 +238,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$default_user = FreshRSS_Context::$system_conf->default_user;
$ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user
}
+ if ($ok && $self_deletion) {
+ // We check the password if it's a self-destruction
+ $nonce = Minz_Session::param('nonce');
+ $challenge = Minz_Request::param('challenge', '');
+
+ $ok &= FreshRSS_FormAuth::checkCredentials(
+ $username, FreshRSS_Context::$user_conf->passwordHash,
+ $nonce, $challenge
+ );
+ }
if ($ok) {
$ok &= is_dir($user_data);
}
@@ -200,6 +257,10 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$ok &= recursive_unlink($user_data);
//TODO: delete Persona file
}
+ if ($ok && $self_deletion) {
+ FreshRSS_Auth::removeAccess();
+ $redirect_url = array('c' => 'index', 'a' => 'index');
+ }
invalidateHttpCache();
$notif = array(
@@ -209,6 +270,6 @@ class FreshRSS_user_Controller extends Minz_ActionController {
Minz_Session::_param('notification', $notif);
}
- Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true);
+ Minz_Request::forward($redirect_url, true);
}
}