ttrss/backend.php

<?php
	set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .
		get_include_path());

	/* remove ill effects of magic quotes */

	if (get_magic_quotes_gpc()) {
		function stripslashes_deep($value) {
			$value = is_array($value) ?
				array_map('stripslashes_deep', $value) : stripslashes($value);
				return $value;
		}

		$_POST = array_map('stripslashes_deep', $_POST);
		$_GET = array_map('stripslashes_deep', $_GET);
		$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
		$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
	}

	$op = $_REQUEST["op"];
	@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];

	if (!$method)
		$method = 'index';
	else
		$method = strtolower($method);

	/* Public calls compatibility shim */

	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
		"fbexport", "logout", "pubsub");

	if (array_search($op, $public_calls) !== false) {
		header("Location: public.php?" . $_SERVER['QUERY_STRING']);
		return;
	}

	@$csrf_token = $_REQUEST['csrf_token'];

	require_once "autoload.php";
	require_once "sessions.php";
	require_once "functions.php";
	require_once "config.php";
	require_once "db.php";
	require_once "db-prefs.php";

	startup_gettext();

	$script_started = microtime(true);

	if (!init_plugins()) return;

	header("Content-Type: text/json; charset=utf-8");

	if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {
		ob_start("ob_gzhandler");
	}

	if (SINGLE_USER_MODE) {
		authenticate_user( "admin", null);
	}

	if ($_SESSION["uid"]) {
		if (!validate_session()) {
			header("Content-Type: text/json");
			print error_json(6);
			return;
		}
		load_user_plugins( $_SESSION["uid"]);
	}

	$purge_intervals = array(
		0  => __("Use default"),
		-1 => __("Never purge"),
		5  => __("1 week old"),
		14 => __("2 weeks old"),
		31 => __("1 month old"),
		60 => __("2 months old"),
		90 => __("3 months old"));

	$update_intervals = array(
		0   => __("Default interval"),
		-1  => __("Disable updates"),
		15  => __("15 minutes"),
		30  => __("30 minutes"),
		60  => __("Hourly"),
		240 => __("4 hours"),
		720 => __("12 hours"),
		1440 => __("Daily"),
		10080 => __("Weekly"));

	$update_intervals_nodefault = array(
		-1  => __("Disable updates"),
		15  => __("15 minutes"),
		30  => __("30 minutes"),
		60  => __("Hourly"),
		240 => __("4 hours"),
		720 => __("12 hours"),
		1440 => __("Daily"),
		10080 => __("Weekly"));

	$access_level_names = array(
		0 => __("User"),
		5 => __("Power User"),
		10 => __("Administrator"));

	$op = str_replace("-", "_", $op);

	$override = PluginHost::getInstance()->lookup_handler($op, $method);

	if (class_exists($op) || $override) {

		if ($override) {
			$handler = $override;
		} else {
			$handler = new $op($_REQUEST);
		}

		if ($handler && implements_interface($handler, 'IHandler')) {
			if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
				if ($handler->before($method)) {
					if ($method && method_exists($handler, $method)) {
						$handler->$method();
					} else {
						if (method_exists($handler, "catchall")) {
							$handler->catchall($method);
						}
					}
					$handler->after();
					return;
				} else {
					header("Content-Type: text/json");
					print error_json(6);
					return;
				}
			} else {
				header("Content-Type: text/json");
				print error_json(6);
				return;
			}
		}
	}

	header("Content-Type: text/json");
	print error_json(13);

?>
change short php tags to long ones 2006-08-19 07:04:45 +00:00			`<?php`
modify include path order (closes #514) 2012-12-09 09:41:22 +00:00			`set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .`
			`get_include_path());`
overall directory tree cleanup 2011-12-11 19:59:25 +00:00
disable magic quotes if needed 2007-05-19 13:47:37 +00:00			`/* remove ill effects of magic quotes */`

make sure magic quote workaround actually works 2010-09-07 09:22:10 +00:00			`if (get_magic_quotes_gpc()) {`
use better magic quotes removal fix 2010-09-04 07:59:33 +00:00			`function stripslashes_deep($value) {`
backend/view: use JSON instead of XML; backend: output session invalid error using JSON 2011-03-18 09:46:22 +00:00			`$value = is_array($value) ?`
use better magic quotes removal fix 2010-09-04 07:59:33 +00:00			`array_map('stripslashes_deep', $value) : stripslashes($value);`
			`return $value;`
			`}`

			`$_POST = array_map('stripslashes_deep', $_POST);`
			`$_GET = array_map('stripslashes_deep', $_GET);`
			`$_COOKIE = array_map('stripslashes_deep', $_COOKIE);`
			`$_REQUEST = array_map('stripslashes_deep', $_REQUEST);`
disable magic quotes if needed 2007-05-19 13:47:37 +00:00			`}`

fix sharing for not logged in users 2011-10-04 10:03:16 +00:00			`$op = $_REQUEST["op"];`
add Public_Handler misc code cleanup 2011-12-13 10:49:11 +00:00			`@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];`

experimental CSRF protection 2011-12-26 08:02:52 +00:00			`if (!$method)`
			`$method = 'index';`
			`else`
			`$method = strtolower($method);`

add Public_Handler misc code cleanup 2011-12-13 10:49:11 +00:00			`/* Public calls compatibility shim */`

			`$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",`
			`"fbexport", "logout", "pubsub");`

			`if (array_search($op, $public_calls) !== false) {`
			`header("Location: public.php?" . $_SERVER['QUERY_STRING']);`
			`return;`
			`}`
fix sharing for not logged in users 2011-10-04 10:03:16 +00:00
do not generate warning on csrf_token being unassigned 2012-01-08 19:51:47 +00:00			`@$csrf_token = $_REQUEST['csrf_token'];`
experimental CSRF protection 2011-12-26 08:02:52 +00:00
more work on singleton-based DB 2013-04-17 11:36:34 +00:00			`require_once "autoload.php";`
add Public_Handler misc code cleanup 2011-12-13 10:49:11 +00:00			`require_once "sessions.php";`
modify includes to init session before translations are applied 2013-01-04 21:28:07 +00:00			`require_once "functions.php";`
provide startup config.php value checking, report at D001 2006-03-27 16:08:51 +00:00			`require_once "config.php";`
better fatal error handling by frontend (remove error.php) 2006-03-31 05:18:55 +00:00			`require_once "db.php";`
			`require_once "db-prefs.php";`
provide startup config.php value checking, report at D001 2006-03-27 16:08:51 +00:00
config: remove ENABLE_TRANSLATIONS 2011-03-18 16:25:06 +00:00			`startup_gettext();`
no-cache fixes for safari 2007-03-02 11:34:34 +00:00
replace getmicrotime() wrapper with microtime(true) (2) 2013-02-27 18:20:14 +00:00			`$script_started = microtime(true);`
login system tweaks 2007-03-02 10:48:46 +00:00
remove $link 2013-04-17 12:23:15 +00:00			`if (!init_plugins()) return;`
implement tiny-OOP routing 2011-12-12 20:20:53 +00:00
use text/json content-type in a few more places 2013-01-12 12:02:37 +00:00			`header("Content-Type: text/json; charset=utf-8");`
automatically logout user when session expires 2005-11-19 14:46:23 +00:00
only enable ob_gzhandler if it exists 2012-03-20 10:45:43 +00:00			`if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {`
backend/viewfeed: use JSON 2011-03-18 09:55:45 +00:00			`ob_start("ob_gzhandler");`
			`}`

backend: force login on init when in single user mode 2009-10-27 12:27:09 +00:00			`if (SINGLE_USER_MODE) {`
remove $link 2013-04-17 12:23:15 +00:00			`authenticate_user( "admin", null);`
backend: force login on init when in single user mode 2009-10-27 12:27:09 +00:00			`}`

experimental support for per-user plugins (bump schema) 2012-12-24 20:45:10 +00:00			`if ($_SESSION["uid"]) {`
remove $link 2013-04-17 12:23:15 +00:00			`if (!validate_session()) {`
backend: add session validation check 2013-04-11 17:39:54 +00:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 10:02:24 +00:00			`print error_json(6);`
backend: add session validation check 2013-04-11 17:39:54 +00:00			`return;`
			`}`
remove $link 2013-04-17 12:23:15 +00:00			`load_user_plugins( $_SESSION["uid"]);`
experimental support for per-user plugins (bump schema) 2012-12-24 20:45:10 +00:00			`}`

simplify update/purge interval selection 2006-03-20 14:30:51 +00:00			`$purge_intervals = array(`
change _() to __() (use php-gettext) 2007-03-05 08:45:38 +00:00			`0 => __("Use default"),`
			`-1 => __("Never purge"),`
			`5 => __("1 week old"),`
			`14 => __("2 weeks old"),`
			`31 => __("1 month old"),`
			`60 => __("2 months old"),`
			`90 => __("3 months old"));`
simplify update/purge interval selection 2006-03-20 14:30:51 +00:00
			`$update_intervals = array(`
rework feed dialog layouts 2008-08-06 07:51:28 +00:00			`0 => __("Default interval"),`
change _() to __() (use php-gettext) 2007-03-05 08:45:38 +00:00			`-1 => __("Disable updates"),`
update intervals: use less broken english for a change 2015-07-15 13:39:16 +00:00			`15 => __("15 minutes"),`
			`30 => __("30 minutes"),`
pref-prefs: show default update interval as a dropdown 2010-01-20 10:20:20 +00:00			`60 => __("Hourly"),`
update intervals: use less broken english for a change 2015-07-15 13:39:16 +00:00			`240 => __("4 hours"),`
			`720 => __("12 hours"),`
pref-prefs: show default update interval as a dropdown 2010-01-20 10:20:20 +00:00			`1440 => __("Daily"),`
			`10080 => __("Weekly"));`

			`$update_intervals_nodefault = array(`
			`-1 => __("Disable updates"),`
update intervals: use less broken english for a change 2015-07-15 13:39:16 +00:00			`15 => __("15 minutes"),`
			`30 => __("30 minutes"),`
change _() to __() (use php-gettext) 2007-03-05 08:45:38 +00:00			`60 => __("Hourly"),`
update intervals: use less broken english for a change 2015-07-15 13:39:16 +00:00			`240 => __("4 hours"),`
			`720 => __("12 hours"),`
change _() to __() (use php-gettext) 2007-03-05 08:45:38 +00:00			`1440 => __("Daily"),`
			`10080 => __("Weekly"));`
simplify update/purge interval selection 2006-03-20 14:30:51 +00:00
user editor improved, some form parameter validation reimplemented for prototyped-forms 2006-05-20 14:26:00 +00:00			`$access_level_names = array(`
backend/view: use JSON instead of XML; backend: output session invalid error using JSON 2011-03-18 09:46:22 +00:00			`0 => __("User"),`
add new access level 5, show user's level in prefs 2008-04-04 03:46:51 +00:00			`5 => __("Power User"),`
change _() to __() (use php-gettext) 2007-03-05 08:45:38 +00:00			`10 => __("Administrator"));`
user editor improved, some form parameter validation reimplemented for prototyped-forms 2006-05-20 14:26:00 +00:00
add pref_feeds class 2011-12-13 05:29:22 +00:00			`$op = str_replace("-", "_", $op);`

make pluginhost a singleton 2013-04-18 08:27:34 +00:00			`$override = PluginHost::getInstance()->lookup_handler($op, $method);`
move update daemon code to common function, reorganize backend.php (patch from landure) 2008-01-26 05:33:59 +00:00
implement plugin routing masks, add example plugin 2012-12-23 19:05:51 +00:00			`if (class_exists($op) \|\| $override) {`

			`if ($override) {`
			`$handler = $override;`
			`} else {`
fix missing DB object when instantiated to import opml 2013-04-18 19:19:14 +00:00			`$handler = new $op($_REQUEST);`
implement plugin routing masks, add example plugin 2012-12-23 19:05:51 +00:00			`}`

			`if ($handler && implements_interface($handler, 'IHandler')) {`
experimental CSRF protection 2011-12-26 08:02:52 +00:00			`if (validate_csrf($csrf_token) \|\| $handler->csrf_ignore($method)) {`
			`if ($handler->before($method)) {`
			`if ($method && method_exists($handler, $method)) {`
			`$handler->$method();`
experimental new plugin system 2012-12-23 10:52:18 +00:00			`} else {`
			`if (method_exists($handler, "catchall")) {`
			`$handler->catchall($method);`
			`}`
experimental CSRF protection 2011-12-26 08:02:52 +00:00			`}`
			`$handler->after();`
			`return;`
login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet 2012-09-10 15:01:06 +00:00			`} else {`
use text/json content-type in a few more places 2013-01-12 12:02:37 +00:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 10:02:24 +00:00			`print error_json(6);`
login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet 2012-09-10 15:01:06 +00:00			`return;`
add tiny-OOP style backend RPC 2011-12-12 19:32:29 +00:00			`}`
experimental CSRF protection 2011-12-26 08:02:52 +00:00			`} else {`
use text/json content-type in a few more places 2013-01-12 12:02:37 +00:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 10:02:24 +00:00			`print error_json(6);`
implement tiny-OOP routing 2011-12-12 20:20:53 +00:00			`return;`
add tiny-OOP style backend RPC 2011-12-12 19:32:29 +00:00			`}`
			`}`
			`}`

use text/json content-type in a few more places 2013-01-12 12:02:37 +00:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 10:02:24 +00:00			`print error_json(13);`
add tweet button to digest, misc digest fixes; rework article tweeting to use ajax loading of needed info 2010-11-25 09:58:29 +00:00
initial mockup 2005-08-21 10:13:10 +00:00			`?>`