add UserHelper::find_user_by_login() and rewrite some user checks to invoke it instead of going through PDO

This commit is contained in:
Andrew Dolgov 2021-02-11 10:22:27 +03:00
parent 7af8744c85
commit 09e9f34bb4
7 changed files with 51 additions and 82 deletions


@ -59,35 +59,25 @@ class API extends Handler {
if (SINGLE_USER_MODE) $login = "admin"; if (SINGLE_USER_MODE) $login = "admin";
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); if ($uid = UserHelper::find_user_by_login($login)) {
$sth->execute([$login]); if (get_pref("ENABLE_API_ACCESS", $uid)) {
if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { // try login with normal password
if ($row = $sth->fetch()) { $this->wrap(self::STATUS_OK, array("session_id" => session_id(),
$uid = $row["id"]; "api_level" => self::API_LEVEL));
} else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password
$this->wrap(self::STATUS_OK, array("session_id" => session_id(),
"api_level" => self::API_LEVEL));
} else { // else we are not logged in
user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
$this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR"));
}
} else {
$this->wrap(self::STATUS_ERR, array("error" => "API_DISABLED"));
}
} else { } else {
$uid = 0;
}
if (!$uid) {
$this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR")); $this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR"));
return; return;
} }
if (get_pref("ENABLE_API_ACCESS", $uid)) {
if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { // try login with normal password
$this->wrap(self::STATUS_OK, array("session_id" => session_id(),
"api_level" => self::API_LEVEL));
} else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password
$this->wrap(self::STATUS_OK, array("session_id" => session_id(),
"api_level" => self::API_LEVEL));
} else { // else we are not logged in
user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
$this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR"));
}
} else {
$this->wrap(self::STATUS_ERR, array("error" => "API_DISABLED"));
}
} }
function logout() { function logout() {
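Review bot: The new outer `else` that answers LOGIN_ERROR for an unknown login does not log anything, while the wrong-password branch above it calls `user_error(...)`, so password guessing against non-existent or mistyped logins leaves no trace in the log. Add the same line before the wrap: `user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);`. Note also that an unauthenticated caller receives API_DISABLED for an existing user and LOGIN_ERROR for a non-existent one, which distinguishes valid from invalid logins without knowing a password; that behaviour predates this commit but the rewrite preserves it. The `login()` method begins above the hunk.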


@ -15,13 +15,14 @@ abstract class Auth_Base extends Plugin implements IAuthModule {
// Auto-creates specified user if allowed by system configuration // Auto-creates specified user if allowed by system configuration
// Can be used instead of find_user_by_login() by external auth modules // Can be used instead of find_user_by_login() by external auth modules
function auto_create_user($login, $password = false) { function auto_create_user(string $login, $password = false) {
if ($login && defined('AUTH_AUTO_CREATE') && AUTH_AUTO_CREATE) { if ($login && defined('AUTH_AUTO_CREATE') && AUTH_AUTO_CREATE) {
$user_id = $this->find_user_by_login($login); $user_id = UserHelper::find_user_by_login($login);
if (!$password) $password = make_password();
if (!$user_id) { if (!$user_id) {
if (!$password) $password = make_password();
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($password, $salt, true); $pwd_hash = encrypt_password($password, $salt, true);
@ -30,26 +31,18 @@ abstract class Auth_Base extends Plugin implements IAuthModule {
VALUES (LOWER(?), 0, null, NOW(), ?,?)"); VALUES (LOWER(?), 0, null, NOW(), ?,?)");
$sth->execute([$login, $pwd_hash, $salt]); $sth->execute([$login, $pwd_hash, $salt]);
return $this->find_user_by_login($login); return UserHelper::find_user_by_login($login);
} else { } else {
return $user_id; return $user_id;
} }
} }
return $this->find_user_by_login($login); return UserHelper::find_user_by_login($login);
} }
function find_user_by_login($login) { // @deprecated
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE function find_user_by_login(string $login) {
LOWER(login) = LOWER(?)"); return UserHelper::find_user_by_login($login);
$sth->execute([$login]);
if ($row = $sth->fetch()) {
return $row["id"];
} else {
return false;
}
} }
} }
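Review bot: The `// @deprecated` marker added above `find_user_by_login()` is a plain line comment, so IDEs and static analysers will not flag callers; put it in a docblock that names the replacement: `/** @deprecated use UserHelper::find_user_by_login() */`. Moving `if (!$password) $password = make_password();` out of the `!$user_id` block means a random password is now generated even when the user already exists and the value is discarded; presumably harmless, but it belongs inside the creation branch where it was. `auto_create_user()` also returns either a user id or `false` with no declared return type or docblock — a `@return int|false` annotation (hedged on what the driver returns for `id`) would help external auth modules that call it.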


@ -248,19 +248,15 @@ class Handler_Public extends Handler {
$login = clean($_REQUEST["login"]); $login = clean($_REQUEST["login"]);
$fresh = clean($_REQUEST["fresh"]) == "1"; $fresh = clean($_REQUEST["fresh"]) == "1";
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); $uid = UserHelper::find_user_by_login($login);
$sth->execute([$login]);
if ($row = $sth->fetch()) {
$uid = $row["id"];
if ($uid) {
print Feeds::getGlobalUnread($uid); print Feeds::getGlobalUnread($uid);
if ($fresh) { if ($fresh) {
print ";"; print ";";
print Feeds::getFeedArticles(-3, false, true, $uid); print Feeds::getFeedArticles(-3, false, true, $uid);
} }
} else { } else {
print "-1;User not found"; print "-1;User not found";
} }
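Review bot: `$login` comes straight from `$_REQUEST` and the unread counts are printed with no credential check visible in this hunk, so any unauthenticated client can both confirm whether a login exists (`-1;User not found` versus a number) and read that user's unread totals; the rewrite keeps this, and if the method has no check above the hunk it should be either gated or documented as deliberate, e.g. `// NOTE: unauthenticated endpoint — discloses account existence and unread counts for any login`. Separately, `UserHelper::find_user_by_login()` is declared with a non-nullable `string $login`, so if `clean()` can return null for a missing `login` parameter the call now throws a TypeError where the previous PDO path simply matched no row; guard with `if (!$login) { print "-1;User not found"; return; }` or make the helper accept `?string`. The enclosing method begins above the hunk.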


@ -237,22 +237,14 @@ class Pref_Users extends Handler_Protected {
if (!$login) return; // no blank usernames if (!$login) return; // no blank usernames
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE if (!UserHelper::find_user_by_login($login)) {
LOWER(login) = LOWER(?)");
$sth->execute([$login]);
if (!$sth->fetch()) {
$sth = $this->pdo->prepare("INSERT INTO ttrss_users $sth = $this->pdo->prepare("INSERT INTO ttrss_users
(login,pwd_hash,access_level,last_login,created, salt) (login,pwd_hash,access_level,last_login,created, salt)
VALUES (LOWER(?), ?, 0, null, NOW(), ?)"); VALUES (LOWER(?), ?, 0, null, NOW(), ?)");
$sth->execute([$login, $pwd_hash, $salt]); $sth->execute([$login, $pwd_hash, $salt]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE if ($new_uid = UserHelper::find_user_by_login($login)) {
LOWER(login) = LOWER(?) AND pwd_hash = ?");
$sth->execute([$login, $pwd_hash]);
if ($row = $sth->fetch()) {
$new_uid = $row['id']; $new_uid = $row['id'];
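Review bot: As rendered here, the unchanged context line `$new_uid = $row['id'];` survives inside the new `if ($new_uid = UserHelper::find_user_by_login($login)) {` block, but `$row` is no longer assigned anywhere on the new side (the `$sth->fetch()` that produced it was removed), so this line overwrites the freshly found id with null (plus an undefined-variable notice) before the user is initialised; delete it. The replacement lookup also dropped the old `AND pwd_hash = ?` condition, so if the INSERT fails while a same-login row already exists the code proceeds with the existing user's id instead of reporting an error — consider checking `$sth->rowCount() === 1` (or catching the PDOException) before the lookup. The enclosing method continues past the end of the hunk.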


@ -1,8 +1,7 @@
<?php <?php
class UserHelper { class UserHelper {
static function authenticate($login, $password, $check_only = false, $service = false) { static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) {
if (!SINGLE_USER_MODE) { if (!SINGLE_USER_MODE) {
$user_id = false; $user_id = false;
$auth_module = false; $auth_module = false;
@ -71,7 +70,7 @@ class UserHelper {
} }
} }
static function load_user_plugins($owner_uid, $pluginhost = false) { static function load_user_plugins(int $owner_uid, PluginHost $pluginhost = null) {
if (!$pluginhost) $pluginhost = PluginHost::getInstance(); if (!$pluginhost) $pluginhost = PluginHost::getInstance();
@ -145,4 +144,17 @@ class UserHelper {
} }
} }
static function find_user_by_login(string $login) {
$pdo = Db::pdo();
$sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE
LOWER(login) = LOWER(?)");
$sth->execute([$login]);
if ($row = $sth->fetch()) {
return $row["id"];
}
return false;
}
} }
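Review bot: `find_user_by_login(string $login)` has no docblock and no declared return type, and because `string` here is non-nullable a caller that passes a null login (several of the rewritten call sites pass `clean($_REQUEST['login'])`) now gets a TypeError where the previous inline PDO code simply matched no row. Accept `?string $login`, return `false` early on an empty value, and document the contract: `/** Case-insensitive lookup of a user by login. @return int|false the user id, or false when no such user exists */`. The `id` column is read with `$sth->fetch()` and returned untouched, so depending on PDO driver settings it may be a numeric string rather than an int — worth an explicit `(int)` cast if callers rely on `int`, which the new `load_user_plugins(int $owner_uid, ...)` signature above suggests they do.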


@ -73,12 +73,8 @@
if ($action == "check") { if ($action == "check") {
header("Content-Type: application/xml"); header("Content-Type: application/xml");
$login = trim(db_escape_string( $_REQUEST['login'])); $login = clean($_REQUEST['login']);
$is_registered = UserHelper::find_user_by_login($login);
$result = db_query( "SELECT id FROM ttrss_users WHERE
LOWER(login) = LOWER('$login')");
$is_registered = db_num_rows($result) > 0;
print "<result>"; print "<result>";
@ -258,10 +254,7 @@
if ($test == "four" || $test == "4") { if ($test == "four" || $test == "4") {
$result = db_query( "SELECT id FROM ttrss_users WHERE $is_registered = UserHelper::find_user_by_login($login);
login = '$login'");
$is_registered = db_num_rows($result) > 0;
if ($is_registered) { if ($is_registered) {
print_error(__('Sorry, this username is already taken.')); print_error(__('Sorry, this username is already taken.'));
@ -279,18 +272,14 @@
(login,pwd_hash,access_level,last_login, email, created, salt) (login,pwd_hash,access_level,last_login, email, created, salt)
VALUES (LOWER('$login'), '$pwd_hash', 0, null, '$email', NOW(), '$salt')"); VALUES (LOWER('$login'), '$pwd_hash', 0, null, '$email', NOW(), '$salt')");
$result = db_query( "SELECT id FROM ttrss_users WHERE $new_uid = UserHelper::find_user_by_login($login);
login = '$login' AND pwd_hash = '$pwd_hash'");
if (db_num_rows($result) != 1) { if (!$new_uid) {
print_error(__('Registration failed.')); print_error(__('Registration failed.'));
print "<p><form method=\"GET\" action=\"index.php\"> print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\"> <input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>"; </form>";
} else { } else {
$new_uid = db_fetch_result($result, 0, "id");
Pref_Users::initialize_user($new_uid); Pref_Users::initialize_user($new_uid);
$reg_text = "Hi!\n". $reg_text = "Hi!\n".
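Review bot: The new `$new_uid = UserHelper::find_user_by_login($login);` after the INSERT no longer carries the old `AND pwd_hash = '$pwd_hash'` condition, so the post-insert check only verifies that some user with that login exists: if the INSERT failed because a same-login row appeared between the `four` test and the insert, the code now calls `Pref_Users::initialize_user()` on that other account and sends the registration mail instead of printing 'Registration failed.'. Check the insert itself (the return value of `db_query()` or the affected-row count) before the lookup, or restore the hash match. While the lookups were moved to prepared statements, the INSERT on the two context lines at the top of this hunk still interpolates `$login`, `$email`, `$pwd_hash` and `$salt` into SQL through `db_query()`; the escaping presumably happens above the hunk, but converting it to `Db::pdo()->prepare()` with bound parameters would remove that dependence.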


@ -502,13 +502,10 @@
Debug::log("Exporting feeds of user $user to $filename as OPML..."); Debug::log("Exporting feeds of user $user to $filename as OPML...");
$sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); if ($owner_uid = UserHelper::find_user_by_login($user)) {
$sth->execute([$user]);
if ($res = $sth->fetch()) {
$opml = new OPML(""); $opml = new OPML("");
$rc = $opml->opml_export($filename, $res["id"], false, true, true); $rc = $opml->opml_export($filename, $owner_uid, false, true, true);
Debug::log($rc ? "Success." : "Failed."); Debug::log($rc ? "Success." : "Failed.");
} else { } else {