replace old-style published feed with universal secretkey-based approach used for all feeds; do not allow user/pass handling in generated feed urls; bump schema

This commit is contained in:
Andrew Dolgov 2010-11-08 13:11:56 +03:00
parent 811bea0522
commit 8801fb017c
12 changed files with 226 additions and 137 deletions

View File

@ -466,31 +466,10 @@
module_pref_feed_browser($link);
break; // pref-feed-browser
case "publish":
$key = db_escape_string($_REQUEST["key"]);
$limit = (int)db_escape_string($_REQUEST["limit"]);
$result = db_query($link, "SELECT login, owner_uid
FROM ttrss_user_prefs, ttrss_users WHERE
pref_name = '_PREFS_PUBLISH_KEY' AND
value = '$key' AND
ttrss_users.id = owner_uid");
if (db_num_rows($result) == 1) {
$owner = db_fetch_result($result, 0, "owner_uid");
$login = db_fetch_result($result, 0, "login");
generate_syndicated_feed($link, $owner, -2, false, $limit);
} else {
print "<error>User not found</error>";
}
break; // publish
case "rss":
$feed = db_escape_string($_REQUEST["id"]);
$user = db_escape_string($_REQUEST["user"]);
$pass = db_escape_string($_REQUEST["pass"]);
$key = db_escape_string($_REQUEST["key"]);
$is_cat = $_REQUEST["is_cat"] != false;
$limit = (int)db_escape_string($_REQUEST["limit"]);
@ -503,8 +482,13 @@
authenticate_user($link, "admin", null);
}
if (!$_SESSION["uid"] && $user && $pass) {
authenticate_user($link, $user, $pass);
if ($key && !$_SESSION["uid"]) {
$result = db_query($link, "SELECT owner_uid FROM
ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'");
if (db_num_rows($result) == 1)
$_SESSION["uid"] = db_fetch_result($result, 0, "owner_uid");
}
if ($_SESSION["uid"] || http_authenticate_user($link)) {

View File

@ -2216,3 +2216,48 @@ function quickAddCat(select) {
exception_error("quickAddCat", e);
}
}
function genUrlChangeKey(feed, is_cat) {
try {
var ok = confirm(__("Generate new syndication address for this feed?"));
if (ok) {
notify_progress("Trying to change address...", true);
var query = "?op=rpc&subop=regenFeedKey&id=" + param_escape(feed) +
"&is_cat=" + param_escape(is_cat);
new Ajax.Request("backend.php", {
parameters: query,
onComplete: function(transport) {
var new_link = transport.responseXML.getElementsByTagName("link")[0];
var e = $('gen_feed_url');
if (new_link) {
new_link = new_link.firstChild.nodeValue;
e.innerHTML = e.innerHTML.replace(/\&amp;key=.*$/,
"&amp;key=" + new_link);
e.href = e.href.replace(/\&amp;key=.*$/,
"&amp;key=" + new_link);
new Effect.Highlight(e);
notify('');
} else {
notify_error("Could not change feed URL.");
}
} });
}
} catch (e) {
exception_error("genUrlChangeKey", e);
}
return false;
}

View File

@ -4203,12 +4203,19 @@
$search_q = "";
}
$rss_link = "backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q";
$rss_link = htmlspecialchars(get_self_url_prefix() .
"/backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q");
#print "
# <a target=\"_blank\"
# title=\"".__("View as RSS feed")."\"
# href=\"$rss_link\">
# <img class=\"noborder\" src=\"images/feed-icon-12x12.png\"></a>";
print "
<a target=\"_blank\"
<a href=\"#\"
title=\"".__("View as RSS feed")."\"
href=\"$rss_link\">
onclick=\"displayDlg('generatedFeed', '$feed_id:$is_cat:$rss_link')\">
<img class=\"noborder\" src=\"images/feed-icon-12x12.png\"></a>";
print "</div>";
@ -5110,9 +5117,9 @@
$vgroup_last_feed = $vgr_last_feed;
if ($feed == -2) {
/* if ($feed == -2) {
$feed_site_url = article_publish_url($link);
}
} */
/// STOP //////////////////////////////////////////////////////////////////////////////////
@ -5730,15 +5737,10 @@
return $tag;
}
function generate_publish_key() {
return sha1(uniqid(rand(), true));
}
function article_publish_url($link) {
function get_self_url_prefix() {
$url_path = "";
if ($_SERVER['HTTPS'] != "on") {
$url_path = "http://";
} else {
@ -5746,22 +5748,13 @@
}
$url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_path .= "/backend.php?op=publish&key=" .
get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]);
return $url_path;
}
function opml_publish_url($link){
$url_path = "";
if ($_SERVER['HTTPS'] != "on") {
$url_path = "http://";
} else {
$url_path = "https://";
}
$url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_path = get_self_url_prefix();
$url_path .= "/opml.php?op=publish&key=" .
get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]);
@ -6368,6 +6361,13 @@
if (db_affected_rows($link, $result) != 0 && $caption) {
/* Remove access key for the label */
$ext_id = -11 - $id;
db_query($link, "DELETE FROM ttrss_access_keys WHERE
feed_id = '$ext_id' AND owner_uid = $owner_uid");
/* Disable filters that reference label being removed */
db_query($link, "UPDATE ttrss_filters SET
@ -6559,6 +6559,11 @@
orig_feed_id = '$id' WHERE feed_id = '$id' AND
marked = true AND owner_uid = $owner_uid");
/* Remove access key for the feed */
db_query($link, "DELETE FROM ttrss_access_keys WHERE
feed_id = '$id' AND owner_uid = $owner_uid");
/* remove the feed */
db_query($link, "DELETE FROM ttrss_feeds
@ -6899,4 +6904,51 @@
if (!in_array($email, $_SESSION['stored_emails']))
array_push($_SESSION['stored_emails'], $email);
}
function update_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) {
if (!$owner_uid) $owner_uid = $_SESSION["uid"];
$sql_is_cat = bool_to_sql_bool($is_cat);
$result = db_query($link, "SELECT access_key FROM ttrss_access_keys
WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
AND owner_uid = " . $owner_uid);
if (db_num_rows($result) == 1) {
$key = db_escape_string(sha1(uniqid(rand(), true)));
db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key'
WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
AND owner_uid = " . $owner_uid);
return $key;
} else {
return get_feed_access_key($link, $feed_id, $is_cat, $owner_uid);
}
}
function get_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) {
if (!$owner_uid) $owner_uid = $_SESSION["uid"];
$sql_is_cat = bool_to_sql_bool($is_cat);
$result = db_query($link, "SELECT access_key FROM ttrss_access_keys
WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat
AND owner_uid = " . $owner_uid);
if (db_num_rows($result) == 1) {
return db_fetch_result($result, 0, "access_key");
} else {
$key = db_escape_string(sha1(uniqid(rand(), true)));
$result = db_query($link, "INSERT INTO ttrss_access_keys
(access_key, feed_id, is_cat, owner_uid)
VALUES ('$key', '$feed_id', $sql_is_cat, '$owner_uid')");
return $key;
}
return false;
}
?>

View File

@ -464,25 +464,11 @@
return;
}
if ($subop == "regenPubKey") {
print "<rpc-reply>";
set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]);
$new_link = article_publish_url($link);
print "<link><![CDATA[$new_link]]></link>";
print "</rpc-reply>";
return;
}
if ($subop == "regenOPMLKey") {
print "<rpc-reply>";
set_pref($link, " _PREFS_OPML_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]);
set_pref($link, " _PREFS_OPML_PUBLISH_KEY",
sha1(uniqid(rand(), true)), $_SESSION["uid"]);
$new_link = opml_publish_url($link);
print "<link><![CDATA[$new_link]]></link>";
print "</rpc-reply>";
@ -1119,6 +1105,21 @@
return;
}
if ($subop == "regenFeedKey") {
$feed_id = db_escape_string($_REQUEST['id']);
$is_cat = (bool) db_escape_string($_REQUEST['is_cat']);
print "<rpc-reply>";
$new_key = update_feed_access_key($link, $feed_id, $is_cat);
print "<link><![CDATA[$new_key]]></link>";
print "</rpc-reply>";
return;
}
print "<rpc-reply><error>Unknown method: $subop</error></rpc-reply>";
}
?>

View File

@ -158,33 +158,6 @@
return;
}
if ($id == "pubUrl") {
print "<div id=\"infoBoxTitle\">".__('Published Articles')."</div>";
print "<div class=\"infoBoxContents\">";
$url_path = article_publish_url($link);
print __("Your Published articles feed URL is:");
print "<div class=\"tagCloudContainer\">";
print "<a id='pub_feed_url' href='$url_path' target='_blank'>$url_path</a>";
print "</div>";
print "<div align='center'>";
print "<button onclick=\"return pubRegenKey()\">".
__('Generate new URL')."</button> ";
print "<input class=\"button\"
type=\"submit\" onclick=\"return closeInfoBox()\"
value=\"".__('Close this window')."\">";
print "</div></div>";
return;
}
if ($id == "pubOPMLUrl") {
print "<div id=\"infoBoxTitle\">".__('Public OPML URL')."</div>";
@ -777,6 +750,39 @@
return;
}
if ($id == "generatedFeed") {
print "<div id=\"infoBoxTitle\">".__('View as RSS')."</div>";
print "<div class=\"infoBoxContents\">";
$params = explode(":", $param, 3);
$feed_id = db_escape_string($params[0]);
$is_cat = (bool) $params[1];
$key = get_feed_access_key($link, $feed_id, $is_cat);
$url_path = htmlspecialchars($params[2]) . "&key=" . $key;
print __("You can view this feed as RSS using the following URL:");
print "<div class=\"tagCloudContainer\">";
print "<a id='gen_feed_url' href='$url_path' target='_blank'>$url_path</a>";
print "</div>";
print "<div align='center'>";
print "<button onclick=\"return genUrlChangeKey('$feed_id', '$is_cat')\">".
__('Generate new URL')."</button> ";
print "<input class=\"button\"
type=\"submit\" onclick=\"return closeInfoBox()\"
value=\"".__('Close this window')."\">";
print "</div></div>";
return;
}
print "<div id='infoBoxTitle'>Internal Error</div>
<div id='infoBoxContents'>
<p>Unknown dialog <b>$id</b></p>

View File

@ -1447,7 +1447,8 @@
__('Export OPML')."</button>";
if (!get_pref($link, "_PREFS_OPML_PUBLISH_KEY")){
set_pref($link, "_PREFS_OPML_PUBLISH_KEY", generate_publish_key());
set_pref($link, "_PREFS_OPML_PUBLISH_KEY",
sha1(uniqid(rand(), true)));
}
print "<p>".__('Your OPML can be published publicly and can be subscribed by anyone who knows the URL below.');
@ -1489,13 +1490,12 @@
print "<h3>".__("Published articles")."</h3>";
if (!get_pref($link, "_PREFS_PUBLISH_KEY")) {
set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key());
}
print "<p>".__('Published articles are exported as a public RSS feed and can be subscribed by anyone who knows the URL specified below.')."</p>";
print "<button onclick=\"return displayDlg('pubUrl')\">".
$rss_url = '-2::' . htmlspecialchars(get_self_url_prefix() .
"/backend.php?op=rss&id=-2&view-mode=all_articles");;
print "<button onclick=\"return displayDlg('generatedFeed', '$rss_url')\">".
__('Display URL')."</button> ";

View File

@ -1569,43 +1569,6 @@ function feedlistToggleSLAT() {
updateFeedList()
}
function pubRegenKey() {
try {
var ok = confirm(__("Replace current publishing address with a new one?"));
if (ok) {
notify_progress("Trying to change address...", true);
var query = "?op=rpc&subop=regenPubKey";
new Ajax.Request("backend.php", {
parameters: query,
onComplete: function(transport) {
var new_link = transport.responseXML.getElementsByTagName("link")[0];
var e = $('pub_feed_url');
if (new_link) {
e.href = new_link.firstChild.nodeValue;
e.innerHTML = new_link.firstChild.nodeValue;
new Effect.Highlight(e);
notify('');
} else {
notify_error("Could not change feed URL.");
}
} });
}
} catch (e) {
exception_error("pubRegenKey", e);
}
return false;
}
function opmlRegenKey() {
try {

View File

@ -2,7 +2,7 @@
require_once "functions.php";
define('EXPECTED_CONFIG_VERSION', 19);
define('SCHEMA_VERSION', 68);
define('SCHEMA_VERSION', 69);
if (!file_exists("config.php")) {
print "<b>Fatal Error</b>: You forgot to copy

View File

@ -1,6 +1,7 @@
SET NAMES utf8;
SET CHARACTER SET utf8;
drop table if exists ttrss_access_keys;
drop table if exists ttrss_user_labels2;
drop table if exists ttrss_labels2;
drop table if exists ttrss_feedbrowser_cache;
@ -241,7 +242,7 @@ create table ttrss_tags (id integer primary key auto_increment,
create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8;
insert into ttrss_version values (68);
insert into ttrss_version values (69);
create table ttrss_enclosures (id integer primary key auto_increment,
content_url text not null,
@ -446,4 +447,11 @@ create table ttrss_user_labels2 (label_id integer not null,
foreign key (article_id) references ttrss_entries(id) ON DELETE CASCADE
) TYPE=InnoDB DEFAULT CHARSET=UTF8;
create table ttrss_access_keys (id serial not null primary key,
access_key varchar(250) not null,
feed_id varchar(250) not null,
is_cat bool not null default false,
owner_uid integer not null,
foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8;
commit;

View File

@ -1,3 +1,4 @@
drop table ttrss_access_keys;
drop table ttrss_user_labels2;
drop table ttrss_labels2;
drop table ttrss_feedbrowser_cache;
@ -213,7 +214,7 @@ create index ttrss_tags_owner_uid_index on ttrss_tags(owner_uid);
create table ttrss_version (schema_version int not null);
insert into ttrss_version values (68);
insert into ttrss_version values (69);
create table ttrss_enclosures (id serial not null primary key,
content_url text not null,
@ -405,4 +406,10 @@ create table ttrss_user_labels2 (
article_id integer not null references ttrss_entries(id) ON DELETE CASCADE
);
create table ttrss_access_keys (id serial not null primary key,
access_key varchar(250) not null,
feed_id varchar(250) not null,
is_cat boolean not null default false,
owner_uid integer not null references ttrss_users(id) on delete cascade);
commit;

View File

@ -0,0 +1,12 @@
begin;
create table ttrss_access_keys (id serial not null primary key,
access_key varchar(250) not null,
feed_id varchar(250) not null,
is_cat bool not null default false,
owner_uid integer not null,
foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8;
update ttrss_version set schema_version = 69;
commit;

View File

@ -0,0 +1,11 @@
begin;
create table ttrss_access_keys (id serial not null primary key,
access_key varchar(250) not null,
feed_id varchar(250) not null,
is_cat bool not null default false,
owner_uid integer not null references ttrss_users(id) on delete cascade);
update ttrss_version set schema_version = 69;
commit;