replace old-style published feed with universal secretkey-based approach used for all feeds; do not allow user/pass handling in generated feed urls; bump schema

backend.php

@@ -466,31 +466,10 @@
 			module_pref_feed_browser($link);
 		break; // pref-feed-browser
 
-		case "publish":
-			$key = db_escape_string($_REQUEST["key"]);
-			$limit = (int)db_escape_string($_REQUEST["limit"]);
-
-			$result = db_query($link, "SELECT login, owner_uid 
-				FROM ttrss_user_prefs, ttrss_users WHERE
-				pref_name = '_PREFS_PUBLISH_KEY' AND 
-				value = '$key' AND 
-				ttrss_users.id = owner_uid");
-
-			if (db_num_rows($result) == 1) {
-				$owner = db_fetch_result($result, 0, "owner_uid");
-				$login = db_fetch_result($result, 0, "login");
-
-				generate_syndicated_feed($link, $owner, -2, false, $limit);
-
-			} else {
-				print "<error>User not found</error>";
-			}
-		break; // publish
-
 		case "rss":
 			$feed = db_escape_string($_REQUEST["id"]);
 			$user = db_escape_string($_REQUEST["user"]);
-			$pass = db_escape_string($_REQUEST["pass"]);
+			$key = db_escape_string($_REQUEST["key"]);
 			$is_cat = $_REQUEST["is_cat"] != false;
 			$limit = (int)db_escape_string($_REQUEST["limit"]);
 
@@ -503,8 +482,13 @@
 				authenticate_user($link, "admin", null);
 			}
 
-			if (!$_SESSION["uid"] && $user && $pass) {
-				authenticate_user($link, $user, $pass);
+			if ($key && !$_SESSION["uid"]) {
+				$result = db_query($link, "SELECT owner_uid FROM
+					ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'");
+
+				if (db_num_rows($result) == 1)
+					$_SESSION["uid"] = db_fetch_result($result, 0, "owner_uid");
+
 			}
 
 			if ($_SESSION["uid"] || http_authenticate_user($link)) {

functions.js

@@ -2216,3 +2216,48 @@ function quickAddCat(select) {
 		exception_error("quickAddCat", e);
 	}
 }
+
+function genUrlChangeKey(feed, is_cat) {
+
+	try {
+		var ok = confirm(__("Generate new syndication address for this feed?"));
+	
+		if (ok) {
+	
+			notify_progress("Trying to change address...", true);
+	
+			var query = "?op=rpc&subop=regenFeedKey&id=" + param_escape(feed) + 
+				"&is_cat=" + param_escape(is_cat);
+
+			new Ajax.Request("backend.php", {
+				parameters: query,
+				onComplete: function(transport) {
+						var new_link = transport.responseXML.getElementsByTagName("link")[0];
+	
+						var e = $('gen_feed_url');
+	
+						if (new_link) {
+							
+							new_link = new_link.firstChild.nodeValue;
+
+							e.innerHTML = e.innerHTML.replace(/\&key=.*$/, 
+								"&key=" + new_link);
+
+							e.href = e.href.replace(/\&key=.*$/,
+								"&key=" + new_link);
+
+							new Effect.Highlight(e);
+
+							notify('');
+	
+						} else {
+							notify_error("Could not change feed URL.");
+						}
+				} });
+		}
+	} catch (e) {
+		exception_error("genUrlChangeKey", e);
+	}
+	return false;
+}
+

functions.php

@@ -4203,12 +4203,19 @@
 				$search_q = "";
 			}
 
-			$rss_link = "backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q";
+			$rss_link = htmlspecialchars(get_self_url_prefix() . 
+				"/backend.php?op=rss&id=$feed_id&is_cat=$is_cat&view-mode=$view_mode$search_q");
+
+			#print "
+			#	<a target=\"_blank\"
+			#		title=\"".__("View as RSS feed")."\"
+			#		href=\"$rss_link\">
+			#		<img class=\"noborder\" src=\"images/feed-icon-12x12.png\"></a>";
 
 			print "
-				<a target=\"_blank\"
+				<a href=\"#\"
 					title=\"".__("View as RSS feed")."\"
-					href=\"$rss_link\">
+					onclick=\"displayDlg('generatedFeed', '$feed_id:$is_cat:$rss_link')\">
 					<img class=\"noborder\" src=\"images/feed-icon-12x12.png\"></a>";
 
 			print "</div>";
@@ -5110,9 +5117,9 @@
 
 		$vgroup_last_feed = $vgr_last_feed;
 
-		if ($feed == -2) {
+/*		if ($feed == -2) {
 			$feed_site_url = article_publish_url($link);
-		}
+		} */
 
 		/// STOP //////////////////////////////////////////////////////////////////////////////////
 
@@ -5730,15 +5737,10 @@
 		return $tag;
 	}
 
-	function generate_publish_key() {
-		return sha1(uniqid(rand(), true));
-	}
-
-	function article_publish_url($link) {
+	function get_self_url_prefix() {
 
 		$url_path = "";
 	
-
 		if ($_SERVER['HTTPS'] != "on") {
 			$url_path = "http://";
 		} else {
@@ -5746,22 +5748,13 @@
 		}
 
 		$url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
-		$url_path .= "/backend.php?op=publish&key=" . 
-			get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]);
 
 		return $url_path;
+
 	}
-        function opml_publish_url($link){
-		$url_path = "";
+	function opml_publish_url($link){
 
-
-		if ($_SERVER['HTTPS'] != "on") {
-			$url_path = "http://";
-		} else {
-			$url_path = "https://";
-		}
-
-		$url_path .= $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
+		$url_path = get_self_url_prefix();
 		$url_path .= "/opml.php?op=publish&key=" . 
 			get_pref($link, "_PREFS_PUBLISH_KEY", $_SESSION["uid"]);
 
@@ -6368,6 +6361,13 @@
 
 		if (db_affected_rows($link, $result) != 0 && $caption) {
 
+			/* Remove access key for the label */
+
+			$ext_id = -11 - $id;
+
+			db_query($link, "DELETE FROM ttrss_access_keys WHERE
+				feed_id = '$ext_id' AND owner_uid = $owner_uid");
+
 			/* Disable filters that reference label being removed */
 	
 			db_query($link, "UPDATE ttrss_filters SET
@@ -6559,6 +6559,11 @@
 				orig_feed_id = '$id' WHERE feed_id = '$id' AND 
 					marked = true AND owner_uid = $owner_uid");
 
+			/* Remove access key for the feed */
+
+			db_query($link, "DELETE FROM ttrss_access_keys WHERE
+				feed_id = '$id' AND owner_uid = $owner_uid");
+
 			/* remove the feed */
 
 			db_query($link, "DELETE FROM ttrss_feeds 
@@ -6899,4 +6904,51 @@
 		if (!in_array($email, $_SESSION['stored_emails']))
 			array_push($_SESSION['stored_emails'], $email);
 	}
+
+	function update_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) {
+		if (!$owner_uid) $owner_uid = $_SESSION["uid"];
+
+		$sql_is_cat = bool_to_sql_bool($is_cat);
+
+		$result = db_query($link, "SELECT access_key FROM ttrss_access_keys 
+			WHERE feed_id = '$feed_id'	AND is_cat = $sql_is_cat 
+			AND owner_uid = " . $owner_uid);
+
+		if (db_num_rows($result) == 1) {
+			$key = db_escape_string(sha1(uniqid(rand(), true)));
+
+			db_query($link, "UPDATE ttrss_access_keys SET access_key = '$key'
+				WHERE feed_id = '$feed_id' AND is_cat = $sql_is_cat 
+				AND owner_uid = " . $owner_uid);
+
+			return $key;
+
+		} else {
+			return get_feed_access_key($link, $feed_id, $is_cat, $owner_uid);
+		}
+	}
+
+	function get_feed_access_key($link, $feed_id, $is_cat, $owner_uid = false) {
+
+		if (!$owner_uid) $owner_uid = $_SESSION["uid"];
+
+		$sql_is_cat = bool_to_sql_bool($is_cat);
+
+		$result = db_query($link, "SELECT access_key FROM ttrss_access_keys 
+			WHERE feed_id = '$feed_id'	AND is_cat = $sql_is_cat 
+			AND owner_uid = " . $owner_uid);
+
+		if (db_num_rows($result) == 1) {
+			return db_fetch_result($result, 0, "access_key");
+		} else {
+			$key = db_escape_string(sha1(uniqid(rand(), true)));
+
+			$result = db_query($link, "INSERT INTO ttrss_access_keys 
+				(access_key, feed_id, is_cat, owner_uid)
+				VALUES ('$key', '$feed_id', $sql_is_cat, '$owner_uid')");
+
+			return $key;
+		}
+		return false;
+	}
 ?>

modules/backend-rpc.php

@@ -464,25 +464,11 @@
 			return;
 		}
 
-		if ($subop == "regenPubKey") {
-
-			print "<rpc-reply>";
-
-			set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]);
-
-			$new_link = article_publish_url($link);		
-
-			print "<link><![CDATA[$new_link]]></link>";
-
-			print "</rpc-reply>";
-
-			return;
-		}
-
 		if ($subop == "regenOPMLKey") {
 
 			print "<rpc-reply>";
-			set_pref($link, " _PREFS_OPML_PUBLISH_KEY", generate_publish_key(), $_SESSION["uid"]);
+			set_pref($link, " _PREFS_OPML_PUBLISH_KEY", 
+				sha1(uniqid(rand(), true)), $_SESSION["uid"]);
 			$new_link = opml_publish_url($link);		
 			print "<link><![CDATA[$new_link]]></link>";
 			print "</rpc-reply>";
@@ -1119,6 +1105,21 @@
 			return;
 		}
 
+		if ($subop == "regenFeedKey") {
+			$feed_id = db_escape_string($_REQUEST['id']);
+			$is_cat = (bool) db_escape_string($_REQUEST['is_cat']);
+
+			print "<rpc-reply>";
+
+			$new_key = update_feed_access_key($link, $feed_id, $is_cat);
+
+			print "<link><![CDATA[$new_key]]></link>";
+
+			print "</rpc-reply>";
+
+			return;
+		}
+
 		print "<rpc-reply><error>Unknown method: $subop</error></rpc-reply>";
 	}
 ?>

modules/popup-dialog.php

@@ -158,33 +158,6 @@
 			return;
 		}
 
-		if ($id == "pubUrl") {
-
-			print "<div id=\"infoBoxTitle\">".__('Published Articles')."</div>";
-			print "<div class=\"infoBoxContents\">";
-	
-			$url_path = article_publish_url($link);
-
-			print __("Your Published articles feed URL is:");
-
-			print "<div class=\"tagCloudContainer\">";
-			print "<a id='pub_feed_url' href='$url_path' target='_blank'>$url_path</a>";
-			print "</div>";
-
-			print "<div align='center'>";
-
-			print "<button onclick=\"return pubRegenKey()\">".
-				__('Generate new URL')."</button> ";
-
-			print "<input class=\"button\"
-				type=\"submit\" onclick=\"return closeInfoBox()\" 
-				value=\"".__('Close this window')."\">";
-
-			print "</div></div>";
-
-			return;
-		}
-
 		if ($id == "pubOPMLUrl") {
 
 			print "<div id=\"infoBoxTitle\">".__('Public OPML URL')."</div>";
@@ -777,6 +750,39 @@
 			return;
 		}
 
+		if ($id == "generatedFeed") {
+
+			print "<div id=\"infoBoxTitle\">".__('View as RSS')."</div>";
+			print "<div class=\"infoBoxContents\">";
+	
+			$params = explode(":", $param, 3);
+			$feed_id = db_escape_string($params[0]);
+			$is_cat = (bool) $params[1];
+
+			$key = get_feed_access_key($link, $feed_id, $is_cat);
+
+			$url_path = htmlspecialchars($params[2]) . "&key=" . $key;
+
+			print __("You can view this feed as RSS using the following URL:");
+
+			print "<div class=\"tagCloudContainer\">";
+			print "<a id='gen_feed_url' href='$url_path' target='_blank'>$url_path</a>";
+			print "</div>";
+
+			print "<div align='center'>";
+
+			print "<button onclick=\"return genUrlChangeKey('$feed_id', '$is_cat')\">".
+				__('Generate new URL')."</button> ";
+
+			print "<input class=\"button\"
+				type=\"submit\" onclick=\"return closeInfoBox()\" 
+				value=\"".__('Close this window')."\">";
+
+			print "</div></div>";
+
+			return;
+		}
+
 		print "<div id='infoBoxTitle'>Internal Error</div>
 			<div id='infoBoxContents'>
 			<p>Unknown dialog <b>$id</b></p>

modules/pref-feeds.php

@@ -1447,7 +1447,8 @@
 			__('Export OPML')."</button>";
 
 		if (!get_pref($link, "_PREFS_OPML_PUBLISH_KEY")){
-			set_pref($link, "_PREFS_OPML_PUBLISH_KEY", generate_publish_key());
+			set_pref($link, "_PREFS_OPML_PUBLISH_KEY", 
+				sha1(uniqid(rand(), true)));
 		}
 
 		print "<p>".__('Your OPML can be published publicly and can be subscribed by anyone who knows the URL below.');
@@ -1489,13 +1490,12 @@
 
 		print "<h3>".__("Published articles")."</h3>";
 
-		if (!get_pref($link, "_PREFS_PUBLISH_KEY")) {
-			set_pref($link, "_PREFS_PUBLISH_KEY", generate_publish_key());
-		}
-		
 		print "<p>".__('Published articles are exported as a public RSS feed and can be subscribed by anyone who knows the URL specified below.')."</p>";
 
-		print "<button onclick=\"return displayDlg('pubUrl')\">".
+		$rss_url = '-2::' . htmlspecialchars(get_self_url_prefix() . 
+				"/backend.php?op=rss&id=-2&view-mode=all_articles");;
+
+		print "<button onclick=\"return displayDlg('generatedFeed', '$rss_url')\">".
 			__('Display URL')."</button> ";
                
 

prefs.js

@@ -1569,43 +1569,6 @@ function feedlistToggleSLAT() {
 	updateFeedList()
 }
 
-function pubRegenKey() {
-
-	try {
-		var ok = confirm(__("Replace current publishing address with a new one?"));
-	
-		if (ok) {
-	
-			notify_progress("Trying to change address...", true);
-	
-			var query = "?op=rpc&subop=regenPubKey";
-	
-			new Ajax.Request("backend.php", {
-				parameters: query,
-				onComplete: function(transport) {
-						var new_link = transport.responseXML.getElementsByTagName("link")[0];
-	
-						var e = $('pub_feed_url');
-	
-						if (new_link) {
-							e.href = new_link.firstChild.nodeValue;
-							e.innerHTML = new_link.firstChild.nodeValue;
-	
-							new Effect.Highlight(e);
-
-							notify('');
-	
-						} else {
-							notify_error("Could not change feed URL.");
-						}
-				} });
-		}
-	} catch (e) {
-		exception_error("pubRegenKey", e);
-	}
-	return false;
-}
-
 function opmlRegenKey() {
 
 	try {

sanity_check.php

@@ -2,7 +2,7 @@
 	require_once "functions.php";
 
 	define('EXPECTED_CONFIG_VERSION', 19);
-	define('SCHEMA_VERSION', 68);
+	define('SCHEMA_VERSION', 69);
 
 	if (!file_exists("config.php")) {
 		print "<b>Fatal Error</b>: You forgot to copy 

schema/ttrss_schema_mysql.sql

@@ -1,6 +1,7 @@
 SET NAMES utf8;
 SET CHARACTER SET utf8;
 
+drop table if exists ttrss_access_keys;
 drop table if exists ttrss_user_labels2;
 drop table if exists ttrss_labels2;
 drop table if exists ttrss_feedbrowser_cache;
@@ -241,7 +242,7 @@ create table ttrss_tags (id integer primary key auto_increment,
 
 create table ttrss_version (schema_version int not null) TYPE=InnoDB DEFAULT CHARSET=UTF8;
 
-insert into ttrss_version values (68);
+insert into ttrss_version values (69);
 
 create table ttrss_enclosures (id integer primary key auto_increment,
 	content_url text not null,
@@ -446,4 +447,11 @@ create table ttrss_user_labels2 (label_id integer not null,
 	foreign key (article_id) references ttrss_entries(id) ON DELETE CASCADE
 ) TYPE=InnoDB DEFAULT CHARSET=UTF8;
 
+create table ttrss_access_keys (id serial not null primary key,
+	access_key varchar(250) not null,
+	feed_id varchar(250) not null,
+	is_cat bool not null default false,
+	owner_uid integer not null,
+  	foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8;
+
 commit;

schema/ttrss_schema_pgsql.sql

@@ -1,3 +1,4 @@
+drop table ttrss_access_keys;
 drop table ttrss_user_labels2;
 drop table ttrss_labels2;
 drop table ttrss_feedbrowser_cache;
@@ -213,7 +214,7 @@ create index ttrss_tags_owner_uid_index on ttrss_tags(owner_uid);
 
 create table ttrss_version (schema_version int not null);
 
-insert into ttrss_version values (68);
+insert into ttrss_version values (69);
 
 create table ttrss_enclosures (id serial not null primary key,
 	content_url text not null,
@@ -405,4 +406,10 @@ create table ttrss_user_labels2 (
 	article_id integer not null references ttrss_entries(id) ON DELETE CASCADE
 );
 
+create table ttrss_access_keys (id serial not null primary key,
+	access_key varchar(250) not null,
+	feed_id varchar(250) not null,
+	is_cat boolean not null default false,
+	owner_uid integer not null references ttrss_users(id) on delete cascade);
+
 commit;

schema/versions/mysql/69.sql

@@ -0,0 +1,12 @@
+begin;
+
+create table ttrss_access_keys (id serial not null primary key,
+	access_key varchar(250) not null,
+	feed_id varchar(250) not null,
+	is_cat bool not null default false,
+	owner_uid integer not null,
+  	foreign key (owner_uid) references ttrss_users(id) ON DELETE CASCADE) TYPE=InnoDB DEFAULT CHARSET=UTF8;
+
+update ttrss_version set schema_version = 69;
+
+commit;

schema/versions/pgsql/69.sql

@@ -0,0 +1,11 @@
+begin;
+
+create table ttrss_access_keys (id serial not null primary key,
+	access_key varchar(250) not null,
+	feed_id varchar(250) not null,
+	is_cat bool not null default false,
+	owner_uid integer not null references ttrss_users(id) on delete cascade);
+
+update ttrss_version set schema_version = 69;
+
+commit;