RIP self-registration

This commit is contained in:
Andrew Dolgov 2021-02-12 15:57:43 +03:00
parent 3268364693
commit d23a261b92
4 changed files with 2 additions and 379 deletions

View File

@ -89,23 +89,6 @@
// intervals is disabled and all articles (which are not starred)
// older than this amount of days are purged.
// ***********************************
// *** Self-registrations by users ***
// ***********************************
define('ENABLE_REGISTRATION', false);
// Allow users to register themselves. Please be aware that allowing
// random people to access your tt-rss installation is a security risk
// and potentially might lead to data loss or server exploit. Disabled
// by default.
define('REG_NOTIFY_ADDRESS', 'user@your.domain.dom');
// Email address to send new user notifications to.
define('REG_MAX_USERS', 10);
// Maximum amount of users which will be allowed to register on this
// system. 0 - no limit.
// **********************************
// *** Cookies and login sessions ***
// **********************************

View File

@ -177,13 +177,7 @@
<fieldset class="align-right">
<label> </label>
<button dojoType="dijit.form.Button" type="submit" class="alt-primary"><?php echo __('Log in') ?></button>
<?php if (defined('ENABLE_REGISTRATION') && ENABLE_REGISTRATION) { ?>
<button onclick="return UtilityApp.gotoRegForm()" dojoType="dijit.form.Button">
<?php echo __("Create new account") ?></button>
<?php } ?>
</fieldset>
</form>

View File

@ -1,3 +1,3 @@
<?php # This file has been generated at: Fri Dec 11 09:30:20 MSK 2020
<?php # This file has been generated at: Fri Feb 12 15:56:39 MSK 2021
define('GENERATED_CONFIG_CHECK', 26);
$required_defines = array( 'DB_TYPE', 'DB_HOST', 'DB_USER', 'DB_NAME', 'DB_PASS', 'MYSQL_CHARSET', 'SELF_URL_PATH', 'SINGLE_USER_MODE', 'SIMPLE_UPDATE_MODE', 'PHP_EXECUTABLE', 'LOCK_DIRECTORY', 'CACHE_DIR', 'ICONS_DIR', 'ICONS_URL', 'AUTH_AUTO_CREATE', 'AUTH_AUTO_LOGIN', 'FORCE_ARTICLE_PURGE', 'ENABLE_REGISTRATION', 'REG_NOTIFY_ADDRESS', 'REG_MAX_USERS', 'SESSION_COOKIE_LIFETIME', 'SMTP_FROM_NAME', 'SMTP_FROM_ADDRESS', 'DIGEST_SUBJECT', 'CHECK_FOR_UPDATES', 'ENABLE_GZIP_OUTPUT', 'PLUGINS', 'LOG_DESTINATION', 'CONFIG_VERSION'); ?>
$required_defines = array( 'DB_TYPE', 'DB_HOST', 'DB_USER', 'DB_NAME', 'DB_PASS', 'MYSQL_CHARSET', 'SELF_URL_PATH', 'SINGLE_USER_MODE', 'SIMPLE_UPDATE_MODE', 'PHP_EXECUTABLE', 'LOCK_DIRECTORY', 'CACHE_DIR', 'ICONS_DIR', 'ICONS_URL', 'AUTH_AUTO_CREATE', 'AUTH_AUTO_LOGIN', 'FORCE_ARTICLE_PURGE', 'SESSION_COOKIE_LIFETIME', 'SMTP_FROM_NAME', 'SMTP_FROM_ADDRESS', 'DIGEST_SUBJECT', 'CHECK_FOR_UPDATES', 'ENABLE_GZIP_OUTPUT', 'PLUGINS', 'LOG_DESTINATION', 'CONFIG_VERSION'); ?>

View File

@ -1,354 +0,0 @@
<?php
// This file uses two additional include files:
//
// 1) templates/register_notice.txt - displayed above the registration form
// 2) register_expire_do.php - contains user expiration queries when necessary
set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .
get_include_path());
require_once "autoload.php";
require_once "functions.php";
require_once "sessions.php";
require_once "sanity_check.php";
require_once "config.php";
require_once "db.php";
startup_gettext();
$action = $_REQUEST["action"];
if (!init_plugins()) return;
if ($_REQUEST["format"] == "feed") {
header("Content-Type: text/xml");
print '<?xml version="1.0" encoding="utf-8"?>';
print "<feed xmlns=\"http://www.w3.org/2005/Atom\">
<id>".htmlspecialchars(SELF_URL_PATH . "/register.php")."</id>
<title>Tiny Tiny RSS registration slots</title>
<link rel=\"self\" href=\"".htmlspecialchars(SELF_URL_PATH . "/register.php?format=feed")."\"/>
<link rel=\"alternate\" href=\"".htmlspecialchars(SELF_URL_PATH)."\"/>";
if (ENABLE_REGISTRATION) {
$result = db_query( "SELECT COUNT(*) AS cu FROM ttrss_users");
$num_users = db_fetch_result($result, 0, "cu");
$num_users = REG_MAX_USERS - $num_users;
if ($num_users < 0) $num_users = 0;
$reg_suffix = "enabled";
} else {
$num_users = 0;
$reg_suffix = "disabled";
}
print "<entry>
<id>".htmlspecialchars(SELF_URL_PATH)."/register.php?$num_users"."</id>
<link rel=\"alternate\" href=\"".htmlspecialchars(SELF_URL_PATH . "/register.php")."\"/>";
print "<title>$num_users slots are currently available, registration $reg_suffix</title>";
print "<summary>$num_users slots are currently available, registration $reg_suffix</summary>";
print "</entry>";
print "</feed>";
return;
}
/* Remove users which didn't login after receiving their registration information */
if (DB_TYPE == "pgsql") {
db_query( "DELETE FROM ttrss_users WHERE last_login IS NULL
AND created < NOW() - INTERVAL '1 day' AND access_level = 0");
} else {
db_query( "DELETE FROM ttrss_users WHERE last_login IS NULL
AND created < DATE_SUB(NOW(), INTERVAL 1 DAY) AND access_level = 0");
}
if (file_exists("register_expire_do.php")) {
require_once "register_expire_do.php";
}
if ($action == "check") {
header("Content-Type: application/xml");
$login = clean($_REQUEST['login']);
$is_registered = UserHelper::find_user_by_login($login);
print "<result>";
printf("%d", $is_registered);
print "</result>";
return;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Create new account</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<?php echo stylesheet_tag("themes/light.css") ?>
<?php echo javascript_tag("js/common.js") ?>
<?php echo javascript_tag("lib/prototype.js") ?>
<?php echo javascript_tag("lib/scriptaculous/scriptaculous.js?load=effects,controls") ?>
<?php if (theme_exists(LOCAL_OVERRIDE_STYLESHEET)) {
echo stylesheet_tag(get_theme_path(LOCAL_OVERRIDE_STYLESHEET));
} ?>
</head>
<script type="text/javascript">
function checkUsername() {
try {
var f = document.forms['register_form'];
var login = f.login.value;
if (login == "") {
new Effect.Highlight(f.login);
f.sub_btn.disabled = true;
return false;
}
var query = "register.php?action=check&login=" +
encodeURIComponent(login);
new Ajax.Request(query, {
onComplete: function(transport) {
try {
var reply = transport.responseXML;
var result = reply.getElementsByTagName('result')[0];
var result_code = result.firstChild.nodeValue;
if (result_code == 0) {
new Effect.Highlight(f.login, {startcolor : '#00ff00'});
f.sub_btn.disabled = false;
} else {
new Effect.Highlight(f.login, {startcolor : '#ff0000'});
f.sub_btn.disabled = true;
}
} catch (e) {
App.Error.report(e);
}
} });
} catch (e) {
App.Error.report(e);
}
return false;
}
function validateRegForm() {
try {
var f = document.forms['register_form'];
if (f.login.value.length == 0) {
new Effect.Highlight(f.login);
return false;
}
if (f.email.value.length == 0) {
new Effect.Highlight(f.email);
return false;
}
if (f.turing_test.value.length == 0) {
new Effect.Highlight(f.turing_test);
return false;
}
return true;
} catch (e) {
alert(e.stack);
return false;
}
}
</script>
<body class="claro ttrss_utility">
<h1><?php echo __("Create new account") ?></h1>
<div class="content">
<?php
if (!ENABLE_REGISTRATION) {
print_error(__("New user registrations are administratively disabled."));
print "<p><form method=\"GET\" action=\"backend.php\">
<input type=\"hidden\" name=\"op\" value=\"logout\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>";
return;
}
?>
<?php if (REG_MAX_USERS > 0) {
$result = db_query( "SELECT COUNT(*) AS cu FROM ttrss_users");
$num_users = db_fetch_result($result, 0, "cu");
} ?>
<?php if (!REG_MAX_USERS || $num_users < REG_MAX_USERS) { ?>
<!-- If you have any rules or ToS you'd like to display, enter them here -->
<?php if (file_exists("templates/register_notice.txt")) {
require_once "templates/register_notice.txt";
} ?>
<?php if (!$action) { ?>
<p><?php echo __('Your temporary password will be sent to the specified email. Accounts, which were not logged in once, are erased automatically 24 hours after temporary password is sent.') ?></p>
<form action="register.php" method="POST" name="register_form">
<input type="hidden" name="action" value="do_register">
<table>
<tr>
<td><?php echo __('Desired login:') ?></td><td>
<input name="login" required>
</td><td>
<input type="submit" value="<?php echo __('Check availability') ?>" onclick='return checkUsername()'>
</td></tr>
<tr><td><?php echo __('Email:') ?></td><td>
<input name="email" type="email" required>
</td></tr>
<tr><td><?php echo __('How much is two plus two:') ?></td><td>
<input name="turing_test" required></td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="sub_btn" value="<?php echo __('Submit registration') ?>"
disabled="disabled" onclick='return validateRegForm()'>
</td></tr>
</table>
</form>
<?php print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>"; ?>
<?php } else if ($action == "do_register") { ?>
<?php
$login = mb_strtolower(trim(db_escape_string( $_REQUEST["login"])));
$email = trim(db_escape_string( $_REQUEST["email"]));
$test = trim(db_escape_string( $_REQUEST["turing_test"]));
if (!$login || !$email || !$test) {
print_error(__("Your registration information is incomplete."));
print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>";
return;
}
if ($test == "four" || $test == "4") {
$is_registered = UserHelper::find_user_by_login($login);
if ($is_registered) {
print_error(__('Sorry, this username is already taken.'));
print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>";
} else {
$password = make_password();
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($password, $salt, true);
db_query( "INSERT INTO ttrss_users
(login,pwd_hash,access_level,last_login, email, created, salt)
VALUES (LOWER('$login'), '$pwd_hash', 0, null, '$email', NOW(), '$salt')");
$new_uid = UserHelper::find_user_by_login($login);
if (!$new_uid) {
print_error(__('Registration failed.'));
print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>";
} else {
Pref_Users::initialize_user($new_uid);
$reg_text = "Hi!\n".
"\n".
"You are receiving this message, because you (or somebody else) have opened\n".
"an account at Tiny Tiny RSS.\n".
"\n".
"Your login information is as follows:\n".
"\n".
"Login: $login\n".
"Password: $password\n".
"\n".
"Don't forget to login at least once to your new account, otherwise\n".
"it will be deleted in 24 hours.\n".
"\n".
"If that wasn't you, just ignore this message. Thanks.";
$mailer = new Mailer();
$rc = $mailer->mail(["to_address" => $email,
"subject" => "Registration information for Tiny Tiny RSS",
"message" => $reg_text]);
if (!$rc) print_error($mailer->error());
$reg_text = "Hi!\n".
"\n".
"New user had registered at your Tiny Tiny RSS installation.\n".
"\n".
"Login: $login\n".
"Email: $email\n";
$mailer = new Mailer();
$rc = $mailer->mail(["to_address" => REG_NOTIFY_ADDRESS,
"subject" => "Registration notice for Tiny Tiny RSS",
"message" => $reg_text]);
if (!$rc) print_error($mailer->error());
print_notice(__("Account created successfully."));
print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>";
}
}
} else {
print_error('Plese check the form again, you have failed the robot test.');
print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>";
}
}
?>
<?php } else { ?>
<?php print_notice(__('New user registrations are currently closed.')) ?>
<?php print "<p><form method=\"GET\" action=\"index.php\">
<input type=\"submit\" value=\"".__("Return to Tiny Tiny RSS")."\">
</form>"; ?>
<?php } ?>
</div>
</body>
</html>