1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/freshrss_ynh.git synced 2024-09-03 18:36:33 +02:00
freshrss_ynh/sources/app/FreshRSS.php

183 lines
5.9 KiB
PHP
Raw Normal View History

2014-07-23 15:52:50 +02:00
<?php
class FreshRSS extends Minz_FrontController {
public function init() {
if (!isset($_SESSION)) {
Minz_Session::init('FreshRSS');
}
$loginOk = $this->accessControl(Minz_Session::param('currentUser', ''));
$this->loadParamsView();
2014-09-27 10:10:43 +02:00
if (Minz_Request::isPost() && !is_referer_from_same_domain()) {
2014-09-21 12:12:35 +02:00
$loginOk = false; //Basic protection against XSRF attacks
Minz_Error::error(
403,
array('error' => array(Minz_Translate::t('access_denied') . ' [HTTP_REFERER=' .
htmlspecialchars(empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER']) . ']'))
);
}
Minz_View::_param('loginOk', $loginOk);
2014-07-23 15:52:50 +02:00
$this->loadStylesAndScripts($loginOk); //TODO: Do not load that when not needed, e.g. some Ajax requests
$this->loadNotifications();
}
2014-09-21 12:12:35 +02:00
private static function getCredentialsFromLongTermCookie() {
$token = Minz_Session::getLongTermCookie('FreshRSS_login');
if (!ctype_alnum($token)) {
return array();
}
$tokenFile = DATA_PATH . '/tokens/' . $token . '.txt';
$mtime = @filemtime($tokenFile);
if ($mtime + 2629744 < time()) { //1 month //TODO: Use a configuration instead
@unlink($tokenFile);
return array(); //Expired or token does not exist
}
$credentials = @file_get_contents($tokenFile);
return $credentials === false ? array() : explode("\t", $credentials, 2);
}
2014-07-23 15:52:50 +02:00
private function accessControl($currentUser) {
if ($currentUser == '') {
switch (Minz_Configuration::authType()) {
case 'form':
2014-09-21 12:12:35 +02:00
$credentials = self::getCredentialsFromLongTermCookie();
if (isset($credentials[1])) {
$currentUser = trim($credentials[0]);
Minz_Session::_param('passwordHash', trim($credentials[1]));
}
$loginOk = $currentUser != '';
if (!$loginOk) {
$currentUser = Minz_Configuration::defaultUser();
Minz_Session::_param('passwordHash');
}
2014-07-23 15:52:50 +02:00
break;
case 'http_auth':
$currentUser = httpAuthUser();
$loginOk = $currentUser != '';
break;
case 'persona':
$loginOk = false;
$email = filter_var(Minz_Session::param('mail'), FILTER_VALIDATE_EMAIL);
if ($email != '') { //TODO: Remove redundancy with indexController
$personaFile = DATA_PATH . '/persona/' . $email . '.txt';
if (($currentUser = @file_get_contents($personaFile)) !== false) {
$currentUser = trim($currentUser);
$loginOk = true;
}
}
if (!$loginOk) {
$currentUser = Minz_Configuration::defaultUser();
}
break;
case 'none':
$currentUser = Minz_Configuration::defaultUser();
$loginOk = true;
break;
default:
$currentUser = Minz_Configuration::defaultUser();
$loginOk = false;
break;
}
} else {
$loginOk = true;
}
if (!ctype_alnum($currentUser)) {
Minz_Session::_param('currentUser', '');
die('Invalid username [' . $currentUser . ']!');
}
try {
$this->conf = new FreshRSS_Configuration($currentUser);
Minz_View::_param ('conf', $this->conf);
Minz_Session::_param('currentUser', $currentUser);
} catch (Minz_Exception $me) {
$loginOk = false;
try {
$this->conf = new FreshRSS_Configuration(Minz_Configuration::defaultUser());
Minz_Session::_param('currentUser', Minz_Configuration::defaultUser());
Minz_View::_param('conf', $this->conf);
$notif = array(
'type' => 'bad',
'content' => 'Invalid configuration for user [' . $currentUser . ']!',
);
Minz_Session::_param ('notification', $notif);
Minz_Log::record ($notif['content'] . ' ' . $me->getMessage(), Minz_Log::WARNING);
Minz_Session::_param('currentUser', '');
} catch (Exception $e) {
die($e->getMessage());
}
}
if ($loginOk) {
switch (Minz_Configuration::authType()) {
case 'form':
$loginOk = Minz_Session::param('passwordHash') === $this->conf->passwordHash;
break;
case 'http_auth':
$loginOk = strcasecmp($currentUser, httpAuthUser()) === 0;
break;
case 'persona':
$loginOk = strcasecmp(Minz_Session::param('mail'), $this->conf->mail_login) === 0;
break;
case 'none':
$loginOk = true;
break;
default:
$loginOk = false;
break;
}
}
return $loginOk;
}
private function loadParamsView () {
Minz_Session::_param ('language', $this->conf->language);
Minz_Translate::init();
$output = Minz_Request::param ('output', '');
if (($output === '') || ($output !== 'normal' && $output !== 'rss' && $output !== 'reader' && $output !== 'global')) {
$output = $this->conf->view_mode;
Minz_Request::_param ('output', $output);
}
}
2014-09-27 10:10:43 +02:00
private function loadStylesAndScripts($loginOk) {
2014-07-23 15:52:50 +02:00
$theme = FreshRSS_Themes::load($this->conf->theme);
if ($theme) {
foreach($theme['files'] as $file) {
2014-09-27 10:10:43 +02:00
if ($file[0] === '_') {
$theme_id = 'base-theme';
$filename = substr($file, 1);
} else {
$theme_id = $theme['id'];
$filename = $file;
}
$filetime = @filemtime(PUBLIC_PATH . '/themes/' . $theme_id . '/' . $filename);
Minz_View::appendStyle(Minz_Url::display(
'/themes/' . $theme_id . '/' . $filename . '?' . $filetime
));
2014-07-23 15:52:50 +02:00
}
}
switch (Minz_Configuration::authType()) {
case 'form':
if (!$loginOk) {
Minz_View::appendScript(Minz_Url::display ('/scripts/bcrypt.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js')));
}
break;
case 'persona':
Minz_View::appendScript('https://login.persona.org/include.js');
break;
}
2014-09-21 12:12:35 +02:00
Minz_View::appendScript(Minz_Url::display('/scripts/jquery.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/jquery.min.js')));
Minz_View::appendScript(Minz_Url::display('/scripts/shortcut.js?' . @filemtime(PUBLIC_PATH . '/scripts/shortcut.js')));
Minz_View::appendScript(Minz_Url::display('/scripts/main.js?' . @filemtime(PUBLIC_PATH . '/scripts/main.js')));
2014-07-23 15:52:50 +02:00
}
private function loadNotifications () {
$notif = Minz_Session::param ('notification');
if ($notif) {
Minz_View::_param ('notification', $notif);
Minz_Session::_param ('notification');
}
}
}