author | Arno Richter <oelna@oelna.de> | 2022-12-13 21:29:39 +0100 |
---|---|---|
committer | Arno Richter <oelna@oelna.de> | 2022-12-13 21:29:39 +0100 |
commit | f0e3ff408db8ee40611f75cdf96892f90034bd60 (patch) | |
tree | 00feafe091b3ac0cf5828f0ccb9a5d58d8aedb47 | |
parent | b7f338941dcac2a21df2cc4e7fada572616997a2 (diff) | |
overhaul login flow and cookie handling. fix very bad permission error for editing and deleting posts.
-rw-r--r-- | functions.php | 22 | ||||
-rw-r--r-- | index.php | 27 | ||||
-rw-r--r-- | loginform.inc.php | 9 | ||||
-rw-r--r-- | postform.inc.php | 14 | ||||
-rw-r--r-- | single.inc.php | 49 | ||||
-rw-r--r-- | timeline.inc.php | 22 |
6 files changed, 88 insertions, 55 deletions
diff --git a/functions.php b/functions.php index 84be8ac..1586bed 100644 --- a/functions.php +++ b/functions.php @@ -6,6 +6,26 @@ function path($fragment=null) { return (!empty($config['path'][$fragment])) ? $config['path'][$fragment] : false; } +function check_login() { + global $config; + + if(isset($_COOKIE['microblog_login'])) { + if($_COOKIE['microblog_login'] === sha1($config['url'].$config['admin_pass'])) { + // correct auth data, extend cookie life + $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; + setcookie('microblog_login', sha1($config['url'].$config['admin_pass']), NOW+$config['cookie_life'], '/', $domain, false); + + return true; + } else { + // invalid cookie data + unset($_COOKIE['microblog_login']); + setcookie('microblog_login', '', time()-3600, '/', $domain, false); + } + } + + return false; +} + function db_insert($content, $timestamp=NOW) { global $db; if(empty($db)) return false; @@ -106,7 +126,7 @@ function db_posts_count() { function ping_microblog() { global $config; $ping_url = 'https://micro.blog/ping'; - $feed_url = $config['url'].'/feed.json'; + $feed_url = $config['url'].'/feed/json'; $ch = curl_init($ping_url); curl_setopt($ch, CURLOPT_POST, true); 
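Review bot: In check_login() the `$domain` variable is assigned only inside the matching branch, so the clearing `setcookie('microblog_login', '', time()-3600, '/', $domain, false)` in the else branch runs with `$domain` undefined and may not carry the same domain attribute the cookie was set with, in which case the browser keeps the invalid cookie; hoist the `$domain` line above the `if`. The token compare `===` is not constant-time — `hash_equals($token, (string) $_COOKIE['microblog_login'])` is the idiom for secret-derived values — and the cookie is set with the secure flag hard-coded to `false` and no HttpOnly or SameSite, all of which the options-array form of setcookie() (PHP 7.3+) can express in one place. More fundamentally the cookie value is a static `sha1($config['url'].$config['admin_pass'])`: it never rotates, logout cannot revoke it server-side, and the same value is rebuilt in loginform.inc.php and cleared in index.php, so any later change to its attributes has to be made three times. The sketch below centralises the attributes and the compare; replacing the derived token with a random per-login value kept server-side would be the follow-up that makes logout effective.
```php
function check_login() {
	global $config;

	// one set of cookie attributes, so set and clear always match
	$domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : '';
	$cookie_opts = [
		'path'     => '/',
		'domain'   => $domain,
		'secure'   => !empty($_SERVER['HTTPS']),
		'httponly' => true,
		'samesite' => 'Lax',
	];
	$token = sha1($config['url'].$config['admin_pass']);

	if(isset($_COOKIE['microblog_login'])) {
		if(hash_equals($token, (string) $_COOKIE['microblog_login'])) {
			// correct auth data, extend cookie life
			setcookie('microblog_login', $token, ['expires' => NOW+$config['cookie_life']] + $cookie_opts);

			return true;
		}

		// invalid cookie data: expire it with the attributes it was set with
		unset($_COOKIE['microblog_login']);
		setcookie('microblog_login', '', ['expires' => time()-3600] + $cookie_opts);
	}

	return false;
}
```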
@@ -1,20 +1,29 @@ <?php require_once(__DIR__.DIRECTORY_SEPARATOR.'config.php'); + // check user credentials + $config['logged_in'] = false; + $config['logged_in'] = check_login(); + + // subpages if(is_numeric(path(0))) { // show a single blog post require_once(ROOT.DS.'single.inc.php'); + } elseif(mb_strtolower(path(0)) === 'login') { - // show login form - require_once(ROOT.DS.'loginform.inc.php'); + require_once(ROOT.DS.'loginform.inc.php'); + + } elseif(mb_strtolower(path(0)) === 'logout') { + $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; + setcookie('microblog_login', '', time()-3600, '/', $domain, false); + unset($_COOKIE['microblog_login']); + + header('Location: '.$config['url']); + die(); + } elseif(mb_strtolower(path(0)) === 'new') { - if(isset($_COOKIE['microblog_login']) && $_COOKIE['microblog_login'] === sha1($config['url'].$config['admin_pass'])) { - // show the post form - require_once(ROOT.DS.'postform.inc.php'); - } else { - header('Location: '.$config['url'].'/login'); - die(); - } + require_once(ROOT.DS.'postform.inc.php'); + } else { // redirect everything else to the homepage if(!empty(path(0)) && path(0) != 'page') { diff --git a/loginform.inc.php b/loginform.inc.php index ad7e031..c218baa 100644 --- a/loginform.inc.php +++ b/loginform.inc.php @@ -7,7 +7,7 @@ $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; setcookie('microblog_login', sha1($config['url'].$config['admin_pass']), NOW+$config['cookie_life'], '/', $domain, false); - header('Location: '.$config['url'].'/new'); + header('Location: '.$config['url']); die(); } else { header('HTTP/1.0 401 Unauthorized'); 
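Review bot: The logout branch re-implements the cookie clearing (the `$domain` line plus `setcookie('microblog_login', '', time()-3600, '/', $domain, false)`) that check_login() in functions.php already performs for an invalid cookie; a shared helper such as `clear_login_cookie()` next to check_login() would keep the expiry, path and domain attributes identical in both places, which is what makes the deletion actually take effect in the browser. Because the cookie value is derived from the admin password rather than generated per login, clearing it only logs out this browser and a copy of the value stays valid — worth a one-line comment at the logout branch so the limitation is not forgotten. `/logout` is reached by a plain GET link (the footer hunk in timeline.inc.php), so a cross-site request can trigger it; low impact here, but a POST form or a token would close it. The first assignment `$config['logged_in'] = false;` is overwritten on the next line and can be dropped.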
@@ -34,10 +34,11 @@ </head> <body> <div class="wrap"> - <nav> + <nav class="main"> <ul> - <li><a href="<?= $config['url'] ?>/">Timeline</a></li> - <li><a href="<?= $config['url'] ?>/new">New Status</a></li> + <li><a class="button" href="<?= $config['url'] ?>/">Timeline</a></li> + <?php if($config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li><?php endif; ?> + <?php if(!$config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/login">Login</a></li><?php endif; ?> </ul> </nav> <p>Please enter your login information.</p> diff --git a/postform.inc.php b/postform.inc.php index 4755b98..8ac41e4 100644 --- a/postform.inc.php +++ b/postform.inc.php @@ -1,20 +1,13 @@ <?php if(!defined('ROOT')) die('Don\'t call this directly.'); - // check user credentials - if(isset($_COOKIE['microblog_login']) && $_COOKIE['microblog_login'] === sha1($config['url'].$config['admin_pass'])) { - // correct auth data, extend cookie life - $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; - setcookie('microblog_login', sha1($config['url'].$config['admin_pass']), NOW+$config['cookie_life'], '/', $domain, false); - } else { + if(!$config['logged_in']) { // wrong data, kick user to login page header('HTTP/1.0 401 Unauthorized'); header('Location: '.$config['url'].'/login'); die(); } - header('Content-Type: text/html; charset=utf-8'); - $message = array(); if(!empty($_POST['content'])) { @@ -41,6 +34,8 @@ } } + header('Content-Type: text/html; charset=utf-8'); + ?><!DOCTYPE html> <html lang="<?= $config['language'] ?>" class="postform"> <head> 
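Review bot: The new guard `if(!$config['logged_in'])` in postform.inc.php keeps the existing `header('HTTP/1.0 401 Unauthorized')` immediately followed by a `Location:` header; browsers only follow Location on 3xx responses, so an anonymous visitor most likely sees an empty 401 page rather than the login form. Either redirect with a redirect status, `header('Location: '.$config['url'].'/login', true, 303);`, or keep the 401 and render a message, but not both. If postform.inc.php is ever included without index.php having run check_login(), `$config['logged_in']` is unset; that still fails closed, but with a notice — `if(empty($config['logged_in']))` would make the intent explicit.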
@@ -58,7 +53,8 @@ <nav class="main"> <ul> <li><a class="button" href="<?= $config['url'] ?>/">Timeline</a></li> - <li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li> + <?php if($config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li><?php endif; ?> + <?php if(!$config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/login">Login</a></li><?php endif; ?> </ul> </nav> <?php if(isset($message['status']) && isset($message['message'])): ?> diff --git a/single.inc.php b/single.inc.php index 7c91686..f10db2f 100644 --- a/single.inc.php +++ b/single.inc.php @@ -8,32 +8,36 @@ if(mb_strtolower(path(1)) == 'delete') $action = 'delete'; if(mb_strtolower(path(1)) == 'edit') $action = 'edit'; - // delete post $error = false; - if(!empty($_POST['action']) && $_POST['action'] == 'delete') { - $result = db_delete((int) $_POST['id']); + if($config['logged_in']) { - if(!$result) { - $error = 'Post could not be deleted!'; - } else { - rebuild_feeds(); + // delete post + if(!empty($_POST['action']) && $_POST['action'] == 'delete') { + $result = db_delete((int) $_POST['id']); - header('Location: '.$config['url']); - die(); + if(!$result) { + $error = 'Post could not be deleted!'; + } else { + rebuild_feeds(); + + header('Location: '.$config['url']); + die(); + } } - } - // edit post - if(!empty($_POST['action']) && $_POST['action'] == 'edit') { - $result = db_update((int) $_POST['id'], $_POST['content']); + // edit post + if(!empty($_POST['action']) && $_POST['action'] == 'edit') { + + $result = db_update((int) $_POST['id'], $_POST['content']); - if(!$result) { - $error = 'Post could not be updated!'; - } else { - rebuild_feeds(); + if(!$result) { + $error = 'Post could not be updated!'; + } else { + rebuild_feeds(); - header('Location: '.$config['url'].'/'.$_POST['id']); - die(); + header('Location: '.$config['url'].'/'.$_POST['id']); + die(); + } } } 
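Review bot: The `$config['logged_in']` check now gates the delete and edit handlers in single.inc.php, but the POST itself carries no anti-CSRF token and the login cookie is sent on any cross-site request, so a logged-in admin's browser can still be made to submit `action=delete` from another origin; add a per-session token to the edit and delete forms, verify it here, and give the cookie a SameSite attribute. When the check fails, a POSTed action falls through silently and the page renders as if nothing was requested; an explicit `header('HTTP/1.1 403 Forbidden'); die();` for an unauthenticated POST would make the denial visible in logs. The edit redirect still interpolates the raw `$_POST['id']` into `Location:` although the handler casts it for db_update(); compute `$id = (int) $_POST['id'];` once and use `header('Location: '.$config['url'].'/'.$id);`.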
@@ -57,7 +61,8 @@
  <nav class="main">
  <ul>
  <li><a class="button" href="<?= $config['url'] ?>/">Timeline</a></li>
- <li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li>
+ <?php if($config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li><?php endif; ?>
+ <?php if(!$config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/login">Login</a></li><?php endif; ?>
  </ul>
  </nav>
  <ul class="posts">
@@ -82,10 +87,10 @@
  ?>
  <span class="post-timestamp"><time datetime="<?= $datetime ?>" data-unix-time="<?= $post['post_timestamp'] ?>"><?= $formatted_time ?></time></span>
  <nav class="post-meta">
- <ul>
+ <?php if($config['logged_in']): ?><ul>
  <li><a href="<?= $config['url'] ?>/<?= $post['id'] ?>/edit">Edit</a></li>
  <li><a href="<?= $config['url'] ?>/<?= $post['id'] ?>/delete">Delete</a></li>
- </ul>
+ </ul><?php endif; ?>
  </nav>
  <p class="post-content"><?= nl2br(autolink($post['post_content'])) ?></p>
  <?php if($action == 'delete'): ?>
diff --git a/timeline.inc.php b/timeline.inc.php
index 3b419b2..35f7b9d 100644
--- a/timeline.inc.php
+++ b/timeline.inc.php
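Review bot: Wrapping only the `<ul>` in `<?php if($config['logged_in']): ?>` leaves an empty `<nav class="post-meta">` element in the markup for anonymous visitors; moving the condition around the whole `<nav>` keeps the output clean. The same applies to the post-meta hunk in timeline.inc.php further down. Hiding the Edit and Delete links is presentation only — the actual enforcement is the `$config['logged_in']` check at the top of single.inc.php, which is the right place for it.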
@@ -1,13 +1,11 @@ <?php if(!defined('ROOT')) die('Don\'t call this directly.'); - header('Content-Type: text/html; charset=utf-8'); - // check user credentials - if(isset($_COOKIE['microblog_login']) && $_COOKIE['microblog_login'] === sha1($config['url'].$config['admin_pass'])) { - // correct auth data, extend cookie life - $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; - setcookie('microblog_login', sha1($config['url'].$config['admin_pass']), NOW+$config['cookie_life'], '/', $domain, false); - } + // never cache the timeline (?) + header('Expires: Sun, 01 Jan 2014 00:00:00 GMT'); + header('Cache-Control: no-store, no-cache, must-revalidate'); + header('Cache-Control: post-check=0, pre-check=0', FALSE); + header('Pragma: no-cache'); // pagination $current_page = (path(0) == 'page' && is_numeric(path(1))) ? (int) path(1) : 1; @@ -18,6 +16,8 @@ // get posts $posts = db_select_posts(NOW, $config['posts_per_page'], 'desc', $offset); + header('Content-Type: text/html; charset=utf-8'); + ?><!DOCTYPE html> <html lang="<?= $config['language'] ?>" class="timeline"> <head> @@ -35,7 +35,8 @@ <nav class="main"> <ul> <li><a class="button" href="<?= $config['url'] ?>/">Timeline</a></li> - <li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li> + <?php if($config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/new">New Status</a></li><?php endif; ?> + <?php if(!$config['logged_in']): ?><li><a class="button" href="<?= $config['url'] ?>/login">Login</a></li><?php endif; ?> </ul> </nav> <ul class="posts"> 
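Review bot: The no-cache headers are added only to timeline.inc.php, yet after this commit every page (single.inc.php, postform.inc.php, loginform.inc.php) renders differently depending on the login cookie, so a shared cache in front of the site could hand a logged-in rendering to another visitor; sending `header('Cache-Control: no-store');` (or at least `header('Vary: Cookie');`) from index.php right after `check_login()` covers all pages and answers the `(?)` in the comment. `post-check=0, pre-check=0` are obsolete IE-only directives, and the second `header(..., FALSE)` call appends a second Cache-Control header; `header('Cache-Control: no-store, no-cache, must-revalidate');` alone is sufficient for current clients, with `Pragma` and `Expires` only relevant to HTTP/1.0 intermediaries.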
@@ -51,10 +52,10 @@
  ?>
  <a class="post-timestamp" href="<?= $config['url'] ?>/<?= $post['id'] ?>"><time datetime="<?= $datetime ?>" data-unix-time="<?= $post['post_timestamp'] ?>"><?= $formatted_time ?></time></a>
  <nav class="post-meta">
- <ul>
+ <?php if($config['logged_in']): ?><ul>
  <li><a href="<?= $config['url'] ?>/<?= $post['id'] ?>/edit">Edit</a></li>
  <li><a href="<?= $config['url'] ?>/<?= $post['id'] ?>/delete">Delete</a></li>
- </ul>
+ </ul><?php endif; ?>
  </nav>
  <div class="post-content"><?= nl2br(autolink($post['post_content'])) ?></div>
  </li>
@@ -74,6 +75,7 @@
  <li><a href="<?= $config['url'] ?>/feed/atom">ATOM Feed</a></li>
  <li><a href="<?= $config['url'] ?>/feed/json">JSON Feed</a></li>
  <?php if($config['xmlrpc']): ?><li><a href="<?= $config['url'] ?>/xmlrpc">XML-RPC</a></li><?php endif; ?>
+ <?php if($config['logged_in']): ?><li><a href="<?= $config['url'] ?>/logout">Logout</a></li><?php endif; ?>
  </ul>
  </nav>
  </footer>
|