."If you installed Shaarli through Git or using the development branch,\n"
."please refer to the installation documentation to install PHP"
." dependencies using Composer:\n"
- ."- https://github.com/shaarli/Shaarli/wiki/Server-requirements\n"
- ."- https://github.com/shaarli/Shaarli/wiki/Download-and-Installation";
+ ."- https://shaarli.readthedocs.io/en/master/Server-requirements/\n"
+ ."- https://shaarli.readthedocs.io/en/master/Download-and-Installation/";
exit;
}
require_once 'inc/rain.tpl.class.php';
ob_start(); // Output buffering for the page cache.
-// In case stupid admin has left magic_quotes enabled in php.ini:
-if (get_magic_quotes_gpc())
-{
- function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
- $_POST = array_map('stripslashes_deep', $_POST);
- $_GET = array_map('stripslashes_deep', $_GET);
- $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
-}
-
// Prevent caching on client side or proxy: (yes, it's ugly)
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
*/
function setup_login_state($conf)
{
- if ($conf->get('security.open_shaarli')) {
- return true;
- }
- $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
- $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
- if (! $conf->exists('credentials.login')) {
- $userIsLoggedIn = false; // Shaarli is not configured yet.
- $loginFailure = true;
- }
- if (isset($_COOKIE['shaarli_staySignedIn']) &&
- $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
- !$loginFailure)
- {
- fillSessionInfo($conf);
- $userIsLoggedIn = true;
- }
- // If session does not exist on server side, or IP address has changed, or session has expired, logout.
- if (empty($_SESSION['uid'])
+ if ($conf->get('security.open_shaarli')) {
+ return true;
+ }
+ $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
+ $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
+ if (! $conf->exists('credentials.login')) {
+ $userIsLoggedIn = false; // Shaarli is not configured yet.
+ $loginFailure = true;
+ }
+ if (isset($_COOKIE['shaarli_staySignedIn']) &&
+ $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
+ !$loginFailure)
+ {
+ fillSessionInfo($conf);
+ $userIsLoggedIn = true;
+ }
+ // If session does not exist on server side, or IP address has changed, or session has expired, logout.
+ if (empty($_SESSION['uid'])
|| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
|| time() >= $_SESSION['expires_on'])
- {
- logout();
- $userIsLoggedIn = false;
- $loginFailure = true;
- }
- if (!empty($_SESSION['longlastingsession'])) {
- $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
- }
- else {
- $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
- }
- if (!$loginFailure) {
- $userIsLoggedIn = true;
- }
-
- return $userIsLoggedIn;
+ {
+ logout();
+ $userIsLoggedIn = false;
+ $loginFailure = true;
+ }
+ if (!empty($_SESSION['longlastingsession'])) {
+ $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
+ }
+ else {
+ $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
+ }
+ if (!$loginFailure) {
+ $userIsLoggedIn = true;
+ }
+
+ return $userIsLoggedIn;
}
$userIsLoggedIn = setup_login_state($conf);
*/
function fillSessionInfo($conf)
{
- $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
- $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
- $_SESSION['username']= $conf->get('credentials.login');
- $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
+ $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
+ $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
+ $_SESSION['username']= $conf->get('credentials.login');
+ $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
}
/**
$hash = sha1($password . $login . $conf->get('credentials.salt'));
if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
{ // Login/password is correct.
- fillSessionInfo($conf);
+ fillSessionInfo($conf);
logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
return true;
}
unset($_SESSION['ip']);
unset($_SESSION['username']);
unset($_SESSION['privateonly']);
+ unset($_SESSION['untaggedonly']);
}
setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH);
}
// If user wants to keep the session cookie even after the browser closes:
if (!empty($_POST['longlastingsession']))
{
- setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
- $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year)
- $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side.
+ $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
+ $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
+ setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
+ $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side.
$cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
* @param ConfigManager $conf Configuration Manager instance.
* @param PluginManager $pluginManager Plugin Manager instance,
* @param LinkDB $LINKSDB
+ * @param History $history instance
*/
function renderPage($conf, $pluginManager, $LINKSDB, $history)
{
$PAGE->assign('username', escape($_GET['username']));
}
$PAGE->assign('returnurl',(isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']):''));
+ // add default state of the 'remember me' checkbox
+ $PAGE->assign('remember_user_default', $conf->get('privacy.remember_user_default'));
$PAGE->renderPage('loginform');
exit;
}
// -------- Tag cloud
if ($targetPage == Router::$PAGE_TAGCLOUD)
{
- $tags= $LINKSDB->allTags();
+ $visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all';
+ $filteringTags = isset($_GET['searchtags']) ? explode(' ', $_GET['searchtags']) : [];
+ $tags = $LINKSDB->linksCountPerTag($filteringTags, $visibility);
// We sort tags alphabetically, then choose a font size according to count.
// First, find max value.
$maxcount = max($maxcount, $value);
}
- // Sort tags alphabetically: case insensitive, support locale if available.
- uksort($tags, function($a, $b) {
- // Collator is part of PHP intl.
- if (class_exists('Collator')) {
- $c = new Collator(setlocale(LC_COLLATE, 0));
- if (!intl_is_failure(intl_get_error_code())) {
- return $c->compare($a, $b);
- }
- }
- return strcasecmp($a, $b);
- });
+ alphabetical_sort($tags, false, true);
$tagList = array();
foreach($tags as $key => $value) {
+ if (in_array($key, $filteringTags)) {
+ continue;
+ }
// Tag font size scaling:
// default 15 and 30 logarithm bases affect scaling,
// 22 and 6 are arbitrary font sizes for max and min sizes.
}
$data = array(
+ 'search_tags' => implode(' ', $filteringTags),
'tags' => $tagList,
);
$pluginManager->executeHooks('render_tagcloud', $data, array('loggedin' => isLoggedIn()));
$PAGE->assign($key, $value);
}
- $PAGE->renderPage('tagcloud');
+ $PAGE->renderPage('tag.cloud');
+ exit;
+ }
+
+ // -------- Tag list
+ if ($targetPage == Router::$PAGE_TAGLIST)
+ {
+ $visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all';
+ $filteringTags = isset($_GET['searchtags']) ? explode(' ', $_GET['searchtags']) : [];
+ $tags = $LINKSDB->linksCountPerTag($filteringTags, $visibility);
+ foreach ($filteringTags as $tag) {
+ if (array_key_exists($tag, $tags)) {
+ unset($tags[$tag]);
+ }
+ }
+
+ if (! empty($_GET['sort']) && $_GET['sort'] === 'alpha') {
+ alphabetical_sort($tags, false, true);
+ }
+
+ $data = [
+ 'search_tags' => implode(' ', $filteringTags),
+ 'tags' => $tags,
+ ];
+ $pluginManager->executeHooks('render_taglist', $data, ['loggedin' => isLoggedIn()]);
+
+ foreach ($data as $key => $value) {
+ $PAGE->assign($key, $value);
+ }
+
+ $PAGE->renderPage('tag.list');
exit;
}
exit;
}
+ // -------- User wants to see only untagged links (toggle)
+ if (isset($_GET['untaggedonly'])) {
+ $_SESSION['untaggedonly'] = empty($_SESSION['untaggedonly']);
+
+ if (! empty($_SERVER['HTTP_REFERER'])) {
+ $location = generateLocation($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'], array('untaggedonly'));
+ } else {
+ $location = '?';
+ }
+ header('Location: '. $location);
+ exit;
+ }
+
// -------- Handle other actions allowed for non-logged in users:
if (!isLoggedIn())
{
if ($targetPage == Router::$PAGE_CHANGETAG)
{
if (empty($_POST['fromtag']) || (empty($_POST['totag']) && isset($_POST['renametag']))) {
+ $PAGE->assign('fromtag', ! empty($_GET['fromtag']) ? escape($_GET['fromtag']) : '');
$PAGE->renderPage('changetag');
exit;
}
die('Wrong token.');
}
- // Delete a tag:
- if (isset($_POST['deletetag']) && !empty($_POST['fromtag'])) {
- $needle = trim($_POST['fromtag']);
- // True for case-sensitive tag search.
- $linksToAlter = $LINKSDB->filterSearch(array('searchtags' => $needle), true);
- foreach($linksToAlter as $key=>$value)
- {
- $tags = explode(' ',trim($value['tags']));
- unset($tags[array_search($needle,$tags)]); // Remove tag.
- $value['tags']=trim(implode(' ',$tags));
- $LINKSDB[$key]=$value;
- $history->updateLink($LINKSDB[$key]);
- }
- $LINKSDB->save($conf->get('resource.page_cache'));
- echo '<script>alert("Tag was removed from '.count($linksToAlter).' links.");document.location=\'?do=changetag\';</script>';
- exit;
- }
-
- // Rename a tag:
- if (isset($_POST['renametag']) && !empty($_POST['fromtag']) && !empty($_POST['totag'])) {
- $needle = trim($_POST['fromtag']);
- // True for case-sensitive tag search.
- $linksToAlter = $LINKSDB->filterSearch(array('searchtags' => $needle), true);
- foreach($linksToAlter as $key=>$value) {
- $tags = preg_split('/\s+/', trim($value['tags']));
- // Replace tags value.
- $tags[array_search($needle, $tags)] = trim($_POST['totag']);
- $value['tags'] = implode(' ', array_unique($tags));
- $LINKSDB[$key] = $value;
- $history->updateLink($LINKSDB[$key]);
- }
- $LINKSDB->save($conf->get('resource.page_cache')); // Save to disk.
- echo '<script>alert("Tag was renamed in '.count($linksToAlter).' links.");document.location=\'?searchtags='.urlencode(escape($_POST['totag'])).'\';</script>';
- exit;
+ $alteredLinks = $LINKSDB->renameTag(escape($_POST['fromtag']), escape($_POST['totag']));
+ $LINKSDB->save($conf->get('resource.page_cache'));
+ foreach ($alteredLinks as $link) {
+ $history->updateLink($link);
}
+ $delete = empty($_POST['totag']);
+ $redirect = $delete ? 'do=changetag' : 'searchtags='. urlencode(escape($_POST['totag']));
+ $alert = $delete
+ ? sprintf(t('The tag was removed from %d links.'), count($alteredLinks))
+ : sprintf(t('The tag was renamed in %d links.'), count($alteredLinks));
+ echo '<script>alert("'. $alert .'");document.location=\'?'. $redirect .'\';</script>';
+ exit;
}
// -------- User wants to add a link without using the bookmarklet: Show form.
// Linkdate is kept here to:
// - use the same permalink for notes as they're displayed when creating them
// - let users hack creation date of their posts
- // See: https://github.com/shaarli/Shaarli/wiki/Datastore-hacks#changing-the-timestamp-for-a-link
+ // See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare
$linkdate = escape($_POST['lf_linkdate']);
if (isset($LINKSDB[$id])) {
// Edit
// Remove duplicates.
$tags = implode(' ', array_unique(explode(' ', $tags)));
- $url = trim($_POST['lf_url']);
- if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
- && ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
- && ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
- ) {
- $url = 'http://' . $url;
+ if (empty(trim($_POST['lf_url']))) {
+ $_POST['lf_url'] = '?' . smallHash($linkdate . $id);
}
+ $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
$link = array(
'id' => $id,
// -------- User clicked the "Delete" button when editing a link: Delete link from database.
if ($targetPage == Router::$PAGE_DELETELINK)
{
- // We do not need to ask for confirmation:
- // - confirmation is handled by JavaScript
- // - we are protected from XSRF by the token.
-
if (! tokenOk($_GET['token'])) {
die('Wrong token.');
}
- $id = intval(escape($_GET['lf_linkdate']));
- $link = $LINKSDB[$id];
- $pluginManager->executeHooks('delete_link', $link);
- unset($LINKSDB[$id]);
+ if (strpos($_GET['lf_linkdate'], ' ') !== false) {
+ $ids = array_values(array_filter(preg_split('/\s+/', escape($_GET['lf_linkdate']))));
+ } else {
+ $ids = [$_GET['lf_linkdate']];
+ }
+ foreach ($ids as $id) {
+ $id = (int) escape($id);
+ $link = $LINKSDB[$id];
+ $pluginManager->executeHooks('delete_link', $link);
+ unset($LINKSDB[$id]);
+ }
$LINKSDB->save($conf->get('resource.page_cache')); // save to disk
$history->deleteLink($link);
'link' => $link,
'link_is_new' => false,
'http_referer' => (isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']) : ''),
- 'tags' => $LINKSDB->allTags(),
+ 'tags' => $LINKSDB->linksCountPerTag(),
);
$pluginManager->executeHooks('render_editlink', $data);
'url' => $url,
'description' => $description,
'tags' => $tags,
- 'private' => $private
+ 'private' => $private,
);
} else {
$link['linkdate'] = $link['created']->format(LinkDB::LINK_DATE_FORMAT);
'link_is_new' => $link_is_new,
'http_referer' => (isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']) : ''),
'source' => (isset($_GET['source']) ? $_GET['source'] : ''),
- 'tags' => $LINKSDB->allTags(),
+ 'tags' => $LINKSDB->linksCountPerTag(),
'default_private_links' => $conf->get('privacy.default_private_links', false),
);
$pluginManager->executeHooks('render_editlink', $data);
exit;
}
+ // Get a fresh token
+ if ($targetPage == Router::$GET_TOKEN) {
+ header('Content-Type:text/plain');
+ echo getToken($conf);
+ exit;
+ }
+
// -------- Otherwise, simply display search form and links:
showLinkList($PAGE, $LINKSDB, $conf, $pluginManager);
exit;
function buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager)
{
// Used in templates
- $searchtags = !empty($_GET['searchtags']) ? escape(normalize_spaces($_GET['searchtags'])) : '';
+ if (isset($_GET['searchtags'])) {
+ if (! empty($_GET['searchtags'])) {
+ $searchtags = escape(normalize_spaces($_GET['searchtags']));
+ } else {
+ $searchtags = false;
+ }
+ } else {
+ $searchtags = '';
+ }
$searchterm = !empty($_GET['searchterm']) ? escape(normalize_spaces($_GET['searchterm'])) : '';
// Smallhash filter
} else {
// Filter links according search parameters.
$visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all';
- $linksToDisplay = $LINKSDB->filterSearch($_GET, false, $visibility);
+ $request = [
+ 'searchtags' => $searchtags,
+ 'searchterm' => $searchterm,
+ ];
+ $linksToDisplay = $LINKSDB->filterSearch($request, false, $visibility, !empty($_SESSION['untaggedonly']));
}
// ---- Handle paging.
}
// Compute paging navigation
- $searchtagsUrl = empty($searchtags) ? '' : '&searchtags=' . urlencode($searchtags);
+ $searchtagsUrl = $searchtags === '' ? '' : '&searchtags=' . urlencode($searchtags);
$searchtermUrl = empty($searchterm) ? '' : '&searchterm=' . urlencode($searchterm);
$previous_page_url = '';
if ($i != count($keys)) {
$_SESSION['LINKS_PER_PAGE'] = $conf->get('general.links_per_page', 20);
}
+try {
+ $history = new History($conf->get('resource.history'));
+} catch(Exception $e) {
+ die($e->getMessage());
+}
+
$linkDb = new LinkDB(
$conf->get('resource.datastore'),
isLoggedIn(),
$conf->get('redirector.encode_url')
);
-try {
- $history = new History($conf->get('resource.history'));
-} catch(Exception $e) {
- die($e->getMessage());
-}
-
$container = new \Slim\Container();
$container['conf'] = $conf;
$container['plugins'] = $pluginManager;