'. t('Insufficient permissions:') .'
- ';
foreach ($errors as $error) {
$message .= '
- '.$error.' '; @@ -261,215 +175,68 @@ if (! is_file($GLOBALS['config']['CONFIG_FILE'])) { } // Display the installation form if no existing config is found - install(); -} - -$GLOBALS['title'] = !empty($GLOBALS['title']) ? escape($GLOBALS['title']) : ''; -$GLOBALS['titleLink'] = !empty($GLOBALS['titleLink']) ? escape($GLOBALS['titleLink']) : ''; -$GLOBALS['redirector'] = !empty($GLOBALS['redirector']) ? escape($GLOBALS['redirector']) : ''; - -// a token depending of deployment salt, user password, and the current ip -define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); - -// Sniff browser language and set date format accordingly. -if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { - autoLocale($_SERVER['HTTP_ACCEPT_LANGUAGE']); -} -header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. - -//================================================================================================== -// Checking session state (i.e. is the user still logged in) -//================================================================================================== - -function setup_login_state() { - if ($GLOBALS['config']['OPEN_SHAARLI']) { - return true; - } - $userIsLoggedIn = false; // By default, we do not consider the user as logged in; - $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. - if (!isset($GLOBALS['login'])) { - $userIsLoggedIn = false; // Shaarli is not configured yet. - $loginFailure = true; - } - if (isset($_COOKIE['shaarli_staySignedIn']) && - $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && - !$loginFailure) - { - fillSessionInfo(); - $userIsLoggedIn = true; - } - // If session does not exist on server side, or IP address has changed, or session has expired, logout. - if (empty($_SESSION['uid']) || - ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || - time() >= $_SESSION['expires_on']) - { - logout(); - $userIsLoggedIn = false; - $loginFailure = true; - } - if (!empty($_SESSION['longlastingsession'])) { - $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. - } - else { - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. - } - if (!$loginFailure) { - $userIsLoggedIn = true; - } - - return $userIsLoggedIn; -} -$userIsLoggedIn = setup_login_state(); - -// ------------------------------------------------------------------------------------------ -// PubSubHubbub protocol support (if enabled) [UNTESTED] -// (Source: http://aldarone.fr/les-flux-rss-shaarli-et-pubsubhubbub/ ) -if (!empty($GLOBALS['config']['PUBSUBHUB_URL'])) include './publisher.php'; -function pubsubhub() -{ - if (!empty($GLOBALS['config']['PUBSUBHUB_URL'])) - { - $p = new Publisher($GLOBALS['config']['PUBSUBHUB_URL']); - $topic_url = array ( - index_url($_SERVER).'?do=atom', - index_url($_SERVER).'?do=rss' - ); - $p->publish_update($topic_url); - } -} - -// ------------------------------------------------------------------------------------------ -// Session management - -// Returns the IP address of the client (Used to prevent session cookie hijacking.) -function allIPs() -{ - $ip = $_SERVER["REMOTE_ADDR"]; - // Then we use more HTTP headers to prevent session hijacking from users behind the same proxy. - if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; } - if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; } - return $ip; + install($conf, $sessionManager, $loginManager); } -function fillSessionInfo() { - $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) - $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. - $_SESSION['username']=$GLOBALS['login']; - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. -} +$loginManager->checkLoginState($_COOKIE, $clientIpId); -// Check that user/password is correct. -function check_auth($login,$password) -{ - $hash = sha1($password.$login.$GLOBALS['salt']); - if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) - { // Login/password is correct. - fillSessionInfo(); - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'Login successful'); - return True; - } - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'Login failed for user '.$login); - return False; -} - -// Returns true if the user is logged in. +/** + * Adapter function to ensure compatibility with third-party templates + * + * @see https://github.com/shaarli/Shaarli/pull/1086 + * + * @return bool true when the user is logged in, false otherwise + */ function isLoggedIn() { - global $userIsLoggedIn; - return $userIsLoggedIn; + global $loginManager; + return $loginManager->isLoggedIn(); } -// Force logout. -function logout() { - if (isset($_SESSION)) { - unset($_SESSION['uid']); - unset($_SESSION['ip']); - unset($_SESSION['username']); - unset($_SESSION['privateonly']); - } - setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); -} - - -// ------------------------------------------------------------------------------------------ -// Brute force protection system -// Several consecutive failed logins will ban the IP address for 30 minutes. -if (!is_file($GLOBALS['config']['IPBANS_FILENAME'])) file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], "array(),'BANS'=>array()),true).";\n?>"); -include $GLOBALS['config']['IPBANS_FILENAME']; -// Signal a failed login. Will ban the IP if too many failures: -function ban_loginFailed() -{ - $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; - if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0; - $gb['FAILURES'][$ip]++; - if ($gb['FAILURES'][$ip]>($GLOBALS['config']['BAN_AFTER']-1)) - { - $gb['BANS'][$ip]=time()+$GLOBALS['config']['BAN_DURATION']; - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'IP address banned from login'); - } - $GLOBALS['IPBANS'] = $gb; - file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], ""); -} - -// Signals a successful login. Resets failed login counter. -function ban_loginOk() -{ - $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; - unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); - $GLOBALS['IPBANS'] = $gb; - file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], ""); -} - -// Checks if the user CAN login. If 'true', the user can try to login. -function ban_canLogin() -{ - $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; - if (isset($gb['BANS'][$ip])) - { - // User is banned. Check if the ban has expired: - if ($gb['BANS'][$ip]<=time()) - { // Ban expired, user can try to login again. - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'Ban lifted.'); - unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); - file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], ""); - return true; // Ban has expired, user can login. - } - return false; // User is banned. - } - return true; // User is not banned. -} // ------------------------------------------------------------------------------------------ // Process login form: Check if login/password is correct. -if (isset($_POST['login'])) -{ - if (!ban_canLogin()) die('I said: NO. You are banned for the moment. Go away.'); - if (isset($_POST['password']) && tokenOk($_POST['token']) && (check_auth($_POST['login'], $_POST['password']))) - { // Login/password is OK. - ban_loginOk(); - // If user wants to keep the session cookie even after the browser closes: - if (!empty($_POST['longlastingsession'])) - { - setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); - $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) - $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. - - $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; - session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side +if (isset($_POST['login'])) { + if (! $loginManager->canLogin($_SERVER)) { + die(t('I said: NO. You are banned for the moment. Go away.')); + } + if (isset($_POST['password']) + && $sessionManager->checkToken($_POST['token']) + && $loginManager->checkCredentials($_SERVER['REMOTE_ADDR'], $clientIpId, $_POST['login'], $_POST['password']) + ) { + $loginManager->handleSuccessfulLogin($_SERVER); + + $cookiedir = ''; + if (dirname($_SERVER['SCRIPT_NAME']) != '/') { // Note: Never forget the trailing slash on the cookie path! - session_regenerate_id(true); // Send cookie with new expiration date to browser. + $cookiedir = dirname($_SERVER["SCRIPT_NAME"]) . '/'; } - else // Standard session expiration (=when browser closes) - { - $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; - session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes" - session_regenerate_id(true); + + if (!empty($_POST['longlastingsession'])) { + // Keep the session cookie even after the browser closes + $sessionManager->setStaySignedIn(true); + $expirationTime = $sessionManager->extendSession(); + + setcookie( + $loginManager::$STAY_SIGNED_IN_COOKIE, + $loginManager->getStaySignedInToken(), + $expirationTime, + WEB_PATH + ); + + } else { + // Standard session expiration (=when browser closes) + $expirationTime = 0; } + // Send cookie with the new expiration date to the browser + session_set_cookie_params($expirationTime, $cookiedir, $_SERVER['SERVER_NAME']); + session_regenerate_id(true); + // Optional redirect after login: if (isset($_GET['post'])) { $uri = '?post='. urlencode($_GET['post']); - foreach (array('description', 'source', 'title') as $param) { + foreach (array('description', 'source', 'title', 'tags') as $param) { if (!empty($_GET[$param])) { $uri .= '&'.$param.'='.urlencode($_GET[$param]); } @@ -491,210 +258,43 @@ if (isset($_POST['login'])) } } header('Location: ?'); exit; - } - else - { - ban_loginFailed(); - $redir = ''; + } else { + $loginManager->handleFailedLogin($_SERVER); + $redir = '&username='. urlencode($_POST['login']); if (isset($_GET['post'])) { - $redir = '?post=' . urlencode($_GET['post']); - foreach (array('description', 'source', 'title') as $param) { + $redir .= '&post=' . urlencode($_GET['post']); + foreach (array('description', 'source', 'title', 'tags') as $param) { if (!empty($_GET[$param])) { $redir .= '&' . $param . '=' . urlencode($_GET[$param]); } } } - echo ''; // Redirect to login screen. + // Redirect to login screen. + echo ''; exit; } } -// ------------------------------------------------------------------------------------------ -// Misc utility functions: - -// Convert post_max_size/upload_max_filesize (e.g. '16M') parameters to bytes. -function return_bytes($val) -{ - $val = trim($val); $last=strtolower($val[strlen($val)-1]); - switch($last) - { - case 'g': $val *= 1024; - case 'm': $val *= 1024; - case 'k': $val *= 1024; - } - return $val; -} - -// Try to determine max file size for uploads (POST). -// Returns an integer (in bytes) -function getMaxFileSize() -{ - $size1 = return_bytes(ini_get('post_max_size')); - $size2 = return_bytes(ini_get('upload_max_filesize')); - // Return the smaller of two: - $maxsize = min($size1,$size2); - // FIXME: Then convert back to readable notations ? (e.g. 2M instead of 2000000) - return $maxsize; -} - // ------------------------------------------------------------------------------------------ // Token management for XSRF protection // Token should be used in any form which acts on data (create,update,delete,import...). if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are attached to the session. -// Returns a token. -function getToken() -{ - $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string. - $_SESSION['tokens'][$rnd]=1; // Store it on the server side. - return $rnd; -} - -// Tells if a token is OK. Using this function will destroy the token. -// true=token is OK. -function tokenOk($token) -{ - if (isset($_SESSION['tokens'][$token])) - { - unset($_SESSION['tokens'][$token]); // Token is used: destroy it. - return true; // Token is OK. - } - return false; // Wrong token, or already used. -} - -// ------------------------------------------------------------------------------------------ -/* This class is in charge of building the final page. - (This is basically a wrapper around RainTPL which pre-fills some fields.) - p = new pageBuilder; - p.assign('myfield','myvalue'); - p.renderPage('mytemplate'); - -*/ -class pageBuilder -{ - private $tpl; // RainTPL template - - function __construct() - { - $this->tpl = false; - } - - /** - * Initialize all default tpl tags. - */ - private function initialize() - { - $this->tpl = new RainTPL; - - try { - $version = ApplicationUtils::checkUpdate( - shaarli_version, - $GLOBALS['config']['UPDATECHECK_FILENAME'], - $GLOBALS['config']['UPDATECHECK_INTERVAL'], - $GLOBALS['config']['ENABLE_UPDATECHECK'], - isLoggedIn(), - $GLOBALS['config']['UPDATECHECK_BRANCH'] - ); - $this->tpl->assign('newVersion', escape($version)); - $this->tpl->assign('versionError', ''); - - } catch (Exception $exc) { - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], $exc->getMessage()); - $this->tpl->assign('newVersion', ''); - $this->tpl->assign('versionError', escape($exc->getMessage())); - } - - $this->tpl->assign('feedurl', escape(index_url($_SERVER))); - $searchcrits = ''; // Search criteria - if (!empty($_GET['searchtags'])) { - $searchcrits .= '&searchtags=' . urlencode($_GET['searchtags']); - } - if (!empty($_GET['searchterm'])) { - $searchcrits .= '&searchterm=' . urlencode($_GET['searchterm']); - } - $this->tpl->assign('searchcrits', $searchcrits); - $this->tpl->assign('source', index_url($_SERVER)); - $this->tpl->assign('version', shaarli_version); - $this->tpl->assign('scripturl', index_url($_SERVER)); - $this->tpl->assign('pagetitle', 'Shaarli'); - $this->tpl->assign('privateonly', !empty($_SESSION['privateonly'])); // Show only private links? - if (!empty($GLOBALS['title'])) { - $this->tpl->assign('pagetitle', $GLOBALS['title']); - } - if (!empty($GLOBALS['titleLink'])) { - $this->tpl->assign('titleLink', $GLOBALS['titleLink']); - } - if (!empty($GLOBALS['pagetitle'])) { - $this->tpl->assign('pagetitle', $GLOBALS['pagetitle']); - } - $this->tpl->assign('shaarlititle', empty($GLOBALS['title']) ? 'Shaarli': $GLOBALS['title']); - if (!empty($GLOBALS['plugin_errors'])) { - $this->tpl->assign('plugin_errors', $GLOBALS['plugin_errors']); - } - } - - // The following assign() method is basically the same as RainTPL (except that it's lazy) - public function assign($what,$where) - { - if ($this->tpl===false) $this->initialize(); // Lazy initialization - $this->tpl->assign($what,$where); - } - - /** - * Assign an array of data to the template builder. - * - * @param array $data Data to assign. - * - * @return false if invalid data. - */ - public function assignAll($data) - { - // Lazy initialization - if ($this->tpl === false) { - $this->initialize(); - } - - if (empty($data) || !is_array($data)){ - return false; - } - - foreach ($data as $key => $value) { - $this->assign($key, $value); - } - } - - // Render a specific page (using a template). - // e.g. pb.renderPage('picwall') - public function renderPage($page) - { - if ($this->tpl===false) $this->initialize(); // Lazy initialization - $this->tpl->draw($page); - } - - /** - * Render a 404 page (uses the template : tpl/404.tpl) - * - * usage : $PAGE->render404('The link was deleted') - * @param string $message A messate to display what is not found - */ - public function render404($message='The page you are trying to reach does not exist or has been deleted.') { - header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found'); - $this->tpl->assign('error_message', $message); - $this->renderPage('404'); - } -} - -// ------------------------------------------------------------------------------------------ -// Daily RSS feed: 1 RSS entry per day giving all the links on that day. -// Gives the last 7 days (which have links). -// This RSS feed cannot be filtered. -function showDailyRSS() { +/** + * Daily RSS feed: 1 RSS entry per day giving all the links on that day. + * Gives the last 7 days (which have links). + * This RSS feed cannot be filtered. + * + * @param ConfigManager $conf Configuration Manager instance + * @param LoginManager $loginManager LoginManager instance + */ +function showDailyRSS($conf, $loginManager) { // Cache system $query = $_SERVER['QUERY_STRING']; $cache = new CachedPage( - $GLOBALS['config']['PAGECACHE'], + $conf->get('config.PAGE_CACHE'), page_url($_SERVER), - startsWith($query,'do=dailyrss') && !isLoggedIn() + startsWith($query,'do=dailyrss') && !$loginManager->isLoggedIn() ); $cached = $cache->cachedVersion(); if (!empty($cached)) { @@ -705,32 +305,27 @@ function showDailyRSS() { // If cached was not found (or not usable), then read the database and build the response: // Read links from database (and filter private links if used it not logged in). $LINKSDB = new LinkDB( - $GLOBALS['config']['DATASTORE'], - isLoggedIn(), - $GLOBALS['config']['HIDE_PUBLIC_LINKS'], - $GLOBALS['redirector'], - $GLOBALS['config']['REDIRECTOR_URLENCODE'] + $conf->get('resource.datastore'), + $loginManager->isLoggedIn(), + $conf->get('privacy.hide_public_links'), + $conf->get('redirector.url'), + $conf->get('redirector.encode_url') ); /* Some Shaarlies may have very few links, so we need to look - back in time (rsort()) until we have enough days ($nb_of_days). + back in time until we have enough days ($nb_of_days). */ - $linkdates = array(); - foreach ($LINKSDB as $linkdate => $value) { - $linkdates[] = $linkdate; - } - rsort($linkdates); $nb_of_days = 7; // We take 7 days. - $today = Date('Ymd'); + $today = date('Ymd'); $days = array(); - foreach ($linkdates as $linkdate) { - $day = substr($linkdate, 0, 8); // Extract day (without time) - if (strcmp($day,$today) < 0) { + foreach ($LINKSDB as $link) { + $day = $link['created']->format('Ymd'); // Extract day (without time) + if (strcmp($day, $today) < 0) { if (empty($days[$day])) { $days[$day] = array(); } - $days[$day][] = $linkdate; + $days[$day][] = $link; } if (count($days) > $nb_of_days) { @@ -743,43 +338,40 @@ function showDailyRSS() { $pageaddr = escape(index_url($_SERVER)); echo '
- ',$data) as $html) // explode is very fast - { - $link = array('linkdate'=>'','title'=>'','url'=>'','description'=>'','tags'=>'','private'=>0); - $d = explode('
- ',$html);
- if (startsWith($d[0], '(.*?)!i',$d[0],$matches); $link['title'] = (isset($matches[1]) ? trim($matches[1]) : ''); // Get title
- $link['title'] = html_entity_decode($link['title'],ENT_QUOTES,'UTF-8');
- preg_match_all('! ([A-Z_]+)=\"(.*?)"!i',$html,$matches,PREG_SET_ORDER); // Get all other attributes
- $raw_add_date=0;
- foreach($matches as $m)
- {
- $attr=$m[1]; $value=$m[2];
- if ($attr=='HREF') $link['url']=html_entity_decode($value,ENT_QUOTES,'UTF-8');
- elseif ($attr=='ADD_DATE')
- {
- $raw_add_date=intval($value);
- if ($raw_add_date>30000000000) $raw_add_date/=1000; //If larger than year 2920, then was likely stored in milliseconds instead of seconds
- }
- elseif ($attr=='PRIVATE') $link['private']=($value=='0'?0:1);
- elseif ($attr=='TAGS') $link['tags']=html_entity_decode(str_replace(',',' ',$value),ENT_QUOTES,'UTF-8');
- }
- if ($link['url']!='')
- {
- if ($private==1) $link['private']=1;
- $dblink = $LINKSDB->getLinkFromUrl($link['url']); // See if the link is already in database.
- if ($dblink==false)
- { // Link not in database, let's import it...
- if (empty($raw_add_date)) $raw_add_date=time(); // In case of shitty bookmark file with no ADD_DATE
-
- // Make sure date/time is not already used by another link.
- // (Some bookmark files have several different links with the same ADD_DATE)
- // We increment date by 1 second until we find a date which is not used in DB.
- // (so that links that have the same date/time are more or less kept grouped by date, but do not conflict.)
- while (!empty($LINKSDB[date('Ymd_His',$raw_add_date)])) { $raw_add_date++; }// Yes, I know it's ugly.
- $link['linkdate']=date('Ymd_His',$raw_add_date);
- $LINKSDB[$link['linkdate']] = $link;
- $import_count++;
- }
- else // Link already present in database.
- {
- if ($overwrite)
- { // If overwrite is required, we import link data, except date/time.
- $link['linkdate']=$dblink['linkdate'];
- $LINKSDB[$link['linkdate']] = $link;
- $import_count++;
- }
- }
+ // Get a fresh token
+ if ($targetPage == Router::$GET_TOKEN) {
+ header('Content-Type:text/plain');
+ echo $sessionManager->generateToken($conf);
+ exit;
+ }
- }
+ // -------- Thumbnails Update
+ if ($targetPage == Router::$PAGE_THUMBS_UPDATE) {
+ $ids = [];
+ foreach ($LINKSDB as $link) {
+ // A note or not HTTP(S)
+ if ($link['url'][0] === '?' || ! startsWith(strtolower($link['url']), 'http')) {
+ continue;
}
+ $ids[] = $link['id'];
}
- $LINKSDB->savedb($GLOBALS['config']['PAGECACHE']);
-
- echo '';
+ $PAGE->assign('ids', $ids);
+ $PAGE->assign('pagetitle', t('Thumbnails update') .' - '. $conf->get('general.title', 'Shaarli'));
+ $PAGE->renderPage('thumbnails');
+ exit;
}
- else
- {
- echo '';
+
+ // -------- Single Thumbnail Update
+ if ($targetPage == Router::$AJAX_THUMB_UPDATE) {
+ if (! isset($_POST['id']) || ! ctype_digit($_POST['id'])) {
+ http_response_code(400);
+ exit;
+ }
+ $id = (int) $_POST['id'];
+ if (empty($LINKSDB[$id])) {
+ http_response_code(404);
+ exit;
+ }
+ $thumbnailer = new Thumbnailer($conf);
+ $link = $LINKSDB[$id];
+ $link['thumbnail'] = $thumbnailer->get($link['url']);
+ $LINKSDB[$id] = $link;
+ $LINKSDB->save($conf->get('resource.page_cache'));
+
+ echo json_encode($link);
+ exit;
}
+
+ // -------- Otherwise, simply display search form and links:
+ showLinkList($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager);
+ exit;
}
/**
* Template for the list of links () * This function fills all the necessary fields in the $PAGE for the template 'linklist.html' * - * @param pageBuilder $PAGE pageBuilder instance. - * @param LinkDB $LINKSDB LinkDB instance. + * @param pageBuilder $PAGE pageBuilder instance. + * @param LinkDB $LINKSDB LinkDB instance. + * @param ConfigManager $conf Configuration Manager instance. + * @param PluginManager $pluginManager Plugin Manager instance. + * @param LoginManager $loginManager LoginManager instance */ -function buildLinkList($PAGE,$LINKSDB) +function buildLinkList($PAGE, $LINKSDB, $conf, $pluginManager, $loginManager) { // Used in templates - $searchtags = !empty($_GET['searchtags']) ? escape($_GET['searchtags']) : ''; - $searchterm = !empty($_GET['searchterm']) ? escape($_GET['searchterm']) : ''; + if (isset($_GET['searchtags'])) { + if (! empty($_GET['searchtags'])) { + $searchtags = escape(normalize_spaces($_GET['searchtags'])); + } else { + $searchtags = false; + } + } else { + $searchtags = ''; + } + $searchterm = !empty($_GET['searchterm']) ? escape(normalize_spaces($_GET['searchterm'])) : ''; // Smallhash filter if (! empty($_SERVER['QUERY_STRING']) @@ -1816,8 +1585,12 @@ function buildLinkList($PAGE,$LINKSDB) } } else { // Filter links according search parameters. - $privateonly = !empty($_SESSION['privateonly']); - $linksToDisplay = $LINKSDB->filterSearch($_GET, false, $privateonly); + $visibility = ! empty($_SESSION['visibility']) ? $_SESSION['visibility'] : ''; + $request = [ + 'searchtags' => $searchtags, + 'searchterm' => $searchterm, + ]; + $linksToDisplay = $LINKSDB->filterSearch($request, false, $visibility, !empty($_SESSION['untaggedonly'])); } // ---- Handle paging. @@ -1826,11 +1599,6 @@ function buildLinkList($PAGE,$LINKSDB) $keys[] = $key; } - // If there is only a single link, we change on-the-fly the title of the page. - if (count($linksToDisplay) == 1) { - $GLOBALS['pagetitle'] = $linksToDisplay[$keys[0]]['title'].' - '.$GLOBALS['title']; - } - // Select articles according to paging. $pagecount = ceil(count($keys) / $_SESSION['LINKS_PER_PAGE']); $pagecount = $pagecount == 0 ? 1 : $pagecount; @@ -1840,22 +1608,47 @@ function buildLinkList($PAGE,$LINKSDB) // Start index. $i = ($page-1) * $_SESSION['LINKS_PER_PAGE']; $end = $i + $_SESSION['LINKS_PER_PAGE']; + + $thumbnailsEnabled = $conf->get('thumbnails.mode', Thumbnailer::MODE_NONE) !== Thumbnailer::MODE_NONE; + if ($thumbnailsEnabled) { + $thumbnailer = new Thumbnailer($conf); + } + $linkDisp = array(); while ($i<$end && $i
'; - - // Lazy image - $html.='
Sessions do not seem to work correctly on your server.
'; - echo 'Make sure the variable session.save_path is set correctly in your php config, and that you have write access to it.
'; - echo 'It currently points to '.session_save_path().'
'; - echo 'Check that the hostname used to access Shaarli contains a dot. On some browsers, accessing your server via a hostname like \'localhost\' or any custom hostname without a dot causes cookie storage to fail. We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
'; - echo '
Click to try again.'; + { + // Step 2: Check if data in session is correct. + $msg = t( + 'Sessions do not seem to work correctly on your server.
'; die; } if (!isset($_SESSION['session_tested'])) @@ -2123,15 +1763,30 @@ function install() ) { $tz = $_POST['continent'].'/'.$_POST['city']; } - $GLOBALS['timezone'] = $tz; - // Everything is ok, let's create config file. - $GLOBALS['login'] = $_POST['setlogin']; - $GLOBALS['salt'] = sha1(uniqid('',true).'_'.mt_rand()); // Salt renders rainbow-tables attacks useless. - $GLOBALS['hash'] = sha1($_POST['setpassword'].$GLOBALS['login'].$GLOBALS['salt']); - $GLOBALS['title'] = (empty($_POST['title']) ? 'Shared links on '.escape(index_url($_SERVER)) : $_POST['title'] ); - $GLOBALS['config']['ENABLE_UPDATECHECK'] = !empty($_POST['updateCheck']); + $conf->set('general.timezone', $tz); + $login = $_POST['setlogin']; + $conf->set('credentials.login', $login); + $salt = sha1(uniqid('', true) .'_'. mt_rand()); + $conf->set('credentials.salt', $salt); + $conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt)); + if (!empty($_POST['title'])) { + $conf->set('general.title', escape($_POST['title'])); + } else { + $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER))); + } + $conf->set('translation.language', escape($_POST['language'])); + $conf->set('updates.check_updates', !empty($_POST['updateCheck'])); + $conf->set('api.enabled', !empty($_POST['enableApi'])); + $conf->set( + 'api.secret', + generate_api_secret( + $conf->get('credentials.login'), + $conf->get('credentials.salt') + ) + ); try { - writeConfig($GLOBALS, isLoggedIn()); + // Everything is ok, let's create config file. + $conf->write($loginManager->isLoggedIn()); } catch(Exception $e) { error_log( @@ -2147,242 +1802,68 @@ function install() exit; } - // Display config form: - list($timezone_form, $timezone_js) = generateTimeZoneForm(); - $timezone_html = ''; - if ($timezone_form != '') { - $timezone_html = '
'. + 'Make sure the variable "session.save_path" is set correctly in your PHP config, '. + 'and that you have write access to it.
'. + 'It currently points to %s.
'. + 'On some browsers, accessing your server via a hostname like \'localhost\' '. + 'or any custom hostname without a dot causes cookie storage to fail. '. + 'We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
' + ); + $msg = sprintf($msg, session_save_path()); + echo $msg; + echo '
'. t('Click to try again.') .'Timezone: '.$timezone_form.' 
- list($headers, $content) = get_http_response($url, 5);
- if (strpos($headers[0], '200 OK') !== false) {
- // Extract the link to the thumbnail
- preg_match('!