'. t('Insufficient permissions:') .'
- ';
foreach ($errors as $error) {
$message .= '
- '.$error.' '; @@ -262,82 +167,59 @@ if (! is_file($GLOBALS['config']['CONFIG_FILE'])) { } // Display the installation form if no existing config is found - install(); + install($conf, $sessionManager); } -$GLOBALS['title'] = !empty($GLOBALS['title']) ? escape($GLOBALS['title']) : ''; -$GLOBALS['titleLink'] = !empty($GLOBALS['titleLink']) ? escape($GLOBALS['titleLink']) : ''; -$GLOBALS['redirector'] = !empty($GLOBALS['redirector']) ? escape($GLOBALS['redirector']) : ''; - // a token depending of deployment salt, user password, and the current ip -define('STAY_SIGNED_IN_TOKEN', sha1($GLOBALS['hash'].$_SERVER["REMOTE_ADDR"].$GLOBALS['salt'])); +define('STAY_SIGNED_IN_TOKEN', sha1($conf->get('credentials.hash') . $_SERVER['REMOTE_ADDR'] . $conf->get('credentials.salt'))); -// Sniff browser language and set date format accordingly. -if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { - autoLocale($_SERVER['HTTP_ACCEPT_LANGUAGE']); -} -header('Content-Type: text/html; charset=utf-8'); // We use UTF-8 for proper international characters handling. - -//================================================================================================== -// Checking session state (i.e. is the user still logged in) -//================================================================================================== - -function setup_login_state() { - if ($GLOBALS['config']['OPEN_SHAARLI']) { - return true; - } - $userIsLoggedIn = false; // By default, we do not consider the user as logged in; - $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. - if (!isset($GLOBALS['login'])) { - $userIsLoggedIn = false; // Shaarli is not configured yet. - $loginFailure = true; - } - if (isset($_COOKIE['shaarli_staySignedIn']) && - $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && - !$loginFailure) - { - fillSessionInfo(); - $userIsLoggedIn = true; - } - // If session does not exist on server side, or IP address has changed, or session has expired, logout. - if (empty($_SESSION['uid']) || - ($GLOBALS['disablesessionprotection']==false && $_SESSION['ip']!=allIPs()) || - time() >= $_SESSION['expires_on']) - { - logout(); - $userIsLoggedIn = false; - $loginFailure = true; - } - if (!empty($_SESSION['longlastingsession'])) { - $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. - } - else { - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. - } - if (!$loginFailure) { - $userIsLoggedIn = true; - } - - return $userIsLoggedIn; -} -$userIsLoggedIn = setup_login_state(); - -// ------------------------------------------------------------------------------------------ -// PubSubHubbub protocol support (if enabled) [UNTESTED] -// (Source: http://aldarone.fr/les-flux-rss-shaarli-et-pubsubhubbub/ ) -if (!empty($GLOBALS['config']['PUBSUBHUB_URL'])) include './publisher.php'; -function pubsubhub() +/** + * Checking session state (i.e. is the user still logged in) + * + * @param ConfigManager $conf The configuration manager. + * + * @return bool: true if the user is logged in, false otherwise. + */ +function setup_login_state($conf) { - if (!empty($GLOBALS['config']['PUBSUBHUB_URL'])) + if ($conf->get('security.open_shaarli')) { + return true; + } + $userIsLoggedIn = false; // By default, we do not consider the user as logged in; + $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met. + if (! $conf->exists('credentials.login')) { + $userIsLoggedIn = false; // Shaarli is not configured yet. + $loginFailure = true; + } + if (isset($_COOKIE['shaarli_staySignedIn']) && + $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN && + !$loginFailure) + { + fillSessionInfo($conf); + $userIsLoggedIn = true; + } + // If session does not exist on server side, or IP address has changed, or session has expired, logout. + if (empty($_SESSION['uid']) + || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs()) + || time() >= $_SESSION['expires_on']) { - $p = new Publisher($GLOBALS['config']['PUBSUBHUB_URL']); - $topic_url = array ( - index_url($_SERVER).'?do=atom', - index_url($_SERVER).'?do=rss' - ); - $p->publish_update($topic_url); + logout(); + $userIsLoggedIn = false; + $loginFailure = true; } + if (!empty($_SESSION['longlastingsession'])) { + $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked. + } + else { + $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date. + } + if (!$loginFailure) { + $userIsLoggedIn = true; + } + + return $userIsLoggedIn; } +$userIsLoggedIn = setup_login_state($conf); // ------------------------------------------------------------------------------------------ // Session management @@ -345,32 +227,46 @@ function pubsubhub() // Returns the IP address of the client (Used to prevent session cookie hijacking.) function allIPs() { - $ip = $_SERVER["REMOTE_ADDR"]; + $ip = $_SERVER['REMOTE_ADDR']; // Then we use more HTTP headers to prevent session hijacking from users behind the same proxy. if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; } if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; } return $ip; } -function fillSessionInfo() { - $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) - $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. - $_SESSION['username']=$GLOBALS['login']; - $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. +/** + * Load user session. + * + * @param ConfigManager $conf Configuration Manager instance. + */ +function fillSessionInfo($conf) +{ + $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid) + $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked. + $_SESSION['username']= $conf->get('credentials.login'); + $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration. } -// Check that user/password is correct. -function check_auth($login,$password) +/** + * Check that user/password is correct. + * + * @param string $login Username + * @param string $password User password + * @param ConfigManager $conf Configuration Manager instance. + * + * @return bool: authentication successful or not. + */ +function check_auth($login, $password, $conf) { - $hash = sha1($password.$login.$GLOBALS['salt']); - if ($login==$GLOBALS['login'] && $hash==$GLOBALS['hash']) + $hash = sha1($password . $login . $conf->get('credentials.salt')); + if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash')) { // Login/password is correct. - fillSessionInfo(); - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'Login successful'); - return True; + fillSessionInfo($conf); + logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful'); + return true; } - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'Login failed for user '.$login); - return False; + logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login failed for user '.$login); + return false; } // Returns true if the user is logged in. @@ -387,6 +283,7 @@ function logout() { unset($_SESSION['ip']); unset($_SESSION['username']); unset($_SESSION['privateonly']); + unset($_SESSION['untaggedonly']); } setcookie('shaarli_staySignedIn', FALSE, 0, WEB_PATH); } @@ -395,34 +292,71 @@ function logout() { // ------------------------------------------------------------------------------------------ // Brute force protection system // Several consecutive failed logins will ban the IP address for 30 minutes. -if (!is_file($GLOBALS['config']['IPBANS_FILENAME'])) file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], "array(),'BANS'=>array()),true).";\n?>"); -include $GLOBALS['config']['IPBANS_FILENAME']; -// Signal a failed login. Will ban the IP if too many failures: -function ban_loginFailed() +if (!is_file($conf->get('resource.ban_file', 'data/ipbans.php'))) { + // FIXME! globals + file_put_contents( + $conf->get('resource.ban_file', 'data/ipbans.php'), + "array(),'BANS'=>array()),true).";\n?>" + ); +} +include $conf->get('resource.ban_file', 'data/ipbans.php'); +/** + * Signal a failed login. Will ban the IP if too many failures: + * + * @param ConfigManager $conf Configuration Manager instance. + */ +function ban_loginFailed($conf) { - $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; - if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0; + $ip = $_SERVER['REMOTE_ADDR']; + $trusted = $conf->get('security.trusted_proxies', array()); + if (in_array($ip, $trusted)) { + $ip = getIpAddressFromProxy($_SERVER, $trusted); + if (!$ip) { + return; + } + } + $gb = $GLOBALS['IPBANS']; + if (! isset($gb['FAILURES'][$ip])) { + $gb['FAILURES'][$ip]=0; + } $gb['FAILURES'][$ip]++; - if ($gb['FAILURES'][$ip]>($GLOBALS['config']['BAN_AFTER']-1)) + if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) { - $gb['BANS'][$ip]=time()+$GLOBALS['config']['BAN_DURATION']; - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'IP address banned from login'); + $gb['BANS'][$ip] = time() + $conf->get('security.ban_after', 1800); + logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'IP address banned from login'); } $GLOBALS['IPBANS'] = $gb; - file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], ""); + file_put_contents( + $conf->get('resource.ban_file', 'data/ipbans.php'), + "" + ); } -// Signals a successful login. Resets failed login counter. -function ban_loginOk() +/** + * Signals a successful login. Resets failed login counter. + * + * @param ConfigManager $conf Configuration Manager instance. + */ +function ban_loginOk($conf) { - $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; + $ip = $_SERVER['REMOTE_ADDR']; + $gb = $GLOBALS['IPBANS']; unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); $GLOBALS['IPBANS'] = $gb; - file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], ""); + file_put_contents( + $conf->get('resource.ban_file', 'data/ipbans.php'), + "" + ); } -// Checks if the user CAN login. If 'true', the user can try to login. -function ban_canLogin() +/** + * Checks if the user CAN login. If 'true', the user can try to login. + * + * @param ConfigManager $conf Configuration Manager instance. + * + * @return bool: true if the user is allowed to login. + */ +function ban_canLogin($conf) { $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; if (isset($gb['BANS'][$ip])) @@ -430,9 +364,12 @@ function ban_canLogin() // User is banned. Check if the ban has expired: if ($gb['BANS'][$ip]<=time()) { // Ban expired, user can try to login again. - logm($GLOBALS['config']['LOG_FILE'], $_SERVER['REMOTE_ADDR'], 'Ban lifted.'); + logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Ban lifted.'); unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]); - file_put_contents($GLOBALS['config']['IPBANS_FILENAME'], ""); + file_put_contents( + $conf->get('resource.ban_file', 'data/ipbans.php'), + "" + ); return true; // Ban has expired, user can login. } return false; // User is banned. @@ -444,16 +381,19 @@ function ban_canLogin() // Process login form: Check if login/password is correct. if (isset($_POST['login'])) { - if (!ban_canLogin()) die('I said: NO. You are banned for the moment. Go away.'); - if (isset($_POST['password']) && tokenOk($_POST['token']) && (check_auth($_POST['login'], $_POST['password']))) - { // Login/password is OK. - ban_loginOk(); + if (!ban_canLogin($conf)) die(t('I said: NO. You are banned for the moment. Go away.')); + if (isset($_POST['password']) + && $sessionManager->checkToken($_POST['token']) + && (check_auth($_POST['login'], $_POST['password'], $conf)) + ) { // Login/password is OK. + ban_loginOk($conf); // If user wants to keep the session cookie even after the browser closes: if (!empty($_POST['longlastingsession'])) { - setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH); - $_SESSION['longlastingsession']=31536000; // (31536000 seconds = 1 year) - $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // Set session expiration on server-side. + $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year) + $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now) + setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH); + $_SESSION['expires_on'] = $expiration; // Set session expiration on server-side. $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/'; session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side @@ -470,7 +410,7 @@ if (isset($_POST['login'])) // Optional redirect after login: if (isset($_GET['post'])) { $uri = '?post='. urlencode($_GET['post']); - foreach (array('description', 'source', 'title') as $param) { + foreach (array('description', 'source', 'title', 'tags') as $param) { if (!empty($_GET[$param])) { $uri .= '&'.$param.'='.urlencode($_GET[$param]); } @@ -495,83 +435,39 @@ if (isset($_POST['login'])) } else { - ban_loginFailed(); + ban_loginFailed($conf); $redir = '&username='. $_POST['login']; if (isset($_GET['post'])) { $redir .= '&post=' . urlencode($_GET['post']); - foreach (array('description', 'source', 'title') as $param) { + foreach (array('description', 'source', 'title', 'tags') as $param) { if (!empty($_GET[$param])) { $redir .= '&' . $param . '=' . urlencode($_GET[$param]); } } } - echo ''; // Redirect to login screen. + // Redirect to login screen. + echo ''; exit; } } -// ------------------------------------------------------------------------------------------ -// Misc utility functions: - -// Convert post_max_size/upload_max_filesize (e.g. '16M') parameters to bytes. -function return_bytes($val) -{ - $val = trim($val); $last=strtolower($val[strlen($val)-1]); - switch($last) - { - case 'g': $val *= 1024; - case 'm': $val *= 1024; - case 'k': $val *= 1024; - } - return $val; -} - -// Try to determine max file size for uploads (POST). -// Returns an integer (in bytes) -function getMaxFileSize() -{ - $size1 = return_bytes(ini_get('post_max_size')); - $size2 = return_bytes(ini_get('upload_max_filesize')); - // Return the smaller of two: - $maxsize = min($size1,$size2); - // FIXME: Then convert back to readable notations ? (e.g. 2M instead of 2000000) - return $maxsize; -} - // ------------------------------------------------------------------------------------------ // Token management for XSRF protection // Token should be used in any form which acts on data (create,update,delete,import...). if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are attached to the session. -// Returns a token. -function getToken() -{ - $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string. - $_SESSION['tokens'][$rnd]=1; // Store it on the server side. - return $rnd; -} - -// Tells if a token is OK. Using this function will destroy the token. -// true=token is OK. -function tokenOk($token) -{ - if (isset($_SESSION['tokens'][$token])) - { - unset($_SESSION['tokens'][$token]); // Token is used: destroy it. - return true; // Token is OK. - } - return false; // Wrong token, or already used. -} - -// ------------------------------------------------------------------------------------------ -// Daily RSS feed: 1 RSS entry per day giving all the links on that day. -// Gives the last 7 days (which have links). -// This RSS feed cannot be filtered. -function showDailyRSS() { +/** + * Daily RSS feed: 1 RSS entry per day giving all the links on that day. + * Gives the last 7 days (which have links). + * This RSS feed cannot be filtered. + * + * @param ConfigManager $conf Configuration Manager instance. + */ +function showDailyRSS($conf) { // Cache system $query = $_SERVER['QUERY_STRING']; $cache = new CachedPage( - $GLOBALS['config']['PAGECACHE'], + $conf->get('config.PAGE_CACHE'), page_url($_SERVER), startsWith($query,'do=dailyrss') && !isLoggedIn() ); @@ -584,32 +480,27 @@ function showDailyRSS() { // If cached was not found (or not usable), then read the database and build the response: // Read links from database (and filter private links if used it not logged in). $LINKSDB = new LinkDB( - $GLOBALS['config']['DATASTORE'], + $conf->get('resource.datastore'), isLoggedIn(), - $GLOBALS['config']['HIDE_PUBLIC_LINKS'], - $GLOBALS['redirector'], - $GLOBALS['config']['REDIRECTOR_URLENCODE'] + $conf->get('privacy.hide_public_links'), + $conf->get('redirector.url'), + $conf->get('redirector.encode_url') ); /* Some Shaarlies may have very few links, so we need to look - back in time (rsort()) until we have enough days ($nb_of_days). + back in time until we have enough days ($nb_of_days). */ - $linkdates = array(); - foreach ($LINKSDB as $linkdate => $value) { - $linkdates[] = $linkdate; - } - rsort($linkdates); $nb_of_days = 7; // We take 7 days. - $today = Date('Ymd'); + $today = date('Ymd'); $days = array(); - foreach ($linkdates as $linkdate) { - $day = substr($linkdate, 0, 8); // Extract day (without time) - if (strcmp($day,$today) < 0) { + foreach ($LINKSDB as $link) { + $day = $link['created']->format('Ymd'); // Extract day (without time) + if (strcmp($day, $today) < 0) { if (empty($days[$day])) { $days[$day] = array(); } - $days[$day][] = $linkdate; + $days[$day][] = $link; } if (count($days) > $nb_of_days) { @@ -622,43 +513,40 @@ function showDailyRSS() { $pageaddr = escape(index_url($_SERVER)); echo '
- ',$data) as $html) // explode is very fast - { - $link = array('linkdate'=>'','title'=>'','url'=>'','description'=>'','tags'=>'','private'=>0); - $d = explode('
- ',$html);
- if (startsWith($d[0], '(.*?)!i',$d[0],$matches); $link['title'] = (isset($matches[1]) ? trim($matches[1]) : ''); // Get title
- $link['title'] = html_entity_decode($link['title'],ENT_QUOTES,'UTF-8');
- preg_match_all('! ([A-Z_]+)=\"(.*?)"!i',$html,$matches,PREG_SET_ORDER); // Get all other attributes
- $raw_add_date=0;
- foreach($matches as $m)
- {
- $attr=$m[1]; $value=$m[2];
- if ($attr=='HREF') $link['url']=html_entity_decode($value,ENT_QUOTES,'UTF-8');
- elseif ($attr=='ADD_DATE')
- {
- $raw_add_date=intval($value);
- if ($raw_add_date>30000000000) $raw_add_date/=1000; //If larger than year 2920, then was likely stored in milliseconds instead of seconds
- }
- elseif ($attr=='PRIVATE') $link['private']=($value=='0'?0:1);
- elseif ($attr=='TAGS') $link['tags']=html_entity_decode(str_replace(',',' ',$value),ENT_QUOTES,'UTF-8');
- }
- if ($link['url']!='')
- {
- if ($private==1) $link['private']=1;
- $dblink = $LINKSDB->getLinkFromUrl($link['url']); // See if the link is already in database.
- if ($dblink==false)
- { // Link not in database, let's import it...
- if (empty($raw_add_date)) $raw_add_date=time(); // In case of shitty bookmark file with no ADD_DATE
-
- // Make sure date/time is not already used by another link.
- // (Some bookmark files have several different links with the same ADD_DATE)
- // We increment date by 1 second until we find a date which is not used in DB.
- // (so that links that have the same date/time are more or less kept grouped by date, but do not conflict.)
- while (!empty($LINKSDB[date('Ymd_His',$raw_add_date)])) { $raw_add_date++; }// Yes, I know it's ugly.
- $link['linkdate']=date('Ymd_His',$raw_add_date);
- $LINKSDB[$link['linkdate']] = $link;
- $import_count++;
- }
- else // Link already present in database.
- {
- if ($overwrite)
- { // If overwrite is required, we import link data, except date/time.
- $link['linkdate']=$dblink['linkdate'];
- $LINKSDB[$link['linkdate']] = $link;
- $import_count++;
- }
- }
-
- }
- }
- }
- $LINKSDB->savedb($GLOBALS['config']['PAGECACHE']);
-
- echo '';
- }
- else
- {
- echo '';
- }
-}
-
/**
* Template for the list of links () * This function fills all the necessary fields in the $PAGE for the template 'linklist.html' * - * @param pageBuilder $PAGE pageBuilder instance. - * @param LinkDB $LINKSDB LinkDB instance. + * @param pageBuilder $PAGE pageBuilder instance. + * @param LinkDB $LINKSDB LinkDB instance. + * @param ConfigManager $conf Configuration Manager instance. + * @param PluginManager $pluginManager Plugin Manager instance. */ -function buildLinkList($PAGE,$LINKSDB) +function buildLinkList($PAGE,$LINKSDB, $conf, $pluginManager) { // Used in templates - $searchtags = !empty($_GET['searchtags']) ? escape($_GET['searchtags']) : ''; - $searchterm = !empty($_GET['searchterm']) ? escape($_GET['searchterm']) : ''; + if (isset($_GET['searchtags'])) { + if (! empty($_GET['searchtags'])) { + $searchtags = escape(normalize_spaces($_GET['searchtags'])); + } else { + $searchtags = false; + } + } else { + $searchtags = ''; + } + $searchterm = !empty($_GET['searchterm']) ? escape(normalize_spaces($_GET['searchterm'])) : ''; // Smallhash filter if (! empty($_SERVER['QUERY_STRING']) @@ -1688,8 +1667,12 @@ function buildLinkList($PAGE,$LINKSDB) } } else { // Filter links according search parameters. - $privateonly = !empty($_SESSION['privateonly']); - $linksToDisplay = $LINKSDB->filterSearch($_GET, false, $privateonly); + $visibility = ! empty($_SESSION['privateonly']) ? 'private' : 'all'; + $request = [ + 'searchtags' => $searchtags, + 'searchterm' => $searchterm, + ]; + $linksToDisplay = $LINKSDB->filterSearch($request, false, $visibility, !empty($_SESSION['untaggedonly'])); } // ---- Handle paging. @@ -1698,10 +1681,7 @@ function buildLinkList($PAGE,$LINKSDB) $keys[] = $key; } - // If there is only a single link, we change on-the-fly the title of the page. - if (count($linksToDisplay) == 1) { - $GLOBALS['pagetitle'] = $linksToDisplay[$keys[0]]['title'].' - '.$GLOBALS['title']; - } + // Select articles according to paging. $pagecount = ceil(count($keys) / $_SESSION['LINKS_PER_PAGE']); @@ -1716,15 +1696,22 @@ function buildLinkList($PAGE,$LINKSDB) while ($i<$end && $i
'; @@ -1954,11 +1950,14 @@ function lazyThumbnail($url,$href=false) } -// ----------------------------------------------------------------------------------------------- -// Installation -// This function should NEVER be called if the file data/config.php exists. -function install() -{ +/** + * Installation + * This function should NEVER be called if the file data/config.php exists. + * + * @param ConfigManager $conf Configuration Manager instance. + * @param SessionManager $sessionManager SessionManager instance + */ +function install($conf, $sessionManager) { // On free.fr host, make sure the /sessions directory exists, otherwise login will not work. if (endsWith($_SERVER['HTTP_HOST'],'.free.fr') && !is_dir($_SERVER['DOCUMENT_ROOT'].'/sessions')) mkdir($_SERVER['DOCUMENT_ROOT'].'/sessions',0705); @@ -1967,12 +1966,20 @@ function install() // (Because on some hosts, session.save_path may not be set correctly, // or we may not have write access to it.) if (isset($_GET['test_session']) && ( !isset($_SESSION) || !isset($_SESSION['session_tested']) || $_SESSION['session_tested']!='Working')) - { // Step 2: Check if data in session is correct. - echo '
Sessions do not seem to work correctly on your server.
'; + { + // Step 2: Check if data in session is correct. + $msg = t( + '
'; - echo 'Make sure the variable session.save_path is set correctly in your php config, and that you have write access to it.
'; - echo 'It currently points to '.session_save_path().'
'; - echo 'Check that the hostname used to access Shaarli contains a dot. On some browsers, accessing your server via a hostname like \'localhost\' or any custom hostname without a dot causes cookie storage to fail. We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
'; - echo '
Click to try again.Sessions do not seem to work correctly on your server.
'; die; } if (!isset($_SESSION['session_tested'])) @@ -1994,15 +2001,30 @@ function install() ) { $tz = $_POST['continent'].'/'.$_POST['city']; } - $GLOBALS['timezone'] = $tz; - // Everything is ok, let's create config file. - $GLOBALS['login'] = $_POST['setlogin']; - $GLOBALS['salt'] = sha1(uniqid('',true).'_'.mt_rand()); // Salt renders rainbow-tables attacks useless. - $GLOBALS['hash'] = sha1($_POST['setpassword'].$GLOBALS['login'].$GLOBALS['salt']); - $GLOBALS['title'] = (empty($_POST['title']) ? 'Shared links on '.escape(index_url($_SERVER)) : $_POST['title'] ); - $GLOBALS['config']['ENABLE_UPDATECHECK'] = !empty($_POST['updateCheck']); + $conf->set('general.timezone', $tz); + $login = $_POST['setlogin']; + $conf->set('credentials.login', $login); + $salt = sha1(uniqid('', true) .'_'. mt_rand()); + $conf->set('credentials.salt', $salt); + $conf->set('credentials.hash', sha1($_POST['setpassword'] . $login . $salt)); + if (!empty($_POST['title'])) { + $conf->set('general.title', escape($_POST['title'])); + } else { + $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER))); + } + $conf->set('translation.language', escape($_POST['language'])); + $conf->set('updates.check_updates', !empty($_POST['updateCheck'])); + $conf->set('api.enabled', !empty($_POST['enableApi'])); + $conf->set( + 'api.secret', + generate_api_secret( + $conf->get('credentials.login'), + $conf->get('credentials.salt') + ) + ); try { - writeConfig($GLOBALS, isLoggedIn()); + // Everything is ok, let's create config file. + $conf->write(isLoggedIn()); } catch(Exception $e) { error_log( @@ -2018,49 +2040,48 @@ function install() exit; } - // Display config form: - list($timezone_form, $timezone_js) = generateTimeZoneForm(); - $timezone_html = ''; - if ($timezone_form != '') { - $timezone_html = '
'. + 'Make sure the variable "session.save_path" is set correctly in your PHP config, '. + 'and that you have write access to it.
'. + 'It currently points to %s.
'. + 'On some browsers, accessing your server via a hostname like \'localhost\' '. + 'or any custom hostname without a dot causes cookie storage to fail. '. + 'We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
' + ); + $msg = sprintf($msg, session_save_path()); + echo $msg; + echo '
'. t('Click to try again.') .'Timezone: '.$timezone_form.'