From: VirtualTam <virtualtam+github@flibidi.net>
Date: Sun, 27 Aug 2017 14:36:53 +0000 (+0200)
Subject: Merge pull request #944 from thewilli/configure-rememberme
X-Git-Tag: v0.9.4~7^2~10
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=e4ed3a46b7029eeed757daf33596eb5d345c32b5;hp=-c;p=github%2Fshaarli%2FShaarli.git

Merge pull request #944 from thewilli/configure-rememberme

new setting: default value for 'remember me' checkbox
---

e4ed3a46b7029eeed757daf33596eb5d345c32b5
diff --combined application/config/ConfigManager.php
index 0fc5a5c7,c94d92a8..fdd5b3d7
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@@ -9,8 -9,8 +9,8 @@@ use Shaarli\Config\Exception\Unauthoriz
   *
   * Manages all Shaarli's settings.
   * See the documentation for more information on settings:
 - *   - doc/Shaarli-configuration.html
 - *   - https://github.com/shaarli/Shaarli/wiki/Shaarli-configuration
 + *   - doc/md/Shaarli-configuration.md
 + *   - https://shaarli.readthedocs.io/en/master/Shaarli-configuration/#configuration
   */
  class ConfigManager
  {
@@@ -328,6 -328,8 +328,8 @@@
          $this->setEmpty('privacy.default_private_links', false);
          $this->setEmpty('privacy.hide_public_links', false);
          $this->setEmpty('privacy.hide_timestamps', false);
+         // default state of the 'remember me' checkbox of the login form
+         $this->setEmpty('privacy.remember_user_default', true);
  
          $this->setEmpty('thumbnail.enable_thumbnails', true);
          $this->setEmpty('thumbnail.enable_localcache', true);
diff --combined index.php
index 7df6d819,f2f3b93e..e0a7b416
--- a/index.php
+++ b/index.php
@@@ -48,8 -48,8 +48,8 @@@ if (! file_exists(__DIR__ . '/vendor/au
          ."If you installed Shaarli through Git or using the development branch,\n"
          ."please refer to the installation documentation to install PHP"
          ." dependencies using Composer:\n"
 -        ."- https://github.com/shaarli/Shaarli/wiki/Server-requirements\n"
 -        ."- https://github.com/shaarli/Shaarli/wiki/Download-and-Installation";
 +        ."- https://shaarli.readthedocs.io/en/master/Server-requirements/\n"
 +        ."- https://shaarli.readthedocs.io/en/master/Download-and-Installation/";
      exit;
  }
  require_once 'inc/rain.tpl.class.php';
@@@ -133,6 -133,15 +133,6 @@@ date_default_timezone_set($conf->get('g
  
  ob_start();  // Output buffering for the page cache.
  
 -// In case stupid admin has left magic_quotes enabled in php.ini:
 -if (get_magic_quotes_gpc())
 -{
 -    function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; }
 -    $_POST = array_map('stripslashes_deep', $_POST);
 -    $_GET = array_map('stripslashes_deep', $_GET);
 -    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
 -}
 -
  // Prevent caching on client side or proxy: (yes, it's ugly)
  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  header("Cache-Control: no-store, no-cache, must-revalidate");
@@@ -177,42 -186,42 +177,42 @@@ if (isset($_SERVER['HTTP_ACCEPT_LANGUAG
   */
  function setup_login_state($conf)
  {
 -	if ($conf->get('security.open_shaarli')) {
 -	    return true;
 -	}
 -	$userIsLoggedIn = false; // By default, we do not consider the user as logged in;
 -	$loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
 -	if (! $conf->exists('credentials.login')) {
 -	    $userIsLoggedIn = false;  // Shaarli is not configured yet.
 -	    $loginFailure = true;
 -	}
 -	if (isset($_COOKIE['shaarli_staySignedIn']) &&
 -	    $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
 -	    !$loginFailure)
 -	{
 -	    fillSessionInfo($conf);
 -	    $userIsLoggedIn = true;
 -	}
 -	// If session does not exist on server side, or IP address has changed, or session has expired, logout.
 -	if (empty($_SESSION['uid'])
 +    if ($conf->get('security.open_shaarli')) {
 +        return true;
 +    }
 +    $userIsLoggedIn = false; // By default, we do not consider the user as logged in;
 +    $loginFailure = false; // If set to true, every attempt to authenticate the user will fail. This indicates that an important condition isn't met.
 +    if (! $conf->exists('credentials.login')) {
 +        $userIsLoggedIn = false;  // Shaarli is not configured yet.
 +        $loginFailure = true;
 +    }
 +    if (isset($_COOKIE['shaarli_staySignedIn']) &&
 +        $_COOKIE['shaarli_staySignedIn']===STAY_SIGNED_IN_TOKEN &&
 +        !$loginFailure)
 +    {
 +        fillSessionInfo($conf);
 +        $userIsLoggedIn = true;
 +    }
 +    // If session does not exist on server side, or IP address has changed, or session has expired, logout.
 +    if (empty($_SESSION['uid'])
          || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
          || time() >= $_SESSION['expires_on'])
 -	{
 -	    logout();
 -	    $userIsLoggedIn = false;
 -	    $loginFailure = true;
 -	}
 -	if (!empty($_SESSION['longlastingsession'])) {
 -	    $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
 -	}
 -	else {
 -	    $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
 -	}
 -	if (!$loginFailure) {
 -	    $userIsLoggedIn = true;
 -	}
 -
 -	return $userIsLoggedIn;
 +    {
 +        logout();
 +        $userIsLoggedIn = false;
 +        $loginFailure = true;
 +    }
 +    if (!empty($_SESSION['longlastingsession'])) {
 +        $_SESSION['expires_on']=time()+$_SESSION['longlastingsession']; // In case of "Stay signed in" checked.
 +    }
 +    else {
 +        $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Standard session expiration date.
 +    }
 +    if (!$loginFailure) {
 +        $userIsLoggedIn = true;
 +    }
 +
 +    return $userIsLoggedIn;
  }
  $userIsLoggedIn = setup_login_state($conf);
  
@@@ -236,10 -245,10 +236,10 @@@ function allIPs(
   */
  function fillSessionInfo($conf)
  {
 -	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
 -	$_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
 -	$_SESSION['username']= $conf->get('credentials.login');
 -	$_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
 +    $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
 +    $_SESSION['ip']=allIPs();                // We store IP address(es) of the client to make sure session is not hijacked.
 +    $_SESSION['username']= $conf->get('credentials.login');
 +    $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT;  // Set session expiration.
  }
  
  /**
@@@ -256,7 -265,7 +256,7 @@@ function check_auth($login, $password, 
      $hash = sha1($password . $login . $conf->get('credentials.salt'));
      if ($login == $conf->get('credentials.login') && $hash == $conf->get('credentials.hash'))
      {   // Login/password is correct.
 -		fillSessionInfo($conf);
 +        fillSessionInfo($conf);
          logm($conf->get('resource.log'), $_SERVER['REMOTE_ADDR'], 'Login successful');
          return true;
      }
@@@ -385,10 -394,9 +385,10 @@@ if (isset($_POST['login'])
          // If user wants to keep the session cookie even after the browser closes:
          if (!empty($_POST['longlastingsession']))
          {
 -			setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, time()+31536000, WEB_PATH);
 -            $_SESSION['longlastingsession']=31536000;  // (31536000 seconds = 1 year)
 -            $_SESSION['expires_on']=time()+$_SESSION['longlastingsession'];  // Set session expiration on server-side.
 +            $_SESSION['longlastingsession'] = 31536000; // (31536000 seconds = 1 year)
 +            $expiration = time() + $_SESSION['longlastingsession']; // calculate relative cookie expiration (1 year from now)
 +            setcookie('shaarli_staySignedIn', STAY_SIGNED_IN_TOKEN, $expiration, WEB_PATH);
 +            $_SESSION['expires_on'] = $expiration;  // Set session expiration on server-side.
  
              $cookiedir = ''; if(dirname($_SERVER['SCRIPT_NAME'])!='/') $cookiedir=dirname($_SERVER["SCRIPT_NAME"]).'/';
              session_set_cookie_params($_SESSION['longlastingsession'],$cookiedir,$_SERVER['SERVER_NAME']); // Set session cookie expiration on client side
@@@ -737,6 -745,8 +737,8 @@@ function renderPage($conf, $pluginManag
              $PAGE->assign('username', escape($_GET['username']));
          }
          $PAGE->assign('returnurl',(isset($_SERVER['HTTP_REFERER']) ? escape($_SERVER['HTTP_REFERER']):''));
+         // add default state of the 'remember me' checkbox
+         $PAGE->assign('remember_user_default', $conf->get('privacy.remember_user_default'));
          $PAGE->renderPage('loginform');
          exit;
      }
@@@ -1225,7 -1235,7 +1227,7 @@@
          // Linkdate is kept here to:
          //   - use the same permalink for notes as they're displayed when creating them
          //   - let users hack creation date of their posts
 -        //     See: https://github.com/shaarli/Shaarli/wiki/Datastore-hacks#changing-the-timestamp-for-a-link
 +        //     See: https://shaarli.readthedocs.io/en/master/Various-hacks/#changing-the-timestamp-for-a-shaare
          $linkdate = escape($_POST['lf_linkdate']);
          if (isset($LINKSDB[$id])) {
              // Edit
@@@ -1248,9 -1258,6 +1250,9 @@@
          // Remove duplicates.
          $tags = implode(' ', array_unique(explode(' ', $tags)));
  
 +        if (empty(trim($_POST['lf_url']))) {
 +            $_POST['lf_url'] = '?' . smallHash($linkdate . $id);
 +        }
          $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
  
          $link = array(