From 09e9f34bb495b435e826bce8cf716258039d4642 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Thu, 11 Feb 2021 10:22:27 +0300 Subject: [PATCH] add UserHelper::find_user_by_login() and rewrite some user checks to invoke it instead of going through PDO --- classes/api.php | 40 ++++++++++++++------------------------ classes/auth/base.php | 27 ++++++++++--------------- classes/handler/public.php | 8 ++------ classes/pref/users.php | 12 ++---------- classes/userhelper.php | 18 ++++++++++++++--- register.php | 21 +++++--------------- update.php | 7 ++----- 7 files changed, 51 insertions(+), 82 deletions(-) diff --git a/classes/api.php b/classes/api.php index 7e4691b32..fd783a63e 100755 --- a/classes/api.php +++ b/classes/api.php 
@@ -59,35 +59,25 @@ class API extends Handler { if (SINGLE_USER_MODE) $login = "admin"; - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); - $sth->execute([$login]); - - if ($row = $sth->fetch()) { - $uid = $row["id"]; + if ($uid = UserHelper::find_user_by_login($login)) { + if (get_pref("ENABLE_API_ACCESS", $uid)) { + if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { // try login with normal password + $this->wrap(self::STATUS_OK, array("session_id" => session_id(), + "api_level" => self::API_LEVEL)); + } else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password + $this->wrap(self::STATUS_OK, array("session_id" => session_id(), + "api_level" => self::API_LEVEL)); + } else { // else we are not logged in + user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING); + $this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR")); + } + } else { + $this->wrap(self::STATUS_ERR, array("error" => "API_DISABLED")); + } } else { - $uid = 0; - } - - if (!$uid) { $this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR")); return; } - - if (get_pref("ENABLE_API_ACCESS", $uid)) { - if (UserHelper::authenticate($login, $password, false, Auth_Base::AUTH_SERVICE_API)) { // try login with normal password - $this->wrap(self::STATUS_OK, array("session_id" => session_id(), - "api_level" => self::API_LEVEL)); - } else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password - $this->wrap(self::STATUS_OK, array("session_id" => session_id(), - "api_level" => self::API_LEVEL)); - } else { // else we are not logged in - user_error("Failed login attempt for $login from " . 
UserHelper::get_user_ip(), E_USER_WARNING); - $this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR")); - } - } else { - $this->wrap(self::STATUS_ERR, array("error" => "API_DISABLED")); - } - } function logout() { diff --git a/classes/auth/base.php b/classes/auth/base.php index 1d68ae537..d54e9d8a2 100644 --- a/classes/auth/base.php +++ b/classes/auth/base.php @@ -15,13 +15,14 @@ abstract class Auth_Base extends Plugin implements IAuthModule { // Auto-creates specified user if allowed by system configuration // Can be used instead of find_user_by_login() by external auth modules - function auto_create_user($login, $password = false) { + function auto_create_user(string $login, $password = false) { if ($login && defined('AUTH_AUTO_CREATE') && AUTH_AUTO_CREATE) { - $user_id = $this->find_user_by_login($login); - - if (!$password) $password = make_password(); + $user_id = UserHelper::find_user_by_login($login); if (!$user_id) { + + if (!$password) $password = make_password(); + $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($password, $salt, true); @@ -30,26 +31,18 @@ abstract class Auth_Base extends Plugin implements IAuthModule { VALUES (LOWER(?), 0, null, NOW(), ?,?)"); $sth->execute([$login, $pwd_hash, $salt]); - return $this->find_user_by_login($login); + return UserHelper::find_user_by_login($login); } else { return $user_id; } } - return $this->find_user_by_login($login); + return UserHelper::find_user_by_login($login); } - function find_user_by_login($login) { - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - LOWER(login) = LOWER(?)"); - $sth->execute([$login]); - - if ($row = $sth->fetch()) { - return $row["id"]; - } else { - return false; - } - + // @deprecated + function find_user_by_login(string $login) { + return UserHelper::find_user_by_login($login); } } diff --git a/classes/handler/public.php b/classes/handler/public.php index a1ed667be..c6310f18b 100755 --- a/classes/handler/public.php 
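Review bot: The rewritten login branch in API::login still answers `API_DISABLED` only once `find_user_by_login()` has succeeded and `LOGIN_ERROR` in every other case, so the reply tells an unauthenticated caller whether an account exists before any password is checked; the commit restructures the block but keeps that distinction. If clients do not depend on `API_DISABLED`, a single guard `if (!$uid || !get_pref("ENABLE_API_ACCESS", $uid)) { $this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR")); return; }` would remove the oracle and flatten the three nested `if`s; if they do, at least emit the same `user_error(...)` warning on the disabled path so it is visible in logs like a failed login is. The assignment inside the `if` condition is also a readability step backwards from the early-return shape the old code had. The enclosing method starts before this hunk.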
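Review bot: The `// @deprecated` line comment above the new `Auth_Base::find_user_by_login()` wrapper is ignored by PHPDoc tooling and IDEs, which only honour the tag inside a docblock; write it as `/** @deprecated Use UserHelper::find_user_by_login() instead. */` so external auth modules that still call the method get a warning. The wrapper gains a `string $login` type while `auto_create_user()` in the previous hunk leaves `$password = false` untyped; `string|false $password = false` would make that contract explicit as well. Neither method declares a return type, and `UserHelper::find_user_by_login()` returns either the `id` column value or `false`, so a `@return int|false` on the wrapper would document what callers have to test for until a native union type is added.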
+++ b/classes/handler/public.php @@ -248,19 +248,15 @@ class Handler_Public extends Handler { $login = clean($_REQUEST["login"]); $fresh = clean($_REQUEST["fresh"]) == "1"; - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); - $sth->execute([$login]); - - if ($row = $sth->fetch()) { - $uid = $row["id"]; + $uid = UserHelper::find_user_by_login($login); + if ($uid) { print Feeds::getGlobalUnread($uid); if ($fresh) { print ";"; print Feeds::getFeedArticles(-3, false, true, $uid); } - } else { print "-1;User not found"; } diff --git a/classes/pref/users.php b/classes/pref/users.php index 45c4b82b8..67daa884f 100644 --- a/classes/pref/users.php +++ b/classes/pref/users.php @@ -237,22 +237,14 @@ class Pref_Users extends Handler_Protected { if (!$login) return; // no blank usernames - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - LOWER(login) = LOWER(?)"); - $sth->execute([$login]); - - if (!$sth->fetch()) { + if (!UserHelper::find_user_by_login($login)) { $sth = $this->pdo->prepare("INSERT INTO ttrss_users (login,pwd_hash,access_level,last_login,created, salt) VALUES (LOWER(?), ?, 0, null, NOW(), ?)"); $sth->execute([$login, $pwd_hash, $salt]); - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND pwd_hash = ?"); - $sth->execute([$login, $pwd_hash]); - - if ($row = $sth->fetch()) { + if ($new_uid = UserHelper::find_user_by_login($login)) { $new_uid = $row['id']; diff --git a/classes/userhelper.php b/classes/userhelper.php index 4519f2803..6c6ad10d9 100644 --- a/classes/userhelper.php +++ b/classes/userhelper.php @@ -1,8 +1,7 @@ prepare("SELECT id FROM ttrss_users WHERE + LOWER(login) = LOWER(?)"); + $sth->execute([$login]); + + if ($row = $sth->fetch()) { + return $row["id"]; + } + + return false; + } } diff --git a/register.php b/register.php index be0f9d40f..dde3f2d8d 100644 --- a/register.php +++ b/register.php 
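Review bot: In Pref_Users the new `if ($new_uid = UserHelper::find_user_by_login($login)) {` is immediately followed by the surviving context line `$new_uid = $row['id'];`, but `$row` is no longer assigned on this path now that the SELECT and `fetch()` were removed, so the uid just obtained is overwritten with `null` (and an undefined-variable notice) before whatever follows consumes it. Delete the line `$new_uid = $row['id'];` so the value from `find_user_by_login()` survives. The remainder of the branch, where `$new_uid` is used, lies beyond what this hunk shows, and the hunk appears truncated here. The removed lookup additionally required `pwd_hash = ?`, a condition the replacement drops; since the row was inserted one statement earlier that looks intentional, but it is worth confirming nothing downstream relied on it.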
@@ -73,12 +73,8 @@ if ($action == "check") { header("Content-Type: application/xml"); - $login = trim(db_escape_string( $_REQUEST['login'])); - - $result = db_query( "SELECT id FROM ttrss_users WHERE - LOWER(login) = LOWER('$login')"); - - $is_registered = db_num_rows($result) > 0; + $login = clean($_REQUEST['login']); + $is_registered = UserHelper::find_user_by_login($login); print ""; @@ -258,10 +254,7 @@ if ($test == "four" || $test == "4") { - $result = db_query( "SELECT id FROM ttrss_users WHERE - login = '$login'"); - - $is_registered = db_num_rows($result) > 0; + $is_registered = UserHelper::find_user_by_login($login); if ($is_registered) { print_error(__('Sorry, this username is already taken.')); @@ -279,18 +272,14 @@ (login,pwd_hash,access_level,last_login, email, created, salt) VALUES (LOWER('$login'), '$pwd_hash', 0, null, '$email', NOW(), '$salt')"); - $result = db_query( "SELECT id FROM ttrss_users WHERE - login = '$login' AND pwd_hash = '$pwd_hash'"); + $new_uid = UserHelper::find_user_by_login($login); - if (db_num_rows($result) != 1) { + if (!$new_uid) { print_error(__('Registration failed.')); print "
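Review bot: In the `check` action `$is_registered` now holds the raw return of `find_user_by_login()`, i.e. the user id rather than the boolean that `db_num_rows(...) > 0` produced; if the XML reply that follows interpolates the variable (that part is outside the hunk and looks mangled on this page), the response changes from `1` to the numeric id, which both breaks clients expecting a boolean and discloses internal ids to an unauthenticated caller. Keep the variable boolean with `$is_registered = (bool) UserHelper::find_user_by_login($login);`. The same assignment appears in the next hunk (`-258`), where it is only tested in `if ($is_registered)` and so is harmless, but normalising both keeps the variable's meaning consistent with its name.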

"; } else { - - $new_uid = db_fetch_result($result, 0, "id"); - Pref_Users::initialize_user($new_uid); $reg_text = "Hi!\n". diff --git a/update.php b/update.php index 0bf8f499f..56158ca48 100755 --- a/update.php +++ b/update.php @@ -502,13 +502,10 @@ Debug::log("Exporting feeds of user $user to $filename as OPML..."); - $sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); - $sth->execute([$user]); - - if ($res = $sth->fetch()) { + if ($owner_uid = UserHelper::find_user_by_login($user)) { $opml = new OPML(""); - $rc = $opml->opml_export($filename, $res["id"], false, true, true); + $rc = $opml->opml_export($filename, $owner_uid, false, true, true); Debug::log($rc ? "Success." : "Failed."); } else {
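Review bot: The INSERT a few lines above the change, `VALUES (LOWER('$login'), '$pwd_hash', 0, null, '$email', NOW(), '$salt')`, is still a string-built `db_query()` while the lookup right after it has moved to a prepared statement, so `$login` and `$email` remain only as safe as whatever escaping happened earlier in the file, outside this hunk. Moving the insert to the same `prepare()`/`execute([...])` form that `Auth_Base::auto_create_user()` uses in this commit would remove the last interpolated query on the registration path. Also note that `find_user_by_login()` matches on `LOWER(login)` whereas the removed query matched `login = '$login' AND pwd_hash = '$pwd_hash'`; the `pwd_hash` condition guarded against picking up a pre-existing row with the same login, and that case is now covered by the earlier `$is_registered` check, so dropping it appears safe.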