From b6ae2804463d89385613b6d463cab024a3b11b08 Mon Sep 17 00:00:00 2001 From: wn_ Date: Wed, 17 Mar 2021 13:48:27 +0000 Subject: [PATCH 1/6] Switch 'Handler_Public->getProfiles' to ORM --- classes/handler/public.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index 6a67827db..75b6d5f06 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -266,19 +266,19 @@ class Handler_Public extends Handler { $rv = []; if ($login) { - $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users - WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND LOWER(login) = LOWER(?) ORDER BY title"); - $sth->execute([$login]); + $profiles = ORM::for_table('ttrss_settings_profiles') + ->table_alias('p') + ->join('ttrss_users', ['p.owner_uid', '=', 'u.id'], 'u') + ->where_raw('LOWER(u.login) = LOWER(?)', [$login]) + ->order_by_asc('title') + ->find_many(); $rv = [ [ "value" => 0, "label" => __("Default profile") ] ]; - while ($line = $sth->fetch()) { - $id = $line["id"]; - $title = $line["title"]; - - array_push($rv, [ "label" => $title, "value" => $id ]); + foreach ($profiles as $profile) { + array_push($rv, [ "label" => $profile->title, "value" => $profile->id ]); } - } + } print json_encode($rv); } From 7ea48f7a4bc83d3ff9e7c5557a2341aac52ff2f1 Mon Sep 17 00:00:00 2001 From: wn_ Date: Wed, 17 Mar 2021 14:00:19 +0000 Subject: [PATCH 2/6] Switch 'Handler_Public->rss' to ORM --- classes/handler/public.php | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index 75b6d5f06..c2c345219 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php 
@@ -312,23 +312,20 @@ class Handler_Public extends Handler { UserHelper::authenticate("admin", null); } - $owner_id = false; - if ($key) { - $sth = $this->pdo->prepare("SELECT owner_uid FROM - ttrss_access_keys WHERE access_key = ? AND feed_id = ?"); - $sth->execute([$key, $feed]); - - if ($row = $sth->fetch()) - $owner_id = $row["owner_uid"]; + $access_key = ORM::for_table('ttrss_access_keys') + ->select('owner_uid') + ->where(['access_key' => $key, 'feed_id' => $feed]) + ->find_one(); + + if ($access_key) { + $this->generate_syndicated_feed($access_key->owner_uid, $feed, $is_cat, $limit, + $offset, $search, $view_mode, $format, $order, $orig_guid, $start_ts); + return; + } } - if ($owner_id) { - $this->generate_syndicated_feed($owner_id, $feed, $is_cat, $limit, - $offset, $search, $view_mode, $format, $order, $orig_guid, $start_ts); - } else { - header('HTTP/1.1 403 Forbidden'); - } + header('HTTP/1.1 403 Forbidden'); } function updateTask() { From f057c124d1dd4f4bf55f5641731b264363ceb2b9 Mon Sep 17 00:00:00 2001 From: wn_ Date: Wed, 17 Mar 2021 15:49:07 +0000 Subject: [PATCH 3/6] Switch 'Handler_Public->login' to ORM, fix 'Handler_Public->getProfiles' --- classes/handler/public.php | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index c2c345219..6c3c91e78 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -268,6 +268,7 @@ class Handler_Public extends Handler { if ($login) { $profiles = ORM::for_table('ttrss_settings_profiles') ->table_alias('p') + ->select_many('title' , ['profile_id' => 'p.id']) ->join('ttrss_users', ['p.owner_uid', '=', 'u.id'], 'u') ->where_raw('LOWER(u.login) = LOWER(?)', [$login]) ->order_by_asc('title') 
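Review bot: The new `->where(['access_key' => $key, 'feed_id' => $feed])` lookup binds the key to a feed id only, so the `$is_cat` flag that generate_syndicated_feed() receives from the request is never checked against the key; as far as I recall ttrss_access_keys also carries an is_cat column, in which case a key issued for a feed also serves the category with the same numeric id of the same owner (pre-existing, but the rewrite is the natural place to close it). Adding that flag to the where() array, encoded the way the table stores booleans, would tie the key to exactly the feed or category it was generated for. The fall-through after the `if ($key)` block deserves a comment so a reader does not take it for dead code, e.g. `// a missing or non-matching key is denied outright` above `header('HTTP/1.1 403 Forbidden');`. rss() begins before the hunk.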
@@ -276,7 +277,7 @@ class Handler_Public extends Handler { $rv = [ [ "value" => 0, "label" => __("Default profile") ] ]; foreach ($profiles as $profile) { - array_push($rv, [ "label" => $profile->title, "value" => $profile->id ]); + array_push($rv, [ "label" => $profile->title, "value" => $profile->profile_id ]); } } @@ -370,18 +371,13 @@ class Handler_Public extends Handler { $_SESSION["safe_mode"] = $safe_mode; if (!empty($_POST["profile"])) { - $profile = (int) clean($_POST["profile"]); - $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles - WHERE id = ? AND owner_uid = ?"); - $sth->execute([$profile, $_SESSION['uid']]); + $profile_obj = ORM::for_table('ttrss_settings_profiles') + ->where(['id' => $profile, 'owner_uid' => $_SESSION['uid']]) + ->find_one(); - if ($sth->fetch()) { - $_SESSION["profile"] = $profile; - } else { - $_SESSION["profile"] = null; - } + $_SESSION["profile"] = $profile_obj ? $profile : null; } } else { From 541a07250ce535ddac4402ddccb60e7e90513c2b Mon Sep 17 00:00:00 2001 From: wn_ Date: Wed, 17 Mar 2021 16:18:06 +0000 Subject: [PATCH 4/6] Switch 'Handler_Public->forgotpass' to ORM --- classes/handler/public.php | 88 +++++++++++++++----------------------- 1 file changed, 34 insertions(+), 54 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index 6c3c91e78..fc3a6818c 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php 
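Review bot: The new `->where(['id' => $profile, 'owner_uid' => $_SESSION['uid']])` lookup in login() reads like a plain fetch, so it should say why it exists: `// adopt only a profile the freshly authenticated user owns; anything else falls back to the default profile (null)` above `$profile_obj = ORM::for_table(...)`. The `$profile` it binds has to come from the `(int) clean($_POST["profile"])` assignment shown right after the `if (!empty($_POST["profile"]))` line; the collapsed hunk makes it hard to tell whether the removed line there is that assignment or the blank above it, and if the assignment went, where() would bind an undefined variable, so this is worth one look at the applied file. login() begins and ends outside the hunk.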
@@ -447,24 +447,21 @@ class Handler_Public extends Handler { $login = clean($_REQUEST["login"]); if ($login) { - $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users - WHERE LOWER(login) = LOWER(?)"); - $sth->execute([$login]); + $user = ORM::for_table('ttrss_users') + ->select('id', 'resetpass_token') + ->where_raw('LOWER(login) = LOWER(?)', [$login]) + ->find_one(); - if ($row = $sth->fetch()) { - $id = $row["id"]; - $resetpass_token_full = $row["resetpass_token"]; - list($timestamp, $resetpass_token) = explode(":", $resetpass_token_full); + if ($user) { + list($timestamp, $resetpass_token) = explode(":", $user->resetpass_token); if ($timestamp && $resetpass_token && $timestamp >= time() - 15*60*60 && $resetpass_token === $hash) { + $user->resetpass_token = null; + $user->save(); - $sth = $this->pdo->prepare("UPDATE ttrss_users SET resetpass_token = NULL - WHERE id = ?"); - $sth->execute([$id]); - - UserHelper::reset_password($id, true); + UserHelper::reset_password($user->id, true); print "

"."Completed."."

"; @@ -513,7 +510,6 @@ class Handler_Public extends Handler { "; } else if ($method == 'do') { - $login = clean($_POST["login"]); $email = clean($_POST["email"]); $test = clean($_POST["test"]); 
@@ -525,64 +521,51 @@ class Handler_Public extends Handler { "; - } else { - // prevent submitting this form multiple times $_SESSION["pwdreset:testvalue1"] = rand(1, 1000); $_SESSION["pwdreset:testvalue2"] = rand(1, 1000); - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users - WHERE LOWER(login) = LOWER(?) AND email = ?"); - $sth->execute([$login, $email]); + $user = ORM::for_table('ttrss_users') + ->select('id') + ->where_raw('LOWER(login) = LOWER(?)', [$login]) + ->where('email', $email) + ->find_one(); - if ($row = $sth->fetch()) { + if ($user) { print_notice("Password reset instructions are being sent to your email address."); - $id = $row["id"]; - - if ($id) { - $resetpass_token = sha1(get_random_bytes(128)); - $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token . - "&login=" . urlencode($login); - - $tpl = new Templator(); - - $tpl->readTemplateFromFile("resetpass_link_template.txt"); + $resetpass_token = sha1(get_random_bytes(128)); + $resetpass_link = get_self_url_prefix() . "/public.php?op=forgotpass&hash=" . $resetpass_token . + "&login=" . 
urlencode($login); - $tpl->setVariable('LOGIN', $login); - $tpl->setVariable('RESETPASS_LINK', $resetpass_link); - $tpl->setVariable('TTRSS_HOST', Config::get(Config::SELF_URL_PATH)); + $tpl = new Templator(); - $tpl->addBlock('message'); + $tpl->readTemplateFromFile("resetpass_link_template.txt"); - $message = ""; + $tpl->setVariable('LOGIN', $login); + $tpl->setVariable('RESETPASS_LINK', $resetpass_link); + $tpl->setVariable('TTRSS_HOST', Config::get(Config::SELF_URL_PATH)); - $tpl->generateOutputToString($message); + $tpl->addBlock('message'); - $mailer = new Mailer(); + $message = ""; - $rc = $mailer->mail(["to_name" => $login, - "to_address" => $email, - "subject" => __("[tt-rss] Password reset request"), - "message" => $message]); + $tpl->generateOutputToString($message); - if (!$rc) print_error($mailer->error()); + $mailer = new Mailer(); - $resetpass_token_full = time() . ":" . $resetpass_token; + $rc = $mailer->mail(["to_name" => $login, + "to_address" => $email, + "subject" => __("[tt-rss] Password reset request"), + "message" => $message]); - $sth = $this->pdo->prepare("UPDATE ttrss_users - SET resetpass_token = ? - WHERE LOWER(login) = LOWER(?) AND email = ?"); + if (!$rc) print_error($mailer->error()); - $sth->execute([$resetpass_token_full, $login, $email]); - - } else { - print_error("User ID not found."); - } + $user->resetpass_token = time() . ":" . $resetpass_token; + $user->save(); print "".__("Return to Tiny Tiny RSS").""; - } else { print_error(__("Sorry, login and email combination not found.")); @@ -590,17 +573,14 @@ class Handler_Public extends Handler { "; - } } - } print ""; print ""; print ""; print ""; - } function dbupdate() { From baf3ecd4cff13c69b2243ef06a56606773de3ed5 Mon Sep 17 00:00:00 2001 From: wn_ Date: Wed, 17 Mar 2021 16:30:17 +0000 Subject: [PATCH 5/6] Fix a couple of array index warnings in 'Handler_Public->forgotpass' --- classes/handler/public.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
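Review bot: `$user->save()` at the end of the new success branch is what persists the reset token, yet it runs only after `$mailer->mail(...)` has gone out, so a failed UPDATE leaves the recipient with a link that never validates; moving `$user->resetpass_token = time() . ":" . $resetpass_token; $user->save();` ahead of the mail call (and not mailing when save() reports failure) closes that gap. `'id'` must stay in `->select('id')` because Idiorm keys the UPDATE issued by save() on it; a one-line comment there, `// 'id' must remain selected: save() needs it for the UPDATE`, would stop a later cleanup from dropping it. The else branch's `print_error(__("Sorry, login and email combination not found."))` is unchanged by this commit but confirms whether a login/email pair exists; the usual defensive choice is the same neutral notice on both paths. forgotpass() begins before this hunk.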
diff --git a/classes/handler/public.php b/classes/handler/public.php index fc3a6818c..f9d118999 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -408,7 +408,7 @@ class Handler_Public extends Handler { startup_gettext(); session_start(); - @$hash = clean($_REQUEST["hash"]); + $hash = clean($_REQUEST["hash"] ?? ''); header('Content-Type: text/html; charset=utf-8'); ?> @@ -441,7 +441,7 @@ class Handler_Public extends Handler { print "

".__("Password recovery")."

"; print "
"; - @$method = clean($_POST['method']); + $method = clean($_POST['method'] ?? ''); if ($hash) { $login = clean($_REQUEST["login"]); From cd52ca80abd24fb9b355264f88fd48893b2bd6b5 Mon Sep 17 00:00:00 2001 From: wn_ Date: Wed, 17 Mar 2021 16:34:52 +0000 Subject: [PATCH 6/6] Minor cleanup in 'Handler_Public->getProfiles' --- classes/handler/public.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index f9d118999..98042111b 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -268,16 +268,16 @@ class Handler_Public extends Handler { if ($login) { $profiles = ORM::for_table('ttrss_settings_profiles') ->table_alias('p') - ->select_many('title' , ['profile_id' => 'p.id']) - ->join('ttrss_users', ['p.owner_uid', '=', 'u.id'], 'u') - ->where_raw('LOWER(u.login) = LOWER(?)', [$login]) + ->select_many('title' , 'p.id') + ->join('ttrss_users', ['owner_uid', '=', 'u.id'], 'u') + ->where_raw('LOWER(login) = LOWER(?)', [$login]) ->order_by_asc('title') ->find_many(); $rv = [ [ "value" => 0, "label" => __("Default profile") ] ]; foreach ($profiles as $profile) { - array_push($rv, [ "label" => $profile->title, "value" => $profile->profile_id ]); + array_push($rv, [ "label" => $profile->title, "value" => $profile->id ]); } }