Diffstat (limited to 'src/SemanticScuttle')
-rw-r--r-- | src/SemanticScuttle/Model/Bookmark.php | 46 | ||||
-rw-r--r-- | src/SemanticScuttle/Service/Bookmark.php | 10 | ||||
-rw-r--r-- | src/SemanticScuttle/Service/User.php | 88 | ||||
-rw-r--r-- | src/SemanticScuttle/constants.php | 5 | ||||
-rw-r--r-- | src/SemanticScuttle/header.php | 1 |
5 files changed, 128 insertions, 22 deletions
diff --git a/src/SemanticScuttle/Model/Bookmark.php b/src/SemanticScuttle/Model/Bookmark.php
new file mode 100644
index 0000000..8bda0b3
--- /dev/null
+++ b/src/SemanticScuttle/Model/Bookmark.php
@@ -0,0 +1,46 @@
+<?php
+/**
+ * SemanticScuttle - your social bookmark manager.
+ *
+ * PHP version 5.
+ *
+ * @category Bookmarking
+ * @package SemanticScuttle
+ * @author Christian Weiske <cweiske@cweiske.de>
+ * @license GPL http://www.gnu.org/licenses/gpl.html
+ * @link http://sourceforge.net/projects/semanticscuttle
+ */
+
+/**
+ * Bookmark model class, keeping the data of a single bookmark.
+ * It will slowly replace the old array style format.
+ *
+ * @category Bookmarking
+ * @package SemanticScuttle
+ * @author Christian Weiske <cweiske@cweiske.de>
+ * @license GPL http://www.gnu.org/licenses/gpl.html
+ * @link http://sourceforge.net/projects/semanticscuttle
+ */
+class SemanticScuttle_Model_Bookmark
+{
+ /**
+ * Checks if the given URL is valid and may be used with this
+ * SemanticScuttle installation.
+ *
+ * @param string $url URL to verify.
+ *
+ * @return boolean True if the URL is allowed, false if not
+ */
+ public static function isValidUrl($url)
+ {
+ $scheme = parse_url($url, PHP_URL_SCHEME);
+ if (array_search($scheme, $GLOBALS['allowedProtocols']) === false) {
+ return false;
+ }
+ return true;
+ }
+
+}
+
+
+?>
\ No newline at end of file
diff --git a/src/SemanticScuttle/Service/Bookmark.php b/src/SemanticScuttle/Service/Bookmark.php
index a30ad5f..919ca7a 100644
--- a/src/SemanticScuttle/Service/Bookmark.php
+++ b/src/SemanticScuttle/Service/Bookmark.php
@@ -435,6 +435,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
 /**
 * Adds a bookmark to the database.
 *
+ * Security checks are being made here, but no error reasons will be
+ * returned. It is the responsibility of the code that calls
+ * addBookmark() to verify the data.
+ *
 * @param string $address Full URL of the bookmark
 * @param string $title Bookmark title
 * @param string $description Long bookmark description
@@ -453,7 +457,8 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
 * @param boolean $fromImport True when the bookmark is from an import.
 * @param integer $sId ID of user who creates the bookmark.
 *
- * @return integer Bookmark ID
+ * @return mixed Integer bookmark ID if saving succeeded, false in
+ * case of an error. Error reasons are not returned.
 */
 public function addBookmark(
 $address, $title, $description, $privateNote, $status, $tags,
@@ -466,6 +471,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
 }
 $address = $this->normalize($address);
+ if (!SemanticScuttle_Model_Bookmark::isValidUrl($address)) {
+ return false;
+ }
 /*
 * Note that if date is NULL, then it's added with a date and
diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php
index 9ef8430..072ce85 100644
--- a/src/SemanticScuttle/Service/User.php
+++ b/src/SemanticScuttle/Service/User.php
@@ -29,6 +29,14 @@ require_once 'SemanticScuttle/Model/User.php';
 class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 {
 /**
+ * The ID of the currently logged on user.
+ * NULL when not logged in.
+ *
+ * @var integer
+ */
+ protected $currentuserId = null;
+
+ /**
 * Currently logged on user from database
 *
 * @var array
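Review bot: isValidUrl() fails open when `$GLOBALS['allowedProtocols']` is missing or not an array: on PHP 5, which this file targets, `array_search()` with a non-array haystack emits a warning and returns NULL, `NULL === false` is false, and every URL is then accepted. The scheme comparison is also loose (`array_search()` without the strict flag), and the NULL (no scheme, e.g. `//host/path`) and false (unparseable URL) results of `parse_url()` are not handled explicitly. The rewrite below fails closed on misconfiguration, requires a string scheme, and compares strictly with `in_array(..., true)`. The match remains case-sensitive, so `HTTP://…` is rejected unless the caller lowercases the scheme; the service calls `normalize()` before this check, but whether that lowercases the scheme is not visible in this diff.
```php
public static function isValidUrl($url)
{
    // Misconfiguration must fail closed: a missing allow-list must
    // not accept every scheme.
    if (!isset($GLOBALS['allowedProtocols'])
        || !is_array($GLOBALS['allowedProtocols'])
    ) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    // null: no scheme (e.g. "//host/path"); false: unparseable URL
    if (!is_string($scheme)) {
        return false;
    }
    return in_array($scheme, $GLOBALS['allowedProtocols'], true);
}
```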
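Review bot: The new `isValidUrl()` guard only protects addBookmark(); if the service also has an update/edit method that accepts an address (not shown in this diff), the same `SemanticScuttle_Model_Bookmark::isValidUrl()` check must be applied there, otherwise a bookmark saved with an allowed scheme can later be edited to a disallowed one. Returning `false` here is also indistinguishable from the database failures this method already signals with `false`, so a caller cannot tell the user that the URL was refused; as the new docblock says, callers should validate with isValidUrl() before calling addBookmark(), and the `@return` text could name the URL check explicitly, e.g. `* case of an error (including a URL whose scheme is not allowed).` addBookmark()'s body continues outside the hunk.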
@@ -363,10 +371,17 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 */
 public function getCurrentUserId()
 {
+ if ($this->currentuserId !== null) {
+ return $this->currentuserId;
+ }
+
 if (isset($_SESSION[$this->getSessionKey()])) {
- return (int)$_SESSION[$this->getSessionKey()];
+ $this->currentuserId = (int)$_SESSION[$this->getSessionKey()];
+ return $this->currentuserId;
+
+ }
- } else if (isset($_COOKIE[$this->getCookieKey()])) {
+ if (isset($_COOKIE[$this->getCookieKey()])) {
 $cook = explode(':', $_COOKIE[$this->getCookieKey()]);
 //cookie looks like this: 'id:md5(username+password)'
 $query = 'SELECT * FROM '. $this->getTableName() .
@@ -385,10 +400,10 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 if ($row = $this->db->sql_fetchrow($dbresult)) {
 $this->setCurrentUserId(
- (int)$row[$this->getFieldName('primary')]
+ (int)$row[$this->getFieldName('primary')], true
 );
 $this->db->sql_freeresult($dbresult);
- return (int)$_SESSION[$this->getSessionKey()];
+ return $this->currentuserId;
 }
 }
 return false;
@@ -402,16 +417,23 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 * @internal
 * No ID verification is being done.
 *
- * @param integer $user User ID or null to unset the user
+ * @param integer $user User ID or null to unset the user
+ * @param boolean $storeInSession Store the user ID in the session
 *
 * @return void
 */
- public function setCurrentUserId($user)
+ public function setCurrentUserId($user, $storeInSession = false)
 {
 if ($user === null) {
- unset($_SESSION[$this->getSessionKey()]);
+ $this->currentuserId = null;
+ if ($storeInSession) {
+ unset($_SESSION[$this->getSessionKey()]);
+ }
 } else {
- $_SESSION[$this->getSessionKey()] = (int)$user;
+ $this->currentuserId = (int)$user;
+ if ($storeInSession) {
+ $_SESSION[$this->getSessionKey()] = $this->currentuserId;
+ }
 }
 //reload user object
 $this->getCurrentUser(true);
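Review bot: The new `$storeInSession = false` default silently changes what setCurrentUserId() does for every existing caller: `setCurrentUserId($id)` used to persist the login in `$_SESSION` and now only sets `$this->currentuserId` for the current request, and `setCurrentUserId(null)` no longer removes the session entry, so a caller that used it to log a user out would leave that user logged in on the next request. The two call sites in this diff (the cookie branch of getCurrentUserId() and login()) were updated to pass `true`, but callers outside this diff were not; either audit them or keep the old behaviour as the default with `public function setCurrentUserId($user, $storeInSession = true)`. The `@param boolean $storeInSession` line should also state that `false` affects only the current request, e.g. `* @param boolean $storeInSession Also store the user ID in the session; false keeps it for this request only`.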
@@ -449,10 +471,9 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 $this->db->sql_freeresult($dbresult);
 if ($row) {
- $id = $_SESSION[$this->getSessionKey()]
- = $row[$this->getFieldName('primary')];
+ $this->setCurrentUserId($row[$this->getFieldName('primary')], true);
 if ($remember) {
- $cookie = $id .':'. md5($username.$password);
+ $cookie = $this->currentuserId . ':' . md5($username.$password);
 setcookie(
 $this->cookiekey, $cookie, time() + $this->cookietime, '/'
@@ -464,7 +485,13 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 }
 }
- function logout() {
+ /**
+ * Logs the user off
+ *
+ * @return void
+ */
+ public function logout()
+ {
 @setcookie($this->getCookiekey(), '', time() - 1, '/');
 unset($_COOKIE[$this->getCookiekey()]);
 session_unset();
@@ -492,10 +519,18 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 return $arrWatch;
 }
- function getWatchNames($uId, $watchedby = false) {
- // Gets the list of user names being watched by the given user.
- // - If $watchedby is false get the list of users that $uId watches
- // - If $watchedby is true get the list of users that watch $uId
+
+ /**
+ * Gets the list of user names being watched by the given user.
+ *
+ * @param integer $uId User ID
+ * @param boolean $watchedby if false: get the list of users that $uId watches
+ * if true: get the list of users that watch $uId
+ *
+ * @return array Array of user names
+ */
+ public function getWatchNames($uId, $watchedby = false)
+ {
 if ($watchedby) {
 $table1 = 'b';
 $table2 = 'a';
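Review bot: The persistent-login cookie built on the new `$cookie = $this->currentuserId . ':' . md5($username.$password);` line embeds an unsalted MD5 of the plaintext password, so anyone who obtains the cookie (XSS, a shared machine, an unencrypted connection) can crack the password offline, and the token cannot be revoked without a password change. The commit only rewrites the line to use `$this->currentuserId`, so the weakness is pre-existing, but since the line is being touched it should become a random per-login token (e.g. from `openssl_random_pseudo_bytes()`) stored hashed in the database with an expiry and looked up in the cookie branch of getCurrentUserId(). The remaining `setcookie()` arguments fall outside the visible hunk, so I cannot tell whether the `httponly` and `secure` flags are passed; they should be. login()'s body starts and ends outside the hunk.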
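Review bot: logout() clears the cookie and the session but, in the visible lines, never resets `$this->currentuserId`, which this same commit makes the first thing getCurrentUserId() consults, so a call to getCurrentUserId() later in the same request (for instance while rendering the page after logout) would still return the old id. Add `$this->currentuserId = null;` (or `$this->setCurrentUserId(null, true);`, which also drops the session entry) next to `session_unset()`. The rest of logout()'s body is outside the hunk, so this may already be handled there. The new docblock could also say what is cleared, e.g. `* Logs the user off: removes the persistent-login cookie, the session data and the cached user ID.`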
@@ -503,10 +538,22 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 $table1 = 'a';
 $table2 = 'b';
 }
- $query = 'SELECT '. $table1 .'.'. $this->getFieldName('username') .' FROM '. $GLOBALS['tableprefix'] .'watched AS W, '. $this->getTableName() .' AS a, '. $this->getTableName() .' AS b WHERE W.watched = a.'. $this->getFieldName('primary') .' AND W.uId = b.'. $this->getFieldName('primary') .' AND '. $table2 .'.'. $this->getFieldName('primary') .' = '. intval($uId) .' ORDER BY '. $table1 .'.'. $this->getFieldName('username');
+ $primary = $this->getFieldName('primary');
+ $userfield = $this->getFieldName('username');
+ $query = 'SELECT '. $table1 .'.'. $userfield
+ . ' FROM '. $GLOBALS['tableprefix'] . 'watched AS W,'
+ . ' ' . $this->getTableName() .' AS a,'
+ . ' ' . $this->getTableName() .' AS b'
+ . ' WHERE W.watched = a.' . $primary
+ . ' AND W.uId = b.' . $primary
+ . ' AND ' . $table2 . '.' . $primary . ' = '. intval($uId)
+ . ' ORDER BY '. $table1 . '.' . $userfield;
- if (!($dbresult =& $this->db->sql_query($query))) {
- message_die(GENERAL_ERROR, 'Could not get watchlist', '', __LINE__, __FILE__, $query, $this->db);
+ if (!($dbresult = $this->db->sql_query($query))) {
+ message_die(
+ GENERAL_ERROR, 'Could not get watchlist',
+ '', __LINE__, __FILE__, $query, $this->db
+ );
 return false;
 }
@@ -515,13 +562,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 $this->db->sql_freeresult($dbresult);
 return $arrWatch;
 }
- while ($row =& $this->db->sql_fetchrow($dbresult)) {
+ while ($row = $this->db->sql_fetchrow($dbresult)) {
 $arrWatch[] = $row[$this->getFieldName('username')];
 }
 $this->db->sql_freeresult($dbresult);
 return $arrWatch;
 }
+
 function getWatchStatus($watcheduser, $currentuser) {
 // Returns true if the current user is watching the given user, and false otherwise.
 $query = 'SELECT watched FROM '. $GLOBALS['tableprefix'] .'watched AS W INNER JOIN '. $this->getTableName() .' AS U ON U.'. $this->getFieldName('primary') .' = W.watched WHERE U.'. $this->getFieldName('primary') .' = '. intval($watcheduser) .' AND W.uId = '. intval($currentuser);
diff --git a/src/SemanticScuttle/constants.php b/src/SemanticScuttle/constants.php
index b023840..f8567d9 100644
--- a/src/SemanticScuttle/constants.php
+++ b/src/SemanticScuttle/constants.php
@@ -41,7 +41,10 @@ if (!isset($GLOBALS['root'])) {
 $rootTmp .= '/';
 }
- define('ROOT', 'http://'. $_SERVER['HTTP_HOST'] . $rootTmp);
+ //we do not prepend http since we also want to support https connections
+ // "http" is not required; it's automatically determined by the browser
+ // depending on the current connection.
+ define('ROOT', '//'. $_SERVER['HTTP_HOST'] . $rootTmp);
 } else {
 define('ROOT', $GLOBALS['root']);
 }
diff --git a/src/SemanticScuttle/header.php b/src/SemanticScuttle/header.php
index 02d77f5..e931594 100644
--- a/src/SemanticScuttle/header.php
+++ b/src/SemanticScuttle/header.php
@@ -82,6 +82,7 @@ require_once 'SemanticScuttle/Service.php';
 require_once 'SemanticScuttle/DbService.php';
 require_once 'SemanticScuttle/Service/Factory.php';
 require_once 'SemanticScuttle/functions.php';
+require_once 'SemanticScuttle/Model/Bookmark.php';
 require_once 'SemanticScuttle/Model/UserArray.php';
 if (count($GLOBALS['serviceoverrides']) > 0 |
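Review bot: The protocol-relative `ROOT` defined on the new `define('ROOT', '//'. $_SERVER['HTTP_HOST'] . $rootTmp);` line is only resolved by a browser loading an HTML page; wherever ROOT ends up without a base document — e-mail bodies, RSS/Atom feeds, API output, a `Location:` header for older clients — the URL has no scheme and is broken, so how ROOT is used elsewhere should be checked before relying on this. Deriving the scheme from the request keeps absolute URLs working, `$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';` followed by `define('ROOT', $scheme . '://' . $_SERVER['HTTP_HOST'] . $rootTmp);`. Independently, and pre-existing, `$_SERVER['HTTP_HOST']` is the client-supplied Host header, so an attacker can make generated absolute links point at a host they control; the `else` branch already honours a configured `$GLOBALS['root']`, and the new comment should recommend setting it in production for that reason.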