Diffstat (limited to 'src')
| -rw-r--r-- | src/SemanticScuttle/Model/Bookmark.php | 46 | ||||
| -rw-r--r-- | src/SemanticScuttle/Service/Bookmark.php | 10 | ||||
| -rw-r--r-- | src/SemanticScuttle/Service/User.php | 88 | ||||
| -rw-r--r-- | src/SemanticScuttle/constants.php | 5 | ||||
| -rw-r--r-- | src/SemanticScuttle/header.php | 1 | 
5 files changed, 128 insertions, 22 deletions
| diff --git a/src/SemanticScuttle/Model/Bookmark.php b/src/SemanticScuttle/Model/Bookmark.php
new file mode 100644
index 0000000..8bda0b3
--- /dev/null
+++ b/src/SemanticScuttle/Model/Bookmark.php
@@ -0,0 +1,46 @@
+<?php
+/**
+ * SemanticScuttle - your social bookmark manager.
+ *
+ * PHP version 5.
+ *
+ * @category Bookmarking
+ * @package  SemanticScuttle
+ * @author   Christian Weiske <cweiske@cweiske.de>
+ * @license  GPL http://www.gnu.org/licenses/gpl.html
+ * @link     http://sourceforge.net/projects/semanticscuttle
+ */
+
+/**
+ * Bookmark model class, keeping the data of a single bookmark.
+ * It will slowly replace the old array style format.
+ *
+ * @category Bookmarking
+ * @package  SemanticScuttle
+ * @author   Christian Weiske <cweiske@cweiske.de>
+ * @license  GPL http://www.gnu.org/licenses/gpl.html
+ * @link     http://sourceforge.net/projects/semanticscuttle
+ */
+class SemanticScuttle_Model_Bookmark
+{
+    /**
+     * Checks if the given URL is valid and may be used with this
+     * SemanticScuttle installation.
+     *
+     * @param string $url URL to verify.
+     *
+     * @return boolean True if the URL is allowed, false if not
+     */
+    public static function isValidUrl($url)
+    {
+        $scheme = parse_url($url, PHP_URL_SCHEME);
+        if (array_search($scheme, $GLOBALS['allowedProtocols']) === false) {
+            return false;
+        }
+        return true;
+    }
+
+}
+
+
+?>
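Review bot: `isValidUrl()` fails open when `$GLOBALS['allowedProtocols']` is unset or not an array: on PHP 5/7 `array_search()` then returns null with a warning rather than false, the `=== false` test does not fire, and every scheme is accepted. A missing-configuration default should reject, and the comparison should be strict: `if (!isset($GLOBALS['allowedProtocols']) || !in_array($scheme, $GLOBALS['allowedProtocols'], true)) {` / `return false;` / `}`. `parse_url()` also returns the scheme as written, so whether `HTTP://` is accepted depends on the normalisation the caller performs — worth a `strtolower()` or a comment saying the caller must normalise first. The file ends with `?>` and no trailing newline; omitting the closing tag avoids stray output before headers are sent.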
\ No newline at end of file
diff --git a/src/SemanticScuttle/Service/Bookmark.php b/src/SemanticScuttle/Service/Bookmark.php
index a30ad5f..919ca7a 100644
--- a/src/SemanticScuttle/Service/Bookmark.php
+++ b/src/SemanticScuttle/Service/Bookmark.php
@@ -435,6 +435,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
     /**
      * Adds a bookmark to the database.
      *
+     * Security checks are being made here, but no error reasons will be
+     * returned. It is the responsibility of the code that calls
+     * addBookmark() to verify the data.
+     *
      * @param string  $address     Full URL of the bookmark
      * @param string  $title       Bookmark title
      * @param string  $description Long bookmark description
@@ -453,7 +457,8 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
      * @param boolean $fromImport  True when the bookmark is from an import.
      * @param integer $sId         ID of user who creates the bookmark.
      *
-     * @return integer Bookmark ID
+     * @return mixed Integer bookmark ID if saving succeeded, false in
+     *               case of an error. Error reasons are not returned.
      */
     public function addBookmark(
         $address, $title, $description, $privateNote, $status, $tags,
@@ -466,6 +471,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
         }
         $address = $this->normalize($address);
+        if (!SemanticScuttle_Model_Bookmark::isValidUrl($address)) {
+            return false;
+        }
         /*
          * Note that if date is NULL, then it's added with a date and
diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php
index 9ef8430..072ce85 100644
--- a/src/SemanticScuttle/Service/User.php
+++ b/src/SemanticScuttle/Service/User.php
@@ -29,6 +29,14 @@ require_once 'SemanticScuttle/Model/User.php';
 class SemanticScuttle_Service_User extends SemanticScuttle_DbService
 {
     /**
+     * The ID of the currently logged on user.
+     * NULL when not logged in.
+     *
+     * @var integer
+     */
+    protected $currentuserId = null;
+
+    /**
      * Currently logged on user from database
      *
      * @var array
@@ -363,10 +371,17 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
      */
     public function getCurrentUserId()
     {
+        if ($this->currentuserId !== null) {
+            return $this->currentuserId;
+        }
+
         if (isset($_SESSION[$this->getSessionKey()])) {
-            return (int)$_SESSION[$this->getSessionKey()];
+            $this->currentuserId = (int)$_SESSION[$this->getSessionKey()];
+            return $this->currentuserId;
+
+        }
-        } else if (isset($_COOKIE[$this->getCookieKey()])) {
+        if (isset($_COOKIE[$this->getCookieKey()])) {
             $cook = explode(':', $_COOKIE[$this->getCookieKey()]);
             //cookie looks like this: 'id:md5(username+password)'
             $query = 'SELECT * FROM '. $this->getTableName() .
@@ -385,10 +400,10 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
             if ($row = $this->db->sql_fetchrow($dbresult)) {
                 $this->setCurrentUserId(
-                    (int)$row[$this->getFieldName('primary')]
+                    (int)$row[$this->getFieldName('primary')], true
                 );
                 $this->db->sql_freeresult($dbresult);
-                return (int)$_SESSION[$this->getSessionKey()];
+                return $this->currentuserId;
             }
         }
         return false;
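Review bot: In `getCurrentUserId()` there is a stray blank line between `return $this->currentuserId;` and the closing `}` of the session branch; the `else if` → `if` rewrite itself is sound because that branch always returns, but the blank line reads like leftover editing. The method now memoises the ID in `$this->currentuserId` yet still ends with `return false` when nobody is logged in, so the two return types deserve naming in the docblock, which starts before this hunk: `@return mixed User ID as integer, false when nobody is logged in`.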
@@ -402,16 +417,23 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
      * @internal
      * No ID verification is being done.
      *
-     * @param integer $user User ID or null to unset the user
+     * @param integer $user           User ID or null to unset the user
+     * @param boolean $storeInSession Store the user ID in the session
      *
      * @return void
      */
-    public function setCurrentUserId($user)
+    public function setCurrentUserId($user, $storeInSession = false)
     {
         if ($user === null) {
-            unset($_SESSION[$this->getSessionKey()]);
+            $this->currentuserId = null;
+            if ($storeInSession) {
+                unset($_SESSION[$this->getSessionKey()]);
+            }
         } else {
-            $_SESSION[$this->getSessionKey()] = (int)$user;
+            $this->currentuserId = (int)$user;
+            if ($storeInSession) {
+                $_SESSION[$this->getSessionKey()] = $this->currentuserId;
+            }
         }
         //reload user object
         $this->getCurrentUser(true);
@@ -449,10 +471,9 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
         $this->db->sql_freeresult($dbresult);
         if ($row) {
-            $id = $_SESSION[$this->getSessionKey()]
-                = $row[$this->getFieldName('primary')];
+            $this->setCurrentUserId($row[$this->getFieldName('primary')], true);
             if ($remember) {
-                $cookie = $id .':'. md5($username.$password);
+                $cookie = $this->currentuserId . ':' . md5($username.$password);
                 setcookie(
                     $this->cookiekey, $cookie,
                     time() + $this->cookietime, '/'
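Review bot: Defaulting the new `$storeInSession` parameter of `setCurrentUserId()` to `false` silently changes the contract for every existing caller: before this commit the method always wrote or unset `$_SESSION[$this->getSessionKey()]`, now an un-updated caller only touches the in-memory `$this->currentuserId`, and a plain `setCurrentUserId(null)` no longer logs the user out across requests. Only the two call sites in this diff pass `true`; other callers are outside the hunk and should be audited, or the default flipped to `true` so the previous behaviour is opt-out. The docblock should say what `false` means, e.g. `@param boolean $storeInSession Also store the ID in the session; false only updates this object`.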
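Review bot: The remember-me cookie built on the changed line, `$this->currentuserId . ':' . md5($username.$password)`, still embeds an unsalted MD5 of the user's credentials, so a leaked cookie is a long-lived, offline-crackable credential equivalent. Since the commit already touches the cookie format, a random per-login token stored server-side and compared with `hash_equals()` when read back would be the robust fix; at minimum the `setcookie()` call visible in the context lines should pass `httponly`, and, with the scheme-relative ROOT in this commit making https deployments expected, `secure` when the request is https. The rest of the login body, including the close of `setcookie()`, is outside the hunk.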
@@ -464,7 +485,13 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
         }
     }
-    function logout() {
+    /**
+     * Logs the user off
+     *
+     * @return void
+     */
+    public function logout()
+    {
         @setcookie($this->getCookiekey(), '', time() - 1, '/');
         unset($_COOKIE[$this->getCookiekey()]);
         session_unset();
@@ -492,10 +519,18 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
         return $arrWatch;
     }
-    function getWatchNames($uId, $watchedby = false) {
-        // Gets the list of user names being watched by the given user.
-        // - If $watchedby is false get the list of users that $uId watches
-        // - If $watchedby is true get the list of users that watch $uId
+
+    /**
+     * Gets the list of user names being watched by the given user.
+     *
+     * @param integer $uId       User ID
+     * @param boolean $watchedby if false: get the list of users that $uId watches
+     *                           if true: get the list of users that watch $uId
+     *
+     * @return array Array of user names
+     */
+    public function getWatchNames($uId, $watchedby = false)
+    {
         if ($watchedby) {
             $table1 = 'b';
             $table2 = 'a';
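Review bot: `logout()` clears the cookie and the session but never resets the `$this->currentuserId` cache that this commit introduces, so within the same request `getCurrentUserId()` keeps returning the logged-off user's ID and `getCurrentUser()` keeps serving that user. Add `$this->currentuserId = null;` as the first statement of the method (or call `$this->setCurrentUserId(null, true)` so the session key is cleared the same way everywhere). The remainder of the body is outside the hunk.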
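Review bot: The new docblock of `getWatchNames()` promises `@return array Array of user names`, but the body in the following hunk still does `return false;` when the query fails, so the documented contract is wrong on the error path. Either document it, `@return mixed Array of user names, false on query error`, or have the failure path throw and keep the `array` return.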
@@ -503,10 +538,22 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
             $table1 = 'a';
             $table2 = 'b';
         }
-        $query = 'SELECT '. $table1 .'.'. $this->getFieldName('username') .' FROM '. $GLOBALS['tableprefix'] .'watched AS W, '. $this->getTableName() .' AS a, '. $this->getTableName() .' AS b WHERE W.watched = a.'. $this->getFieldName('primary') .' AND W.uId = b.'. $this->getFieldName('primary') .' AND '. $table2 .'.'. $this->getFieldName('primary') .' = '. intval($uId) .' ORDER BY '. $table1 .'.'. $this->getFieldName('username');
+        $primary   = $this->getFieldName('primary');
+        $userfield = $this->getFieldName('username');
+        $query = 'SELECT '. $table1 .'.'. $userfield
+            . ' FROM '. $GLOBALS['tableprefix'] . 'watched AS W,'
+            . ' ' . $this->getTableName() .' AS a,'
+            . ' ' . $this->getTableName() .' AS b'
+            . ' WHERE W.watched = a.' . $primary
+            . ' AND W.uId = b.' . $primary
+            . ' AND ' . $table2 . '.' . $primary . ' = '. intval($uId)
+            . ' ORDER BY '. $table1 . '.' . $userfield;
-        if (!($dbresult =& $this->db->sql_query($query))) {
-            message_die(GENERAL_ERROR, 'Could not get watchlist', '', __LINE__, __FILE__, $query, $this->db);
+        if (!($dbresult = $this->db->sql_query($query))) {
+            message_die(
+                GENERAL_ERROR, 'Could not get watchlist',
+                '', __LINE__, __FILE__, $query, $this->db
+            );
             return false;
         }
@@ -515,13 +562,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
             $this->db->sql_freeresult($dbresult);
             return $arrWatch;
         }
-        while ($row =& $this->db->sql_fetchrow($dbresult)) {
+        while ($row = $this->db->sql_fetchrow($dbresult)) {
             $arrWatch[] = $row[$this->getFieldName('username')];
         }
         $this->db->sql_freeresult($dbresult);
         return $arrWatch;
     }
+
     function getWatchStatus($watcheduser, $currentuser) {
         // Returns true if the current user is watching the given user, and false otherwise.
         $query = 'SELECT watched FROM '. $GLOBALS['tableprefix'] .'watched AS W INNER JOIN '. $this->getTableName() .' AS U ON U.'. $this->getFieldName('primary') .' = W.watched WHERE U.'. $this->getFieldName('primary') .' = '. intval($watcheduser) .' AND W.uId = '. intval($currentuser);
diff --git a/src/SemanticScuttle/constants.php b/src/SemanticScuttle/constants.php
index b023840..f8567d9 100644
--- a/src/SemanticScuttle/constants.php
+++ b/src/SemanticScuttle/constants.php
@@ -41,7 +41,10 @@ if (!isset($GLOBALS['root'])) {
         $rootTmp .= '/';
     }
-    define('ROOT', 'http://'. $_SERVER['HTTP_HOST'] . $rootTmp);
+    //we do not prepend http since we also want to support https connections
+    // "http" is not required; it's automatically determined by the browser
+    // depending on the current connection.
+    define('ROOT', '//'. $_SERVER['HTTP_HOST'] . $rootTmp);
 } else {
     define('ROOT', $GLOBALS['root']);
 }
diff --git a/src/SemanticScuttle/header.php b/src/SemanticScuttle/header.php
index 02d77f5..e931594 100644
--- a/src/SemanticScuttle/header.php
+++ b/src/SemanticScuttle/header.php
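Review bot: The scheme-relative `ROOT` defined on the new `define('ROOT', '//'. ...)` line is only resolved correctly by a browser inside a page it fetched; wherever `ROOT` is emitted into a feed, an e-mail, an API response or a `Location:` header the URL has no scheme and becomes ambiguous or invalid, and the added comment should say so rather than claim the scheme is "not required". If https support is the goal, derive the scheme from the request instead: `$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';` and `define('ROOT', $scheme . '://' . $_SERVER['HTTP_HOST'] . $rootTmp);`. Note also that `$_SERVER['HTTP_HOST']` is the client-supplied Host header, so the auto-detected fallback is attacker-influenced; the `$GLOBALS['root']` configuration branch is the safe path and the docs should steer deployments to it.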
@@ -82,6 +82,7 @@ require_once 'SemanticScuttle/Service.php';
 require_once 'SemanticScuttle/DbService.php';
 require_once 'SemanticScuttle/Service/Factory.php';
 require_once 'SemanticScuttle/functions.php';
+require_once 'SemanticScuttle/Model/Bookmark.php';
 require_once 'SemanticScuttle/Model/UserArray.php';
 if (count($GLOBALS['serviceoverrides']) > 0 |
