/*
* This file is part of DisOrder.
- * Copyright (C) 2004, 2005, 2006, 2007 Richard Kettlewell
+ * Copyright (C) 2004-2008 Richard Kettlewell
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
#include "url.h"
#include "mime.h"
#include "sendmail.h"
+#include "base64.h"
char *login_cookie;
const char *display;
};
+static const char nonce_base64_table[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*";
+
static const char *nonce(void) {
- static unsigned long count;
- char *s;
+ static uint32_t count;
+
+ struct ndata {
+ uint16_t count;
+ uint16_t pid;
+ uint32_t when;
+ } nd;
- byte_xasprintf(&s, "%lx%lx%lx",
- (unsigned long)time(0),
- (unsigned long)getpid(),
- count++);
- return s;
+ nd.count = count++;
+ nd.pid = (uint32_t)getpid();
+ nd.when = (uint32_t)time(0);
+ return generic_to_base64((void *)&nd, sizeof nd,
+ nonce_base64_table);
}
static int compare_entry(const void *a, const void *b) {
parse_url(config->url, &u);
if(login_cookie) {
dynstr_append_string(d, "disorder=");
- dynstr_append_string(d, quote822(login_cookie, 0));
+ dynstr_append_string(d, login_cookie);
} else {
/* Force browser to discard cookie */
dynstr_append_string(d, "disorder=none;Max-Age=0");
* that. But the default path only goes up to the rightmost /, which would
* cause the browser to expose the cookie to other CGI programs on the same
* web server. */
- dynstr_append_string(d, ";Path=");
- dynstr_append_string(d, quote822(u.path, 0));
+ dynstr_append_string(d, ";Version=1;Path=");
+ /* Formally we are supposed to quote the path, since it invariably has a
+ * slash in it. However Safari does not parse quoted paths correctly, so
+ * this won't work. Fortunately nothing else seems to care about proper
+ * quoting of paths, so in practice we get with it. (See also
+ * parse_cookie() where we are liberal about cookie paths on the way back
+ * in.) */
+ dynstr_append_string(d, u.path);
}
dynstr_terminate(d);
cgi_header(output, "Set-Cookie", d->vec);
disorder_unset(ds->g->client, file, "pick_at_random");
else
disorder_set(ds->g->client, file, "pick_at_random", "0");
- if((value = numbered_arg("tags", numfile)))
- disorder_set(ds->g->client, file, "tags", value);
+ if((value = numbered_arg("tags", numfile))) {
+ if(!*value)
+ disorder_unset(ds->g->client, file, "tags");
+ else
+ disorder_set(ds->g->client, file, "tags", value);
+ }
+ if((value = numbered_arg("weight", numfile))) {
+ if(!*value || !strcmp(value, "90000"))
+ disorder_unset(ds->g->client, file, "weight");
+ else
+ disorder_set(ds->g->client, file, "weight", value);
+ }
} else if((name = cgi_get("name"))) {
/* Raw preferences. Not well supported in the templates at the moment. */
value = cgi_get("value");
expand_template(ds, output, "login");
return;
}
- c = disorder_new(1);
+ /* We'll need a new connection as we are going to stop being guest */
+ c = disorder_new(0);
if(disorder_connect_user(c, username, password)) {
cgi_set_option("error", "loginfailed");
expand_template(ds, output, "login");
expand_template(ds, output, "login");
return;
}
+ /* Use the new connection henceforth */
+ ds->g->client = c;
+ ds->g->flags = 0;
/* We have a new cookie */
header_cookie(output->sink);
- if((back = cgi_get("back")) && back)
+ cgi_set_option("status", "loginok");
+ if((back = cgi_get("back")) && *back)
/* Redirect back to somewhere or other */
redirect(output->sink);
else
/* Reconnect as guest */
disorder_cgi_login(ds, output);
/* Back to the login page */
+ cgi_set_option("status", "logoutok");
expand_template(ds, output, "login");
}
static void act_register(cgi_sink *output,
dcgi_state *ds) {
- const char *username, *password, *email;
+ const char *username, *password, *password2, *email;
char *confirm, *content_type;
const char *text, *encoding, *charset;
username = cgi_get("username");
- password = cgi_get("password");
+ password = cgi_get("password1");
+ password2 = cgi_get("password2");
email = cgi_get("email");
if(!username || !*username) {
expand_template(ds, output, "login");
return;
}
+ if(!password2 || !*password2 || strcmp(password, password2)) {
+ cgi_set_option("error", "passwordmismatch");
+ expand_template(ds, output, "login");
+ return;
+ }
if(!email || !*email) {
cgi_set_option("error", "noemail");
expand_template(ds, output, "login");
byte_xasprintf((char **)&text,
"Welcome to DisOrder. To active your login, please visit this URL:\n"
"\n"
- " %s?confirm=%s\n", config->url, urlencodestring(confirm));
+ "%s?c=%s\n", config->url, urlencodestring(confirm));
if(!(text = mime_encode_text(text, &charset, &encoding)))
fatal(0, "cannot encode email");
byte_xasprintf(&content_type, "text/plain;charset=%s",
sendmail("", config->mail_sender, email, "Welcome to DisOrder",
encoding, content_type, text); /* TODO error checking */
/* We'll go back to the login page with a suitable message */
- cgi_set_option("registered", "registeredok");
+ cgi_set_option("status", "registered");
expand_template(ds, output, "login");
}
dcgi_state *ds) {
const char *confirmation;
- if(!(confirmation = cgi_get("confirm"))) {
+ if(!(confirmation = cgi_get("c"))) {
cgi_set_option("error", "noconfirm");
expand_template(ds, output, "login");
}
+ /* Confirm our registration */
if(disorder_confirm(ds->g->client, confirmation)) {
cgi_set_option("error", "badconfirm");
expand_template(ds, output, "login");
}
- cgi_set_option("confirmed", "confirmedok");
+ /* Get a cookie */
+ if(disorder_make_cookie(ds->g->client, &login_cookie)) {
+ cgi_set_option("error", "cookiefailed");
+ expand_template(ds, output, "login");
+ return;
+ }
+ /* Discard any cached data JIC */
+ ds->g->flags = 0;
+ /* We have a new cookie */
+ header_cookie(output->sink);
+ cgi_set_option("status", "confirmed");
expand_template(ds, output, "login");
}
+static void act_edituser(cgi_sink *output,
+ dcgi_state *ds) {
+ const char *email = cgi_get("email"), *password = cgi_get("changepassword1");
+ const char *password2 = cgi_get("changepassword2");
+ int newpassword = 0;
+ disorder_client *c;
+
+ if((password && *password) || (password && *password2)) {
+ if(!password || !password2 || strcmp(password, password2)) {
+ cgi_set_option("error", "passwordmismatch");
+ expand_template(ds, output, "login");
+ return;
+ }
+ } else
+ password = password2 = 0;
+
+ if(email) {
+ if(disorder_edituser(ds->g->client, disorder_user(ds->g->client),
+ "email", email)) {
+ cgi_set_option("error", "badedit");
+ expand_template(ds, output, "login");
+ return;
+ }
+ }
+ if(password) {
+ if(disorder_edituser(ds->g->client, disorder_user(ds->g->client),
+ "password", password)) {
+ cgi_set_option("error", "badedit");
+ expand_template(ds, output, "login");
+ return;
+ }
+ newpassword = 1;
+ }
+ if(newpassword) {
+ login_cookie = 0; /* it'll be invalid now */
+ /* This is a bit duplicative of act_login() */
+ c = disorder_new(0);
+ if(disorder_connect_user(c, disorder_user(ds->g->client), password)) {
+ cgi_set_option("error", "loginfailed");
+ expand_template(ds, output, "login");
+ return;
+ }
+ if(disorder_make_cookie(c, &login_cookie)) {
+ cgi_set_option("error", "cookiefailed");
+ expand_template(ds, output, "login");
+ return;
+ }
+ /* Use the new connection henceforth */
+ ds->g->client = c;
+ ds->g->flags = 0;
+ /* We have a new cookie */
+ header_cookie(output->sink);
+ }
+ cgi_set_option("status", "edited");
+ expand_template(ds, output, "login");
+}
+
+static void act_reminder(cgi_sink *output,
+ dcgi_state *ds) {
+ const char *const username = cgi_get("username");
+
+ if(!username || !*username) {
+ cgi_set_option("error", "nousername");
+ expand_template(ds, output, "login");
+ return;
+ }
+ if(disorder_reminder(ds->g->client, username)) {
+ cgi_set_option("error", "reminderfailed");
+ expand_template(ds, output, "login");
+ return;
+ }
+ cgi_set_option("status", "reminded");
+ expand_template(ds, output, "login");
+}
+
static const struct action {
const char *name;
void (*handler)(cgi_sink *output, dcgi_state *ds);
} actions[] = {
{ "confirm", act_confirm },
{ "disable", act_disable },
+ { "edituser", act_edituser },
{ "enable", act_enable },
{ "login", act_login },
{ "logout", act_logout },
{ "random-disable", act_random_disable },
{ "random-enable", act_random_enable },
{ "register", act_register },
+ { "reminder", act_reminder },
{ "remove", act_remove },
{ "resume", act_resume },
{ "scratch", act_scratch },
expandstring(output, args[2], ds);
}
+static void exp_userinfo(int attribute((unused)) nargs,
+ char **args,
+ cgi_sink *output,
+ void *u) {
+ dcgi_state *const ds = u;
+ const char *value;
+
+ if(disorder_userinfo(ds->g->client, disorder_user(ds->g->client), args[0],
+ (char **)&value))
+ value = "";
+ cgi_output(output, "%s", value);
+}
+
+static void exp_image(int attribute((unused)) nargs,
+ char **args,
+ cgi_sink *output,
+ void attribute((unused)) *u) {
+ char *labelname;
+ const char *imagestem;
+
+ byte_xasprintf(&labelname, "images.%s", args[0]);
+ if(cgi_label_exists(labelname))
+ imagestem = cgi_label(labelname);
+ else if(strchr(args[0], '.'))
+ imagestem = args[0];
+ else
+ byte_xasprintf((char **)&imagestem, "%s.png", args[0]);
+ if(cgi_label_exists("url.static"))
+ cgi_output(output, "%s/%s", cgi_label("url.static"), imagestem);
+ else
+ cgi_output(output, "/disorder/%s", imagestem);
+}
+
+static void exp_define(int attribute((unused)) nargs,
+ char **args,
+ cgi_sink attribute((unused)) *output,
+ void attribute((unused)) *u) {
+ const char *n = args[0], *a = args[1], *v = args[2];
+ int nas;
+ char **as = split(a, &nas, 0, 0, 0);
+
+ cgi_define(n, nas, as, v);
+}
+
static const struct cgi_expansion expansions[] = {
{ "#", 0, INT_MAX, EXP_MAGIC, exp_comment },
{ "action", 0, 0, 0, exp_action },
{ "arg", 1, 1, 0, exp_arg },
{ "basename", 0, 1, 0, exp_basename },
{ "choose", 2, 2, EXP_MAGIC, exp_choose },
+ { "define", 3, 3, EXP_MAGIC, exp_define },
{ "dirname", 0, 1, 0, exp_dirname },
{ "enabled", 0, 0, 0, exp_enabled },
{ "eq", 2, 2, 0, exp_eq },
{ "fullname", 0, 0, 0, exp_fullname },
{ "id", 0, 0, 0, exp_id },
{ "if", 2, 3, EXP_MAGIC, exp_if },
+ { "image", 1, 1, 0, exp_image },
{ "include", 1, 1, 0, exp_include },
{ "index", 0, 0, 0, exp_index },
{ "isdirectories", 0, 0, 0, exp_isdirectories },
{ "url", 0, 0, 0, exp_url },
{ "urlquote", 1, 1, 0, exp_urlquote },
{ "user", 0, 0, 0, exp_user },
+ { "userinfo", 1, 1, 0, exp_userinfo },
{ "version", 0, 0, 0, exp_version },
{ "volume", 1, 1, 0, exp_volume },
{ "when", 0, 0, 0, exp_when },
if(!action) {
/* We allow URLs which are just confirm=... in order to keep confirmation
* URLs, which are user-facing, as short as possible. */
- if(cgi_get("confirm"))
+ if(cgi_get("c"))
action = "confirm";
else
action = "playing";