cgi/actions.c, lib/client*.[ch]: Don't use priv connection to check passwd.

[disorder] / cgi / actions.c

diff --git a/cgi/actions.c b/cgi/actions.c
index ab52c2d9b1284b55e2a7f5468409ecc0e83a1581..6f094cb7780a98b928092fcfe45869d801c3e7c0 100644 (file)
--- a/cgi/actions.c
+++ b/cgi/actions.c
@@ -44,7 +44,7 @@ static void redirect(const char *url) {
   if(printf("Location: %s\n"
             "%s\n"
             "\n", url, dcgi_cookie_header()) < 0)
-    fatal(errno, "error writing to stdout");
+    disorder_fatal(errno, "error writing to stdout");
 }
 
 /*$ playing
@@ -76,14 +76,13 @@ static void act_playing(void) {
      && dcgi_playing->sofar >= 0) {
     /* Try to put the next refresh at the start of the next track. */
     xtime(&now);
-    fin = now + length - dcgi_playing->sofar + config->gap;
+    fin = now + length - dcgi_playing->sofar;
     if(now + refresh > fin)
       refresh = fin - now;
   }
   if(dcgi_queue && dcgi_queue->origin == origin_scratch) {
-    /* next track is a scratch, don't leave more than the inter-track gap */
-    if(refresh > config->gap)
-      refresh = config->gap;
+    /* next track is a scratch, refresh immediately */
+    refresh = 0;
   }
   if(!dcgi_playing
      && ((dcgi_queue
@@ -91,17 +90,20 @@ static void act_playing(void) {
          || dcgi_random_enabled)
      && dcgi_enabled) {
     /* no track playing but playing is enabled and there is something coming
-     * up, must be in a gap */
-    if(refresh > config->gap)
-      refresh = config->gap;
+     * up, so refresh immediately */
+    refresh = 0;
   }
+  /* Bound the refresh interval below as a back-stop against the above
+   * calculations coming up with a stupid answer */
+  if(refresh < config->refresh_min)
+    refresh = config->refresh_min;
   if((action = cgi_get("action")))
     url = cgi_makeurl(config->url, "action", action, (char *)0);
   else
     url = config->url;
   if(printf("Refresh: %ld;url=%s\n",
             refresh, url) < 0)
-    fatal(errno, "error writing to stdout");
+    disorder_fatal(errno, "error writing to stdout");
   dcgi_expand("playing", 1);
 }
 
@@ -176,12 +178,12 @@ static void act_remove(void) {
 
   if(dcgi_client) {
     if(!(id = cgi_get("id")))
-      error(0, "missing 'id' argument");
+      disorder_error(0, "missing 'id' argument");
     else if(!(q = dcgi_findtrack(id)))
-      error(0, "unknown queue id %s", id);
+      disorder_error(0, "unknown queue id %s", id);
     else if(q->origin == origin_scratch)
       /* can't scratch scratches */
-      error(0, "does not make sense to scratch or remove %s", id);
+      disorder_error(0, "does not make sense to scratch or remove %s", id);
     else if(q->state == playing_paused
             || q->state == playing_started)
       /* removing the playing track = scratching */
@@ -191,7 +193,7 @@ static void act_remove(void) {
       disorder_remove(dcgi_client, id);
     else
       /* various error states */
-      error(0, "does not make sense to scratch or remove %s", id);
+      disorder_error(0, "does not make sense to scratch or remove %s", id);
   }
   redirect(0);
 }
@@ -208,18 +210,18 @@ static void act_move(void) {
 
   if(dcgi_client) {
     if(!(id = cgi_get("id")))
-      error(0, "missing 'id' argument");
+      disorder_error(0, "missing 'id' argument");
     else if(!(delta = cgi_get("delta")))
-      error(0, "missing 'delta' argument");
+      disorder_error(0, "missing 'delta' argument");
     else if(!(q = dcgi_findtrack(id)))
-      error(0, "unknown queue id %s", id);
+      disorder_error(0, "unknown queue id %s", id);
     else switch(q->state) {
     case playing_random:                /* unplayed randomly chosen track */
     case playing_unplayed:              /* haven't played this track yet */
       disorder_move(dcgi_client, id, atol(delta));
       break;
     default:
-      error(0, "does not make sense to scratch %s", id);
+      disorder_error(0, "does not make sense to scratch %s", id);
       break;
     }
   }
@@ -236,16 +238,17 @@ static void act_play(void) {
   char **tracks;
   int ntracks, n;
   struct tracksort_data *tsd;
+  char *id;
   
   if(dcgi_client) {
     if((track = cgi_get("track"))) {
-      disorder_play(dcgi_client, track);
+      disorder_play(dcgi_client, track, &id);
     } else if((dir = cgi_get("dir"))) {
       if(disorder_files(dcgi_client, dir, 0, &tracks, &ntracks))
         ntracks = 0;
       tsd = tracksort_init(ntracks, tracks, "track");
       for(n = 0; n < ntracks; ++n)
-        disorder_play(dcgi_client, tsd[n].track);
+        disorder_play(dcgi_client, tsd[n].track, &id);
     }
   }
   redirect(0);
@@ -304,8 +307,12 @@ static int login_as(const char *username, const char *password) {
 
   if(dcgi_cookie && dcgi_client)
     disorder_revoke(dcgi_client);
-  /* We'll need a new connection as we are going to stop being guest */
+  /* We'll need a new connection as we are going to stop being guest.
+   * Make sure it's unprivileged, so that the server actually bothers checking
+   * the password we supply.
+   */
   c = disorder_new(0);
+  disorder_force_unpriv(c);
   if(disorder_connect_user(c, username, password)) {
     login_error("loginfailed");
     return -1;
@@ -438,7 +445,7 @@ static void act_register(void) {
                 "\n"
                 "%s?c=%s\n", config->url, urlencodestring(confirm));
   if(!(text = mime_encode_text(text, &charset, &encoding)))
-    fatal(0, "cannot encode email");
+    disorder_fatal(0, "cannot encode email");
   byte_xasprintf(&content_type, "text/plain;charset=%s",
                 quote822(charset, 0));
   sendmail("", config->mail_sender, email, "Welcome to DisOrder",
@@ -608,7 +615,7 @@ static int process_prefs(int numfile) {
     byte_xasprintf((char **)&name, "trackname_%s_%s", context, part);
     disorder_set(dcgi_client, file, name, value);
   }
-  if((value = numbered_arg("random", numfile)))
+  if(numbered_arg("random", numfile))
     disorder_unset(dcgi_client, file, "pick_at_random");
   else
     disorder_set(dcgi_client, file, "pick_at_random", "0");
@@ -726,19 +733,19 @@ void dcgi_expand(const char *name, int header) {
     mx_expand_file(found, sink_discard(), 0);
   /* For unknown actions check that they aren't evil */
   if(!dcgi_valid_action(name))
-    fatal(0, "invalid action name '%s'", name);
+    disorder_fatal(0, "invalid action name '%s'", name);
   byte_xasprintf((char **)&p, "%s.tmpl", name);
   if(!(found = mx_find(p, 0/*report*/)))
-    fatal(errno, "cannot find %s", p);
+    disorder_fatal(errno, "cannot find %s", p);
   if(header) {
     if(printf("Content-Type: text/html; charset=UTF-8\n"
               "%s\n"
               "\n", dcgi_cookie_header()) < 0)
-      fatal(errno, "error writing to stdout");
+      disorder_fatal(errno, "error writing to stdout");
   }
   if(mx_expand_file(found, sink_stdio("stdout", stdout), 0) == -1
      || fflush(stdout) < 0)
-    fatal(errno, "error writing to stdout");
+    disorder_fatal(errno, "error writing to stdout");
 }
 
 /** @brief Execute a web action