X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/blobdiff_plain/4ecbdbd99dea3236c3c6d5ea5401a08c56de5d3c..ac152d06f4cfa9abcd4a88de7dbc6a9040f99c0d:/server/dcgi.c

diff --git a/server/dcgi.c b/server/dcgi.c
index 07e1825..27c77b1 100644
--- a/server/dcgi.c
+++ b/server/dcgi.c
@@ -39,7 +39,6 @@
 #include "vector.h"
 #include "sink.h"
 #include "cgi.h"
-#include "dcgi.h"
 #include "log.h"
 #include "configuration.h"
 #include "table.h"
@@ -54,6 +53,12 @@
 #include "defs.h"
 #include "trackname.h"
 #include "charset.h"
+#include "dcgi.h"
+#include "url.h"
+#include "mime.h"
+#include "sendmail.h"
+
+char *login_cookie;
 
 static void expand(cgi_sink *output,
 		   const char *template,
@@ -99,18 +104,54 @@ static const char *front_url(void) {
   return config->url;
 }
 
+static void header_cookie(struct sink *output) {
+  struct dynstr d[1];
+  struct url u;
+
+  memset(&u, 0, sizeof u);
+  dynstr_init(d);
+  parse_url(config->url, &u);
+  if(login_cookie) {
+    dynstr_append_string(d, "disorder=");
+    dynstr_append_string(d, quote822(login_cookie, 0));
+  } else {
+    /* Force browser to discard cookie */
+    dynstr_append_string(d, "disorder=none;Max-Age=0");
+  }
+  if(u.path) {
+    /* The default domain matches the request host, so we need not override
+     * that.  But the default path only goes up to the rightmost /, which would
+     * cause the browser to expose the cookie to other CGI programs on the same
+     * web server. */
+    dynstr_append_string(d, ";Path=");
+    dynstr_append_string(d, quote822(u.path, 0));
+  }
+  dynstr_terminate(d);
+  cgi_header(output, "Set-Cookie", d->vec);
+}
+
 static void redirect(struct sink *output) {
   const char *back;
 
-  cgi_header(output, "Location",
-	     (back = cgi_get("back")) ? back : front_url());
+  back = cgi_get("back");
+  cgi_header(output, "Location", back && *back ? back : front_url());
+  header_cookie(output);
   cgi_body(output);
 }
 
+static void expand_template(dcgi_state *ds, cgi_sink *output,
+			    const char *action) {
+  cgi_header(output->sink, "Content-Type", "text/html");
+  header_cookie(output->sink);
+  cgi_body(output->sink);
+  expand(output, action, ds);
+}
+
 static void lookups(dcgi_state *ds, unsigned want) {
   unsigned need;
   struct queue_entry *r, *rnext;
   const char *dir, *re;
+  char *rights;
 
   if(ds->g->client && (need = want ^ (ds->g->flags & want)) != 0) {
     if(need & DC_QUEUE)
@@ -145,6 +186,12 @@ static void lookups(dcgi_state *ds, unsigned want) {
 			  &ds->g->files, &ds->g->nfiles))
 	  ds->g->nfiles = 0;
     }
+    if(need & DC_RIGHTS) {
+      ds->g->rights = RIGHT_READ;	/* fail-safe */
+      if(!disorder_userinfo(ds->g->client, disorder_user(ds->g->client),
+			    "rights", &rights))
+	parse_rights(rights, &ds->g->rights, 1);
+    }
     ds->g->flags |= need;
   }
 }
@@ -245,6 +292,7 @@ static void act_playing(cgi_sink *output, dcgi_state *ds) {
   byte_snprintf(r, sizeof r, "%ld;url=%s", refresh > 0 ? refresh : 1,
 		front_url());
   cgi_header(output->sink, "Refresh", r);
+  header_cookie(output->sink);
   cgi_body(output->sink);
   expand(output, "playing", ds);
 }
@@ -311,9 +359,11 @@ static void act_volume(cgi_sink *output, dcgi_state *ds) {
      * URL) */
     cgi_header(output->sink, "Location",
 	       (back = cgi_get("back")) ? back : volume_url());
+    header_cookie(output->sink);
     cgi_body(output->sink);
   } else {
     cgi_header(output->sink, "Content-Type", "text/html");
+    header_cookie(output->sink);
     cgi_body(output->sink);
     expand(output, "volume", ds);
   }
@@ -382,6 +432,7 @@ static void act_prefs(cgi_sink *output, dcgi_state *ds) {
   for(numfile = 0; numfile < nfiles; ++numfile)
     process_prefs(ds, numfile);
   cgi_header(output->sink, "Content-Type", "text/html");
+  header_cookie(output->sink);
   cgi_body(output->sink);
   expand(output, "prefs", ds);
 }
@@ -400,12 +451,131 @@ static void act_resume(cgi_sink *output,
   redirect(output->sink);
 }
 
+static void act_login(cgi_sink *output,
+		      dcgi_state *ds) {
+  const char *username, *password, *back;
+  disorder_client *c;
+
+  username = cgi_get("username");
+  password = cgi_get("password");
+  if(!username || !password
+     || !strcmp(username, "guest")/*bodge to avoid guest cookies*/) {
+    /* We're just visiting the login page */
+    expand_template(ds, output, "login");
+    return;
+  }
+  c = disorder_new(1);
+  if(disorder_connect_user(c, username, password)) {
+    cgi_set_option("error", "loginfailed");
+    expand_template(ds, output, "login");
+    return;
+  }
+  if(disorder_make_cookie(c, &login_cookie)) {
+    cgi_set_option("error", "cookiefailed");
+    expand_template(ds, output, "login");
+    return;
+  }
+  /* We have a new cookie */
+  header_cookie(output->sink);
+  cgi_set_option("status", "loginok");
+  if((back = cgi_get("back")) && *back)
+    /* Redirect back to somewhere or other */
+    redirect(output->sink);
+  else
+    /* Stick to the login page */
+    expand_template(ds, output, "login");
+}
+
+static void act_logout(cgi_sink *output,
+		       dcgi_state *ds) {
+  disorder_revoke(ds->g->client);
+  login_cookie = 0;
+  /* Reconnect as guest */
+  disorder_cgi_login(ds, output);
+  /* Back to the login page */
+  cgi_set_option("status", "logoutok");
+  expand_template(ds, output, "login");
+}
+
+static void act_register(cgi_sink *output,
+			 dcgi_state *ds) {
+  const char *username, *password, *email;
+  char *confirm, *content_type;
+  const char *text, *encoding, *charset;
+
+  username = cgi_get("username");
+  password = cgi_get("password");
+  email = cgi_get("email");
+
+  if(!username || !*username) {
+    cgi_set_option("error", "nousername");
+    expand_template(ds, output, "login");
+    return;
+  }
+  if(!password || !*password) {
+    cgi_set_option("error", "nopassword");
+    expand_template(ds, output, "login");
+    return;
+  }
+  if(!email || !*email) {
+    cgi_set_option("error", "noemail");
+    expand_template(ds, output, "login");
+    return;
+  }
+  /* We could well do better address validation but for now we'll just do the
+   * minimum */
+  if(!strchr(email, '@')) {
+    cgi_set_option("error", "bademail");
+    expand_template(ds, output, "login");
+    return;
+  }
+  if(disorder_register(ds->g->client, username, password, email, &confirm)) {
+    cgi_set_option("error", "cannotregister");
+    expand_template(ds, output, "login");
+    return;
+  }
+  /* Send the user a mail */
+  /* TODO templatize this */
+  byte_xasprintf((char **)&text,
+		 "Welcome to DisOrder.  To active your login, please visit this URL:\n"
+		 "\n"
+		 "%s?c=%s\n", config->url, urlencodestring(confirm));
+  if(!(text = mime_encode_text(text, &charset, &encoding)))
+    fatal(0, "cannot encode email");
+  byte_xasprintf(&content_type, "text/plain;charset=%s",
+		 quote822(charset, 0));
+  sendmail("", config->mail_sender, email, "Welcome to DisOrder",
+	   encoding, content_type, text); /* TODO error checking  */
+  /* We'll go back to the login page with a suitable message */
+  cgi_set_option("status", "registered");
+  expand_template(ds, output, "login");
+}
+
+static void act_confirm(cgi_sink *output,
+			dcgi_state *ds) {
+  const char *confirmation;
+
+  if(!(confirmation = cgi_get("c"))) {
+    cgi_set_option("error", "noconfirm");
+    expand_template(ds, output, "login");
+  }
+  if(disorder_confirm(ds->g->client, confirmation)) {
+    cgi_set_option("error", "badconfirm");
+    expand_template(ds, output, "login");
+  }
+  cgi_set_option("status", "confirmed");
+  expand_template(ds, output, "login");
+}
+
 static const struct action {
   const char *name;
   void (*handler)(cgi_sink *output, dcgi_state *ds);
 } actions[] = {
+  { "confirm", act_confirm },
   { "disable", act_disable },
   { "enable", act_enable },
+  { "login", act_login },
+  { "logout", act_logout },
   { "move", act_move },
   { "pause", act_pause },
   { "play", act_play },
@@ -413,6 +583,7 @@ static const struct action {
   { "prefs", act_prefs },
   { "random-disable", act_random_disable },
   { "random-enable", act_random_enable },
+  { "register", act_register },
   { "remove", act_remove },
   { "resume", act_resume },
   { "scratch", act_scratch },
@@ -446,7 +617,7 @@ static void exp_version(int attribute((unused)) nargs,
 			char attribute((unused)) **args,
 			cgi_sink *output,
 			void attribute((unused)) *u) {
-  cgi_output(output, "%s", disorder_version_string);
+  cgi_output(output, "%s", disorder_short_version_string);
 }
 
 static void exp_nonce(int attribute((unused)) nargs,
@@ -1110,17 +1281,12 @@ static void exp_scratchable(int attribute((unused)) nargs,
 			    cgi_sink *output,
 			    void attribute((unused)) *u) {
   dcgi_state *ds = u;
-  int result;
-
-  if(config->restrictions & RESTRICT_SCRATCH) {
-    lookups(ds, DC_PLAYING);
-    result = (ds->g->playing
-	      && (!ds->g->playing->submitter
-		  || !strcmp(ds->g->playing->submitter,
-			     disorder_user(ds->g->client))));
-  } else
-    result = 1;
-  sink_printf(output->sink, "%s", bool2str(result));
+
+  lookups(ds, DC_PLAYING|DC_RIGHTS);
+  sink_printf(output->sink, "%s",
+	      bool2str(right_scratchable(ds->g->rights,
+					 disorder_user(ds->g->client),
+					 ds->g->playing)));
 }
 
 static void exp_removable(int attribute((unused)) nargs,
@@ -1128,16 +1294,25 @@ static void exp_removable(int attribute((unused)) nargs,
 			  cgi_sink *output,
 			  void attribute((unused)) *u) {
   dcgi_state *ds = u;
-  int result;
 
-  if(config->restrictions & RESTRICT_REMOVE)
-    result = (ds->track
-	      && ds->track->submitter
-	      && !strcmp(ds->track->submitter,
-			 disorder_user(ds->g->client)));
-  else
-    result = 1;
-  sink_printf(output->sink, "%s", bool2str(result));
+  lookups(ds, DC_RIGHTS);
+  sink_printf(output->sink, "%s",
+	      bool2str(right_removable(ds->g->rights,
+				       disorder_user(ds->g->client),
+				       ds->track)));
+}
+
+static void exp_movable(int attribute((unused)) nargs,
+			char attribute((unused)) **args,
+			cgi_sink *output,
+			void attribute((unused)) *u) {
+  dcgi_state *ds = u;
+
+  lookups(ds, DC_RIGHTS);
+  sink_printf(output->sink, "%s",
+	      bool2str(right_movable(ds->g->rights,
+				     disorder_user(ds->g->client),
+				     ds->track)));
 }
 
 static void exp_navigate(int attribute((unused)) nargs,
@@ -1401,6 +1576,34 @@ static void exp_nfiles(int attribute((unused)) nargs,
     cgi_output(output, "1");
 }
 
+static void exp_user(int attribute((unused)) nargs,
+		     char attribute((unused)) **args,
+		     cgi_sink *output,
+		     void *u) {
+  dcgi_state *const ds = u;
+
+  cgi_output(output, "%s", disorder_user(ds->g->client));
+}
+
+static void exp_right(int attribute((unused)) nargs,
+		      char **args,
+		      cgi_sink *output,
+		      void *u) {
+  dcgi_state *const ds = u;
+  const char *right = expandarg(args[0], ds);
+  rights_type r;
+
+  lookups(ds, DC_RIGHTS);
+  if(parse_rights(right, &r, 1/*report*/))
+    r = 0;
+  if(args[1] == 0)
+    cgi_output(output, "%s", bool2str(!!(r & ds->g->rights)));
+  else if(r & ds->g->rights)
+    expandstring(output, args[1], ds);
+  else if(args[2])
+    expandstring(output, args[2], ds);
+}
+
 static const struct cgi_expansion expansions[] = {
   { "#", 0, INT_MAX, EXP_MAGIC, exp_comment },
   { "action", 0, 0, 0, exp_action },
@@ -1428,6 +1631,7 @@ static const struct cgi_expansion expansions[] = {
   { "isrecent", 0, 0, 0, exp_isrecent },
   { "label", 1, 1, 0, exp_label },
   { "length", 0, 0, 0, exp_length },
+  { "movable", 0, 0, 0, exp_movable },
   { "navigate", 2, 2, EXP_MAGIC, exp_navigate },
   { "ne", 2, 2, 0, exp_ne },
   { "new", 1, 1, EXP_MAGIC, exp_new },
@@ -1448,6 +1652,7 @@ static const struct cgi_expansion expansions[] = {
   { "recent", 1, 1, EXP_MAGIC, exp_recent },
   { "removable", 0, 0, 0, exp_removable },
   { "resolve", 1, 1, 0, exp_resolve },
+  { "right", 1, 3, EXP_MAGIC, exp_right },
   { "scratchable", 0, 0, 0, exp_scratchable },
   { "search", 2, 3, EXP_MAGIC, exp_search },
   { "server-version", 0, 0, 0, exp_server_version },
@@ -1460,6 +1665,7 @@ static const struct cgi_expansion expansions[] = {
   { "transform", 2, 3, 0, exp_transform },
   { "url", 0, 0, 0, exp_url },
   { "urlquote", 1, 1, 0, exp_urlquote },
+  { "user", 0, 0, 0, exp_user },
   { "version", 0, 0, 0, exp_version },
   { "volume", 1, 1, 0, exp_volume },
   { "when", 0, 0, 0, exp_when },
@@ -1489,19 +1695,25 @@ static void perform_action(cgi_sink *output, dcgi_state *ds,
 			   const char *action) {
   int n;
 
+  /* We don't ever want anything to be cached */
+  cgi_header(output->sink, "Cache-Control", "no-cache");
   if((n = TABLE_FIND(actions, struct action, name, action)) >= 0)
     actions[n].handler(output, ds);
-  else {
-    cgi_header(output->sink, "Content-Type", "text/html");
-    cgi_body(output->sink);
-    expand(output, action, ds);
-  }
+  else
+    expand_template(ds, output, action);
 }
 
 void disorder_cgi(cgi_sink *output, dcgi_state *ds) {
   const char *action = cgi_get("action");
 
-  if(!action) action = "playing";
+  if(!action) {
+    /* We allow URLs which are just confirm=... in order to keep confirmation
+     * URLs, which are user-facing, as short as possible. */
+    if(cgi_get("c"))
+      action = "confirm";
+    else
+      action = "playing";
+  }
   perform_action(output, ds, action);
 }
 
@@ -1511,6 +1723,22 @@ void disorder_cgi_error(cgi_sink *output, dcgi_state *ds,
   perform_action(output, ds, "error");
 }
 
+/** @brief Log in as the current user or guest if none */
+void disorder_cgi_login(dcgi_state *ds, cgi_sink *output) {
+  /* Create a new connection */
+  ds->g->client = disorder_new(0);
+  /* Forget everything we knew */
+  ds->g->flags = 0;
+  /* Reconnect */
+  if(disorder_connect_cookie(ds->g->client, login_cookie)) {
+    disorder_cgi_error(output, ds, "connect");
+    exit(0);
+  }
+  /* If there was a cookie but it went bad, we forget it */
+  if(login_cookie && !strcmp(disorder_user(ds->g->client), "guest"))
+    login_cookie = 0;
+}
+
 /*
 Local Variables:
 c-basic-offset:2