X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/blobdiff_plain/7f66f58b384d81cb04c6ed9c3844582762f5c698..91370169de7f552f3a54e5ef9e079a202a5efbfa:/server/dcgi.c?ds=sidebyside diff --git a/server/dcgi.c b/server/dcgi.c index e81aac6..19e25e0 100644 --- a/server/dcgi.c +++ b/server/dcgi.c @@ -1,6 +1,6 @@ /* * This file is part of DisOrder. - * Copyright (C) 2004, 2005, 2006, 2007 Richard Kettlewell + * Copyright (C) 2004-2008 Richard Kettlewell * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -39,7 +39,6 @@ #include "vector.h" #include "sink.h" #include "cgi.h" -#include "dcgi.h" #include "log.h" #include "configuration.h" #include "table.h" @@ -54,6 +53,11 @@ #include "defs.h" #include "trackname.h" #include "charset.h" +#include "dcgi.h" +#include "url.h" +#include "mime.h" +#include "sendmail.h" +#include "base64.h" char *login_cookie; @@ -70,15 +74,23 @@ struct entry { const char *display; }; +static const char nonce_base64_table[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*"; + static const char *nonce(void) { - static unsigned long count; - char *s; + static uint32_t count; + + struct ndata { + uint16_t count; + uint16_t pid; + uint32_t when; + } nd; - byte_xasprintf(&s, "%lx%lx%lx", - (unsigned long)time(0), - (unsigned long)getpid(), - count++); - return s; + nd.count = count++; + nd.pid = (uint32_t)getpid(); + nd.when = (uint32_t)time(0); + return generic_to_base64((void *)&nd, sizeof nd, + nonce_base64_table); } static int compare_entry(const void *a, const void *b) { @@ -103,21 +115,34 @@ static const char *front_url(void) { static void header_cookie(struct sink *output) { struct dynstr d[1]; - char *s; + struct url u; + memset(&u, 0, sizeof u); + dynstr_init(d); + parse_url(config->url, &u); if(login_cookie) { - dynstr_init(d); - for(s = login_cookie; *s; ++s) { - if(*s == '"') - dynstr_append(d, '\\'); - dynstr_append(d, *s); - } - dynstr_terminate(d); - byte_xasprintf(&s, "disorder=\"%s\"", d->vec); /* TODO domain, path, expiry */ - cgi_header(output, "Set-Cookie", s); - } else + dynstr_append_string(d, "disorder="); + dynstr_append_string(d, login_cookie); + } else { /* Force browser to discard cookie */ - cgi_header(output, "Set-Cookie", "disorder=none;Max-Age=0"); + dynstr_append_string(d, "disorder=none;Max-Age=0"); + } + if(u.path) { + /* The default domain matches the request host, so we need not override + * that. But the default path only goes up to the rightmost /, which would + * cause the browser to expose the cookie to other CGI programs on the same + * web server. */ + dynstr_append_string(d, ";Version=1;Path="); + /* Formally we are supposed to quote the path, since it invariably has a + * slash in it. However Safari does not parse quoted paths correctly, so + * this won't work. Fortunately nothing else seems to care about proper + * quoting of paths, so in practice we get with it. (See also + * parse_cookie() where we are liberal about cookie paths on the way back + * in.) */ + dynstr_append_string(d, u.path); + } + dynstr_terminate(d); + cgi_header(output, "Set-Cookie", d->vec); } static void redirect(struct sink *output) { @@ -141,6 +166,7 @@ static void lookups(dcgi_state *ds, unsigned want) { unsigned need; struct queue_entry *r, *rnext; const char *dir, *re; + char *rights; if(ds->g->client && (need = want ^ (ds->g->flags & want)) != 0) { if(need & DC_QUEUE) @@ -175,6 +201,12 @@ static void lookups(dcgi_state *ds, unsigned want) { &ds->g->files, &ds->g->nfiles)) ds->g->nfiles = 0; } + if(need & DC_RIGHTS) { + ds->g->rights = RIGHT_READ; /* fail-safe */ + if(!disorder_userinfo(ds->g->client, disorder_user(ds->g->client), + "rights", &rights)) + parse_rights(rights, &ds->g->rights, 1); + } ds->g->flags |= need; } } @@ -447,7 +479,8 @@ static void act_login(cgi_sink *output, expand_template(ds, output, "login"); return; } - c = disorder_new(1); + /* We'll need a new connection as we are going to stop being guest */ + c = disorder_new(0); if(disorder_connect_user(c, username, password)) { cgi_set_option("error", "loginfailed"); expand_template(ds, output, "login"); @@ -458,9 +491,13 @@ static void act_login(cgi_sink *output, expand_template(ds, output, "login"); return; } + /* Use the new connection henceforth */ + ds->g->client = c; + ds->g->flags = 0; /* We have a new cookie */ header_cookie(output->sink); - if((back = cgi_get("back")) && back) + cgi_set_option("status", "loginok"); + if((back = cgi_get("back")) && *back) /* Redirect back to somewhere or other */ redirect(output->sink); else @@ -473,22 +510,21 @@ static void act_logout(cgi_sink *output, disorder_revoke(ds->g->client); login_cookie = 0; /* Reconnect as guest */ - ds->g->client = disorder_new(0); - if(disorder_connect_cookie(ds->g->client, 0)) { - disorder_cgi_error(output, ds, "connect"); - exit(0); - } + disorder_cgi_login(ds, output); /* Back to the login page */ + cgi_set_option("status", "logoutok"); expand_template(ds, output, "login"); } static void act_register(cgi_sink *output, dcgi_state *ds) { - const char *username, *password, *email; - char *confirm; + const char *username, *password, *password2, *email; + char *confirm, *content_type; + const char *text, *encoding, *charset; username = cgi_get("username"); - password = cgi_get("password"); + password = cgi_get("password1"); + password2 = cgi_get("password2"); email = cgi_get("email"); if(!username || !*username) { @@ -501,6 +537,11 @@ static void act_register(cgi_sink *output, expand_template(ds, output, "login"); return; } + if(!password2 || !*password2 || strcmp(password, password2)) { + cgi_set_option("error", "passwordmismatch"); + expand_template(ds, output, "login"); + return; + } if(!email || !*email) { cgi_set_option("error", "noemail"); expand_template(ds, output, "login"); @@ -518,16 +559,132 @@ static void act_register(cgi_sink *output, expand_template(ds, output, "login"); return; } + /* Send the user a mail */ + /* TODO templatize this */ + byte_xasprintf((char **)&text, + "Welcome to DisOrder. To active your login, please visit this URL:\n" + "\n" + "%s?c=%s\n", config->url, urlencodestring(confirm)); + if(!(text = mime_encode_text(text, &charset, &encoding))) + fatal(0, "cannot encode email"); + byte_xasprintf(&content_type, "text/plain;charset=%s", + quote822(charset, 0)); + sendmail("", config->mail_sender, email, "Welcome to DisOrder", + encoding, content_type, text); /* TODO error checking */ /* We'll go back to the login page with a suitable message */ - cgi_set_option("registered", "registeredok"); + cgi_set_option("status", "registered"); + expand_template(ds, output, "login"); +} + +static void act_confirm(cgi_sink *output, + dcgi_state *ds) { + const char *confirmation; + + if(!(confirmation = cgi_get("c"))) { + cgi_set_option("error", "noconfirm"); + expand_template(ds, output, "login"); + } + /* Confirm our registration */ + if(disorder_confirm(ds->g->client, confirmation)) { + cgi_set_option("error", "badconfirm"); + expand_template(ds, output, "login"); + } + /* Get a cookie */ + if(disorder_make_cookie(ds->g->client, &login_cookie)) { + cgi_set_option("error", "cookiefailed"); + expand_template(ds, output, "login"); + return; + } + /* Discard any cached data JIC */ + ds->g->flags = 0; + /* We have a new cookie */ + header_cookie(output->sink); + cgi_set_option("status", "confirmed"); expand_template(ds, output, "login"); } +static void act_edituser(cgi_sink *output, + dcgi_state *ds) { + const char *email = cgi_get("email"), *password = cgi_get("changepassword1"); + const char *password2 = cgi_get("changepassword2"); + int newpassword = 0; + disorder_client *c; + + if((password && *password) || (password && *password2)) { + if(!password || !password2 || strcmp(password, password2)) { + cgi_set_option("error", "passwordmismatch"); + expand_template(ds, output, "login"); + return; + } + } else + password = password2 = 0; + + if(email) { + if(disorder_edituser(ds->g->client, disorder_user(ds->g->client), + "email", email)) { + cgi_set_option("error", "badedit"); + expand_template(ds, output, "login"); + return; + } + } + if(password) { + if(disorder_edituser(ds->g->client, disorder_user(ds->g->client), + "password", password)) { + cgi_set_option("error", "badedit"); + expand_template(ds, output, "login"); + return; + } + newpassword = 1; + } + if(newpassword) { + login_cookie = 0; /* it'll be invalid now */ + /* This is a bit duplicative of act_login() */ + c = disorder_new(0); + if(disorder_connect_user(c, disorder_user(ds->g->client), password)) { + cgi_set_option("error", "loginfailed"); + expand_template(ds, output, "login"); + return; + } + if(disorder_make_cookie(c, &login_cookie)) { + cgi_set_option("error", "cookiefailed"); + expand_template(ds, output, "login"); + return; + } + /* Use the new connection henceforth */ + ds->g->client = c; + ds->g->flags = 0; + /* We have a new cookie */ + header_cookie(output->sink); + } + cgi_set_option("status", "edited"); + expand_template(ds, output, "login"); +} + +static void act_reminder(cgi_sink *output, + dcgi_state *ds) { + const char *const username = cgi_get("username"); + + if(!username || !*username) { + cgi_set_option("error", "nousername"); + expand_template(ds, output, "login"); + return; + } + if(disorder_reminder(ds->g->client, username)) { + cgi_set_option("error", "reminderfailed"); + expand_template(ds, output, "login"); + return; + } + cgi_set_option("status", "reminded"); + expand_template(ds, output, "login"); +} + static const struct action { const char *name; void (*handler)(cgi_sink *output, dcgi_state *ds); } actions[] = { + { "confirm", act_confirm }, { "disable", act_disable }, + { "edituser", act_edituser }, { "enable", act_enable }, { "login", act_login }, { "logout", act_logout }, @@ -539,6 +696,7 @@ static const struct action { { "random-disable", act_random_disable }, { "random-enable", act_random_enable }, { "register", act_register }, + { "reminder", act_reminder }, { "remove", act_remove }, { "resume", act_resume }, { "scratch", act_scratch }, @@ -1236,17 +1394,12 @@ static void exp_scratchable(int attribute((unused)) nargs, cgi_sink *output, void attribute((unused)) *u) { dcgi_state *ds = u; - int result; - - if(config->restrictions & RESTRICT_SCRATCH) { - lookups(ds, DC_PLAYING); - result = (ds->g->playing - && (!ds->g->playing->submitter - || !strcmp(ds->g->playing->submitter, - disorder_user(ds->g->client)))); - } else - result = 1; - sink_printf(output->sink, "%s", bool2str(result)); + + lookups(ds, DC_PLAYING|DC_RIGHTS); + sink_printf(output->sink, "%s", + bool2str(right_scratchable(ds->g->rights, + disorder_user(ds->g->client), + ds->g->playing))); } static void exp_removable(int attribute((unused)) nargs, @@ -1254,16 +1407,25 @@ static void exp_removable(int attribute((unused)) nargs, cgi_sink *output, void attribute((unused)) *u) { dcgi_state *ds = u; - int result; - if(config->restrictions & RESTRICT_REMOVE) - result = (ds->track - && ds->track->submitter - && !strcmp(ds->track->submitter, - disorder_user(ds->g->client))); - else - result = 1; - sink_printf(output->sink, "%s", bool2str(result)); + lookups(ds, DC_RIGHTS); + sink_printf(output->sink, "%s", + bool2str(right_removable(ds->g->rights, + disorder_user(ds->g->client), + ds->track))); +} + +static void exp_movable(int attribute((unused)) nargs, + char attribute((unused)) **args, + cgi_sink *output, + void attribute((unused)) *u) { + dcgi_state *ds = u; + + lookups(ds, DC_RIGHTS); + sink_printf(output->sink, "%s", + bool2str(right_movable(ds->g->rights, + disorder_user(ds->g->client), + ds->track))); } static void exp_navigate(int attribute((unused)) nargs, @@ -1536,6 +1698,58 @@ static void exp_user(int attribute((unused)) nargs, cgi_output(output, "%s", disorder_user(ds->g->client)); } +static void exp_right(int attribute((unused)) nargs, + char **args, + cgi_sink *output, + void *u) { + dcgi_state *const ds = u; + const char *right = expandarg(args[0], ds); + rights_type r; + + lookups(ds, DC_RIGHTS); + if(parse_rights(right, &r, 1/*report*/)) + r = 0; + if(args[1] == 0) + cgi_output(output, "%s", bool2str(!!(r & ds->g->rights))); + else if(r & ds->g->rights) + expandstring(output, args[1], ds); + else if(args[2]) + expandstring(output, args[2], ds); +} + +static void exp_userinfo(int attribute((unused)) nargs, + char **args, + cgi_sink *output, + void *u) { + dcgi_state *const ds = u; + const char *value; + + if(disorder_userinfo(ds->g->client, disorder_user(ds->g->client), args[0], + (char **)&value)) + value = ""; + cgi_output(output, "%s", value); +} + +static void exp_image(int attribute((unused)) nargs, + char **args, + cgi_sink *output, + void attribute((unused)) *u) { + char *labelname; + const char *imagestem; + + byte_xasprintf(&labelname, "images.%s", args[0]); + if(cgi_label_exists(labelname)) + imagestem = cgi_label(labelname); + else if(strchr(args[0], '.')) + imagestem = args[0]; + else + byte_xasprintf((char **)&imagestem, "%s.png", args[0]); + if(cgi_label_exists("url.static")) + cgi_output(output, "%s/%s", cgi_label("url.static"), imagestem); + else + cgi_output(output, "/disorder/%s", imagestem); +} + static const struct cgi_expansion expansions[] = { { "#", 0, INT_MAX, EXP_MAGIC, exp_comment }, { "action", 0, 0, 0, exp_action }, @@ -1551,6 +1765,7 @@ static const struct cgi_expansion expansions[] = { { "fullname", 0, 0, 0, exp_fullname }, { "id", 0, 0, 0, exp_id }, { "if", 2, 3, EXP_MAGIC, exp_if }, + { "image", 1, 1, 0, exp_image }, { "include", 1, 1, 0, exp_include }, { "index", 0, 0, 0, exp_index }, { "isdirectories", 0, 0, 0, exp_isdirectories }, @@ -1563,6 +1778,7 @@ static const struct cgi_expansion expansions[] = { { "isrecent", 0, 0, 0, exp_isrecent }, { "label", 1, 1, 0, exp_label }, { "length", 0, 0, 0, exp_length }, + { "movable", 0, 0, 0, exp_movable }, { "navigate", 2, 2, EXP_MAGIC, exp_navigate }, { "ne", 2, 2, 0, exp_ne }, { "new", 1, 1, EXP_MAGIC, exp_new }, @@ -1583,6 +1799,7 @@ static const struct cgi_expansion expansions[] = { { "recent", 1, 1, EXP_MAGIC, exp_recent }, { "removable", 0, 0, 0, exp_removable }, { "resolve", 1, 1, 0, exp_resolve }, + { "right", 1, 3, EXP_MAGIC, exp_right }, { "scratchable", 0, 0, 0, exp_scratchable }, { "search", 2, 3, EXP_MAGIC, exp_search }, { "server-version", 0, 0, 0, exp_server_version }, @@ -1596,6 +1813,7 @@ static const struct cgi_expansion expansions[] = { { "url", 0, 0, 0, exp_url }, { "urlquote", 1, 1, 0, exp_urlquote }, { "user", 0, 0, 0, exp_user }, + { "userinfo", 1, 1, 0, exp_userinfo }, { "version", 0, 0, 0, exp_version }, { "volume", 1, 1, 0, exp_volume }, { "when", 0, 0, 0, exp_when }, @@ -1636,7 +1854,14 @@ static void perform_action(cgi_sink *output, dcgi_state *ds, void disorder_cgi(cgi_sink *output, dcgi_state *ds) { const char *action = cgi_get("action"); - if(!action) action = "playing"; + if(!action) { + /* We allow URLs which are just confirm=... in order to keep confirmation + * URLs, which are user-facing, as short as possible. */ + if(cgi_get("c")) + action = "confirm"; + else + action = "playing"; + } perform_action(output, ds, action); } @@ -1646,6 +1871,22 @@ void disorder_cgi_error(cgi_sink *output, dcgi_state *ds, perform_action(output, ds, "error"); } +/** @brief Log in as the current user or guest if none */ +void disorder_cgi_login(dcgi_state *ds, cgi_sink *output) { + /* Create a new connection */ + ds->g->client = disorder_new(0); + /* Forget everything we knew */ + ds->g->flags = 0; + /* Reconnect */ + if(disorder_connect_cookie(ds->g->client, login_cookie)) { + disorder_cgi_error(output, ds, "connect"); + exit(0); + } + /* If there was a cookie but it went bad, we forget it */ + if(login_cookie && !strcmp(disorder_user(ds->g->client), "guest")) + login_cookie = 0; +} + /* Local Variables: c-basic-offset:2