X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/blobdiff_plain/c85b702265244a34b1f977c9bf22f913689b906f..3c499fe72ea3c8527663a4fb7df9f6d627fc42b7:/server/dcgi.c diff --git a/server/dcgi.c b/server/dcgi.c index 07e1825..33630fa 100644 --- a/server/dcgi.c +++ b/server/dcgi.c @@ -1,6 +1,6 @@ /* * This file is part of DisOrder. - * Copyright (C) 2004, 2005, 2006, 2007 Richard Kettlewell + * Copyright (C) 2004-2008 Richard Kettlewell * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -39,7 +39,6 @@ #include "vector.h" #include "sink.h" #include "cgi.h" -#include "dcgi.h" #include "log.h" #include "configuration.h" #include "table.h" @@ -54,6 +53,13 @@ #include "defs.h" #include "trackname.h" #include "charset.h" +#include "dcgi.h" +#include "url.h" +#include "mime.h" +#include "sendmail.h" +#include "base64.h" + +char *login_cookie; static void expand(cgi_sink *output, const char *template, @@ -68,15 +74,23 @@ struct entry { const char *display; }; +static const char nonce_base64_table[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/*"; + static const char *nonce(void) { - static unsigned long count; - char *s; + static uint32_t count; - byte_xasprintf(&s, "%lx%lx%lx", - (unsigned long)time(0), - (unsigned long)getpid(), - count++); - return s; + struct ndata { + uint16_t count; + uint16_t pid; + uint32_t when; + } nd; + + nd.count = count++; + nd.pid = (uint32_t)getpid(); + nd.when = (uint32_t)time(0); + return generic_to_base64((void *)&nd, sizeof nd, + nonce_base64_table); } static int compare_entry(const void *a, const void *b) { @@ -99,18 +113,60 @@ static const char *front_url(void) { return config->url; } +static void header_cookie(struct sink *output) { + struct dynstr d[1]; + struct url u; + + memset(&u, 0, sizeof u); + dynstr_init(d); + parse_url(config->url, &u); + if(login_cookie) { + dynstr_append_string(d, "disorder="); + dynstr_append_string(d, login_cookie); + } else { + /* Force browser to discard cookie */ + dynstr_append_string(d, "disorder=none;Max-Age=0"); + } + if(u.path) { + /* The default domain matches the request host, so we need not override + * that. But the default path only goes up to the rightmost /, which would + * cause the browser to expose the cookie to other CGI programs on the same + * web server. */ + dynstr_append_string(d, ";Version=1;Path="); + /* Formally we are supposed to quote the path, since it invariably has a + * slash in it. However Safari does not parse quoted paths correctly, so + * this won't work. Fortunately nothing else seems to care about proper + * quoting of paths, so in practice we get with it. (See also + * parse_cookie() where we are liberal about cookie paths on the way back + * in.) */ + dynstr_append_string(d, u.path); + } + dynstr_terminate(d); + cgi_header(output, "Set-Cookie", d->vec); +} + static void redirect(struct sink *output) { const char *back; - cgi_header(output, "Location", - (back = cgi_get("back")) ? back : front_url()); + back = cgi_get("back"); + cgi_header(output, "Location", back && *back ? back : front_url()); + header_cookie(output); cgi_body(output); } +static void expand_template(dcgi_state *ds, cgi_sink *output, + const char *action) { + cgi_header(output->sink, "Content-Type", "text/html"); + header_cookie(output->sink); + cgi_body(output->sink); + expand(output, action, ds); +} + static void lookups(dcgi_state *ds, unsigned want) { unsigned need; struct queue_entry *r, *rnext; const char *dir, *re; + char *rights; if(ds->g->client && (need = want ^ (ds->g->flags & want)) != 0) { if(need & DC_QUEUE) @@ -145,6 +201,12 @@ static void lookups(dcgi_state *ds, unsigned want) { &ds->g->files, &ds->g->nfiles)) ds->g->nfiles = 0; } + if(need & DC_RIGHTS) { + ds->g->rights = RIGHT_READ; /* fail-safe */ + if(!disorder_userinfo(ds->g->client, disorder_user(ds->g->client), + "rights", &rights)) + parse_rights(rights, &ds->g->rights, 1); + } ds->g->flags |= need; } } @@ -245,6 +307,7 @@ static void act_playing(cgi_sink *output, dcgi_state *ds) { byte_snprintf(r, sizeof r, "%ld;url=%s", refresh > 0 ? refresh : 1, front_url()); cgi_header(output->sink, "Refresh", r); + header_cookie(output->sink); cgi_body(output->sink); expand(output, "playing", ds); } @@ -311,9 +374,11 @@ static void act_volume(cgi_sink *output, dcgi_state *ds) { * URL) */ cgi_header(output->sink, "Location", (back = cgi_get("back")) ? back : volume_url()); + header_cookie(output->sink); cgi_body(output->sink); } else { cgi_header(output->sink, "Content-Type", "text/html"); + header_cookie(output->sink); cgi_body(output->sink); expand(output, "volume", ds); } @@ -361,8 +426,18 @@ static void process_prefs(dcgi_state *ds, int numfile) { disorder_unset(ds->g->client, file, "pick_at_random"); else disorder_set(ds->g->client, file, "pick_at_random", "0"); - if((value = numbered_arg("tags", numfile))) - disorder_set(ds->g->client, file, "tags", value); + if((value = numbered_arg("tags", numfile))) { + if(!*value) + disorder_unset(ds->g->client, file, "tags"); + else + disorder_set(ds->g->client, file, "tags", value); + } + if((value = numbered_arg("weight", numfile))) { + if(!*value || !strcmp(value, "90000")) + disorder_unset(ds->g->client, file, "weight"); + else + disorder_set(ds->g->client, file, "weight", value); + } } else if((name = cgi_get("name"))) { /* Raw preferences. Not well supported in the templates at the moment. */ value = cgi_get("value"); @@ -382,6 +457,7 @@ static void act_prefs(cgi_sink *output, dcgi_state *ds) { for(numfile = 0; numfile < nfiles; ++numfile) process_prefs(ds, numfile); cgi_header(output->sink, "Content-Type", "text/html"); + header_cookie(output->sink); cgi_body(output->sink); expand(output, "prefs", ds); } @@ -400,12 +476,228 @@ static void act_resume(cgi_sink *output, redirect(output->sink); } +static void act_login(cgi_sink *output, + dcgi_state *ds) { + const char *username, *password, *back; + disorder_client *c; + + username = cgi_get("username"); + password = cgi_get("password"); + if(!username || !password + || !strcmp(username, "guest")/*bodge to avoid guest cookies*/) { + /* We're just visiting the login page */ + expand_template(ds, output, "login"); + return; + } + /* We'll need a new connection as we are going to stop being guest */ + c = disorder_new(0); + if(disorder_connect_user(c, username, password)) { + cgi_set_option("error", "loginfailed"); + expand_template(ds, output, "login"); + return; + } + if(disorder_make_cookie(c, &login_cookie)) { + cgi_set_option("error", "cookiefailed"); + expand_template(ds, output, "login"); + return; + } + /* Use the new connection henceforth */ + ds->g->client = c; + ds->g->flags = 0; + /* We have a new cookie */ + header_cookie(output->sink); + cgi_set_option("status", "loginok"); + if((back = cgi_get("back")) && *back) + /* Redirect back to somewhere or other */ + redirect(output->sink); + else + /* Stick to the login page */ + expand_template(ds, output, "login"); +} + +static void act_logout(cgi_sink *output, + dcgi_state *ds) { + disorder_revoke(ds->g->client); + login_cookie = 0; + /* Reconnect as guest */ + disorder_cgi_login(ds, output); + /* Back to the login page */ + cgi_set_option("status", "logoutok"); + expand_template(ds, output, "login"); +} + +static void act_register(cgi_sink *output, + dcgi_state *ds) { + const char *username, *password, *password2, *email; + char *confirm, *content_type; + const char *text, *encoding, *charset; + + username = cgi_get("username"); + password = cgi_get("password1"); + password2 = cgi_get("password2"); + email = cgi_get("email"); + + if(!username || !*username) { + cgi_set_option("error", "nousername"); + expand_template(ds, output, "login"); + return; + } + if(!password || !*password) { + cgi_set_option("error", "nopassword"); + expand_template(ds, output, "login"); + return; + } + if(!password2 || !*password2 || strcmp(password, password2)) { + cgi_set_option("error", "passwordmismatch"); + expand_template(ds, output, "login"); + return; + } + if(!email || !*email) { + cgi_set_option("error", "noemail"); + expand_template(ds, output, "login"); + return; + } + /* We could well do better address validation but for now we'll just do the + * minimum */ + if(!strchr(email, '@')) { + cgi_set_option("error", "bademail"); + expand_template(ds, output, "login"); + return; + } + if(disorder_register(ds->g->client, username, password, email, &confirm)) { + cgi_set_option("error", "cannotregister"); + expand_template(ds, output, "login"); + return; + } + /* Send the user a mail */ + /* TODO templatize this */ + byte_xasprintf((char **)&text, + "Welcome to DisOrder. To active your login, please visit this URL:\n" + "\n" + "%s?c=%s\n", config->url, urlencodestring(confirm)); + if(!(text = mime_encode_text(text, &charset, &encoding))) + fatal(0, "cannot encode email"); + byte_xasprintf(&content_type, "text/plain;charset=%s", + quote822(charset, 0)); + sendmail("", config->mail_sender, email, "Welcome to DisOrder", + encoding, content_type, text); /* TODO error checking */ + /* We'll go back to the login page with a suitable message */ + cgi_set_option("status", "registered"); + expand_template(ds, output, "login"); +} + +static void act_confirm(cgi_sink *output, + dcgi_state *ds) { + const char *confirmation; + + if(!(confirmation = cgi_get("c"))) { + cgi_set_option("error", "noconfirm"); + expand_template(ds, output, "login"); + } + /* Confirm our registration */ + if(disorder_confirm(ds->g->client, confirmation)) { + cgi_set_option("error", "badconfirm"); + expand_template(ds, output, "login"); + } + /* Get a cookie */ + if(disorder_make_cookie(ds->g->client, &login_cookie)) { + cgi_set_option("error", "cookiefailed"); + expand_template(ds, output, "login"); + return; + } + /* Discard any cached data JIC */ + ds->g->flags = 0; + /* We have a new cookie */ + header_cookie(output->sink); + cgi_set_option("status", "confirmed"); + expand_template(ds, output, "login"); +} + +static void act_edituser(cgi_sink *output, + dcgi_state *ds) { + const char *email = cgi_get("email"), *password = cgi_get("changepassword1"); + const char *password2 = cgi_get("changepassword2"); + int newpassword = 0; + disorder_client *c; + + if((password && *password) || (password && *password2)) { + if(!password || !password2 || strcmp(password, password2)) { + cgi_set_option("error", "passwordmismatch"); + expand_template(ds, output, "login"); + return; + } + } else + password = password2 = 0; + + if(email) { + if(disorder_edituser(ds->g->client, disorder_user(ds->g->client), + "email", email)) { + cgi_set_option("error", "badedit"); + expand_template(ds, output, "login"); + return; + } + } + if(password) { + if(disorder_edituser(ds->g->client, disorder_user(ds->g->client), + "password", password)) { + cgi_set_option("error", "badedit"); + expand_template(ds, output, "login"); + return; + } + newpassword = 1; + } + if(newpassword) { + login_cookie = 0; /* it'll be invalid now */ + /* This is a bit duplicative of act_login() */ + c = disorder_new(0); + if(disorder_connect_user(c, disorder_user(ds->g->client), password)) { + cgi_set_option("error", "loginfailed"); + expand_template(ds, output, "login"); + return; + } + if(disorder_make_cookie(c, &login_cookie)) { + cgi_set_option("error", "cookiefailed"); + expand_template(ds, output, "login"); + return; + } + /* Use the new connection henceforth */ + ds->g->client = c; + ds->g->flags = 0; + /* We have a new cookie */ + header_cookie(output->sink); + } + cgi_set_option("status", "edited"); + expand_template(ds, output, "login"); +} + +static void act_reminder(cgi_sink *output, + dcgi_state *ds) { + const char *const username = cgi_get("username"); + + if(!username || !*username) { + cgi_set_option("error", "nousername"); + expand_template(ds, output, "login"); + return; + } + if(disorder_reminder(ds->g->client, username)) { + cgi_set_option("error", "reminderfailed"); + expand_template(ds, output, "login"); + return; + } + cgi_set_option("status", "reminded"); + expand_template(ds, output, "login"); +} + static const struct action { const char *name; void (*handler)(cgi_sink *output, dcgi_state *ds); } actions[] = { + { "confirm", act_confirm }, { "disable", act_disable }, + { "edituser", act_edituser }, { "enable", act_enable }, + { "login", act_login }, + { "logout", act_logout }, { "move", act_move }, { "pause", act_pause }, { "play", act_play }, @@ -413,6 +705,8 @@ static const struct action { { "prefs", act_prefs }, { "random-disable", act_random_disable }, { "random-enable", act_random_enable }, + { "register", act_register }, + { "reminder", act_reminder }, { "remove", act_remove }, { "resume", act_resume }, { "scratch", act_scratch }, @@ -446,7 +740,7 @@ static void exp_version(int attribute((unused)) nargs, char attribute((unused)) **args, cgi_sink *output, void attribute((unused)) *u) { - cgi_output(output, "%s", disorder_version_string); + cgi_output(output, "%s", disorder_short_version_string); } static void exp_nonce(int attribute((unused)) nargs, @@ -1110,17 +1404,12 @@ static void exp_scratchable(int attribute((unused)) nargs, cgi_sink *output, void attribute((unused)) *u) { dcgi_state *ds = u; - int result; - - if(config->restrictions & RESTRICT_SCRATCH) { - lookups(ds, DC_PLAYING); - result = (ds->g->playing - && (!ds->g->playing->submitter - || !strcmp(ds->g->playing->submitter, - disorder_user(ds->g->client)))); - } else - result = 1; - sink_printf(output->sink, "%s", bool2str(result)); + + lookups(ds, DC_PLAYING|DC_RIGHTS); + sink_printf(output->sink, "%s", + bool2str(right_scratchable(ds->g->rights, + disorder_user(ds->g->client), + ds->g->playing))); } static void exp_removable(int attribute((unused)) nargs, @@ -1128,16 +1417,25 @@ static void exp_removable(int attribute((unused)) nargs, cgi_sink *output, void attribute((unused)) *u) { dcgi_state *ds = u; - int result; - if(config->restrictions & RESTRICT_REMOVE) - result = (ds->track - && ds->track->submitter - && !strcmp(ds->track->submitter, - disorder_user(ds->g->client))); - else - result = 1; - sink_printf(output->sink, "%s", bool2str(result)); + lookups(ds, DC_RIGHTS); + sink_printf(output->sink, "%s", + bool2str(right_removable(ds->g->rights, + disorder_user(ds->g->client), + ds->track))); +} + +static void exp_movable(int attribute((unused)) nargs, + char attribute((unused)) **args, + cgi_sink *output, + void attribute((unused)) *u) { + dcgi_state *ds = u; + + lookups(ds, DC_RIGHTS); + sink_printf(output->sink, "%s", + bool2str(right_movable(ds->g->rights, + disorder_user(ds->g->client), + ds->track))); } static void exp_navigate(int attribute((unused)) nargs, @@ -1401,6 +1699,67 @@ static void exp_nfiles(int attribute((unused)) nargs, cgi_output(output, "1"); } +static void exp_user(int attribute((unused)) nargs, + char attribute((unused)) **args, + cgi_sink *output, + void *u) { + dcgi_state *const ds = u; + + cgi_output(output, "%s", disorder_user(ds->g->client)); +} + +static void exp_right(int attribute((unused)) nargs, + char **args, + cgi_sink *output, + void *u) { + dcgi_state *const ds = u; + const char *right = expandarg(args[0], ds); + rights_type r; + + lookups(ds, DC_RIGHTS); + if(parse_rights(right, &r, 1/*report*/)) + r = 0; + if(args[1] == 0) + cgi_output(output, "%s", bool2str(!!(r & ds->g->rights))); + else if(r & ds->g->rights) + expandstring(output, args[1], ds); + else if(args[2]) + expandstring(output, args[2], ds); +} + +static void exp_userinfo(int attribute((unused)) nargs, + char **args, + cgi_sink *output, + void *u) { + dcgi_state *const ds = u; + const char *value; + + if(disorder_userinfo(ds->g->client, disorder_user(ds->g->client), args[0], + (char **)&value)) + value = ""; + cgi_output(output, "%s", value); +} + +static void exp_image(int attribute((unused)) nargs, + char **args, + cgi_sink *output, + void attribute((unused)) *u) { + char *labelname; + const char *imagestem; + + byte_xasprintf(&labelname, "images.%s", args[0]); + if(cgi_label_exists(labelname)) + imagestem = cgi_label(labelname); + else if(strchr(args[0], '.')) + imagestem = args[0]; + else + byte_xasprintf((char **)&imagestem, "%s.png", args[0]); + if(cgi_label_exists("url.static")) + cgi_output(output, "%s/%s", cgi_label("url.static"), imagestem); + else + cgi_output(output, "/disorder/%s", imagestem); +} + static const struct cgi_expansion expansions[] = { { "#", 0, INT_MAX, EXP_MAGIC, exp_comment }, { "action", 0, 0, 0, exp_action }, @@ -1416,6 +1775,7 @@ static const struct cgi_expansion expansions[] = { { "fullname", 0, 0, 0, exp_fullname }, { "id", 0, 0, 0, exp_id }, { "if", 2, 3, EXP_MAGIC, exp_if }, + { "image", 1, 1, 0, exp_image }, { "include", 1, 1, 0, exp_include }, { "index", 0, 0, 0, exp_index }, { "isdirectories", 0, 0, 0, exp_isdirectories }, @@ -1428,6 +1788,7 @@ static const struct cgi_expansion expansions[] = { { "isrecent", 0, 0, 0, exp_isrecent }, { "label", 1, 1, 0, exp_label }, { "length", 0, 0, 0, exp_length }, + { "movable", 0, 0, 0, exp_movable }, { "navigate", 2, 2, EXP_MAGIC, exp_navigate }, { "ne", 2, 2, 0, exp_ne }, { "new", 1, 1, EXP_MAGIC, exp_new }, @@ -1448,6 +1809,7 @@ static const struct cgi_expansion expansions[] = { { "recent", 1, 1, EXP_MAGIC, exp_recent }, { "removable", 0, 0, 0, exp_removable }, { "resolve", 1, 1, 0, exp_resolve }, + { "right", 1, 3, EXP_MAGIC, exp_right }, { "scratchable", 0, 0, 0, exp_scratchable }, { "search", 2, 3, EXP_MAGIC, exp_search }, { "server-version", 0, 0, 0, exp_server_version }, @@ -1460,6 +1822,8 @@ static const struct cgi_expansion expansions[] = { { "transform", 2, 3, 0, exp_transform }, { "url", 0, 0, 0, exp_url }, { "urlquote", 1, 1, 0, exp_urlquote }, + { "user", 0, 0, 0, exp_user }, + { "userinfo", 1, 1, 0, exp_userinfo }, { "version", 0, 0, 0, exp_version }, { "volume", 1, 1, 0, exp_volume }, { "when", 0, 0, 0, exp_when }, @@ -1489,19 +1853,25 @@ static void perform_action(cgi_sink *output, dcgi_state *ds, const char *action) { int n; + /* We don't ever want anything to be cached */ + cgi_header(output->sink, "Cache-Control", "no-cache"); if((n = TABLE_FIND(actions, struct action, name, action)) >= 0) actions[n].handler(output, ds); - else { - cgi_header(output->sink, "Content-Type", "text/html"); - cgi_body(output->sink); - expand(output, action, ds); - } + else + expand_template(ds, output, action); } void disorder_cgi(cgi_sink *output, dcgi_state *ds) { const char *action = cgi_get("action"); - if(!action) action = "playing"; + if(!action) { + /* We allow URLs which are just confirm=... in order to keep confirmation + * URLs, which are user-facing, as short as possible. */ + if(cgi_get("c")) + action = "confirm"; + else + action = "playing"; + } perform_action(output, ds, action); } @@ -1511,6 +1881,22 @@ void disorder_cgi_error(cgi_sink *output, dcgi_state *ds, perform_action(output, ds, "error"); } +/** @brief Log in as the current user or guest if none */ +void disorder_cgi_login(dcgi_state *ds, cgi_sink *output) { + /* Create a new connection */ + ds->g->client = disorder_new(0); + /* Forget everything we knew */ + ds->g->flags = 0; + /* Reconnect */ + if(disorder_connect_cookie(ds->g->client, login_cookie)) { + disorder_cgi_error(output, ds, "connect"); + exit(0); + } + /* If there was a cookie but it went bad, we forget it */ + if(login_cookie && !strcmp(disorder_user(ds->g->client), "guest")) + login_cookie = 0; +} + /* Local Variables: c-basic-offset:2