Commit graph

422 commits

Author SHA1 Message Date
VirtualTam
51f0128cdb Refactor session and cookie timeout control
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
fab87c2696 Move LoginManager and SessionManager to the Security namespace
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
68dcaccfa4 LoginManager: remove unused parameter
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
89ccc83ba4 Login: update PageBuilder and default/vintage templates
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
8474208474 Pass the client IP ID to LoginManager
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-06-02 16:46:06 +02:00
VirtualTam
63ea23c2a6 Refactor user credential validation at login time
Changed:
- move login/password verification to LoginManager
- code cleanup

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
49f1832316 Refactor PHP session handling during login/logout
Changed:
- move $_SESSION handling to SessionManager
- code cleanup

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
db45a36a53 Refactor SessionManager::$INACTIVITY_TIMEOUT
Changed:
- move INACTIVITY_TIMEOUT to SessionManager
- inject a dependency to a SessionManager instance in:
  - fillSessionInfo()
  - setup_login_state()
  - check_auth()
- cleanup related code and comments

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
VirtualTam
88110550b8 Refactor client session hijacking protection
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-05-29 22:53:54 +02:00
ArthurHoaro
8d2cac1be6 Fix parameter order which was preventing max_dl parameter to work properly 2018-05-01 16:40:08 +02:00
ArthurHoaro
15410df113 Fix warning when trying to save redictor setting from the configure page
It has been removed from the web page.

Fixes #1099
2018-03-13 18:11:58 +01:00
ArthurHoaro
4294bc7b98
Merge pull request #1096 from ArthurHoaro/feature/download-params
Make max download size and timeout configurable
2018-03-13 18:02:49 +01:00
ArthurHoaro
4ff3ed1c47 Make max download size and timeout configurable
Fixes #1061
2018-03-07 23:03:21 +01:00
ArthurHoaro
d2d4f993e1 PSR: use elseif instead of else if
See https://www.php-fig.org/psr/psr-2/\#51-if-elseif-else
2018-02-28 22:34:40 +01:00
ArthurHoaro
980efd6cf8 Use a specific page title in all pages
Also fixed a few French translation issues

Fixes #954 #955
2018-02-24 12:48:49 +01:00
VirtualTam
44acf70681 Refactor login / ban authentication steps
Relates to https://github.com/shaarli/Shaarli/issues/324

Added:
- Add the `LoginManager` class to manage logins and bans

Changed:
- Refactor IP ban management
- Simplify logic
- Avoid using globals, inject dependencies

Fixed:
- Use `ban_duration` instead of `ban_after` when setting a new ban

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-02-05 18:12:09 +01:00
ArthurHoaro
a381c373b3
Merge pull request #1074 from kalvn/feature/dailymarkdown
Executes daily hooks before creating columns.
2018-02-02 19:23:26 +01:00
ArthurHoaro
bc3ce7ec2a
Merge pull request #1038 from ArthurHoaro/feature/public-only-filter
Add a filter to only display public links
2018-02-02 19:22:37 +01:00
kalvn
50142efd1b Executes daily hooks before creating columns. 2018-02-01 13:16:58 +01:00
ArthurHoaro
b7c412d4d0 Use LC_COLLATE instead of LC_MESSAGES if php-intl is not installed
As stated in the docs:

> LC_MESSAGES for system responses (available if PHP was compiled with libintl)

Fixes #1067
2018-01-31 12:39:17 +01:00
ArthurHoaro
d2f6d909e5 Public/private filter: use two separate buttons
#1038
2018-01-24 18:46:31 +01:00
ArthurHoaro
d449f79a0d
Merge pull request #977 from ArthurHoaro/feature/dl-filter
Extract the title/charset during page download, and check content type
2018-01-23 18:41:38 +01:00
VirtualTam
65c002ca18 Fix XSS vulnerability
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2018-01-04 15:53:48 +01:00
ArthurHoaro
9d4736a3e9 Add a filter to only display public links
When the key filter is clicked once, it only displays private link. When it is clicked on again, it becomes red and only public links are displayed. Another click and all links are displayed. The current visibility status is shown in the search banner

Fixes #1030
2017-12-16 14:32:56 +01:00
ArthurHoaro
fd08b50a80 Don't URL encode description links if parameter 'redirector.encode_url' is set to false 2017-11-07 20:23:58 +01:00
ArthurHoaro
d65342e304 Extract the title/charset during page download, and check content type
Use CURLOPT_WRITEFUNCTION to check the response code and content type (only allow HTML).
Also extract the title and charset during downloading chunk of data, and stop it when everything has been extracted.

Closes #579
2017-10-28 14:35:49 +02:00
VirtualTam
fd7d84616d Move session ID check to SessionManager
Relates to https://github.com/shaarli/Shaarli/issues/324

Changed:
- `is_session_id_valid()` -> `SessionManager::checkId()`
- update tests

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-10-22 19:54:44 +02:00
VirtualTam
ebd650c06c Refactor session token management
Relates to https://github.com/shaarli/Shaarli/issues/324

Added:
- `SessionManager` class to group session-related features
- unit tests

Changed:
- `getToken()` -> `SessionManager->generateToken()`
- `tokenOk()` -> `SessionManager->checkToken()`
- inject a `$token` parameter to `PageBuilder`'s constructor

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-10-22 19:19:46 +02:00
ArthurHoaro
f39580c6fd Add language selection in the configure page of the default theme 2017-10-22 13:16:53 +02:00
ArthurHoaro
12266213d0 Shaarli's translation
* translation system and unit tests
 * Translations everywhere

Dont use translation merge

It is not available with PHP builtin gettext, so it would have lead to inconsistency.
2017-10-22 12:55:03 +02:00
ArthurHoaro
be9ddff2fb Merge pull request #987 from ArthurHoaro/hotfix/security-issue
Fix security issue reported by @chb9
2017-10-07 11:33:20 +02:00
ArthurHoaro
d14555a3df Fix security issue reported by @chbi
Vulnerability introduced by 6ccd0b218f - release with Shaarli v0.9.1.
2017-10-07 11:27:44 +02:00
VirtualTam
c8d96b4729 Merge pull request #979 from ArthurHoaro/feature/assets-cache-version
Add a version hash for asset loading to prevent browser's cache issue
2017-10-06 14:32:07 +02:00
Mark Gerarts
722caa2090 Allow setting of a default note title, see #963 2017-10-01 14:19:57 +02:00
ArthurHoaro
b3e1f92e9c Rename shaarli_version constant to uppercase 2017-10-01 11:11:16 +02:00
Willi Eggeling
27e21231e1 added option to redirect all anonymous users to login page
- new setting *force_login* added and documented
- if both, *force_login* and *hide_public_links* are set to true, all requests
  (except for the feeds) are redirected to the login page
2017-09-03 11:46:49 +02:00
ArthurHoaro
96a1c79456 Merge pull request #939 from ArthurHoaro/hotfix/firefox-social-title
Firefox Social title: Use document.title instead of RainTPL variable
2017-09-02 13:54:38 +02:00
ArthurHoaro
a3130d2c2f Make work behind a reverse proxy
Without HTTP_X_FORWARDED_PORT check,  might be set to false even though the user is using HTTPS, thus disabling Firefox Social block display
2017-09-02 13:50:49 +02:00
ArthurHoaro
87d019986e Merge pull request #950 from thewilli/delete-fix
fixed link deletion
2017-09-01 18:25:44 +02:00
ArthurHoaro
c5f5365ae6 Merge pull request #951 from thewilli/fix-daily
fixed daily links if there are no links
2017-09-01 18:25:09 +02:00
Willi Eggeling
a74f52a8d2 fixed link deletion
When deleting links, the js of the default theme separated ids by an escaped space ('+').
There was a trailing '+' after the ids which led to the php code detecting multiple values
even for single values. In combination with the id '0' this could led to no id found at all
and a resulting php error.

this commit fixes the behavior and adds an additional error handling and trimming to the php code.
2017-08-30 12:54:58 +02:00
Willi Eggeling
5a0045be79 fixed daily links if there are no links
- the previous code tried to use links from a previous day if there are no one for the current one
- the new code skips this part if there are no entries (i.e. days) at all
- modified showDaily() to fit PSR-1 and PSR-2
2017-08-30 12:42:58 +02:00
VirtualTam
e4ed3a46b7 Merge pull request #944 from thewilli/configure-rememberme
new setting: default value for 'remember me' checkbox
2017-08-27 16:36:53 +02:00
Willi Eggeling
2e07e77573 new setting: default value for 'remember me' checkbox
- the default state for the login page's 'remember me' checkbox can now be configured
- adapted the default and vintage theme to consider the new setting
- added documentation for the new setting
2017-08-27 16:03:37 +02:00
VirtualTam
fc27141cf6 Merge pull request #940 from ArthurHoaro/hotfix/empty-urls
Generates a permalink URL if the URL is set to blank
2017-08-27 13:15:43 +02:00
VirtualTam
e8cef3ac43 Merge pull request #942 from thewilli/fix-wiki-links
migrated Github wiki links to readthedocs
2017-08-27 13:12:58 +02:00
Willi Eggeling
a544b113f2 code clean: cookie expiration
- unified code style (spaces around operators)
- prevented expiration time to be calculated twice
- replaced tabs with spaces
2017-08-26 23:51:38 +02:00
Willi Eggeling
94c035ff71 removed doc and code references to magic quotes
- removed all references to magic quotes
- magic quotes are not supported on PHP >= 5.4 (https://secure.php.net/manual/en/security.magicquotes.php)
- Shaarli does not support PHP < 5.5
2017-08-26 11:27:18 +02:00
Willi Eggeling
cc8f572bc0 migrated Github wiki links to readthedocs 2017-08-26 09:40:57 +02:00
ArthurHoaro
c27f2f36f2 Generates a permalinks URL if the URL is set to blank
Fixes #926
2017-08-25 20:08:07 +02:00