Includes:
- og:title
- og:type -> article
- og:image -> if there is a thumbnail
- og:url -> permalink
- og:description -> first 300 chars of raw description
- article:published_time
- article:modified_time
- article:tag -> one OG meta tag for each shaare tag
Fixes#258
Do not try to alter the datastore by updating thumbnails if the user isn't logged in.
Also, do not enable thumbnails if PHP GD extension is not installed/loaded
- add a default thumb size value (125x90px)
- improve private vertical bar visual, especially with thumbnails
- translations
- add a sync thumbs button in tool and empty picwall page
- fixes WT download mode in JSON config
* requires PHP 5.6
* use blazy on linklist since a lot more thumbs are retrieved
* thumbnails can be disabled
* thumbs size is now 120x120
* thumbs are now cropped to fit the expected size
Fixes#345#425#487#543#588#590
There already are dedicated tokens for:
- CSRF protection
- user stay-signed-in feature, via cookie
This token was most likely intended as a randomly generated,
server-side, secret key to be used when generating hashes.
See http://sebsauvage.net/wiki/doku.php?id=php:session [FR]
Relevant section:
Une clé secrète unique aléatoire est générée côté serveur (et jamais
envoyée). Elle peut servir pour signer les formulaires (HMAC) ou
générer des token de formulaires (protection contre XSRF).
Voir $_SESSION['uid'].
Translation:
A unique, server-side secret key is randomly generated (and never
transmitted). It can be used to sign forms (HMAC) or generate form
tokens (protection against XSRF).
See $_SESSION['uid']
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Changed:
- move INACTIVITY_TIMEOUT to SessionManager
- inject a dependency to a SessionManager instance in:
- fillSessionInfo()
- setup_login_state()
- check_auth()
- cleanup related code and comments
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
* Added german language selection
* German language file created
* typo
* extra space removed and typo corrected
* lines 1314 through 1408 removed as suggested
Relates to https://github.com/shaarli/Shaarli/issues/324
Added:
- Add the `LoginManager` class to manage logins and bans
Changed:
- Refactor IP ban management
- Simplify logic
- Avoid using globals, inject dependencies
Fixed:
- Use `ban_duration` instead of `ban_after` when setting a new ban
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
When the key filter is clicked once, it only displays private link. When it is clicked on again, it becomes red and only public links are displayed. Another click and all links are displayed. The current visibility status is shown in the search banner
Fixes#1030
Relates to https://github.com/shaarli/Shaarli/pull/1005
Changed:
- pass a copy of the ConfigManager instance instead of a reference
- move FakeConfigManager to a dedicated file
- update tests
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Use CURLOPT_WRITEFUNCTION to check the response code and content type (only allow HTML).
Also extract the title and charset during downloading chunk of data, and stop it when everything has been extracted.
Closes#579
Relates to https://github.com/shaarli/Shaarli/issues/324
Added:
- `SessionManager` class to group session-related features
- unit tests
Changed:
- `getToken()` -> `SessionManager->generateToken()`
- `tokenOk()` -> `SessionManager->checkToken()`
- inject a `$token` parameter to `PageBuilder`'s constructor
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
* translation system and unit tests
* Translations everywhere
Dont use translation merge
It is not available with PHP builtin gettext, so it would have lead to inconsistency.
With large imports it has a large impact on performances and isn't really useful.
Instead, write an IMPORT event, which let client using the history service resync its DB.
-> 15k link import done in 6 seconds.
Fixes#985
The hash is generated using the same salt as the one used for credentials (1 salt per instance) in order to avoid exposing the instance version.
Fixes#965
- new setting *force_login* added and documented
- if both, *force_login* and *hide_public_links* are set to true, all requests
(except for the feeds) are redirected to the login page
- when searching for tags you can now include '*' as wildcard placeholder
- new search reduces overall overhead when filtering for tags
- fixed combination with description tag search ('#' prefix)
- tests added
- the default state for the login page's 'remember me' checkbox can now be configured
- adapted the default and vintage theme to consider the new setting
- added documentation for the new setting
Fixes#784
From now, searching for tags with an empty value will return only not tagged links,
with the search bar showing `x results [not tagged]`.
Note that using the api, the searchtags request parameter must be set to `false` to get the same result.
- [ ] Update API doc
* The tag list can be sort alphabetically or by most used tag
* Edit/Delete are perform using AJAX, or fallback to 'do=changetag' page
* New features aren't backported to vintage theme
The goal of this is to be able to adapt the timezone form
in template without hacking the HTML already rendered.
* there are two arrays available:
* `continents` which contains only a list of available continents
* `cities` which contains a list of available timezone cities, associated with their continent
Note: there are two distinct array because RainTPL doesn't support nested loop very well.
Use case: rest API service
* saved by default in data/history
* same format as datastore.php
* traced events:
* save/edit/delete link
* change settings or plugins settings
* rename tag
Error:
An error occurred while parsing configuration JSON file (data/config.json.php): error code #4
➜ Syntax error
Please check your JSON syntax (without PHP comment tags) using a JSON lint tool such as jsonlint.com.
Use php-intl extension to display datetimes a bit more nicely, depending on the locale.
What changes:
* the day is no longer displayed
* day number and month are ordered according to the locale
* the timezone is more readable (UTC+1 instead of CET)
This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
To access LinkDB items with its ArrayAccess implementation, the IDs must be consistent, which isn't the case before `updateMethodDatastoreIds()` execution. v0.6.4 method `updateMethodRenameDashTags()` was accessing it, so an upgrade <0.6.4 to >0.8.x was failing.
This just move the minor update `RenameDashTags` after the IDs update.
* Private tags: make sure empty tags are properly filtered
* Search results:
* Use preg_split instead of function combination
* Add normalize_spaces to remove extra whitespaces displaying empty tags search
Use a GET form to delete links: harmonize with edit_link and preparation for #585
Bug fixes:
* LinkDB element can't be passed as reference, fix error:
PHP Notice: Indirect modification of overloaded element of LinkDB has no effect
* Resource cache folder setting wasn't set correctly
* REST API routes are handle by Slim.
* Every API controller go through ApiMiddleware which handles security.
* First service implemented `/info`, for tests purpose.
All existing link will keep their permalinks.
New links will have smallhash generated with date+id.
The purpose of this is to avoid collision between links due to their creation date.
creation and update dates are now DateTime objects.
Since this update is very sensitve (changing the whole database), the datastore will be automatically backed up into the file datastore.<datetime>.php.
Links now use an incremental unique numeric identifier.
This ID is persistent and must never change.
ArrayAccess is used to match the link ID with the array keys (see the comment in LinkDB for more details)
Key 'created' added, with creation date as a DateTime object. 'updated' is now also a DateTime.
All plugins can optionally add an init function named `pluginname_init()` which is called when the plugin is loaded.
This function is aware of the config, and can return initialization errors, which are displayed in the header template.
Note that the previous error system hack no longer work.
Relates to https://github.com/shaarli/Shaarli/issues/607
Modifications:
- [application][tests] NetscapeBookmarkUtils: more permissive doctype detection
The IE bookmark exports contain extra escape sequences, which can be observed
by binary comparison of the reference input data used in tests:
$ cmp -b -l -n 8 netscape_basic.htm internet_explorer_encoding.htm
1 74 < 357 M-o
2 41 ! 273 M-;
3 104 D 277 M-?
4 117 O 74 <
5 103 C 41 !
6 124 T 104 D
7 131 Y 117 O
8 120 P 103 C
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Relates to #607
Relates to #608
Relates to #493 (abandoned)
Additions:
- use Composer's autoload to load 3rd-party dependencies under vendor/
Modifications:
- [import] replace the current parser with a generic, stable parser
- move code to application/NetscapeBookmarkUtils
- improve status report after parsing
- [router] use the same endpoint for both bookmark upload and import dialog
- [template] update bookmark import options
- allow adding tags to all imported links
- allow selecting the visibility (privacy) of imported links
- [tests] ensure bookmarks are properly parsed and imported in the LinkDB
- reuse reference input from the parser's test data
See:
- https://github.com/shaarli/netscape-bookmark-parser
- https://getcomposer.org/doc/01-basic-usage.md#autoloading
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
* Add a new settings (which needs to be manually set): `security.trusted_proxies`
* On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers.
* If found, the client address is added in ipbans, else we do nothing.
Fixes#409