tt-rss/backend.php

<?php
	set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .
		get_include_path());

	/* remove ill effects of magic quotes */

	if (get_magic_quotes_gpc()) {
		function stripslashes_deep($value) {
			$value = is_array($value) ?
				array_map('stripslashes_deep', $value) : stripslashes($value);
				return $value;
		}

		$_POST = array_map('stripslashes_deep', $_POST);
		$_GET = array_map('stripslashes_deep', $_GET);
		$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
		$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
	}

	$op = $_REQUEST["op"];
	@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];

	if (!$method)
		$method = 'index';
	else
		$method = strtolower($method);

	/* Public calls compatibility shim */

	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
		"fbexport", "logout", "pubsub");

	if (array_search($op, $public_calls) !== false) {
		header("Location: public.php?" . $_SERVER['QUERY_STRING']);
		return;
	}

	@$csrf_token = $_REQUEST['csrf_token'];

	require_once "sessions.php";
	require_once "functions.php";
	require_once "config.php";
	require_once "db.php";
	require_once "db-prefs.php";

	startup_gettext();

	$script_started = microtime(true);

	$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);

	if (!init_connection($link)) return;

	header("Content-Type: text/json; charset=utf-8");

	if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {
		ob_start("ob_gzhandler");
	}

	if (SINGLE_USER_MODE) {
		authenticate_user($link, "admin", null);
	}

	if ($_SESSION["uid"]) {
		load_user_plugins($link, $_SESSION["uid"]);
	}

	$purge_intervals = array(
		0  => __("Use default"),
		-1 => __("Never purge"),
		5  => __("1 week old"),
		14 => __("2 weeks old"),
		31 => __("1 month old"),
		60 => __("2 months old"),
		90 => __("3 months old"));

	$update_intervals = array(
		0   => __("Default interval"),
		-1  => __("Disable updates"),
		15  => __("Each 15 minutes"),
		30  => __("Each 30 minutes"),
		60  => __("Hourly"),
		240 => __("Each 4 hours"),
		720 => __("Each 12 hours"),
		1440 => __("Daily"),
		10080 => __("Weekly"));

	$update_intervals_nodefault = array(
		-1  => __("Disable updates"),
		15  => __("Each 15 minutes"),
		30  => __("Each 30 minutes"),
		60  => __("Hourly"),
		240 => __("Each 4 hours"),
		720 => __("Each 12 hours"),
		1440 => __("Daily"),
		10080 => __("Weekly"));

	$access_level_names = array(
		0 => __("User"),
		5 => __("Power User"),
		10 => __("Administrator"));

	#$error = sanity_check($link);

	#if ($error['code'] != 0 && $op != "logout") {
	#	print json_encode(array("error" => $error));
	#	return;
	#}

	$op = str_replace("-", "_", $op);

	global $pluginhost;
	$override = $pluginhost->lookup_handler($op, $method);

	if (class_exists($op) || $override) {

		if ($override) {
			$handler = $override;
		} else {
			$handler = new $op($link, $_REQUEST);
		}

		if ($handler && implements_interface($handler, 'IHandler')) {
			if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
				if ($handler->before($method)) {
					if ($method && method_exists($handler, $method)) {
						$handler->$method();
					} else {
						if (method_exists($handler, "catchall")) {
							$handler->catchall($method);
						}
					}
					$handler->after();
					return;
				} else {
					header("Content-Type: text/json");
					print json_encode(array("error" => array("code" => 6)));
					return;
				}
			} else {
				header("Content-Type: text/json");
				print json_encode(array("error" => array("code" => 6)));
				return;
			}
		}
	}

	header("Content-Type: text/json");
	print json_encode(array("error" => array("code" => 7)));

	// We close the connection to database.
	db_close($link);
?>
change short php tags to long ones 2006-08-19 09:04:45 +02:00			`<?php`
modify include path order (closes #514) 2012-12-09 10:41:22 +01:00			`set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .`
			`get_include_path());`
overall directory tree cleanup 2011-12-11 20:59:25 +01:00
disable magic quotes if needed 2007-05-19 15:47:37 +02:00			`/* remove ill effects of magic quotes */`

make sure magic quote workaround actually works 2010-09-07 11:22:10 +02:00			`if (get_magic_quotes_gpc()) {`
use better magic quotes removal fix 2010-09-04 09:59:33 +02:00			`function stripslashes_deep($value) {`
backend/view: use JSON instead of XML; backend: output session invalid error using JSON 2011-03-18 10:46:22 +01:00			`$value = is_array($value) ?`
use better magic quotes removal fix 2010-09-04 09:59:33 +02:00			`array_map('stripslashes_deep', $value) : stripslashes($value);`
			`return $value;`
			`}`

			`$_POST = array_map('stripslashes_deep', $_POST);`
			`$_GET = array_map('stripslashes_deep', $_GET);`
			`$_COOKIE = array_map('stripslashes_deep', $_COOKIE);`
			`$_REQUEST = array_map('stripslashes_deep', $_REQUEST);`
disable magic quotes if needed 2007-05-19 15:47:37 +02:00			`}`

fix sharing for not logged in users 2011-10-04 12:03:16 +02:00			`$op = $_REQUEST["op"];`
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];`

experimental CSRF protection 2011-12-26 09:02:52 +01:00			`if (!$method)`
			`$method = 'index';`
			`else`
			`$method = strtolower($method);`

add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`/* Public calls compatibility shim */`

			`$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",`
			`"fbexport", "logout", "pubsub");`

			`if (array_search($op, $public_calls) !== false) {`
			`header("Location: public.php?" . $_SERVER['QUERY_STRING']);`
			`return;`
			`}`
fix sharing for not logged in users 2011-10-04 12:03:16 +02:00
do not generate warning on csrf_token being unassigned 2012-01-08 20:51:47 +01:00			`@$csrf_token = $_REQUEST['csrf_token'];`
experimental CSRF protection 2011-12-26 09:02:52 +01:00
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`require_once "sessions.php";`
modify includes to init session before translations are applied 2013-01-04 22:28:07 +01:00			`require_once "functions.php";`
provide startup config.php value checking, report at D001 2006-03-27 18:08:51 +02:00			`require_once "config.php";`
better fatal error handling by frontend (remove error.php) 2006-03-31 07:18:55 +02:00			`require_once "db.php";`
			`require_once "db-prefs.php";`
provide startup config.php value checking, report at D001 2006-03-27 18:08:51 +02:00
config: remove ENABLE_TRANSLATIONS 2011-03-18 17:25:06 +01:00			`startup_gettext();`
no-cache fixes for safari 2007-03-02 12:34:34 +01:00
replace getmicrotime() wrapper with microtime(true) (2) 2013-02-27 19:20:14 +01:00			`$script_started = microtime(true);`
login system tweaks 2007-03-02 11:48:46 +01:00
backend/view: use JSON instead of XML; backend: output session invalid error using JSON 2011-03-18 10:46:22 +01:00			`$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);`
login system tweaks 2007-03-02 11:48:46 +01:00
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`if (!init_connection($link)) return;`
implement tiny-OOP routing 2011-12-12 21:20:53 +01:00
use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json; charset=utf-8");`
automatically logout user when session expires 2005-11-19 15:46:23 +01:00
only enable ob_gzhandler if it exists 2012-03-20 11:45:43 +01:00			`if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {`
backend/viewfeed: use JSON 2011-03-18 10:55:45 +01:00			`ob_start("ob_gzhandler");`
			`}`

backend: force login on init when in single user mode 2009-10-27 13:27:09 +01:00			`if (SINGLE_USER_MODE) {`
			`authenticate_user($link, "admin", null);`
			`}`

experimental support for per-user plugins (bump schema) 2012-12-24 21:45:10 +01:00			`if ($_SESSION["uid"]) {`
			`load_user_plugins($link, $_SESSION["uid"]);`
			`}`

simplify update/purge interval selection 2006-03-20 15:30:51 +01:00			`$purge_intervals = array(`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`0 => __("Use default"),`
			`-1 => __("Never purge"),`
			`5 => __("1 week old"),`
			`14 => __("2 weeks old"),`
			`31 => __("1 month old"),`
			`60 => __("2 months old"),`
			`90 => __("3 months old"));`
simplify update/purge interval selection 2006-03-20 15:30:51 +01:00
			`$update_intervals = array(`
rework feed dialog layouts 2008-08-06 09:51:28 +02:00			`0 => __("Default interval"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`-1 => __("Disable updates"),`
add 15 minute feed update interval 2007-06-01 02:55:53 +02:00			`15 => __("Each 15 minutes"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`30 => __("Each 30 minutes"),`
pref-prefs: show default update interval as a dropdown 2010-01-20 11:20:20 +01:00			`60 => __("Hourly"),`
			`240 => __("Each 4 hours"),`
			`720 => __("Each 12 hours"),`
			`1440 => __("Daily"),`
			`10080 => __("Weekly"));`

			`$update_intervals_nodefault = array(`
			`-1 => __("Disable updates"),`
			`15 => __("Each 15 minutes"),`
			`30 => __("Each 30 minutes"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`60 => __("Hourly"),`
			`240 => __("Each 4 hours"),`
			`720 => __("Each 12 hours"),`
			`1440 => __("Daily"),`
			`10080 => __("Weekly"));`
simplify update/purge interval selection 2006-03-20 15:30:51 +01:00
user editor improved, some form parameter validation reimplemented for prototyped-forms 2006-05-20 16:26:00 +02:00			`$access_level_names = array(`
backend/view: use JSON instead of XML; backend: output session invalid error using JSON 2011-03-18 10:46:22 +01:00			`0 => __("User"),`
add new access level 5, show user's level in prefs 2008-04-04 05:46:51 +02:00			`5 => __("Power User"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`10 => __("Administrator"));`
user editor improved, some form parameter validation reimplemented for prototyped-forms 2006-05-20 16:26:00 +02:00
do not perform sanity checks on each backend request 2012-07-10 13:24:04 +02:00			`#$error = sanity_check($link);`
rework initial sanitycheck to use JSON 2011-03-18 15:39:23 +01:00
do not perform sanity checks on each backend request 2012-07-10 13:24:04 +02:00			`#if ($error['code'] != 0 && $op != "logout") {`
			`# print json_encode(array("error" => $error));`
			`# return;`
			`#}`
mark feeds with update errors in feedlist (closes #8) 2005-12-16 18:35:04 +01:00
add pref_feeds class 2011-12-13 06:29:22 +01:00			`$op = str_replace("-", "_", $op);`

implement plugin routing masks, add example plugin 2012-12-23 20:05:51 +01:00			`global $pluginhost;`
			`$override = $pluginhost->lookup_handler($op, $method);`
move update daemon code to common function, reorganize backend.php (patch from landure) 2008-01-26 06:33:59 +01:00
implement plugin routing masks, add example plugin 2012-12-23 20:05:51 +01:00			`if (class_exists($op) \|\| $override) {`

			`if ($override) {`
			`$handler = $override;`
			`} else {`
			`$handler = new $op($link, $_REQUEST);`
			`}`

			`if ($handler && implements_interface($handler, 'IHandler')) {`
experimental CSRF protection 2011-12-26 09:02:52 +01:00			`if (validate_csrf($csrf_token) \|\| $handler->csrf_ignore($method)) {`
			`if ($handler->before($method)) {`
			`if ($method && method_exists($handler, $method)) {`
			`$handler->$method();`
experimental new plugin system 2012-12-23 11:52:18 +01:00			`} else {`
			`if (method_exists($handler, "catchall")) {`
			`$handler->catchall($method);`
			`}`
experimental CSRF protection 2011-12-26 09:02:52 +01:00			`}`
			`$handler->after();`
			`return;`
login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet 2012-09-10 17:01:06 +02:00			`} else {`
use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json");`
login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet 2012-09-10 17:01:06 +02:00			`print json_encode(array("error" => array("code" => 6)));`
			`return;`
add tiny-OOP style backend RPC 2011-12-12 20:32:29 +01:00			`}`
experimental CSRF protection 2011-12-26 09:02:52 +01:00			`} else {`
use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json");`
experimental CSRF protection 2011-12-26 09:02:52 +01:00			`print json_encode(array("error" => array("code" => 6)));`
implement tiny-OOP routing 2011-12-12 21:20:53 +01:00			`return;`
add tiny-OOP style backend RPC 2011-12-12 20:32:29 +01:00			`}`
			`}`
			`}`

use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json");`
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`print json_encode(array("error" => array("code" => 7)));`
add tweet button to digest, misc digest fixes; rework article tweeting to use ajax loading of needed info 2010-11-25 10:58:29 +01:00
move update daemon code to common function, reorganize backend.php (patch from landure) 2008-01-26 06:33:59 +01:00			`// We close the connection to database.`
updated mysql schema 2005-09-07 14:42:49 +02:00			`db_close($link);`
initial mockup 2005-08-21 12:13:10 +02:00			`?>`