http user auth, password changer in preferences

backend.php

@@ -1,6 +1,8 @@
 <?
 	session_start();
 
+	if (!$_SESSION["uid"]) { exit; }
+
 	define(SCHEMA_VERSION, 2);
 
 	require_once "config.php";
@@ -9,8 +11,8 @@
 	require_once "functions.php";
 	require_once "magpierss/rss_fetch.inc";
 
-	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
-	$_SESSION["name"] = PLACEHOLDER_NAME;
+//	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
+//	$_SESSION["name"] = PLACEHOLDER_NAME;
 
 	$op = $_REQUEST["op"];
 
@@ -1578,6 +1580,34 @@
 				print "Unknown option: $pref_name";
 			}
 
+		} else if ($subop == "Change password") {
+
+			if (WEB_DEMO_MODE) return;
+
+			$old_pw = $_POST["OLD_PASSWORD"];
+			$new_pw = $_POST["OLD_PASSWORD"];
+
+			$old_pw_hash = 'SHA1:' . sha1($_POST["OLD_PASSWORD"]);
+			$new_pw_hash = 'SHA1:' . sha1($_POST["NEW_PASSWORD"]);
+
+			$active_uid = $_SESSION["uid"];
+
+			if ($old_pw && $new_pw) {
+
+				$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
+
+				$result = db_query($link, "SELECT id FROM ttrss_users WHERE 
+					id = '$active_uid' AND (pwd_hash = '$old_pw' OR 
+						pwd_hash = '$old_pw_hash')");
+
+				if (db_num_rows($result) == 1) {
+					db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash' 
+						WHERE id = '$active_uid'");				
+				}
+			}
+
+			header("Location: prefs.php");
+	
 		} else if ($subop == "Reset to defaults") {
 
 			if (WEB_DEMO_MODE) return;
@@ -1591,6 +1621,29 @@
 
 		} else {
 
+			print "<form action=\"backend.php\" method=\"POST\">";
+
+			print "<table width=\"100%\" class=\"prefPrefsList\">";
+ 			print "<tr><td colspan='3'><h3>Authentication</h3></tr></td>";
+
+			print "<tr><td width=\"40%\">Old password</td>";
+			print "<td><input class=\"editbox\" type=\"password\"
+				name=\"OLD_PASSWORD\"></td></tr>";
+
+			print "<tr><td width=\"40%\">New password</td>";
+			
+			print "<td><input class=\"editbox\" type=\"password\"
+				name=\"NEW_PASSWORD\"></td></tr>";
+
+			print "</table>";
+
+			print "<input type=\"hidden\" name=\"op\" value=\"pref-prefs\">";
+
+			print "<p><input class=\"button\" type=\"submit\" 
+				value=\"Change password\" name=\"subop\">";
+
+			print "</form>";
+
 			$result = db_query($link, "SELECT 
 				ttrss_user_prefs.pref_name,short_desc,help_text,value,type_name,
 				section_name,def_value
@@ -1602,8 +1655,6 @@
 
 			print "<form action=\"backend.php\" method=\"POST\">";
 
-			print "<table width=\"100%\" class=\"prefPrefsList\">";
-	
 			$lnum = 0;
 
 			$active_section = "";
@@ -1613,8 +1664,10 @@
 				if ($active_section != $line["section_name"]) {
 
 					if ($active_section != "") {
-						print "</table><p><table width=\"100%\" class=\"prefPrefsList\">";
+						print "</table>";
 					}
+
+					print "<p><table width=\"100%\" class=\"prefPrefsList\">";
 				
 					$active_section = $line["section_name"];				
 					

functions.php

@@ -4,8 +4,8 @@
 	require_once 'config.php';
 	require_once 'db-prefs.php';
 
-	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
-	$_SESSION["name"] = PLACEHOLDER_NAME;
+//	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
+//	$_SESSION["name"] = PLACEHOLDER_NAME;
 
 	define('MAGPIE_OUTPUT_ENCODING', 'UTF-8');
 
@@ -516,4 +516,29 @@
 
 	}
 
+	function authenticate_user($link) {
+
+		if (!$_SERVER['PHP_AUTH_USER']) {
+
+			header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+			header('HTTP/1.0 401 Unauthorized');
+			print "<h1>401 Unathorized</h1>";
+			exit;
+			
+		} else {
+
+			$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
+			$password = db_escape_string($_SERVER['PHP_AUTH_PW']);
+			$pwd_hash = 'SHA1:' . sha1($password);
+
+			$result = db_query($link, "SELECT id,login FROM ttrss_users WHERE 
+				login = '$login' AND (pwd_hash = '$password' OR pwd_hash = '$pwd_hash')");
+
+			if (db_num_rows($result) == 1) {
+				$_SESSION["uid"] = db_fetch_result($result, 0, "id");
+				$_SESSION["name"] = db_fetch_result($result, 0, "login");
+			}			
+		}
+	}
+
 ?>

opml.php

@@ -13,7 +13,7 @@
 	require_once "db.php";
 	require_once "db-prefs.php";
 
-	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
+//	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
 
 	$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
 

prefs.js

@@ -818,3 +818,4 @@ function dispOptionHelp(event, sender) {
 
 } */
 
+

prefs.php

@@ -8,8 +8,8 @@
 
 	$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
 
-	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
-	$_SESSION["name"] = PLACEHOLDER_NAME;
+//	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
+//	$_SESSION["name"] = PLACEHOLDER_NAME;
 
 	initialize_user_prefs($link, $_SESSION["uid"]); 
 	// FIXME this needs to be moved somewhere after user creation

tt-rss.php

@@ -1,6 +1,6 @@
 <?
 	session_start();
-
+	
 	require_once "version.php"; 
 	require_once "config.php";
 	require_once "db-prefs.php";
@@ -8,9 +8,10 @@
 
 	$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
 
-	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
-	$_SESSION["name"] = PLACEHOLDER_NAME;
+	authenticate_user($link);
 
+//	$_SESSION["uid"] = PLACEHOLDER_UID; // FIXME: placeholder
+//	$_SESSION["name"] = PLACEHOLDER_NAME;
 
 	initialize_user_prefs($link, $_SESSION["uid"]); 
 	// FIXME this needs to be moved somewhere after user creation

version.php

@@ -1,4 +1,3 @@
 <?
 	define(VERSION, "1.0.7.99");
 ?>
-