diff options
33 files changed, 1949 insertions, 349 deletions
@@ -34,7 +34,7 @@ The Red Matrix is free and open source distributed under the MIT license. Please connect with one of the developer channels ("Channel One" would be a good choice) if you are interested in helping us out. -[Please help us change the world by providing a small donation.](http://pledgie.com/campaigns/18417) (Large donations are also graciously accepted). +[Please help us change the world by providing a small donation.](http://redmatrix.me/siteinfo) (Large donations are also graciously accepted). If you would like to become a member of the Red Matrix **right now** , please select a public hub from one of our open providers at [https://zothub.com/pubsites](https://zothub.com/pubsites). All sites are interlinked and you can always move to another, so the choice of site can be somewhat arbitrary.
\ No newline at end of file @@ -279,6 +279,7 @@ define ( 'PERMS_NETWORK' , 0x0002 ); define ( 'PERMS_SITE' , 0x0004 ); define ( 'PERMS_CONTACTS' , 0x0008 ); define ( 'PERMS_SPECIFIC' , 0x0080 ); +define ( 'PERMS_AUTHED' , 0x0100 ); // Address book flags diff --git a/include/account.php b/include/account.php index 7d1aa598d..1206223d9 100644 --- a/include/account.php +++ b/include/account.php @@ -401,3 +401,58 @@ function user_deny($hash) { return true; } + + +/** + * @function downgrade_accounts() + * Checks for accounts that have past their expiration date. + * If the account has a service class which is not the site default, + * the service class is reset to the site default and expiration reset to never. + * If the account has no service class it is expired and subsequently disabled. + * called from include/poller.php as a scheduled task. + * + * Reclaiming resources which are no longer within the service class limits is + * not the job of this function, but this can be implemented by plugin if desired. + * Default behaviour is to stop allowing additional resources to be consumed. + */ + + +function downgrade_accounts() { + + $r = q("select * from account where not ( account_flags & %d ) + and account_expires != '0000-00-00 00:00:00' + and account_expires < UTC_TIMESTAMP() ", + intval(ACCOUNT_EXPIRED) + ); + + if(! $r) + return; + + $basic = get_config('system','default_service_class'); + + + foreach($r as $rr) { + + if(($basic) && ($rr['account_service_class']) && ($rr['account_service_class'] != $basic)) { + $x = q("UPDATE account set account_service_class = '%s', account_expires = '%s' + where account_id = %d limit 1", + dbesc($basic), + dbesc('0000-00-00 00:00:00'), + intval($rr['account_id']) + ); + $ret = array('account' => $rr); + call_hooks('account_downgrade', $ret ); + logger('downgrade_accounts: Account id ' . $rr['account_id'] . ' downgraded.'); + } + else { + $x = q("UPDATE account SET account_flags = (account_flags | %d) where account_id = %d limit 1", + intval(ACCOUNT_EXPIRED), + intval($rr['account_id']) + ); + $ret = array('account' => $rr); + call_hooks('account_downgrade', $ret); + logger('downgrade_accounts: Account id ' . $rr['account_id'] . ' expired.'); + } + } +} + diff --git a/include/auth.php b/include/auth.php index 2b7c385fd..a3b028c73 100644 --- a/include/auth.php +++ b/include/auth.php @@ -93,7 +93,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p } } - $r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_hash = '%s' limit 1", + $r = q("select * from xchan left join hubloc on xchan_hash = hubloc_hash where xchan_hash = '%s' limit 1", dbesc($_SESSION['visitor_id']) ); if($r) { @@ -230,3 +230,13 @@ else { authenticate_success($record, true, true); } } + + +function match_openid($authid) { + $r = q("select * from pconfig where cat = 'system' and k = 'openid' and v = '%s' limit 1", + dbesc($authid) + ); + if($r) + return $r[0]['uid']; + return false; +} diff --git a/include/follow.php b/include/follow.php index 845ce11da..0508a8b37 100644 --- a/include/follow.php +++ b/include/follow.php @@ -16,6 +16,8 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) $result = array('success' => false,'message' => ''); $a = get_app(); + $is_red = false; + if(! allowed_url($url)) { $result['message'] = t('Channel is blocked on this site.'); @@ -37,82 +39,94 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) $ret = zot_finger($url,$channel); if($ret['success']) { + $is_red = true; $j = json_decode($ret['body'],true); } - else { - $result['message'] = t('Channel discovery failed. Website may be down or misconfigured.'); - logger('mod_follow: ' . $result['message']); - return $result; - } - logger('follow: ' . $url . ' ' . print_r($j,true)); + if($is_red && $j) { - if(! $j) { - $result['message'] = t('Response from remote channel was not understood.'); - logger('mod_follow: ' . $result['message']); - return $result; - } + $my_perms = PERMS_W_STREAM|PERMS_W_MAIL; + logger('follow: ' . $url . ' ' . print_r($j,true), LOGGER_DEBUG); - if(! ($j['success'] && $j['guid'])) { - $result['message'] = t('Response from remote channel was incomplete.'); - logger('mod_follow: ' . $result['message']); - return $result; - } - // Premium channel, set confirm before callback to avoid recursion + if(! ($j['success'] && $j['guid'])) { + $result['message'] = t('Response from remote channel was incomplete.'); + logger('mod_follow: ' . $result['message']); + return $result; + } - if(array_key_exists('connect_url',$j) && (! $confirm)) - goaway(zid($j['connect_url'])); + // Premium channel, set confirm before callback to avoid recursion + if(array_key_exists('connect_url',$j) && (! $confirm)) + goaway(zid($j['connect_url'])); - // check service class limits + // check service class limits - $r = q("select count(*) as total from abook where abook_channel = %d and not (abook_flags & %d) ", - intval($uid), - intval(ABOOK_FLAG_SELF) - ); - if($r) - $total_channels = $r[0]['total']; + $r = q("select count(*) as total from abook where abook_channel = %d and not (abook_flags & %d) ", + intval($uid), + intval(ABOOK_FLAG_SELF) + ); + if($r) + $total_channels = $r[0]['total']; - if(! service_class_allows($uid,'total_channels',$total_channels)) { - $result['message'] = upgrade_message(); - return $result; - } + if(! service_class_allows($uid,'total_channels',$total_channels)) { + $result['message'] = upgrade_message(); + return $result; + } - // do we have an xchan and hubloc? - // If not, create them. + // do we have an xchan and hubloc? + // If not, create them. - $x = import_xchan($j); + $x = import_xchan($j); - if(! $x['success']) - return $x; + if(! $x['success']) + return $x; - $xchan_hash = $x['hash']; + $xchan_hash = $x['hash']; - $their_perms = 0; + $their_perms = 0; - $global_perms = get_perms(); + $global_perms = get_perms(); - if( array_key_exists('permissions',$j) && array_key_exists('data',$j['permissions'])) { - $permissions = crypto_unencapsulate(array( - 'data' => $j['permissions']['data'], - 'key' => $j['permissions']['key'], - 'iv' => $j['permissions']['iv']), - $channel['channel_prvkey']); - if($permissions) - $permissions = json_decode($permissions,true); - logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA); - } - else - $permissions = $j['permissions']; + if( array_key_exists('permissions',$j) && array_key_exists('data',$j['permissions'])) { + $permissions = crypto_unencapsulate(array( + 'data' => $j['permissions']['data'], + 'key' => $j['permissions']['key'], + 'iv' => $j['permissions']['iv']), + $channel['channel_prvkey']); + if($permissions) + $permissions = json_decode($permissions,true); + logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA); + } + else + $permissions = $j['permissions']; - foreach($permissions as $k => $v) { - if($v) { - $their_perms = $their_perms | intval($global_perms[$k][1]); + foreach($permissions as $k => $v) { + if($v) { + $their_perms = $their_perms | intval($global_perms[$k][1]); + } } } + else { + + // attempt network auto-discovery + + $my_perms = 0; + $their_perms = 0; + $xchan_hash = ''; + + + + + } + + if(! $xchan_hash) { + $result['message'] = t('Channel discovery failed.'); + logger('follow: ' . $result['message']); + return $result; + } if((local_user()) && $uid == local_user()) { $aid = get_account_id(); @@ -156,7 +170,7 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) intval($uid), dbesc($xchan_hash), intval($their_perms), - intval(PERMS_W_STREAM|PERMS_W_MAIL), + intval($my_perms), dbesc(datetime_convert()), dbesc(datetime_convert()) ); @@ -172,7 +186,8 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) ); if($r) { $result['abook'] = $r[0]; - proc_run('php', 'include/notifier.php', 'permission_update', $result['abook']['abook_id']); + if($is_red) + proc_run('php', 'include/notifier.php', 'permission_update', $result['abook']['abook_id']); } $arr = array('channel_id' => $uid, 'abook' => $result['abook']); @@ -188,12 +203,6 @@ function new_contact($uid,$url,$channel,$interactive = false, $confirm = false) group_add_member($uid,'',$xchan_hash,$g['id']); } - // Then send a ping/message to the other side - - $result['success'] = true; return $result; - - - } diff --git a/include/identity.php b/include/identity.php index d0fffaede..d83498a69 100644 --- a/include/identity.php +++ b/include/identity.php @@ -1104,6 +1104,11 @@ function get_theme_uid() { if(! $uid) return local_user(); } + if(! $uid) { + $x = get_sys_channel(); + if($x) + return $x['channel_id']; + } return $uid; } @@ -1137,7 +1142,7 @@ function get_default_profile_photo($size = 175) { */ function is_foreigner($s) { - return((strpbrk($s,':@')) ? true : false); + return((strpbrk($s,'.:@')) ? true : false); } diff --git a/include/items.php b/include/items.php index c90bfb41c..7e15e9411 100755 --- a/include/items.php +++ b/include/items.php @@ -725,14 +725,60 @@ function import_author_xchan($x) { return $arr['xchan_hash']; if((! array_key_exists('network', $x)) || ($x['network'] === 'zot')) { - return import_author_zot($x); + $y = import_author_zot($x); } - // TODO: create xchans for other common and/or aligned networks + if($x['network'] === 'rss') { + $y = import_author_rss($x); + } + + return(($y) ? $y : false); +} + +function import_author_rss($x) { + + if(! $x['url']) + return false; + + $r = q("select xchan_hash from xchan where xchan_network = 'rss' and xchan_url = '%s' limit 1", + dbesc($x['url']) + ); + if($r) { + logger('import_author_rss: in cache' , LOGGER_DEBUG); + return $r[0]['xchan_hash']; + } + $name = trim($x['name']); + + $r = q("insert into xchan ( xchan_hash, xchan_url, xchan_name, xchan_network ) + values ( '%s', '%s', '%s', '%s' )", + dbesc($x['url']), + dbesc($x['url']), + dbesc(($name) ? $name : t('Unknown')), + dbesc('rss') + ); + if($r) { + + $photos = import_profile_photo($x['photo'],$x['url']); + + if($photos) { + $r = q("update xchan set xchan_photo_date = '%s', xchan_photo_l = '%s', xchan_photo_m = '%s', xchan_photo_s = '%s', xchan_photo_mimetype = '%s' where xchan_url = '%s' and xchan_network = 'rss' limit 1", + dbesc(datetime_convert('UTC','UTC',$arr['photo_updated'])), + dbesc($photos[0]), + dbesc($photos[1]), + dbesc($photos[2]), + dbesc($photos[3]), + dbesc($x['url']) + ); + if($r) + return $x['url']; + } + } return false; + } + function encode_item($item) { $x = array(); $x['type'] = 'activity'; diff --git a/include/language.php b/include/language.php index 2e7ad5ff1..b43f5aacc 100644 --- a/include/language.php +++ b/include/language.php @@ -1,22 +1,28 @@ -<?php /** @file */ - - +<?php /** - * translation support + * @file + * + * @brief translation support + * + * This file contains functions to work with translations and other + * language related tasks. */ /** + * @brief Get the browser's submitted preferred languages. + * + * This functions parses the HTTP_ACCEPT_LANGUAGE header sent by the browser and + * extracts the preferred languages and their priority. * * Get the language setting directly from system variables, bypassing get_config() * as database may not yet be configured. * * If possible, we use the value from the browser. * + * @return array with ordered list of preferred languages from browser */ - function get_browser_language() { - $langs = array(); if (x($_SERVER,'HTTP_ACCEPT_LANGUAGE')) { @@ -43,9 +49,18 @@ function get_browser_language() { return $langs; } - +/** + * @brief Returns the best language for which also a translation exists. + * + * This function takes the results from get_browser_language() and compares it + * with the available translations and returns the best fitting language for + * which there exists a translation. + * + * If there is no match fall back to config['system']['language'] + * + * @return Language code in 2-letter ISO 639-1 (en). + */ function get_best_language() { - $langs = get_browser_language(); if(isset($langs) && count($langs)) { @@ -79,7 +94,6 @@ function push_lang($language) { $a->strings = array(); load_translation_table($language); $a->language = $language; - } function pop_lang() { @@ -109,7 +123,7 @@ function load_translation_table($lang, $install = false) { if(! $install) { $plugins = q("SELECT name FROM addon WHERE installed=1;"); - if ($plugins!==false) { + if ($plugins !== false) { foreach($plugins as $p) { $name = $p['name']; if(file_exists("addon/$name/lang/$lang/strings.php")) { @@ -128,15 +142,18 @@ function load_translation_table($lang, $install = false) { } -// translate string if translation exists - +/** + * @brief translate string if translation exists. + * + * @param s string that should get translated + * @return translated string if exsists, otherwise s + */ function t($s) { - global $a; if(x($a->strings,$s)) { $t = $a->strings[$s]; - return is_array($t)?$t[0]:$t; + return is_array($t) ? $t[0] : $t; } return $s; } @@ -147,14 +164,14 @@ function tt($singular, $plural, $count){ if(x($a->strings,$singular)) { $t = $a->strings[$singular]; - $f = 'string_plural_select_' . str_replace('-','_',$a->language); + $f = 'string_plural_select_' . str_replace('-', '_', $a->language); if(! function_exists($f)) $f = 'string_plural_select_default'; $k = $f($count); - return is_array($t)?$t[$k]:$t; + return is_array($t) ? $t[$k] : $t; } - if ($count!=1){ + if ($count != 1){ return $plural; } else { return $singular; @@ -168,84 +185,47 @@ function string_plural_select_default($n) { return ($n != 1); } - - +/** + * @brief Takes a string and tries to identify the language. + * + * It uses the pear library Text_LanguageDetect and it can identify 52 human languages. + * It returns the identified languges and a confidence score for each. + * + * Strings need to have a min length config['system']['language_detect_min_length'] + * and you can influence the confidence that must be met before a result will get + * returned through config['system']['language_detect_min_confidence']. + * + * @see http://pear.php.net/package/Text_LanguageDetect + * @param s A string to examine + * @return Language code in 2-letter ISO 639-1 (en, de, fr) format + */ function detect_language($s) { - - $detected_languages = array( - 'Albanian' => 'sq', - 'Arabic' => 'ar', - 'Azeri' => 'az', - 'Bengali' => 'bn', - 'Bulgarian' => 'bg', - 'Cebuano' => '', - 'Croatian' => 'hr', - 'Czech' => 'cz', - 'Danish' => 'da', - 'Dutch' => 'nl', - 'English' => 'en', - 'Estonian' => 'et', - 'Farsi' => 'fa', - 'Finnish' => 'fi', - 'French' => 'fr', - 'German' => 'de', - 'Hausa' => 'ha', - 'Hawaiian' => '', - 'Hindi' => 'hi', - 'Hungarian' => 'hu', - 'Icelandic' => 'is', - 'Indonesian' => 'id', - 'Italian' => 'it', - 'Kazakh' => 'kk', - 'Kyrgyz' => 'ky', - 'Latin' => 'la', - 'Latvian' => 'lv', - 'Lithuanian' => 'lt', - 'Macedonian' => 'mk', - 'Mongolian' => 'mn', - 'Nepali' => 'ne', - 'Norwegian' => 'no', - 'Pashto' => 'ps', - 'Pidgin' => '', - 'Polish' => 'pl', - 'Portuguese' => 'pt', - 'Romanian' => 'ro', - 'Russian' => 'ru', - 'Serbian' => 'sr', - 'Slovak' => 'sk', - 'Slovene' => 'sl', - 'Somali' => 'so', - 'Spanish' => 'es', - 'Swahili' => 'sw', - 'Swedish' => 'sv', - 'Tagalog' => 'tl', - 'Turkish' => 'tr', - 'Ukrainian' => 'uk', - 'Urdu' => 'ur', - 'Uzbek' => 'uz', - 'Vietnamese' => 'vi', - 'Welsh' => 'cy' - ); - require_once('Text/LanguageDetect.php'); - $min_length = get_config('system','language_detect_min_length'); + $min_length = get_config('system', 'language_detect_min_length'); if($min_length === false) $min_length = LANGUAGE_DETECT_MIN_LENGTH; - $min_confidence = get_config('system','language_detect_min_confidence'); + $min_confidence = get_config('system', 'language_detect_min_confidence'); if($min_confidence === false) $min_confidence = LANGUAGE_DETECT_MIN_CONFIDENCE; - - $naked_body = preg_replace('/\[(.+?)\]/','',$s); - if(mb_strlen($naked_body) < intval($min_length)) + // strip off bbcode + $naked_body = preg_replace('/\[(.+?)\]/', '', $s); + if(mb_strlen($naked_body) < intval($min_length)) { + logger('detect language: string length less than ' . intval($min_length), LOGGER_DATA); return ''; + } $l = new Text_LanguageDetect; - $lng = $l->detectConfidence($naked_body); - - logger('detect language: ' . print_r($lng,true) . $naked_body, LOGGER_DATA); + try { + // return 2-letter ISO 639-1 (en) language code + $l->setNameMode(2); + $lng = $l->detectConfidence($naked_body); + logger('detect language: ' . print_r($lng, true) . $naked_body, LOGGER_DATA); + } catch (Text_LanguageDetect_Exception $e) { + logger('detect language exception: ' . $e->getMessage(), LOGGER_DATA); + } if((! $lng) || (! (x($lng,'language')))) { return ''; @@ -256,6 +236,29 @@ function detect_language($s) { return ''; } - return(($lng && (x($lng,'language'))) ? $detected_languages[ucfirst($lng['language'])] : ''); + return($lng['language']); +} + +/** + * @brief Returns the display name of a given language code. + * + * By default we use the localized language name. You can switch the result + * to any language with the optional 2nd parameter $l. + * + * $s and $l can be in any format that PHP's Locale understands. We will mostly + * use the 2-letter ISO 639-1 (en, de, fr) format. + * + * If nothing could be looked up it returns $s. + * + * @param $s Language code to look up + * @param $l (optional) In which language to return the name + * @return string with the language name, or $s if unrecognized + */ +function get_language_name($s, $l = null) { + if($l === null) + $l = $s; + logger('get_language_name: for ' . $s . ' in ' . $l . ' returns: ' . Locale::getDisplayLanguage($s, $l), LOGGER_DEBUG); + return Locale::getDisplayLanguage($s, $l); } + diff --git a/include/menu.php b/include/menu.php index e9049bf8e..2f1719d0b 100644 --- a/include/menu.php +++ b/include/menu.php @@ -38,7 +38,7 @@ function menu_render($menu, $edit = false) { return replace_macros(get_markup_template('usermenu.tpl'),array( '$menu' => $menu['menu'], - '$edit' => $edit, + '$edit' => (($edit) ? t("Edit") : ''), '$items' => $menu['items'] )); } diff --git a/include/permissions.php b/include/permissions.php index 420591c54..eb1a7966f 100644 --- a/include/permissions.php +++ b/include/permissions.php @@ -88,8 +88,13 @@ function get_all_perms($uid,$observer_xchan,$internal_use = true) { // These take priority over all other settings. if($observer_xchan) { + if($r[0][$channel_perm] & PERMS_AUTHED) { + $ret[$perm_name] = true; + continue; + } + if(! $abook_checked) { - $x = q("select abook_my_perms, abook_flags from abook + $x = q("select abook_my_perms, abook_flags, xchan_network from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d and abook_xchan = '%s' and not ( abook_flags & %d ) limit 1", intval($uid), dbesc($observer_xchan), @@ -137,9 +142,9 @@ function get_all_perms($uid,$observer_xchan,$internal_use = true) { continue; } - // If we're still here, we have an observer, which means they're in the network. + // If we're still here, we have an observer, check the network. - if($r[0][$channel_perm] & PERMS_NETWORK) { + if(($r[0][$channel_perm] & PERMS_NETWORK) && ($x[0]['xchan_network'] === 'zot')) { $ret[$perm_name] = true; continue; } @@ -240,7 +245,11 @@ function perm_is_allowed($uid,$observer_xchan,$permission) { return false; if($observer_xchan) { - $x = q("select abook_my_perms, abook_flags from abook where abook_channel = %d and abook_xchan = '%s' and not ( abook_flags & %d ) limit 1", + if($r[0][$channel_perm] & PERMS_AUTHED) + return true; + + $x = q("select abook_my_perms, abook_flags, xchan_network from abook left join xchan on abook_xchan = xchan_hash + where abook_channel = %d and abook_xchan = '%s' and not ( abook_flags & %d ) limit 1", intval($uid), dbesc($observer_xchan), intval(ABOOK_FLAG_SELF) @@ -272,9 +281,9 @@ function perm_is_allowed($uid,$observer_xchan,$permission) { return false; } - // If we're still here, we have an observer, which means they're in the network. + // If we're still here, we have an observer, check the network. - if($r[0][$channel_perm] & PERMS_NETWORK) + if(($r[0][$channel_perm] & PERMS_NETWORK) && ($x[0]['xchan_network'] === 'zot')) return true; diff --git a/include/photo/photo_driver.php b/include/photo/photo_driver.php index c2eeafa54..484550cb7 100644 --- a/include/photo/photo_driver.php +++ b/include/photo/photo_driver.php @@ -538,14 +538,20 @@ function import_profile_photo($photo,$xchan,$thing = false) { } $photo_failure = false; + $img_str = ''; + if($photo) { + $filename = basename($photo); + $type = guess_image_type($photo,true); - $filename = basename($photo); - $type = guess_image_type($photo,true); - $result = z_fetch_url($photo,true); + if(! $type) + $type = 'image/jpeg'; - if($result['success']) - $img_str = $result['body']; + $result = z_fetch_url($photo,true); + + if($result['success']) + $img_str = $result['body']; + } $img = photo_factory($img_str, $type); if($img->is_valid()) { diff --git a/include/poller.php b/include/poller.php index ce9b75eb3..1c6f68eab 100644 --- a/include/poller.php +++ b/include/poller.php @@ -32,16 +32,6 @@ function poller_run($argv, $argc){ proc_run('php',"include/queue.php"); - // expire any expired accounts - - q("UPDATE account - SET account_flags = (account_flags | %d) - where not (account_flags & %d) - and account_expires != '0000-00-00 00:00:00' - and account_expires < UTC_TIMESTAMP() ", - intval(ACCOUNT_EXPIRED), - intval(ACCOUNT_EXPIRED) - ); // expire any expired mail @@ -115,6 +105,9 @@ function poller_run($argv, $argc){ q("delete from notify where seen = 1 and date < UTC_TIMESTAMP() - INTERVAL 30 DAY"); + // expire any expired accounts + require_once('include/account.php'); + downgrade_accounts(); // If this is a directory server, request a sync with an upstream // directory at least once a day, up to once every poll interval. diff --git a/include/text.php b/include/text.php index 2f5accf6e..dfd35c769 100755 --- a/include/text.php +++ b/include/text.php @@ -1324,24 +1324,15 @@ function prepare_text($text,$content_type = 'text/bbcode') { function zidify_callback($match) { - if (feature_enabled(local_user(),'sendzid')) { - $replace = '<a' . $match[1] . ' href="' . zid($match[2]) . '"'; - } - else { - $replace = '<a' . $match[1] . 'class="zrl"' . $match[2] . ' href="' . zid($match[3]) . '"'; - } - + $is_zid = ((feature_enabled(local_user(),'sendzid')) || (strpos($match[1],'zrl')) ? true : false); + $replace = '<a' . $match[1] . ' href="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"'; $x = str_replace($match[0],$replace,$match[0]); return $x; } function zidify_img_callback($match) { - if (feature_enabled(local_user(),'sendzid')) { - $replace = '<img' . $match[1] . ' src="' . zid($match[2]) . '"'; - } - else { - $replace = '<img' . $match[1] . ' src="' . zid($match[2]) . '"'; - } + $is_zid = ((feature_enabled(local_user(),'sendzid')) || (strpos($match[1],'zrl')) ? true : false); + $replace = '<img' . $match[1] . ' src="' . (($is_zid) ? zid($match[2]) : $match[2]) . '"'; $x = str_replace($match[0],$replace,$match[0]); return $x; @@ -1349,25 +1340,13 @@ function zidify_img_callback($match) { function zidify_links($s) { - if(feature_enabled(local_user(),'sendzid')) { - $s = preg_replace_callback('/\<a(.*?)href\=\"(.*?)\"/ism','zidify_callback',$s); - $s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"/ism','zidify_img_callback',$s); - } - else { - $s = preg_replace_callback('/\<a(.*?)class\=\"zrl\"(.*?)href\=\"(.*?)\"/ism','zidify_callback',$s); - $s = preg_replace_callback('/\<img class\=\"zrl\"(.*?)src\=\"(.*?)\"/ism','zidify_img_callback',$s); -// FIXME - remove the following line and redo the regex for the prev line once all Red images are converted to zmg - $s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"/ism','zidify_img_callback',$s); - } - + $s = preg_replace_callback('/\<a(.*?)href\=\"(.*?)\"/ism','zidify_callback',$s); + $s = preg_replace_callback('/\<img(.*?)src\=\"(.*?)\"/ism','zidify_img_callback',$s); return $s; } - - - /** * return atom link elements for all of our hubs */ @@ -1924,3 +1903,7 @@ function in_arrayi($needle, $haystack) { return in_array(strtolower($needle), array_map('strtolower', $haystack)); } +function normalise_openid($s) { + return trim(str_replace(array('http://','https://'),array('',''),$s),'/'); +} + diff --git a/library/openid/README b/library/openid/README new file mode 100644 index 000000000..799b452ac --- /dev/null +++ b/library/openid/README @@ -0,0 +1,49 @@ +This class provides a simple interface for OpenID (1.1 and 2.0) authentication. +Supports Yadis discovery. + +The authentication process is stateless/dumb. + +Usage: +Sign-on with OpenID is a two step process: +Step one is authentication with the provider: +<code> +$openid = new LightOpenID('my-host.example.org'); +$openid->identity = 'ID supplied by user'; +header('Location: ' . $openid->authUrl()); +</code> + +The provider then sends various parameters via GET, one of them is openid_mode. +Step two is verification: +<code> +if ($this->data['openid_mode']) { + $openid = new LightOpenID('my-host.example.org'); + echo $openid->validate() ? 'Logged in.' : 'Failed'; +} +</code> + * +Change the 'my-host.example.org' to your domain name. Do NOT use $_SERVER['HTTP_HOST'] +for that, unless you know what you are doing. + * +Optionally, you can set $returnUrl and $realm (or $trustRoot, which is an alias). +The default values for those are: +$openid->realm = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST']; +$openid->returnUrl = $openid->realm . $_SERVER['REQUEST_URI']; +If you don't know their meaning, refer to any openid tutorial, or specification. Or just guess. + * +AX and SREG extensions are supported. +To use them, specify $openid->required and/or $openid->optional before calling $openid->authUrl(). +These are arrays, with values being AX schema paths (the 'path' part of the URL). +For example: + $openid->required = array('namePerson/friendly', 'contact/email'); + $openid->optional = array('namePerson/first'); +If the server supports only SREG or OpenID 1.1, these are automaticaly +mapped to SREG names, so that user doesn't have to know anything about the server. + * +To get the values, use $openid->getAttributes(). + * +The library requires PHP >= 5.1.2 with curl or http/https stream wrappers enabled. +@author Mewp +@contributors Brice http://github.com/brice/ +@copyright Copyright (c) 2010, Mewp +@copyright Copyright (c) 2010, Brice +@license http://www.opensource.org/licenses/mit-license.php MIT
\ No newline at end of file diff --git a/library/openid/example-google.php b/library/openid/example-google.php new file mode 100644 index 000000000..f23f2cc48 --- /dev/null +++ b/library/openid/example-google.php @@ -0,0 +1,24 @@ +<?php +# Logging in with Google accounts requires setting special identity, so this example shows how to do it. +require 'openid.php'; +try { + # Change 'localhost' to your domain name. + $openid = new LightOpenID('localhost'); + if(!$openid->mode) { + if(isset($_GET['login'])) { + $openid->identity = 'https://www.google.com/accounts/o8/id'; + header('Location: ' . $openid->authUrl()); + } +?> +<form action="?login" method="post"> + <button>Login with Google</button> +</form> +<?php + } elseif($openid->mode == 'cancel') { + echo 'User has canceled authentication!'; + } else { + echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.'; + } +} catch(ErrorException $e) { + echo $e->getMessage(); +} diff --git a/library/openid/example.php b/library/openid/example.php new file mode 100644 index 000000000..e4ab107fe --- /dev/null +++ b/library/openid/example.php @@ -0,0 +1,23 @@ +<?php +require 'openid.php'; +try { + # Change 'localhost' to your domain name. + $openid = new LightOpenID('localhost'); + if(!$openid->mode) { + if(isset($_POST['openid_identifier'])) { + $openid->identity = $_POST['openid_identifier']; + header('Location: ' . $openid->authUrl()); + } +?> +<form action="" method="post"> + OpenID: <input type="text" name="openid_identifier" /> <button>Submit</button> +</form> +<?php + } elseif($openid->mode == 'cancel') { + echo 'User has canceled authentication!'; + } else { + echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.'; + } +} catch(ErrorException $e) { + echo $e->getMessage(); +} diff --git a/library/openid.php b/library/openid/openid.php index 3c58beb8a..00250c59d 100644 --- a/library/openid.php +++ b/library/openid/openid.php @@ -8,7 +8,7 @@ * Sign-on with OpenID is a two step process: * Step one is authentication with the provider: * <code> - * $openid = new LightOpenID; + * $openid = new LightOpenID('my-host.example.org'); * $openid->identity = 'ID supplied by user'; * header('Location: ' . $openid->authUrl()); * </code> @@ -16,15 +16,18 @@ * Step two is verification: * <code> * if ($this->data['openid_mode']) { - * $openid = new LightOpenID; + * $openid = new LightOpenID('my-host.example.org'); * echo $openid->validate() ? 'Logged in.' : 'Failed'; * } * </code> * + * Change the 'my-host.example.org' to your domain name. Do NOT use $_SERVER['HTTP_HOST'] + * for that, unless you know what you are doing. + * * Optionally, you can set $returnUrl and $realm (or $trustRoot, which is an alias). * The default values for those are: * $openid->realm = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST']; - * $openid->returnUrl = $openid->realm . $_SERVER['REQUEST_URI']; # without the query part, if present + * $openid->returnUrl = $openid->realm . $_SERVER['REQUEST_URI']; * If you don't know their meaning, refer to any openid tutorial, or specification. Or just guess. * * AX and SREG extensions are supported. @@ -39,7 +42,7 @@ * To get the values, use $openid->getAttributes(). * * - * The library requires PHP >= 5.1.2 with curl or http/https stream wrappers enabled.. + * The library requires PHP >= 5.1.2 with curl or http/https stream wrappers enabled. * @author Mewp * @copyright Copyright (c) 2010, Mewp * @license http://www.opensource.org/licenses/mit-license.php MIT @@ -49,11 +52,13 @@ class LightOpenID public $returnUrl , $required = array() , $optional = array() - , $verify_perr = null - , $capath = null; + , $verify_peer = null + , $capath = null + , $cainfo = null + , $data; private $identity, $claimed_id; protected $server, $version, $trustRoot, $aliases, $identifier_select = false - , $ax = false, $sreg = false, $data; + , $ax = false, $sreg = false, $setup_url = null; static protected $ax_to_sreg = array( 'namePerson/friendly' => 'nickname', 'contact/email' => 'email', @@ -66,14 +71,28 @@ class LightOpenID 'pref/timezone' => 'timezone', ); - function __construct() + function __construct($host) { - $this->trustRoot = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST']; - $uri = $_SERVER['REQUEST_URI']; - $uri = strpos($uri, '?') ? substr($uri, 0, strpos($uri, '?')) : $uri; + $this->trustRoot = (strpos($host, '://') ? $host : 'http://' . $host); + if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') + || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) + && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') + ) { + $this->trustRoot = (strpos($host, '://') ? $host : 'https://' . $host); + } + + if(($host_end = strpos($this->trustRoot, '/', 8)) !== false) { + $this->trustRoot = substr($this->trustRoot, 0, $host_end); + } + + $uri = rtrim(preg_replace('#((?<=\?)|&)openid\.[^&]+#', '', $_SERVER['REQUEST_URI']), '?'); $this->returnUrl = $this->trustRoot . $uri; - $this->data = $_POST + $_GET; # OPs may send data as POST or GET. + $this->data = ($_SERVER['REQUEST_METHOD'] === 'POST') ? $_POST : $_GET; + + if(!function_exists('curl_init') && !in_array('https', stream_get_wrappers())) { + throw new ErrorException('You must have either https wrappers or curl enabled.'); + } } function __set($name, $value) @@ -109,6 +128,8 @@ class LightOpenID case 'trustRoot': case 'realm': return $this->trustRoot; + case 'mode': + return empty($this->data['openid_mode']) ? null : $this->data['openid_mode']; } } @@ -143,11 +164,15 @@ class LightOpenID curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/xrds+xml, */*')); - if($this->verify_perr !== null) { + if($this->verify_peer !== null) { curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, $this->verify_peer); if($this->capath) { curl_setopt($curl, CURLOPT_CAPATH, $this->capath); } + + if($this->cainfo) { + curl_setopt($curl, CURLOPT_CAINFO, $this->cainfo); + } } if ($method == 'POST') { @@ -188,7 +213,7 @@ class LightOpenID protected function request_streams($url, $method='GET', $params=array()) { if(!$this->hostExists($url)) { - throw new ErrorException('Invalid request.'); + throw new ErrorException("Could not connect to $url.", 404); } $params = http_build_query($params, '', '&'); @@ -199,7 +224,9 @@ class LightOpenID 'method' => 'GET', 'header' => 'Accept: application/xrds+xml, */*', 'ignore_errors' => true, - ) + ), 'ssl' => array( + 'CN_match' => parse_url($url, PHP_URL_HOST), + ), ); $url = $url . ($params ? '?' . $params : ''); break; @@ -210,7 +237,9 @@ class LightOpenID 'header' => 'Content-type: application/x-www-form-urlencoded', 'content' => $params, 'ignore_errors' => true, - ) + ), 'ssl' => array( + 'CN_match' => parse_url($url, PHP_URL_HOST), + ), ); break; case 'HEAD': @@ -219,11 +248,15 @@ class LightOpenID # we have to change the defaults. $default = stream_context_get_options(stream_context_get_default()); stream_context_get_default( - array('http' => array( - 'method' => 'HEAD', - 'header' => 'Accept: application/xrds+xml, */*', - 'ignore_errors' => true, - )) + array( + 'http' => array( + 'method' => 'HEAD', + 'header' => 'Accept: application/xrds+xml, */*', + 'ignore_errors' => true, + ), 'ssl' => array( + 'CN_match' => parse_url($url, PHP_URL_HOST), + ), + ) ); $url = $url . ($params ? '?' . $params : ''); @@ -263,10 +296,11 @@ class LightOpenID } if($this->verify_peer) { - $opts += array('ssl' => array( + $opts['ssl'] += array( 'verify_peer' => true, 'capath' => $this->capath, - )); + 'cafile' => $this->cainfo, + ); } $context = stream_context_create ($opts); @@ -276,7 +310,9 @@ class LightOpenID protected function request($url, $method='GET', $params=array()) { - if(function_exists('curl_init') && !ini_get('safe_mode') && (! strlen(ini_get('open_basedir')))) { + if (function_exists('curl_init') + && (!in_array('https', stream_get_wrappers()) || !ini_get('safe_mode') && !ini_get('open_basedir')) + ) { return $this->request_curl($url, $method, $params); } return $this->request_streams($url, $method, $params); @@ -297,7 +333,7 @@ class LightOpenID . (empty($url['port'])?'':":{$url['port']}") . (empty($url['path'])?'':$url['path']) . (empty($url['query'])?'':"?{$url['query']}") - . (empty($url['fragment'])?'':":{$url['fragment']}"); + . (empty($url['fragment'])?'':"#{$url['fragment']}"); return $url; } @@ -342,84 +378,90 @@ class LightOpenID $headers = $this->request($url, 'HEAD'); $next = false; - if (isset($headers['x-xrds-location'])) { - $url = $this->build_url(parse_url($url), parse_url(trim($headers['x-xrds-location']))); - $next = true; - } + if (isset($headers['x-xrds-location'])) { + $url = $this->build_url(parse_url($url), parse_url(trim($headers['x-xrds-location']))); + $next = true; + } - if (isset($headers['content-type']) - && ((strpos($headers['content-type'], 'application/xrds+xml') !== false - ) || (strpos($headers['content-type'], 'text/xml') !== false))) { - # Found an XRDS document, now let's find the server, and optionally delegate. - $content = $this->request($url, 'GET'); - - preg_match_all('#<Service.*?>(.*?)</Service>#s', $content, $m); - foreach($m[1] as $content) { - $content = ' ' . $content; # The space is added, so that strpos doesn't return 0. - - # OpenID 2 - $ns = preg_quote('http://specs.openid.net/auth/2.0/'); - if(preg_match('#<Type>\s*'.$ns.'(server|signon)\s*</Type>#s', $content, $type)) { - if ($type[1] == 'server') $this->identifier_select = true; - - preg_match('#<URI.*?>(.*)</URI>#', $content, $server); - preg_match('#<(Local|Canonical)ID>(.*)</\1ID>#', $content, $delegate); - if (empty($server)) { - return false; - } - # Does the server advertise support for either AX or SREG? - $this->ax = (bool) strpos($content, '<Type>http://openid.net/srv/ax/1.0</Type>'); - $this->sreg = strpos($content, '<Type>http://openid.net/sreg/1.0</Type>') - || strpos($content, '<Type>http://openid.net/extensions/sreg/1.1</Type>'); - - $server = $server[1]; - if (isset($delegate[2])) $this->identity = trim($delegate[2]); - $this->version = 2; -logger('Server: ' . $server); - $this->server = $server; - return $server; + if (isset($headers['content-type']) + && (strpos($headers['content-type'], 'application/xrds+xml') !== false + || strpos($headers['content-type'], 'text/xml') !== false) + ) { + # Apparently, some providers return XRDS documents as text/html. + # While it is against the spec, allowing this here shouldn't break + # compatibility with anything. + # --- + # Found an XRDS document, now let's find the server, and optionally delegate. + $content = $this->request($url, 'GET'); + + preg_match_all('#<Service.*?>(.*?)</Service>#s', $content, $m); + foreach($m[1] as $content) { + $content = ' ' . $content; # The space is added, so that strpos doesn't return 0. + + # OpenID 2 + $ns = preg_quote('http://specs.openid.net/auth/2.0/'); + if(preg_match('#<Type>\s*'.$ns.'(server|signon)\s*</Type>#s', $content, $type)) { + if ($type[1] == 'server') $this->identifier_select = true; + + preg_match('#<URI.*?>(.*)</URI>#', $content, $server); + preg_match('#<(Local|Canonical)ID>(.*)</\1ID>#', $content, $delegate); + if (empty($server)) { + return false; } + # Does the server advertise support for either AX or SREG? + $this->ax = (bool) strpos($content, '<Type>http://openid.net/srv/ax/1.0</Type>'); + $this->sreg = strpos($content, '<Type>http://openid.net/sreg/1.0</Type>') + || strpos($content, '<Type>http://openid.net/extensions/sreg/1.1</Type>'); - # OpenID 1.1 - $ns = preg_quote('http://openid.net/signon/1.1'); - if (preg_match('#<Type>\s*'.$ns.'\s*</Type>#s', $content)) { - - preg_match('#<URI.*?>(.*)</URI>#', $content, $server); - preg_match('#<.*?Delegate>(.*)</.*?Delegate>#', $content, $delegate); - if (empty($server)) { - return false; - } - # AX can be used only with OpenID 2.0, so checking only SREG - $this->sreg = strpos($content, '<Type>http://openid.net/sreg/1.0</Type>') - || strpos($content, '<Type>http://openid.net/extensions/sreg/1.1</Type>'); - - $server = $server[1]; - if (isset($delegate[1])) $this->identity = $delegate[1]; - $this->version = 1; - - $this->server = $server; - return $server; - } + $server = $server[1]; + if (isset($delegate[2])) $this->identity = trim($delegate[2]); + $this->version = 2; + + $this->server = $server; + return $server; } - $next = true; - $yadis = false; - $url = $originalUrl; - $content = null; - break; + # OpenID 1.1 + $ns = preg_quote('http://openid.net/signon/1.1'); + if (preg_match('#<Type>\s*'.$ns.'\s*</Type>#s', $content)) { + + preg_match('#<URI.*?>(.*)</URI>#', $content, $server); + preg_match('#<.*?Delegate>(.*)</.*?Delegate>#', $content, $delegate); + if (empty($server)) { + return false; + } + # AX can be used only with OpenID 2.0, so checking only SREG + $this->sreg = strpos($content, '<Type>http://openid.net/sreg/1.0</Type>') + || strpos($content, '<Type>http://openid.net/extensions/sreg/1.1</Type>'); + + $server = $server[1]; + if (isset($delegate[1])) $this->identity = $delegate[1]; + $this->version = 1; + + $this->server = $server; + return $server; + } } + + $next = true; + $yadis = false; + $url = $originalUrl; + $content = null; + break; + } if ($next) continue; # There are no relevant information in headers, so we search the body. $content = $this->request($url, 'GET'); - if ($location = $this->htmlTag($content, 'meta', 'http-equiv', 'X-XRDS-Location', 'content')) { + $location = $this->htmlTag($content, 'meta', 'http-equiv', 'X-XRDS-Location', 'content'); + if ($location) { $url = $this->build_url(parse_url($url), parse_url($location)); continue; } } if (!$content) $content = $this->request($url, 'GET'); -logger('openid' . $content); + # At this point, the YADIS Discovery has failed, so we'll switch # to openid2 HTML discovery, then fallback to openid 1.1 discovery. $server = $this->htmlTag($content, 'link', 'rel', 'openid2.provider', 'href'); @@ -443,9 +485,9 @@ logger('openid' . $content); return $server; } - throw new ErrorException('No servers found!'); + throw new ErrorException("No OpenID Server found at $url", 404); } - throw new ErrorException('Endless redirection!'); + throw new ErrorException('Endless redirection!', 500); } protected function sregParams() @@ -514,7 +556,7 @@ logger('openid' . $content); return $params; } - protected function authUrl_v1() + protected function authUrl_v1($immediate) { $returnUrl = $this->returnUrl; # If we have an openid.delegate that is different from our claimed id, @@ -526,7 +568,7 @@ logger('openid' . $content); $params = array( 'openid.return_to' => $returnUrl, - 'openid.mode' => 'checkid_setup', + 'openid.mode' => $immediate ? 'checkid_immediate' : 'checkid_setup', 'openid.identity' => $this->identity, 'openid.trust_root' => $this->trustRoot, ) + $this->sregParams(); @@ -535,11 +577,11 @@ logger('openid' . $content); , array('query' => http_build_query($params, '', '&'))); } - protected function authUrl_v2($identifier_select) + protected function authUrl_v2($immediate) { $params = array( 'openid.ns' => 'http://specs.openid.net/auth/2.0', - 'openid.mode' => 'checkid_setup', + 'openid.mode' => $immediate ? 'checkid_immediate' : 'checkid_setup', 'openid.return_to' => $this->returnUrl, 'openid.realm' => $this->trustRoot, ); @@ -555,7 +597,7 @@ logger('openid' . $content); $params += $this->axParams() + $this->sregParams(); } - if ($identifier_select) { + if ($this->identifier_select) { $params['openid.identity'] = $params['openid.claimed_id'] = 'http://specs.openid.net/auth/2.0/identifier_select'; } else { @@ -573,17 +615,15 @@ logger('openid' . $content); * @param String $select_identifier Whether to request OP to select identity for an user in OpenID 2. Does not affect OpenID 1. * @throws ErrorException */ - function authUrl($identifier_select = null) + function authUrl($immediate = false) { + if ($this->setup_url && !$immediate) return $this->setup_url; if (!$this->server) $this->discover($this->identity); if ($this->version == 2) { - if ($identifier_select === null) { - return $this->authUrl_v2($this->identifier_select); - } - return $this->authUrl_v2($identifier_select); + return $this->authUrl_v2($immediate); } - return $this->authUrl_v1(); + return $this->authUrl_v1($immediate); } /** @@ -593,6 +633,18 @@ logger('openid' . $content); */ function validate() { + # If the request was using immediate mode, a failure may be reported + # by presenting user_setup_url (for 1.1) or reporting + # mode 'setup_needed' (for 2.0). Also catching all modes other than + # id_res, in order to avoid throwing errors. + if(isset($this->data['openid_user_setup_url'])) { + $this->setup_url = $this->data['openid_user_setup_url']; + return false; + } + if($this->mode != 'id_res') { + return false; + } + $this->claimed_id = isset($this->data['openid_claimed_id'])?$this->data['openid_claimed_id']:$this->data['openid_identity']; $params = array( 'openid.assoc_handle' => $this->data['openid_assoc_handle'], @@ -605,7 +657,9 @@ logger('openid' . $content); # Even though we should know location of the endpoint, # we still need to verify it by discovery, so $server is not set here $params['openid.ns'] = 'http://specs.openid.net/auth/2.0'; - } elseif(isset($this->data['openid_claimed_id'])) { + } elseif (isset($this->data['openid_claimed_id']) + && $this->data['openid_claimed_id'] != $this->data['openid_identity'] + ) { # If it's an OpenID 1 provider, and we've got claimed_id, # we have to append it to the returnUrl, like authUrl_v1 does. $this->returnUrl .= (strpos($this->returnUrl, '?') ? '&' : '?') @@ -665,8 +719,8 @@ logger('openid' . $content); } $attributes = array(); - foreach ($this->data as $key => $value) { - $keyMatch = 'openid_' . $alias . '_value_'; + foreach (explode(',', $this->data['openid_signed']) as $key) { + $keyMatch = $alias . '.value.'; if (substr($key, 0, strlen($keyMatch)) != $keyMatch) { continue; } @@ -677,8 +731,10 @@ logger('openid' . $content); # to check, than cause an E_NOTICE. continue; } + $value = $this->data['openid_' . $alias . '_value_' . $key]; $key = substr($this->data['openid_' . $alias . '_type_' . $key], strlen('http://axschema.org/')); + $attributes[$key] = $value; } return $attributes; @@ -688,8 +744,8 @@ logger('openid' . $content); { $attributes = array(); $sreg_to_ax = array_flip(self::$ax_to_sreg); - foreach ($this->data as $key => $value) { - $keyMatch = 'openid_sreg_'; + foreach (explode(',', $this->data['openid_signed']) as $key) { + $keyMatch = 'sreg.'; if (substr($key, 0, strlen($keyMatch)) != $keyMatch) { continue; } @@ -698,7 +754,7 @@ logger('openid' . $content); # The field name isn't part of the SREG spec, so we ignore it. continue; } - $attributes[$sreg_to_ax[$key]] = $value; + $attributes[$sreg_to_ax[$key]] = $this->data['openid_sreg_' . $key]; } return $attributes; } diff --git a/library/openid/provider/example-mysql.php b/library/openid/provider/example-mysql.php new file mode 100644 index 000000000..574e3c811 --- /dev/null +++ b/library/openid/provider/example-mysql.php @@ -0,0 +1,194 @@ +<?php +/** + * This example shows several things: + * - How a setup interface should look like. + * - How to use a mysql table for authentication + * - How to store associations in mysql table, instead of php sessions. + * - How to store realm authorizations. + * - How to send AX/SREG parameters. + * For the example to work, you need to create the necessary tables: +CREATE TABLE Users ( + id INT NOT NULL auto_increment PRIMARY KEY, + login VARCHAR(32) NOT NULL, + password CHAR(40) NOT NULL, + firstName VARCHAR(32) NOT NULL, + lastName VARCHAR(32) NOT NULL +); + +CREATE TABLE AllowedSites ( + user INT NOT NULL, + realm TEXT NOT NULL, + attributes TEXT NOT NULL, + INDEX(user) +); + +CREATE TABLE Associations ( + id INT NOT NULL PRIMARY KEY, + data TEXT NOT NULL +); + * + * This is only an example. Don't use it in your code as-is. + * It has several security flaws, which you shouldn't copy (like storing plaintext login and password in forms). + * + * This setup could be very easily flooded with many associations, + * since non-private ones aren't automatically deleted. + * You could prevent this by storing a date of association and removing old ones, + * or by setting $this->dh = false; + * However, the latter one would disable stateful mode, unless connecting via HTTPS. + */ +require 'provider.php'; + +mysql_connect(); +mysql_select_db('test'); + +function getUserData($handle=null) +{ + if(isset($_POST['login'],$_POST['password'])) { + $login = mysql_real_escape_string($_POST['login']); + $password = sha1($_POST['password']); + $q = mysql_query("SELECT * FROM Users WHERE login = '$login' AND password = '$password'"); + if($data = mysql_fetch_assoc($q)) { + return $data; + } + if($handle) { + echo 'Wrong login/password.'; + } + } + if($handle) { + ?> + <form action="" method="post"> + <input type="hidden" name="openid.assoc_handle" value="<?php echo $handle?>"> + Login: <input type="text" name="login"><br> + Password: <input type="password" name="password"><br> + <button>Submit</button> + </form> + <?php + die(); + } +} + +class MysqlProvider extends LightOpenIDProvider +{ + private $attrMap = array( + 'namePerson/first' => 'First name', + 'namePerson/last' => 'Last name', + 'namePerson/friendly' => 'Nickname (login)' + ); + + private $attrFieldMap = array( + 'namePerson/first' => 'firstName', + 'namePerson/last' => 'lastName', + 'namePerson/friendly' => 'login' + ); + + function setup($identity, $realm, $assoc_handle, $attributes) + { + $data = getUserData($assoc_handle); + echo '<form action="" method="post">' + . '<input type="hidden" name="openid.assoc_handle" value="' . $assoc_handle . '">' + . '<input type="hidden" name="login" value="' . $_POST['login'] .'">' + . '<input type="hidden" name="password" value="' . $_POST['password'] .'">' + . "<b>$realm</b> wishes to authenticate you."; + if($attributes['required'] || $attributes['optional']) { + echo " It also requests following information (required fields marked with *):" + . '<ul>'; + + foreach($attributes['required'] as $attr) { + if(isset($this->attrMap[$attr])) { + echo '<li>' + . '<input type="checkbox" name="attributes[' . $attr . ']"> ' + . $this->attrMap[$attr] . '(*)</li>'; + } + } + + foreach($attributes['optional'] as $attr) { + if(isset($this->attrMap[$attr])) { + echo '<li>' + . '<input type="checkbox" name="attributes[' . $attr . ']"> ' + . $this->attrMap[$attr] . '</li>'; + } + } + echo '</ul>'; + } + echo '<br>' + . '<button name="once">Allow once</button> ' + . '<button name="always">Always allow</button> ' + . '<button name="cancel">cancel</button> ' + . '</form>'; + } + + function checkid($realm, &$attributes) + { + if(isset($_POST['cancel'])) { + $this->cancel(); + } + + $data = getUserData(); + if(!$data) { + return false; + } + $realm = mysql_real_escape_string($realm); + $q = mysql_query("SELECT attributes FROM AllowedSites WHERE user = '{$data['id']}' AND realm = '$realm'"); + + $attrs = array(); + if($attrs = mysql_fetch_row($q)) { + $attrs = explode(',', $attributes[0]); + } elseif(isset($_POST['attributes'])) { + $attrs = array_keys($_POST['attributes']); + } elseif(!isset($_POST['once']) && !isset($_POST['always'])) { + return false; + } + + $attributes = array(); + foreach($attrs as $attr) { + if(isset($this->attrFieldMap[$attr])) { + $attributes[$attr] = $data[$this->attrFieldMap[$attr]]; + } + } + + if(isset($_POST['always'])) { + $attrs = mysql_real_escape_string(implode(',', array_keys($attributes))); + mysql_query("REPLACE INTO AllowedSites VALUES('{$data['id']}', '$realm', '$attrs')"); + } + + return $this->serverLocation . '?' . $data['login']; + } + + function assoc_handle() + { + # We generate an integer assoc handle, because it's just faster to look up an integer later. + $q = mysql_query("SELECT MAX(id) FROM Associations"); + $result = mysql_fetch_row($q); + return $q[0]+1; + } + + function setAssoc($handle, $data) + { + $data = mysql_real_escape_string(serialize($data)); + mysql_query("REPLACE INTO Associations VALUES('$handle', '$data')"); + } + + function getAssoc($handle) + { + if(!is_numeric($handle)) { + return false; + } + $q = mysql_query("SELECT data FROM Associations WHERE id = '$handle'"); + $data = mysql_fetch_row($q); + if(!$data) { + return false; + } + return unserialize($data[0]); + } + + function delAssoc($handle) + { + if(!is_numeric($handle)) { + return false; + } + mysql_query("DELETE FROM Associations WHERE id = '$handle'"); + } + +} +$op = new MysqlProvider; +$op->server(); diff --git a/library/openid/provider/example.php b/library/openid/provider/example.php new file mode 100644 index 000000000..b8a4c24a9 --- /dev/null +++ b/library/openid/provider/example.php @@ -0,0 +1,53 @@ +<?php +/** + * This example shows how to create a basic provider usin HTTP Authentication. + * This is only an example. You shouldn't use it as-is in your code. + */ +require 'provider.php'; + +class BasicProvider extends LightOpenIDProvider +{ + public $select_id = true; + public $login = ''; + public $password = ''; + + function __construct() + { + parent::__construct(); + + # If we use select_id, we must disable it for identity pages, + # so that an RP can discover it and get proper data (i.e. without select_id) + if(isset($_GET['id'])) { + $this->select_id = false; + } + } + + function setup($identity, $realm, $assoc_handle, $attributes) + { + header('WWW-Authenticate: Basic realm="' . $this->data['openid_realm'] . '"'); + header('HTTP/1.0 401 Unauthorized'); + } + + function checkid($realm, &$attributes) + { + if(!isset($_SERVER['PHP_AUTH_USER'])) { + return false; + } + + if ($_SERVER['PHP_AUTH_USER'] == $this->login + && $_SERVER['PHP_AUTH_PW'] == $this->password + ) { + # Returning identity + # It can be any url that leads here, or to any other place that hosts + # an XRDS document pointing here. + return $this->serverLocation . '?id=' . $this->login; + } + + return false; + } + +} +$op = new BasicProvider; +$op->login = 'test'; +$op->password = 'test'; +$op->server(); diff --git a/library/openid/provider/provider.php b/library/openid/provider/provider.php new file mode 100644 index 000000000..03fbe1c81 --- /dev/null +++ b/library/openid/provider/provider.php @@ -0,0 +1,845 @@ +<?php +/** + * Using this class, you can easily set up an OpenID Provider. + * It's independent of LightOpenID class. + * It requires either GMP or BCMath for session encryption, + * but will work without them (although either via SSL, or in stateless mode only). + * Also, it requires PHP >= 5.1.2 + * + * This is an alpha version, using it in production code is not recommended, + * until you are *sure* that it works and is secure. + * + * Please send me messages about your testing results + * (even if successful, so I know that it has been tested). + * Also, if you think there's a way to make it easier to use, tell me -- it's an alpha for a reason. + * Same thing applies to bugs in code, suggestions, + * and everything else you'd like to say about the library. + * + * There's no usage documentation here, see the examples. + * + * @author Mewp + * @copyright Copyright (c) 2010, Mewp + * @license http://www.opensource.org/licenses/mit-license.php MIT + */ +ini_set('error_log','log'); +abstract class LightOpenIDProvider +{ + # URL-s to XRDS and server location. + public $xrdsLocation, $serverLocation; + + # Should we operate in server, or signon mode? + public $select_id = false; + + # Lifetime of an association. + protected $assoc_lifetime = 600; + + # Variables below are either set automatically, or are constant. + # ----- + # Can we support DH? + protected $dh = true; + protected $ns = 'http://specs.openid.net/auth/2.0'; + protected $data, $assoc; + + # Default DH parameters as defined in the specification. + protected $default_modulus; + protected $default_gen = 'Ag=='; + + # AX <-> SREG transform + protected $ax_to_sreg = array( + 'namePerson/friendly' => 'nickname', + 'contact/email' => 'email', + 'namePerson' => 'fullname', + 'birthDate' => 'dob', + 'person/gender' => 'gender', + 'contact/postalCode/home' => 'postcode', + 'contact/country/home' => 'country', + 'pref/language' => 'language', + 'pref/timezone' => 'timezone', + ); + + # Math + private $add, $mul, $pow, $mod, $div, $powmod; + # ----- + + # ------------------------------------------------------------------------ # + # Functions you probably want to implement when extending the class. + + /** + * Checks whether an user is authenticated. + * The function should determine what fields it wants to send to the RP, + * and put them in the $attributes array. + * @param Array $attributes + * @param String $realm Realm used for authentication. + * @return String OP-local identifier of an authenticated user, or an empty value. + */ + abstract function checkid($realm, &$attributes); + + /** + * Displays an user interface for inputting user's login and password. + * Attributes are always AX field namespaces, with stripped host part. + * For example, the $attributes array may be: + * array( 'required' => array('namePerson/friendly', 'contact/email'), + * 'optional' => array('pref/timezone', 'pref/language') + * @param String $identity Discovered identity string. May be used to extract login, unless using $this->select_id + * @param String $realm Realm used for authentication. + * @param String Association handle. must be sent as openid.assoc_handle in $_GET or $_POST in subsequent requests. + * @param Array User attributes requested by the RP. + */ + abstract function setup($identity, $realm, $assoc_handle, $attributes); + + /** + * Stores an association. + * If you want to use php sessions in your provider code, you have to replace it. + * @param String $handle Association handle -- should be used as a key. + * @param Array $assoc Association data. + */ + protected function setAssoc($handle, $assoc) + { + $oldSession = session_id(); + session_commit(); + session_id($assoc['handle']); + session_start(); + $_SESSION['assoc'] = $assoc; + session_commit(); + if($oldSession) { + session_id($oldSession); + session_start(); + } + } + + /** + * Retreives association data. + * If you want to use php sessions in your provider code, you have to replace it. + * @param String $handle Association handle. + * @return Array Association data. + */ + protected function getAssoc($handle) + { + $oldSession = session_id(); + session_commit(); + session_id($handle); + session_start(); + if(empty($_SESSION['assoc'])) { + return null; + } + return $_SESSION['assoc']; + session_commit(); + if($oldSession) { + session_id($oldSession); + session_start(); + } + } + + /** + * Deletes an association. + * If you want to use php sessions in your provider code, you have to replace it. + * @param String $handle Association handle. + */ + protected function delAssoc($handle) + { + $oldSession = session_id(); + session_commit(); + session_id($handle); + session_start(); + session_destroy(); + if($oldSession) { + session_id($oldSession); + session_start(); + } + } + + # ------------------------------------------------------------------------ # + # Functions that you might want to implement. + + /** + * Redirects the user to an url. + * @param String $location The url that the user will be redirected to. + */ + protected function redirect($location) + { + header('Location: ' . $location); + die(); + } + + /** + * Generates a new association handle. + * @return string + */ + protected function assoc_handle() + { + return sha1(microtime()); + } + + /** + * Generates a random shared secret. + * @return string + */ + protected function shared_secret($hash) + { + $length = 20; + if($hash == 'sha256') { + $length = 256; + } + + $secret = ''; + for($i = 0; $i < $length; $i++) { + $secret .= mt_rand(0,255); + } + + return $secret; + } + + /** + * Generates a private key. + * @param int $length Length of the key. + */ + protected function keygen($length) + { + $key = ''; + for($i = 1; $i < $length; $i++) { + $key .= mt_rand(0,9); + } + $key .= mt_rand(1,9); + + return $key; + } + + # ------------------------------------------------------------------------ # + # Functions that you probably shouldn't touch. + + function __construct() + { + $this->default_modulus = + 'ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX+YkcLiemOcPy' + . 'm2CBRYHNOyyjmG0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi/368Ygo79JRnxTkXjgmY0' + . 'rxlJ5bU1zIKaSDuKdiI+XUkKJX8Fvf8W8vsixYOr'; + + $location = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://' + . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; + $location = preg_replace('/\?.*/','',$location); + $this->serverLocation = $location; + $location .= (strpos($location, '?') ? '&' : '?') . 'xrds'; + $this->xrdsLocation = $location; + + $this->data = $_GET + $_POST; + + # We choose GMP if avaiable, and bcmath otherwise + if(function_exists('gmp_add')) { + $this->add = 'gmp_add'; + $this->mul = 'gmp_mul'; + $this->pow = 'gmp_pow'; + $this->mod = 'gmp_mod'; + $this->div = 'gmp_div'; + $this->powmod = 'gmp_powm'; + } elseif(function_exists('bcadd')) { + $this->add = 'bcadd'; + $this->mul = 'bcmul'; + $this->pow = 'bcpow'; + $this->mod = 'bcmod'; + $this->div = 'bcdiv'; + $this->powmod = 'bcpowmod'; + } else { + # If neither are avaiable, we can't use DH + $this->dh = false; + } + + # However, we do require the hash functions. + # They should be built-in anyway. + if(!function_exists('hash_algos')) { + $this->dh = false; + } + } + + /** + * Displays an XRDS document, or redirects to it. + * By default, it detects whether it should display or redirect automatically. + * @param bool|null $force When true, always display the document, when false always redirect. + */ + function xrds($force=null) + { + if($force) { + echo $this->xrdsContent(); + die(); + } elseif($force === false) { + header('X-XRDS-Location: '. $this->xrdsLocation); + return; + } + + if (isset($_GET['xrds']) + || (isset($_SERVER['HTTP_ACCEPT']) && strpos($_SERVER['HTTP_ACCEPT'], 'application/xrds+xml') !== false) + ) { + header('Content-Type: application/xrds+xml'); + echo $this->xrdsContent(); + die(); + } + + header('X-XRDS-Location: ' . $this->xrdsLocation); + } + + /** + * Returns the content of the XRDS document + * @return String The XRDS document. + */ + protected function xrdsContent() + { + $lines = array( + '<?xml version="1.0" encoding="UTF-8"?>', + '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">', + '<XRD>', + ' <Service>', + ' <Type>' . $this->ns . '/' . ($this->select_id ? 'server' : 'signon') .'</Type>', + ' <URI>' . $this->serverLocation . '</URI>', + ' </Service>', + '</XRD>', + '</xrds:XRDS>' + ); + return implode("\n", $lines); + } + + /** + * Does everything that a provider has to -- in one function. + */ + function server() + { + if(isset($this->data['openid_assoc_handle'])) { + $this->assoc = $this->getAssoc($this->data['openid_assoc_handle']); + if(isset($this->assoc['data'])) { + # We have additional data stored for setup. + $this->data += $this->assoc['data']; + unset($this->assoc['data']); + } + } + + if (isset($this->data['openid_ns']) + && $this->data['openid_ns'] == $this->ns + ) { + if(!isset($this->data['openid_mode'])) $this->errorResponse(); + + switch($this->data['openid_mode']) + { + case 'checkid_immediate': + case 'checkid_setup': + $this->checkRealm(); + # We support AX xor SREG. + $attributes = $this->ax(); + if(!$attributes) { + $attributes = $this->sreg(); + } + + # Even if some user is authenticated, we need to know if it's + # the same one that want's to authenticate. + # Of course, if we use select_id, we accept any user. + if (($identity = $this->checkid($this->data['openid_realm'], $attrValues)) + && ($this->select_id || $identity == $this->data['openid_identity']) + ) { + $this->positiveResponse($identity, $attrValues); + } elseif($this->data['openid_mode'] == 'checkid_immediate') { + $this->redirect($this->response(array('openid.mode' => 'setup_needed'))); + } else { + if(!$this->assoc) { + $this->generateAssociation(); + $this->assoc['private'] = true; + } + $this->assoc['data'] = $this->data; + $this->setAssoc($this->assoc['handle'], $this->assoc); + $this->setup($this->data['openid_identity'], + $this->data['openid_realm'], + $this->assoc['handle'], + $attributes); + } + break; + case 'associate': + $this->associate(); + break; + case 'check_authentication': + $this->checkRealm(); + if($this->verify()) { + echo "ns:$this->ns\nis_valid:true"; + if(strpos($this->data['openid_signed'],'invalidate_handle') !== false) { + echo "\ninvalidate_handle:" . $this->data['openid_invalidate_handle']; + } + } else { + echo "ns:$this->ns\nis_valid:false"; + } + die(); + break; + default: + $this->errorResponse(); + } + } else { + $this->xrds(); + } + } + + protected function checkRealm() + { + if (!isset($this->data['openid_return_to'], $this->data['openid_realm'])) { + $this->errorResponse(); + } + + $realm = str_replace('\*', '[^/]', preg_quote($this->data['openid_realm'])); + if(!preg_match("#^$realm#", $this->data['openid_return_to'])) { + $this->errorResponse(); + } + } + + protected function ax() + { + # Namespace prefix that the fields must have. + $ns = 'http://axschema.org/'; + + # First, we must find out what alias is used for AX. + # Let's check the most likely one + $alias = null; + if (isset($this->data['openid_ns_ax']) + && $this->data['openid_ns_ax'] == 'http://openid.net/srv/ax/1.0' + ) { + $alias = 'ax'; + } else { + foreach($this->data as $name => $value) { + if ($value == 'http://openid.net/srv/ax/1.0' + && preg_match('/openid_ns_(.+)/', $name, $m) + ) { + $alias = $m[1]; + break; + } + } + } + + if(!$alias) { + return null; + } + + $fields = array(); + # Now, we must search again, this time for field aliases + foreach($this->data as $name => $value) { + if (strpos($name, 'openid_' . $alias . '_type') === false + || strpos($value, $ns) === false) { + continue; + } + + $name = substr($name, strlen('openid_' . $alias . '_type_')); + $value = substr($value, strlen($ns)); + + $fields[$name] = $value; + } + + # Then, we find out what fields are required and optional + $required = array(); + $if_available = array(); + foreach(array('required','if_available') as $type) { + if(empty($this->data["openid_{$alias}_{$type}"])) { + continue; + } + $attributes = explode(',', $this->data["openid_{$alias}_{$type}"]); + foreach($attributes as $attr) { + if(empty($fields[$attr])) { + # There is an undefined field here, so we ignore it. + continue; + } + + ${$type}[] = $fields[$attr]; + } + } + + $this->data['ax'] = true; + return array('required' => $required, 'optional' => $if_available); + } + + protected function sreg() + { + $sreg_to_ax = array_flip($this->ax_to_sreg); + + $attributes = array('required' => array(), 'optional' => array()); + + if (empty($this->data['openid_sreg_required']) + && empty($this->data['openid_sreg_optional']) + ) { + return $attributes; + } + + foreach(array('required', 'optional') as $type) { + foreach(explode(',',$this->data['openid_sreg_' . $type]) as $attr) { + if(empty($sreg_to_ax[$attr])) { + # Undefined attribute in SREG request. + # Shouldn't happen, but we check anyway. + continue; + } + + $attributes[$type][] = $sreg_to_ax[$attr]; + } + } + + return $attributes; + } + + /** + * Aids an RP in assertion verification. + * @return bool Information whether the verification suceeded. + */ + protected function verify() + { + # Firstly, we need to make sure that there's an association. + # Otherwise the verification will fail, + # because we've signed assoc_handle in the assertion + if(empty($this->assoc)) { + return false; + } + + # Next, we check that it's a private association, + # i.e. one made without RP input. + # Otherwise, the RP shouldn't ask us to verify. + if(empty($this->assoc['private'])) { + return false; + } + + # Now we have to check if the nonce is correct, to prevent replay attacks. + if($this->data['openid_response_nonce'] != $this->assoc['nonce']) { + return false; + } + + # Getting the signed fields for signature. + $sig = array(); + $signed = explode(',', $this->data['openid_signed']); + foreach($signed as $field) { + $name = strtr($field, '.', '_'); + if(!isset($this->data['openid_' . $name])) { + return false; + } + + $sig[$field] = $this->data['openid_' . $name]; + } + + # Computing the signature and checking if it matches. + $sig = $this->keyValueForm($sig); + if ($this->data['openid_sig'] != + base64_encode(hash_hmac($this->assoc['hash'], $sig, $this->assoc['mac'], true)) + ) { + return false; + } + + # Clearing the nonce, so that it won't be used again. + $this->assoc['nonce'] = null; + + if(empty($this->assoc['private'])) { + # Commiting changes to the association. + $this->setAssoc($this->assoc['handle'], $this->assoc); + } else { + # Private associations shouldn't be used again, se we can as well delete them. + $this->delAssoc($this->assoc['handle']); + } + + # Nothing has failed, so the verification was a success. + return true; + } + + /** + * Performs association with an RP. + */ + protected function associate() + { + # Rejecting no-encryption without TLS. + if(empty($_SERVER['HTTPS']) && $this->data['openid_session_type'] == 'no-encryption') { + $this->directErrorResponse(); + } + + # Checking whether we support DH at all. + if (!$this->dh && substr($this->data['openid_session_type'], 0, 2) == 'DH') { + $this->redirect($this->response(array( + 'openid.error' => 'DH not supported', + 'openid.error_code' => 'unsupported-type', + 'openid.session_type' => 'no-encryption' + ))); + } + + # Creating the association + $this->assoc = array(); + $this->assoc['hash'] = $this->data['openid_assoc_type'] == 'HMAC-SHA256' ? 'sha256' : 'sha1'; + $this->assoc['handle'] = $this->assoc_handle(); + + # Getting the shared secret + if($this->data['openid_session_type'] == 'no-encryption') { + $this->assoc['mac'] = base64_encode($this->shared_secret($this->assoc['hash'])); + } else { + $this->dh(); + } + + # Preparing the direct response... + $response = array( + 'ns' => $this->ns, + 'assoc_handle' => $this->assoc['handle'], + 'assoc_type' => $this->data['openid_assoc_type'], + 'session_type' => $this->data['openid_session_type'], + 'expires_in' => $this->assoc_lifetime + ); + + if(isset($this->assoc['dh_server_public'])) { + $response['dh_server_public'] = $this->assoc['dh_server_public']; + $response['enc_mac_key'] = $this->assoc['mac']; + } else { + $response['mac_key'] = $this->assoc['mac']; + } + + # ...and sending it. + echo $this->keyValueForm($response); + die(); + } + + /** + * Creates a private association. + */ + protected function generateAssociation() + { + $this->assoc = array(); + # We use sha1 by default. + $this->assoc['hash'] = 'sha1'; + $this->assoc['mac'] = $this->shared_secret('sha1'); + $this->assoc['handle'] = $this->assoc_handle(); + } + + /** + * Encrypts the MAC key using DH key exchange. + */ + protected function dh() + { + if(empty($this->data['openid_dh_modulus'])) { + $this->data['openid_dh_modulus'] = $this->default_modulus; + } + + if(empty($this->data['openid_dh_gen'])) { + $this->data['openid_dh_gen'] = $this->default_gen; + } + + if(empty($this->data['openid_dh_consumer_public'])) { + $this->directErrorResponse(); + } + + $modulus = $this->b64dec($this->data['openid_dh_modulus']); + $gen = $this->b64dec($this->data['openid_dh_gen']); + $consumerKey = $this->b64dec($this->data['openid_dh_consumer_public']); + + $privateKey = $this->keygen(strlen($modulus)); + $publicKey = $this->powmod($gen, $privateKey, $modulus); + $ss = $this->powmod($consumerKey, $privateKey, $modulus); + + $mac = $this->x_or(hash($this->assoc['hash'], $ss, true), $this->shared_secret($this->assoc['hash'])); + $this->assoc['dh_server_public'] = $this->decb64($publicKey); + $this->assoc['mac'] = base64_encode($mac); + } + + /** + * XORs two strings. + * @param String $a + * @param String $b + * @return String $a ^ $b + */ + protected function x_or($a, $b) + { + $length = strlen($a); + for($i = 0; $i < $length; $i++) { + $a[$i] = $a[$i] ^ $b[$i]; + } + + return $a; + } + + /** + * Prepares an indirect response url. + * @param array $params Parameters to be sent. + */ + protected function response($params) + { + $params += array('openid.ns' => $this->ns); + return $this->data['openid_return_to'] + . (strpos($this->data['openid_return_to'],'?') ? '&' : '?') + . http_build_query($params, '', '&'); + } + + /** + * Outputs a direct error. + */ + protected function errorResponse() + { + if(!empty($this->data['openid_return_to'])) { + $response = array( + 'openid.mode' => 'error', + 'openid.error' => 'Invalid request' + ); + $this->redirect($this->response($response)); + } else { + header('HTTP/1.1 400 Bad Request'); + $response = array( + 'ns' => $this->ns, + 'error' => 'Invalid request' + ); + echo $this->keyValueForm($response); + } + die(); + } + + /** + * Sends an positive assertion. + * @param String $identity the OP-Local Identifier that is being authenticated. + * @param Array $attributes User attributes to be sent. + */ + protected function positiveResponse($identity, $attributes) + { + # We generate a private association if there is none established. + if(!$this->assoc) { + $this->generateAssociation(); + $this->assoc['private'] = true; + } + + # We set openid.identity (and openid.claimed_id if necessary) to our $identity + if($this->data['openid_identity'] == $this->data['openid_claimed_id'] || $this->select_id) { + $this->data['openid_claimed_id'] = $identity; + } + $this->data['openid_identity'] = $identity; + + # Preparing fields to be signed + $params = array( + 'op_endpoint' => $this->serverLocation, + 'claimed_id' => $this->data['openid_claimed_id'], + 'identity' => $this->data['openid_identity'], + 'return_to' => $this->data['openid_return_to'], + 'realm' => $this->data['openid_realm'], + 'response_nonce' => gmdate("Y-m-d\TH:i:s\Z"), + 'assoc_handle' => $this->assoc['handle'], + ); + + $params += $this->responseAttributes($attributes); + + # Has the RP used an invalid association handle? + if (isset($this->data['openid_assoc_handle']) + && $this->data['openid_assoc_handle'] != $this->assoc['handle'] + ) { + $params['invalidate_handle'] = $this->data['openid_assoc_handle']; + } + + # Signing the $params + $sig = hash_hmac($this->assoc['hash'], $this->keyValueForm($params), $this->assoc['mac'], true); + $req = array( + 'openid.mode' => 'id_res', + 'openid.signed' => implode(',', array_keys($params)), + 'openid.sig' => base64_encode($sig), + ); + + # Saving the nonce and commiting the association. + $this->assoc['nonce'] = $params['response_nonce']; + $this->setAssoc($this->assoc['handle'], $this->assoc); + + # Preparing and sending the response itself + foreach($params as $name => $value) { + $req['openid.' . $name] = $value; + } + + $this->redirect($this->response($req)); + } + + /** + * Prepares an array of attributes to send + */ + protected function responseAttributes($attributes) + { + if(!$attributes) return array(); + + $ns = 'http://axschema.org/'; + + $response = array(); + if(isset($this->data['ax'])) { + $response['ns.ax'] = 'http://openid.net/srv/ax/1.0'; + foreach($attributes as $name => $value) { + $alias = strtr($name, '/', '_'); + $response['ax.type.' . $alias] = $ns . $name; + $response['ax.value.' . $alias] = $value; + } + return $response; + } + + foreach($attributes as $name => $value) { + if(!isset($this->ax_to_sreg[$name])) { + continue; + } + + $response['sreg.' . $this->ax_to_sreg[$name]] = $value; + } + return $response; + } + + /** + * Encodes fields in key-value form. + * @param Array $params Fields to be encoded. + * @return String $params in key-value form. + */ + protected function keyValueForm($params) + { + $str = ''; + foreach($params as $name => $value) { + $str .= "$name:$value\n"; + } + + return $str; + } + + /** + * Responds with an information that the user has canceled authentication. + */ + protected function cancel() + { + $this->redirect($this->response(array('openid.mode' => 'cancel'))); + } + + /** + * Converts base64 encoded number to it's decimal representation. + * @param String $str base64 encoded number. + * @return String Decimal representation of that number. + */ + protected function b64dec($str) + { + $bytes = unpack('C*', base64_decode($str)); + $n = 0; + foreach($bytes as $byte) { + $n = $this->add($this->mul($n, 256), $byte); + } + + return $n; + } + + /** + * Complements b64dec. + */ + protected function decb64($num) + { + $bytes = array(); + while($num) { + array_unshift($bytes, $this->mod($num, 256)); + $num = $this->div($num, 256); + } + + if($bytes && $bytes[0] > 127) { + array_unshift($bytes,0); + } + + array_unshift($bytes, 'C*'); + + return base64_encode(call_user_func_array('pack', $bytes)); + } + + function __call($name, $args) + { + switch($name) { + case 'add': + case 'mul': + case 'pow': + case 'mod': + case 'div': + case 'powmod': + if(function_exists('gmp_strval')) { + return gmp_strval(call_user_func_array($this->$name, $args)); + } + return call_user_func_array($this->$name, $args); + default: + throw new BadMethodCallException(); + } + } +} diff --git a/mod/bookmarks.php b/mod/bookmarks.php index 67208937d..c5be68b8e 100644 --- a/mod/bookmarks.php +++ b/mod/bookmarks.php @@ -57,7 +57,7 @@ function bookmarks_content(&$a) { if($x) { foreach($x as $xx) { $y = menu_fetch($xx['menu_name'],local_user(),get_observer_hash()); - $o .= menu_render($y); + $o .= menu_render($y,true); } } @@ -69,7 +69,7 @@ function bookmarks_content(&$a) { if($x) { foreach($x as $xx) { $y = menu_fetch($xx['menu_name'],local_user(),get_observer_hash()); - $o .= menu_render($y); + $o .= menu_render($y,true); } } diff --git a/mod/item.php b/mod/item.php index fa7720791..dc005bb20 100644 --- a/mod/item.php +++ b/mod/item.php @@ -453,6 +453,16 @@ function item_post(&$a) { * the post and we should keep it private. If it's encrypted we have no way of knowing * so we'll set the permissions regardless and realise that the media may not be * referenced in the post. + * + * What is preventing us from being able to upload photos into comments is dealing with + * the photo and attachment permissions, since we don't always know who was in the + * distribution for the top level post. + * + * We might be able to provide this functionality with a lot of fiddling: + * - if the top level post is public (make the photo public) + * - if the top level post was written by us or a wall post that belongs to us (match the top level post) + * - if the top level post has privacy mentions, add those to the permissions. + * - otherwise disallow the photo *or* make the photo public. This is the part that gets messy. */ if(! $preview) { diff --git a/mod/openid.php b/mod/openid.php new file mode 100644 index 000000000..1ab8749ee --- /dev/null +++ b/mod/openid.php @@ -0,0 +1,188 @@ +<?php + + +require_once('library/openid/openid.php'); +require_once('include/auth.php'); + +function openid_content(&$a) { + + $noid = get_config('system','disable_openid'); + if($noid) + goaway(z_root()); + + logger('mod_openid ' . print_r($_REQUEST,true), LOGGER_DATA); + + if(x($_REQUEST,'openid_mode')) { + + $openid = new LightOpenID(z_root()); + + if($openid->validate()) { + + logger('openid: validate'); + + $authid = normalise_openid($_REQUEST['openid_identity']); + + if(! strlen($authid)) { + logger( t('OpenID protocol error. No ID returned.') . EOL); + goaway(z_root()); + } + + $x = match_openid($authid); + if($x) { + + $r = q("select * from channel where channel_id = %d limit 1", + intval($x) + ); + if($r) { + $y = q("select * from account where account_id = %d limit 1", + intval($r[0]['channel_account_id']) + ); + if($y) { + foreach($y as $record) { + if(($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)) { + logger('mod_openid: openid success for ' . $x[0]['channel_name']); + $_SESSION['uid'] = $r[0]['channel_id']; + $_SESSION['authenticated'] = true; + authenticate_success($record,true,true,true,true); + goaway(z_root()); + } + } + } + } + } + + // Successful OpenID login - but we can't match it to an existing account. + // See if they've got an xchan + + $r = q("select * from xconfig left join xchan on xchan_hash = xconfig.xchan where cat = 'system' and k = 'openid' and v = '%s' limit 1", + dbesc($authid) + ); + + if($r) { + $_SESSION['authenticated'] = 1; + $_SESSION['visitor_id'] = $r[0]['xchan_hash']; + $_SESSION['my_address'] = $r[0]['xchan_addr']; + $arr = array('xchan' => $r[0], 'session' => $_SESSION); + call_hooks('magic_auth_openid_success',$arr); + $a->set_observer($r[0]); + require_once('include/security.php'); + $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); + info(sprintf( t('Welcome %s. Remote authentication successful.'),$r[0]['xchan_name'])); + logger('mod_openid: remote auth success from ' . $r[0]['xchan_addr']); + if($_SESSION['return_url']) + goaway($_SESSION['return_url']); + goaway(z_root()); + } + + // no xchan... + // create one. + // We should probably probe the openid url and figure out if they have any kind of social presence we might be able to + // scrape some identifying info from. + + $name = $authid; + $url = trim($_REQUEST['openid_identity'],'/'); + if(strpos($url,'http') === false) + $url = 'https://' . $url; + $pphoto = get_default_profile_photo(); + $parsed = @parse_url($url); + if($parsed) { + $host = $parsed['host']; + } + + $attr = $openid->getAttributes(); + + if(is_array($attr) && count($attr)) { + foreach($attr as $k => $v) { + if($k === 'namePerson/friendly') + $nick = notags(trim($v)); + if($k === 'namePerson/first') + $first = notags(trim($v)); + if($k === 'namePerson') + $name = notags(trim($v)); + if($k === 'contact/email') + $addr = notags(trim($v)); + if($k === 'media/image/aspect11') + $photosq = trim($v); + if($k === 'media/image/default') + $photo_other = trim($v); + } + } + if(! $nick) { + if($first) + $nick = $first; + else + $nick = $name; + } + + require_once('library/urlify/URLify.php'); + $x = strtolower(URLify::transliterate($nick)); + if($nick & $host) + $addr = $nick . '@' . $host; + $network = 'unknown'; + + if($photosq) + $pphoto = $photosq; + elseif($photo_other) + $pphoto = $photo_other; + + $x = q("insert into xchan ( xchan_hash, xchan_guid, xchan_guid_sig, xchan_pubkey, xchan_photo_mimetype, + xchan_photo_l, xchan_addr, xchan_url, xchan_connurl, xchan_follow, xchan_connpage, xchan_name, xchan_network, xchan_photo_date, + xchan_name_date, xchan_flags) + values ( '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d) ", + dbesc($url), + dbesc(''), + dbesc(''), + dbesc(''), + dbesc('image/jpeg'), + dbesc($pphoto), + dbesc($addr), + dbesc($url), + dbesc(''), + dbesc(''), + dbesc(''), + dbesc($name), + dbesc($network), + dbesc(datetime_convert()), + dbesc(datetime_convert()), + intval(XCHAN_FLAGS_HIDDEN) + ); + if($x) { + $r = q("select * from xchan where xchan_hash = '%s' limit 1", + dbesc($url) + ); + if($r) { + + $photos = import_profile_photo($pphoto,$url); + if($photos) { + $z = q("update xchan set xchan_photo_date = '%s', xchan_photo_l = '%s', xchan_photo_m = '%s', + xchan_photo_s = '%s', xchan_photo_mimetype = '%s' where xchan_hash = '%s' limit 1", + dbesc(datetime_convert()), + dbesc($photos[0]), + dbesc($photos[1]), + dbesc($photos[2]), + dbesc($photos[3]), + dbesc($url) + ); + } + + set_xconfig($url,'system','openid',$authid); + $_SESSION['authenticated'] = 1; + $_SESSION['visitor_id'] = $r[0]['xchan_hash']; + $_SESSION['my_address'] = $r[0]['xchan_addr']; + $arr = array('xchan' => $r[0], 'session' => $_SESSION); + call_hooks('magic_auth_openid_success',$arr); + $a->set_observer($r[0]); + info(sprintf( t('Welcome %s. Remote authentication successful.'),$r[0]['xchan_name'])); + logger('mod_openid: remote auth success from ' . $r[0]['xchan_addr']); + if($_SESSION['return_url']) + goaway($_SESSION['return_url']); + goaway(z_root()); + } + } + + } + } + notice( t('Login failed.') . EOL); + goaway(z_root()); + // NOTREACHED +} diff --git a/mod/rmagic.php b/mod/rmagic.php index b8c1c6553..946277327 100644 --- a/mod/rmagic.php +++ b/mod/rmagic.php @@ -22,31 +22,53 @@ function rmagic_init(&$a) { function rmagic_post(&$a) { - $address = $_REQUEST['address']; + $address = trim($_REQUEST['address']); + if(strpos($address,'@') === false) { - notice('Invalid address.'); - return; - } + $arr = array('address' => $address); + call_hooks('reverse_magic_auth', $arr); - $r = null; - if($address) { - $r = q("select hubloc_url from hubloc where hubloc_addr = '%s' limit 1", - dbesc($address) - ); - } - if($r) { - $url = $r[0]['hubloc_url']; + try { + require_once('library/openid/openid.php'); + $openid = new LightOpenID(z_root()); + $openid->identity = $address; + $openid->returnUrl = z_root() . '/openid'; + goaway($openid->authUrl()); + } catch (Exception $e) { + notice( t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.').'<br /><br >'. t('The error message was:').' '.$e->getMessage()); + } + + // if they're still here... + notice( t('Authentication failed.') . EOL); + return; } else { - $url = 'https://' . substr($address,strpos($address,'@')+1); - } - if($url) { - $dest = z_root() . '/' . str_replace('zid=','zid_=',$a->query_string); - goaway($url . '/magic' . '?f=&dest=' . $dest); - } + // Presumed Red identity. Perform reverse magic auth + + if(strpos($address,'@') === false) { + notice('Invalid address.'); + return; + } + $r = null; + if($address) { + $r = q("select hubloc_url from hubloc where hubloc_addr = '%s' limit 1", + dbesc($address) + ); + } + if($r) { + $url = $r[0]['hubloc_url']; + } + else { + $url = 'https://' . substr($address,strpos($address,'@')+1); + } + if($url) { + $dest = z_root() . '/' . str_replace('zid=','zid_=',$a->query_string); + goaway($url . '/magic' . '?f=&dest=' . $dest); + } + } } diff --git a/mod/settings.php b/mod/settings.php index 97965d0fd..5b0a8e8f2 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -798,6 +798,7 @@ function settings_content(&$a) { array( t('Anybody in your address book'), PERMS_CONTACTS), array( t('Anybody on this website'), PERMS_SITE), array( t('Anybody in this network'), PERMS_NETWORK), + array( t('Anybody authenticated'), PERMS_AUTHED), array( t('Anybody on the internet'), PERMS_PUBLIC) ); @@ -979,7 +980,7 @@ function settings_content(&$a) { '$h_descadvn' => t('Change the behaviour of this account for special situations'), '$pagetype' => $pagetype, '$expert' => feature_enabled(local_user(),'expert'), - '$hint' => t('Please enable expert mode (in Settings > Additional features) to adjust!'), + '$hint' => t('Please enable expert mode (in <a href="settings/features">Settings > Additional features</a>) to adjust!'), )); diff --git a/mod/siteinfo.php b/mod/siteinfo.php index 6b962c488..7fdb892d2 100644 --- a/mod/siteinfo.php +++ b/mod/siteinfo.php @@ -91,7 +91,7 @@ function siteinfo_content(&$a) { $admininfo = bbcode(get_config('system','admininfo')); $project_donate = t('Project Donations'); - $donate_text = t('<p>The Red Matrix is provided for you by volunteers working in their spare time. Your support will help us to build a better web. Select the following option for a one-time donation of your choosing</p>'); + $donate_text = t('<p>The Red Matrix is provided for you by volunteers working in their spare time. Your support will help us to build a better, freer, and privacy respecting web. Select the following option for a one-time donation of your choosing</p>'); $alternatively = t('<p>or</p>'); $recurring = t('Recurring Donation Options'); @@ -99,12 +99,12 @@ function siteinfo_content(&$a) { <h3>{$project_donate}</h3> $donate_text <form action="https://www.paypal.com/cgi-bin/webscr" method="post"><input type="hidden" name="cmd" value="_donations" /><input type="hidden" name="business" value="mike@macgirvin.com" /><input type="hidden" name="lc" value="US" /><input type="hidden" name="item_name" value="Distributed Social Network Support Donation" /><input type="hidden" name="no_note" value="0" /><input type="hidden" name="currency_code" value="USD" /><input type="hidden" name="bn" value="PP-DonationsBF:btn_donate_LG.gif:NonHostedGuest" /><input style="border: none;" type="image" name="submit" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" alt="Donations gladly accepted to support our work" /></form><br /> -$alternatively +<strong>$alternatively</strong> <form action="https://www.paypal.com/cgi-bin/webscr" method="post"><input type="hidden" name="cmd" value="_s-xclick" /><input type="hidden" name="hosted_button_id" value="FHV36KE28CYM8" /><br /> <table><tbody><tr><td><input type="hidden" name="on0" value="$recurring" />$recurring</td> </tr><tr><td> <select name="os0"><option value="Option 1">Option 1 : $3.00USD - monthly</option><option value="Option 2">Option 2 : $5.00USD - monthly</option><option value="Option 3">Option 3 : $10.00USD - monthly</option><option value="Option 4">Option 4 : $20.00USD - monthly</option></select></td> -</tr></tbody></table><p><input type="hidden" name="currency_code" value="USD" /><input type="image" border="0" name="submit" src="https://www.paypalobjects.com/en_US/i/btn/btn_subscribeCC_LG.gif" alt="PayPal - The safer, easier way to pay online!" /><img src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" alt="" width="1" height="1" border="0" /></p></form> +</tr></tbody></table><p><input type="hidden" name="currency_code" value="USD" /><input type="image" style="border: none;" border="0" name="submit" src="https://www.paypalobjects.com/en_US/i/btn/btn_subscribeCC_LG.gif" alt="PayPal - The safer, easier way to pay online!" /><img src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" alt="" width="1" height="1" border="0" /></p></form> <p></p> EOT; diff --git a/version.inc b/version.inc index cc21a24b6..4551fa398 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2014-02-16.590 +2014-02-18.592 diff --git a/view/css/mod_mitem.css b/view/css/mod_mitem.css new file mode 100644 index 000000000..377d164fe --- /dev/null +++ b/view/css/mod_mitem.css @@ -0,0 +1,7 @@ +.menu-item-list { + list-style-type: none; +} + +.mitem-edit { + margin-right: 15px; +}
\ No newline at end of file diff --git a/view/js/crypto.js b/view/js/crypto.js index 2e6402c62..c3a37d177 100644 --- a/view/js/crypto.js +++ b/view/js/crypto.js @@ -1,5 +1,4 @@ - function str_rot13 (str) { // http://kevin.vanzonneveld.net // + original by: Jonas Raoni Soares Silva (http://www.jsfromhell.com) @@ -43,7 +42,11 @@ function red_encrypt(alg, elem,text) { // key and hint need to be localised - var enc_key = bin2hex(prompt(aStr['passphrase'])); + var passphrase = prompt(aStr['passphrase']); + // let the user cancel this dialogue + if (passphrase == null) + return false; + var enc_key = bin2hex(passphrase); // If you don't provide a key you get rot13, which doesn't need a key // but consequently isn't secure. diff --git a/view/js/mod_settings.js b/view/js/mod_settings.js index 16101db57..8cd062f43 100644 --- a/view/js/mod_settings.js +++ b/view/js/mod_settings.js @@ -72,12 +72,12 @@ function channel_privacy_macro(n) { $('#id_profile_in_directory').val(0); } if(n == 2) { - $('#id_view_stream option').eq(5).attr('selected','selected'); - $('#id_view_profile option').eq(5).attr('selected','selected'); - $('#id_view_photos option').eq(5).attr('selected','selected'); - $('#id_view_contacts option').eq(5).attr('selected','selected'); - $('#id_view_storage option').eq(5).attr('selected','selected'); - $('#id_view_pages option').eq(5).attr('selected','selected'); + $('#id_view_stream option').eq(6).attr('selected','selected'); + $('#id_view_profile option').eq(6).attr('selected','selected'); + $('#id_view_photos option').eq(6).attr('selected','selected'); + $('#id_view_contacts option').eq(6).attr('selected','selected'); + $('#id_view_storage option').eq(6).attr('selected','selected'); + $('#id_view_pages option').eq(6).attr('selected','selected'); $('#id_send_stream option').eq(2).attr('selected','selected'); $('#id_post_wall option').eq(1).attr('selected','selected'); $('#id_post_comments option').eq(2).attr('selected','selected'); @@ -95,12 +95,12 @@ function channel_privacy_macro(n) { $('#id_profile_in_directory').val(1); } if(n == 3) { - $('#id_view_stream option').eq(5).attr('selected','selected'); - $('#id_view_profile option').eq(5).attr('selected','selected'); - $('#id_view_photos option').eq(5).attr('selected','selected'); - $('#id_view_contacts option').eq(5).attr('selected','selected'); - $('#id_view_storage option').eq(5).attr('selected','selected'); - $('#id_view_pages option').eq(5).attr('selected','selected'); + $('#id_view_stream option').eq(6).attr('selected','selected'); + $('#id_view_profile option').eq(6).attr('selected','selected'); + $('#id_view_photos option').eq(6).attr('selected','selected'); + $('#id_view_contacts option').eq(6).attr('selected','selected'); + $('#id_view_storage option').eq(6).attr('selected','selected'); + $('#id_view_pages option').eq(6).attr('selected','selected'); $('#id_send_stream option').eq(4).attr('selected','selected'); $('#id_post_wall option').eq(4).attr('selected','selected'); $('#id_post_comments option').eq(4).attr('selected','selected'); diff --git a/view/tpl/filestorage.tpl b/view/tpl/filestorage.tpl index 7b88c6440..1995b95e1 100644 --- a/view/tpl/filestorage.tpl +++ b/view/tpl/filestorage.tpl @@ -2,13 +2,14 @@ <div class="generic-content-wrapper"> {{if $limit}}{{$limitlabel}}{{$limit}}{{/if}} {{if $used}} {{$usedlabel}}{{$used}}{{/if}} - + <br /> + <br /> {{foreach $files as $key => $items}} {{foreach $items as $item}} <div class="files-list-item"> - <a href="{{$baseurl}}/{{$item.id}}/edit">{{$edit}}</a> | - <a href="{{$baseurl}}/{{$item.id}}/delete">{{$delete}}</a> | + <a href="{{$baseurl}}/{{$item.id}}/edit" title="{{$edit}}"><i class="icon-pencil"></i></a> + <a href="{{$baseurl}}/{{$item.id}}/delete" title="{{$delete}}"><i class="icon-remove drop-icons"></i></a> {{if ! $item.dir}}<a href="attach/{{$item.download}}">{{/if}}{{$item.title}}{{if ! $item.dir}}</a>{{/if}} {{if ! $item.dir}} | {{$item.size}} bytes{{else}}{{$directory}}{{/if}} diff --git a/view/tpl/mitemlist.tpl b/view/tpl/mitemlist.tpl index 057665d49..421b610f1 100644 --- a/view/tpl/mitemlist.tpl +++ b/view/tpl/mitemlist.tpl @@ -5,11 +5,12 @@ <a href="mitem/{{$menu_id}}/new" title="{{$hintnew}}">{{$hintnew}}</a> <br /> +<br /> {{if $mlist }} -<ul id="mitemlist"> +<ul id="mitemlist" class="menu-item-list"> {{foreach $mlist as $m }} -<li><a href="mitem/{{$menu_id}}/{{$m.mitem_id}}" title="{{$hintedit}}">{{$edit}}</a> | <a href="mitem/{{$menu_id}}/{{$m.mitem_id}}/drop" title={{$hintdrop}}>{{$drop}}</a> <a href="mitem/{{$menu_id}}/{{$m.mitem_id}}" title="{{$hintcontent}}">{{$m.mitem_desc}}</a> ({{$m.mitem_link}})</li> +<li><a href="mitem/{{$menu_id}}/{{$m.mitem_id}}" title="{{$hintedit}}"><i class="icon-pencil mitem-edit"></i></a><a href="mitem/{{$menu_id}}/{{$m.mitem_id}}/drop" title={{$hintdrop}}><i class="icon-remove"></i></a> <a href="mitem/{{$menu_id}}/{{$m.mitem_id}}" title="{{$hintcontent}}">{{$m.mitem_desc}}</a> ({{$m.mitem_link}})</li> {{/foreach}} </ul> {{/if}} diff --git a/view/tpl/usermenu.tpl b/view/tpl/usermenu.tpl index 3904f4696..80e160fdf 100644 --- a/view/tpl/usermenu.tpl +++ b/view/tpl/usermenu.tpl @@ -2,6 +2,9 @@ {{if $menu.menu_desc}} <h3 class="pmenu-title">{{$menu.menu_desc}}</h3> {{/if}} +{{if $edit}} +<a href="mitem/{{$menu.menu_id}}" title="{{$edit}}"><i class="icon-pencil fakelink" title="{{$edit}}"></i></a> +{{/if}} {{if $items }} <ul class="pmenu-body"> {{foreach $items as $mitem }} |