miniflux-legacy/controllers/common.php

<?php

// Called before each action
Router\before(function ($action) {
    Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH, 0);

    // Select the requested database either from post param database or from the
    // session variable. If it fails, logout to destroy session and
    // 'remember me' cookie
    if (Request\value('database') !== null && ! Model\Database\select(Request\value('database'))) {
        Model\User\logout();
        Response\redirect('?action=login');
    } elseif (! empty($_SESSION['database'])) {
        if (! Model\Database\select($_SESSION['database'])) {
            Model\User\logout();
            Response\redirect('?action=login');
        }
    }

    // These actions are considered to be safe even for unauthenticated users
    $safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');

    if (! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {
        if (! Model\RememberMe\authenticate()) {
            Model\User\logout();
            Response\redirect('?action=login');
        }
    } elseif (Model\RememberMe\has_cookie()) {
        Model\RememberMe\refresh();
    }

    // Load translations
    $language = Model\Config\get('language') ?: 'en_US';
    Translator\load($language);

    // Set timezone
    date_default_timezone_set(Model\Config\get('timezone') ?: 'UTC');

    // HTTP secure headers
    Response\csp(array(
        'media-src' => '*',
        'img-src' => '* data:',
        'frame-src' => Model\Config\get_iframe_whitelist(),
        'referrer' => 'no-referrer',
    ));

    Response\xframe();
    Response\xss();
    Response\nosniff();

    if (ENABLE_HSTS && Helper\is_secure_connection()) {
        Response\hsts();
    }
});

// Show help
Router\get_action('show-help', function () {
    Response\html(Template\load('show_help'));
});

// Show the menu for the mobile view
Router\get_action('more', function () {
    Response\html(Template\layout('show_more', array('menu' => 'more')));
});

// Image proxy (avoid SSL mixed content warnings)
Router\get_action('proxy', function () {
    Model\Proxy\download(rawurldecode(Request\param('url')));
    exit;
});
Split models and controllers in different files 2013-12-23 02:55:53 +01:00			`<?php`

			`// Called before each action`
Run php-cs-fixer on the code base 2016-04-18 01:44:45 +02:00			`Router\before(function ($action) {`
Change session lifetime and do not use the image proxy for https urls 2015-01-18 01:17:44 +01:00			`Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH, 0);`
Improve files organization 2014-02-08 20:13:14 +01:00
use radio buttons to select the login database allows one click logins to not default databases using passwordmanagers like keefox. 2015-01-18 01:53:54 +01:00			`// Select the requested database either from post param database or from the`
			`// session variable. If it fails, logout to destroy session and`
Fix database hijacking Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code. 2015-01-17 19:35:59 +01:00			`// 'remember me' cookie`
Tiny performance tweaks 2016-05-03 10:45:07 +02:00			`if (Request\value('database') !== null && ! Model\Database\select(Request\value('database'))) {`
use radio buttons to select the login database allows one click logins to not default databases using passwordmanagers like keefox. 2015-01-18 01:53:54 +01:00			`Model\User\logout();`
			`Response\redirect('?action=login');`
Run php-cs-fixer on the code base 2016-04-18 01:44:45 +02:00			`} elseif (! empty($_SESSION['database'])) {`
Fix database hijacking Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code. 2015-01-17 19:35:59 +01:00			`if (! Model\Database\select($_SESSION['database'])) {`
			`Model\User\logout();`
Add RememberMe authentication 2014-05-27 02:47:40 +02:00			`Response\redirect('?action=login');`
			`}`
			`}`
Check if the session username and database username are the same 2014-11-19 01:00:53 +01:00
Fix database hijacking Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code. 2015-01-17 19:35:59 +01:00			`// These actions are considered to be safe even for unauthenticated users`
			`$safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');`
Check if the session username and database username are the same 2014-11-19 01:00:53 +01:00
Minor cleanups 2015-01-18 00:53:40 +01:00			`if (! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {`
Fix database hijacking Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code. 2015-01-17 19:35:59 +01:00			`if (! Model\RememberMe\authenticate()) {`
			`Model\User\logout();`
			`Response\redirect('?action=login');`
Check if the session username and database username are the same 2014-11-19 01:00:53 +01:00			`}`
Run php-cs-fixer on the code base 2016-04-18 01:44:45 +02:00			`} elseif (Model\RememberMe\has_cookie()) {`
Fix database hijacking Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code. 2015-01-17 19:35:59 +01:00			`Model\RememberMe\refresh();`
			`}`
Split models and controllers in different files 2013-12-23 02:55:53 +01:00
			`// Load translations`
			`$language = Model\Config\get('language') ?: 'en_US';`
add multiple plural support for translations fixes #242 2015-01-30 19:45:23 +01:00			`Translator\load($language);`
Split models and controllers in different files 2013-12-23 02:55:53 +01:00
Add timezone configuration option 2014-02-26 01:03:46 +01:00			`// Set timezone`
			`date_default_timezone_set(Model\Config\get('timezone') ?: 'UTC');`

Split models and controllers in different files 2013-12-23 02:55:53 +01:00			`// HTTP secure headers`
			`Response\csp(array(`
			`'media-src' => '*',`
Change CSP directives to allow data url 2015-08-22 00:18:08 +02:00			`'img-src' => '* data:',`
Remove Google auth (openid is deprecated) and Persona auth (useless) 2014-11-08 02:53:50 +01:00			`'frame-src' => Model\Config\get_iframe_whitelist(),`
remove referrer by default The referrer CSP is supported by chrome and firefox 38+. Suppressing the referrer increases the users privacy and the image proxy isn't any longer required to cloak the referrer on websites which are using hotlinking protection based on referrers. 2015-05-16 09:35:50 +02:00			`'referrer' => 'no-referrer',`
Split models and controllers in different files 2013-12-23 02:55:53 +01:00			`));`

			`Response\xframe();`
			`Response\xss();`
			`Response\nosniff();`
Enable Strict-Transport-Security header for HTTPS 2015-05-17 19:40:56 +02:00
			`if (ENABLE_HSTS && Helper\is_secure_connection()) {`
			`Response\hsts();`
			`}`
Split models and controllers in different files 2013-12-23 02:55:53 +01:00			`});`

			`// Show help`
Run php-cs-fixer on the code base 2016-04-18 01:44:45 +02:00			`Router\get_action('show-help', function () {`
Split models and controllers in different files 2013-12-23 02:55:53 +01:00			`Response\html(Template\load('show_help'));`
Improve mobile layout 2014-02-05 03:47:59 +01:00			`});`

Improve files organization 2014-02-08 20:13:14 +01:00			`// Show the menu for the mobile view`
Run php-cs-fixer on the code base 2016-04-18 01:44:45 +02:00			`Router\get_action('more', function () {`
Improve mobile layout 2014-02-05 03:47:59 +01:00			`Response\html(Template\layout('show_more', array('menu' => 'more')));`
			`});`
Add support for multiple users/databases 2014-04-06 02:24:13 +02:00
Add image proxy to avoid https mixed content warnings 2014-12-24 21:58:24 +01:00			`// Image proxy (avoid SSL mixed content warnings)`
Run php-cs-fixer on the code base 2016-04-18 01:44:45 +02:00			`Router\get_action('proxy', function () {`
improve image-proxy - use passthrough mode for image proxy (fixes #295) - add image proxy when rendering an article (fixes #314) - add referrer cloaking option to feed options (fixes #319) 2015-02-01 22:54:57 +01:00			`Model\Proxy\download(rawurldecode(Request\param('url')));`
			`exit;`
Add image proxy to avoid https mixed content warnings 2014-12-24 21:58:24 +01:00			`});`