
PHP Cross Reference of MantisBT


/core/ -> rss_api.php (source)

   1  <?php
   2  # MantisBT - A PHP based bugtracking system
   3  
   4  # MantisBT is free software: you can redistribute it and/or modify
   5  # it under the terms of the GNU General Public License as published by
   6  # the Free Software Foundation, either version 2 of the License, or
   7  # (at your option) any later version.
   8  #
   9  # MantisBT is distributed in the hope that it will be useful,
  10  # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  # GNU General Public License for more details.
  13  #
  14  # You should have received a copy of the GNU General Public License
  15  # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  
  18  /**
  19   * RSS API
  20   *
  21   * @package CoreAPI
  22   * @subpackage RSSAPI
  23   * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
  24   * @copyright Copyright (C) 2002 - 2011  MantisBT Team - mantisbt-dev@lists.sourceforge.net
  25   * @link http://www.mantisbt.org
  26   *
  27   * @uses authentication_api.php
  28   * @uses config_api.php
  29   * @uses constant_inc.php
  30   * @uses crypto_api.php
  31   * @uses current_user_api.php
  32   * @uses helper_api.php
  33   * @uses user_api.php
  34   */
  35  
  36  require_api( 'authentication_api.php' );
  37  require_api( 'config_api.php' );
  38  require_api( 'constant_inc.php' );
  39  require_api( 'crypto_api.php' );
  40  require_api( 'current_user_api.php' );
  41  require_api( 'helper_api.php' );
  42  require_api( 'user_api.php' );
  43  
  44  /**
  45   * Calculates a key to be used for RSS authentication based on user name,
  46   * cookie and password. If the user changes their user name or password, this
  47   * RSS authentication key will become invalidated.
  48   * @param int $p_user_id User ID for the user which the key is being calculated for
  49   * @return string RSS authentication key (384bit) encoded according to the base64 with URI safe alphabet approach described in RFC4648
  50   */
  51  function rss_calculate_key( $p_user_id = null ) {
  52      if( $p_user_id === null ) {
  53          $t_user_id = auth_get_current_user_id();
  54      } else {
  55          $t_user_id = $p_user_id;
  56      }
  57  
  58      $t_username = user_get_field( $t_user_id, 'username' );
  59      $t_password = user_get_field( $t_user_id, 'password' );
  60      $t_cookie = user_get_field( $t_user_id, 'cookie_string' );
  61  
  62      $t_key_raw = hash( 'whirlpool', 'rss_key' . config_get_global( 'crypto_master_salt' ) . $t_username . $t_password . $t_cookie, true );
  63      # Note: We truncate the last 8 bits from the hash output so that base64
  64      # encoding can be performed without any trailing padding.
  65      $t_key_base64_encoded = base64_encode( substr( $t_key_raw, 0, 63 ) );
  66      $t_key = strtr( $t_key_base64_encoded, '+/', '-_' );
  67  
  68      return $t_key;
  69  }
  70  
  71  /**
  72   * Given the user name and the rss key, this method attempts to login the user.  If successful, it
  73   * return true, otherwise, returns false.
  74   * @param string $p_username
  75   * @param string $p_key
  76   * @return bool
  77   */
  78  function rss_login( $p_username, $p_key ) {
  79      if(( $p_username === null ) || ( $p_key === null ) ) {
  80          return false;
  81      }
  82  
  83      $t_user_id = user_get_id_by_name( $p_username );
  84  
  85      if( false === $t_user_id ) {
  86          return false;
  87      }
  88  
  89      $t_correct_key = rss_calculate_key( $t_user_id );
  90      if( $p_key != $t_correct_key ) {
  91          return false;
  92      }
  93  
  94      if( !auth_attempt_script_login( $p_username ) ) {
  95          return false;
  96      }
  97  
  98      return true;
  99  }
 100  
 101  /**
 102   * return rss issues feed url
 103   * @param int $p_project_id
 104   * @param string $p_username
 105   * @param int $p_filter_id
 106   * @param bool $p_relative
 107   * @return string
 108   */
 109  function rss_get_issues_feed_url( $p_project_id = null, $p_username = null, $p_filter_id = null, $p_relative = true ) {
 110      if( $p_username === null ) {
 111          $t_username = current_user_get_field( 'username' );
 112      } else {
 113          $t_username = $p_username;
 114      }
 115  
 116      if( $p_project_id === null ) {
 117          $t_project_id = helper_get_current_project();
 118      } else {
 119          $t_project_id = (integer) $p_project_id;
 120      }
 121  
 122      $t_user_id = user_get_id_by_name( $t_username );
 123  
 124      if( $p_relative ) {
 125          $t_url = config_get( 'path' );
 126      } else {
 127          $t_url = '';
 128      }
 129  
 130      if( user_is_anonymous( $t_user_id ) ) {
 131          $t_url .= 'issues_rss.php?';
 132  
 133          if( $t_project_id == ALL_PROJECTS ) {
 134              $t_url .= 'project_id=' . $t_project_id;
 135          }
 136      } else {
 137          $t_url .= 'issues_rss.php?username=' . $t_username . '&key=' . rss_calculate_key( $t_user_id );
 138  
 139          if( $t_project_id != ALL_PROJECTS ) {
 140              $t_url .= '&project_id=' . $t_project_id;
 141          }
 142      }
 143  
 144      if( $p_filter_id !== null ) {
 145          $t_url .= '&filter_id=' . $p_filter_id;
 146      }
 147  
 148      return $t_url;
 149  }
 150  
 151  /**
 152   * return rss news feed url
 153   * @param int $p_project_id
 154   * @param string $p_username
 155   * @param bool $p_relative
 156   * @return string
 157   */
 158  function rss_get_news_feed_url( $p_project_id = null, $p_username = null, $p_relative = true ) {
 159      if( $p_username === null ) {
 160          $t_username = current_user_get_field( 'username' );
 161      } else {
 162          $t_username = $p_username;
 163      }
 164  
 165      if( $p_project_id === null ) {
 166          $t_project_id = helper_get_current_project();
 167      } else {
 168          $t_project_id = (integer) $p_project_id;
 169      }
 170  
 171      if( $p_relative ) {
 172          $t_rss_link = '';
 173      } else {
 174          $t_rss_link = config_get( 'path' );
 175      }
 176  
 177      $t_user_id = user_get_id_by_name( $t_username );
 178  
 179      // If we have a logged in user then they can be given a 'proper' feed, complete with auth string.
 180      if( user_is_anonymous( $t_user_id ) ) {
 181          $t_rss_link .= "news_rss.php";
 182  
 183          if( $t_project_id != ALL_PROJECTS ) {
 184              $t_rss_link .= "?project_id=$t_project_id";
 185          }
 186      } else {
 187          $t_rss_link .= "news_rss.php?username=$t_username&key=" . rss_calculate_key( $t_user_id );
 188  
 189          if( $t_project_id != ALL_PROJECTS ) {
 190              $t_rss_link .= "&project_id=$t_project_id";
 191          }
 192      }
 193  
 194      return $t_rss_link;
 195  }


Generated: Thu Jul 28 15:48:31 2011 Cross-referenced by PHPXref 0.7