Merge pull request #1493 from Alkarex/multiuser-token

Multi-user token

CHANGELOG.md

@@ -8,6 +8,7 @@
 		* Negative searches with `!` or `-` [#1381](https://github.com/FreshRSS/FreshRSS/issues/1381)
 			* Examples: `!intitle:unwanted`, `-intitle:unwanted`, `-inurl:unwanted`, `-author:unwanted`, `-#unwanted`, `-unwanted`
 		* Allow double-quotes, such as `author:"some name"`, in addition to single-quotes such as `author:'some name'` [#1478](https://github.com/FreshRSS/FreshRSS/pull/1478)
+	* Multi-user tokens (to access RSS outputs of any user) [#1390](https://github.com/FreshRSS/FreshRSS/issues/1390)
 * Compatibility:
 	* Add support for PHP 7.1 [#1471](https://github.com/FreshRSS/FreshRSS/issues/1471)
 	* PostgreSQL is not experimental anymore [#1476](https://github.com/FreshRSS/FreshRSS/pull/1476)

app/Controllers/authController.php

@@ -27,11 +27,6 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 		if (Minz_Request::isPost()) {
 			$ok = true;
 
-			$current_token = FreshRSS_Context::$user_conf->token;
-			$token = Minz_Request::param('token', $current_token);
-			FreshRSS_Context::$user_conf->token = $token;
-			$ok &= FreshRSS_Context::$user_conf->save();
-
 			$anon = Minz_Request::param('anon_access', false);
 			$anon = ((bool)$anon) && ($anon !== 'no');
 			$anon_refresh = Minz_Request::param('anon_refresh', false);
@@ -123,7 +118,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 			$challenge = Minz_Request::param('challenge', '');
 
 			$conf = get_user_configuration($username);
-			if (is_null($conf)) {
+			if ($conf == null) {
 				Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
 				return;
 			}
@@ -164,7 +159,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
 			}
 
 			$conf = get_user_configuration($username);
-			if (is_null($conf)) {
+			if ($conf == null) {
 				return;
 			}
 

app/Controllers/userController.php

@@ -74,6 +74,10 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 				FreshRSS_Context::$user_conf->apiPasswordHash = $passwordHash;
 			}
 
+			$current_token = FreshRSS_Context::$user_conf->token;
+			$token = Minz_Request::param('token', $current_token);
+			FreshRSS_Context::$user_conf->token = $token;
+
 			$ok &= FreshRSS_Context::$user_conf->save();
 
 			if ($ok) {

app/Models/Auth.php

@@ -74,6 +74,10 @@ class FreshRSS_Auth {
 	public static function giveAccess() {
 		$current_user = Minz_Session::param('currentUser');
 		$user_conf = get_user_configuration($current_user);
+		if ($user_conf == null) {
+			self::$login_ok = false;
+			return;
+		}
 		$system_conf = Minz_Configuration::get('system');
 
 		switch ($system_conf->auth_type) {
@@ -120,13 +124,28 @@ class FreshRSS_Auth {
 	 * Removes all accesses for the current user.
 	 */
 	public static function removeAccess() {
-		Minz_Session::_param('loginOk');
 		self::$login_ok = false;
-		$conf = Minz_Configuration::get('system');
-		Minz_Session::_param('currentUser', $conf->default_user);
+		Minz_Session::_param('loginOk');
 		Minz_Session::_param('csrf');
+		$system_conf = Minz_Configuration::get('system');
 
-		switch ($conf->auth_type) {
+		$username = '';
+		$token_param = Minz_Request::param('token', '');
+		if ($token_param != '') {
+			$username = trim(Minz_Request::param('user', ''));
+			if ($username != '') {
+				$conf = get_user_configuration($username);
+				if ($conf == null) {
+					$username = '';
+				}
+			}
+		}
+		if ($username == '') {
+			$username = $system_conf->default_user;
+		}
+		Minz_Session::_param('currentUser', $username);
+
+		switch ($system_conf->auth_type) {
 		case 'form':
 			Minz_Session::_param('passwordHash');
 			FreshRSS_FormAuth::deleteCookie();

app/layout/nav_menu.phtml

@@ -149,6 +149,7 @@
 		<?php
 			$url_output['a'] = 'rss';
 			if (FreshRSS_Context::$user_conf->token) {
+				$url_output['params']['user'] = Minz_Session::param('currentUser');
 				$url_output['params']['token'] = FreshRSS_Context::$user_conf->token;
 			}
 			if (FreshRSS_Context::$user_conf->since_hours_posts_per_rss) {

app/views/auth/index.phtml

@@ -52,19 +52,6 @@
 			</div>
 		</div>
 
-		<?php if (FreshRSS_Auth::accessNeedsAction()) { ?>
-		<div class="form-group">
-			<label class="group-name" for="token"><?php echo _t('admin.auth.token'); ?></label>
-			<?php $token = FreshRSS_Context::$user_conf->token; ?>
-			<div class="group-controls">
-				<input type="text" id="token" name="token" value="<?php echo $token; ?>" placeholder="<?php echo _t('gen.short.blank_to_disable'); ?>"<?php
-					echo FreshRSS_Auth::accessNeedsAction() ? '' : ' disabled="disabled"'; ?> data-leave-validation="<?php echo $token; ?>"/>
-				<?php echo _i('help'); ?> <?php echo _t('admin.auth.token_help'); ?>
-				<kbd><?php echo Minz_Url::display(array('a' => 'rss', 'params' => array('token' => $token, 'hours' => FreshRSS_Context::$user_conf->since_hours_posts_per_rss)), 'html', true); ?></kbd>
-			</div>
-		</div>
-		<?php } ?>
-
 		<div class="form-group">
 			<div class="group-controls">
 				<label class="checkbox" for="api_enabled">

app/views/user/profile.phtml

@@ -43,6 +43,19 @@
 		</div>
 		<?php } ?>
 
+		<?php if (FreshRSS_Auth::accessNeedsAction()) { ?>
+		<div class="form-group">
+			<label class="group-name" for="token"><?php echo _t('admin.auth.token'); ?></label>
+			<?php $token = FreshRSS_Context::$user_conf->token; ?>
+			<div class="group-controls">
+				<input type="text" id="token" name="token" value="<?php echo $token; ?>" placeholder="<?php echo _t('gen.short.blank_to_disable'); ?>"<?php
+					echo FreshRSS_Auth::accessNeedsAction() ? '' : ' disabled="disabled"'; ?> data-leave-validation="<?php echo $token; ?>"/>
+				<?php echo _i('help'); ?> <?php echo _t('admin.auth.token_help'); ?>
+				<kbd><?php echo Minz_Url::display(array('a' => 'rss', 'params' => array('user' => Minz_Session::param('currentUser'), 'token' => $token, 'hours' => FreshRSS_Context::$user_conf->since_hours_posts_per_rss)), 'html', true); ?></kbd>
+			</div>
+		</div>
+		<?php } ?>
+
 		<div class="form-group form-actions">
 			<div class="group-controls">
 				<button type="submit" class="btn btn-important"><?php echo _t('gen.action.submit'); ?></button>

lib/lib_rss.php

@@ -334,6 +334,9 @@ function max_registrations_reached() {
  * @return a Minz_Configuration object, null if the configuration cannot be loaded.
  */
 function get_user_configuration($username) {
+	if (!FreshRSS_user_Controller::checkUsername($username)) {
+		return null;
+	}
 	$namespace = 'user_' . $username;
 	try {
 		Minz_Configuration::register($namespace,