diff --git a/components/ILIAS/Feeds/resources/privfeed.php b/components/ILIAS/Feeds/resources/privfeed.php
index 8abbbd09c973..87ca00d08644 100644
--- a/components/ILIAS/Feeds/resources/privfeed.php
+++ b/components/ILIAS/Feeds/resources/privfeed.php
@@ -29,75 +29,95 @@ ilInitialisation::initILIAS();
-global $lng, $ilSetting;
+global $lng, $ilSetting, $DIC;
-$feed_set = new ilSetting("news");
+$feed_set = new ilSetting('news');
+$query = $DIC->http()->wrapper()->query();
+$refinery = $DIC->refinery();
+
+function sendUnauthorized()
+{
+ header('WWW-Authenticate: Basic realm="ILIAS Newsfeed"');
+ header('HTTP/1.0 401 Unauthorized');
+ exit;
+};
 if (!isset($_SERVER['PHP_AUTH_PW']) || !isset($_SERVER['PHP_AUTH_USER'])) {
- Header("WWW-Authenticate: Basic realm=\"ILIAS Newsfeed\"");
- Header("HTTP/1.0 401 Unauthorized");
+ sendUnauthorized();
+}
- exit;
-} else {
- if ($_GET["user_id"] != "" && ilObjUser::_getFeedPass($_GET["user_id"]) != "" &&
- (md5($_SERVER['PHP_AUTH_PW']) == ilObjUser::_getFeedPass($_GET["user_id"]) &&
- $_SERVER['PHP_AUTH_USER'] == ilObjUser::_lookupLogin($_GET["user_id"]))
- && $feed_set->get("enable_private_feed")) {
- include_once("./Services/Feeds/classes/class.ilUserFeedWriter.php");
- // Third parameter is true for private feed
- $writer = new ilUserFeedWriter($_GET["user_id"], $_GET["hash"], true);
+$auth_password_hash = md5($_SERVER['PHP_AUTH_PW']);
+$auth_username = $_SERVER['PHP_AUTH_USER'];
+
+$check_private_feed_auth = function ($user_id, $feed_pass, $login_name) use ($auth_password_hash, $auth_username, $feed_set) {
+ return $user_id > 0
+ && $feed_pass !== ''
+ && $feed_pass !== null
+ && $auth_password_hash === $feed_pass
+ && $auth_username === $login_name
+ && $feed_set->get('enable_private_feed');
+};
+
+$request_user_id = $query->retrieve('user_id', $refinery->byTrying([
+ $refinery->kindlyTo()->int(),
+ $refinery->always(0)
+]));
+
+if ($request_user_id > 0) {
+ $request_feed_pass = ilObjUser::_getFeedPass($request_user_id);
+ $request_login_name = ilObjUser::_lookupLogin($request_user_id);
+
+ if (
+ $feed_pass !== ''
+ && $feed_pass !== null
+ && $auth_password_hash === $feed_pass
+ && $auth_username === $login_name
+ && $feed_set->get('enable_private_feed')
+ ) {
+ $request_hash = $query->retrieve('hash', $refinery->byTrying([
+ $refinery->kindlyTo()->string(),
+ $refinery->always('')
+ ]));
+ $writer = new ilUserFeedWriter($request_user_id, $request_hash, true);
 $writer->showFeed();
- } elseif ($_GET["ref_id"] != "" && md5($_SERVER['PHP_AUTH_PW']) == ilObjUser::_getFeedPass(ilObjUser::_lookupId($_SERVER['PHP_AUTH_USER']))) {
- include_once("./Services/Feeds/classes/class.ilObjectFeedWriter.php");
- // Second parameter is optional to pass on to database-level to get news for logged-in users
- $writer = new ilObjectFeedWriter($_GET["ref_id"], ilObjUser::_lookupId($_SERVER['PHP_AUTH_USER']));
- $writer->showFeed();
- } else {
- // send appropriate header, if password is wrong, otherwise
- // there is no chance to re-enter it (unless, e.g. the browser is closed)
- if (md5($_SERVER['PHP_AUTH_PW']) != ilObjUser::_getFeedPass(ilObjUser::_lookupId($_SERVER['PHP_AUTH_USER']))) {
- Header("WWW-Authenticate: Basic realm=\"ILIAS Newsfeed\"");
- Header("HTTP/1.0 401 Unauthorized");
- exit;
- }
-
- include_once("./Services/Feeds/classes/class.ilFeedItem.php");
- include_once("./Services/Feeds/classes/class.ilFeedWriter.php");
-
- $blankFeedWriter = new ilFeedWriter();
- $feed_item = new ilFeedItem();
- $lng->loadLanguageModule("news");
-
- if ($ilSetting->get('short_inst_name') != "") {
- $blankFeedWriter->setChannelTitle($ilSetting->get('short_inst_name'));
- } else {
- $blankFeedWriter->setChannelTitle("ILIAS");
- }
-
-
-
- if (!$feed_set->get("enable_private_feed")) {
- $blankFeedWriter->setChannelAbout(ILIAS_HTTP_PATH);
- $blankFeedWriter->setChannelLink(ILIAS_HTTP_PATH);
- // title
- $feed_item->setTitle($lng->txt("priv_feed_no_access_title"));
-
- // description
- $feed_item->setDescription($lng->txt("priv_feed_no_access_body"));
- $feed_item->setLink(ILIAS_HTTP_PATH);
- } else {
- $blankFeedWriter->setChannelAbout(ILIAS_HTTP_PATH);
- $blankFeedWriter->setChannelLink(ILIAS_HTTP_PATH);
- // title
- $feed_item->setTitle($lng->txt("priv_feed_no_auth_title"));
-
- // description
- $feed_item->setDescription($lng->txt("priv_feed_no_auth_body"));
- $feed_item->setLink(ILIAS_HTTP_PATH);
- }
- $blankFeedWriter->addItem($feed_item);
- $blankFeedWriter->showFeed();
+ exit;
 }
 }
+
+$request_ref_id = $query->retrieve('ref_id', $refinery->byTrying([
+ $refinery->kindlyTo()->int(),
+ $refinery->always(0)
+]));
+
+$server_user_id = ilObjUser::_lookupId($auth_username);
+if ($server_user_id === null || $server_user_id === 0) {
+ sendUnauthorized();
+}
+
+$server_feed_pass = ilObjUser::_getFeedPass($server_user_id);
+if ($server_feed_pass === null || $auth_password_hash !== $server_feed_pass) {
+ sendUnauthorized();
+}
+
+if ($request_ref_id > 0) {
+ $writer = new ilObjectFeedWriter($request_ref_id, $server_user_id);
+ $writer->showFeed();
+ exit;
+}
+
+$blank_feed_writer = new ilFeedWriter();
+$feed_item = new ilFeedItem();
+$lng->loadLanguageModule('news');
+
+$channel_title = $ilSetting->get('short_inst_name');
+$blank_feed_writer->setChannelTitle($channel_title !== '' ? $channel_title : 'ILIAS');
+$blank_feed_writer->setChannelAbout(ILIAS_HTTP_PATH);
+$blank_feed_writer->setChannelLink(ILIAS_HTTP_PATH);
+
+$enable_private_feed = $feed_set->get('enable_private_feed');
+$feed_item->setTitle($lng->txt($enable_private_feed ? 'priv_feed_no_auth_title' : 'priv_feed_no_access_title'));
+$feed_item->setDescription($lng->txt($enable_private_feed ? 'priv_feed_no_auth_body' : 'priv_feed_no_access_body'));
+$feed_item->setLink(ILIAS_HTTP_PATH);
+$blank_feed_writer->addItem($feed_item);
+$blank_feed_writer->showFeed();
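Review bot: The private-feed branch under `if ($request_user_id > 0) {` can never succeed: its condition tests `$feed_pass` and `$login_name`, which are never assigned (the lookups were stored in `$request_feed_pass` and `$request_login_name`), so `$feed_pass !== null` is always false, every `user_id` request emits an undefined-variable warning and falls through to the generic Basic-auth path, and the `$check_private_feed_auth` closure defined just above is never called. Replace the six-line condition with `if ($check_private_feed_auth($request_user_id, $request_feed_pass, $request_login_name)) {` (the closure's own `$user_id > 0` test then duplicates the outer guard and one of them can go). The digest comparisons `$auth_password_hash === $feed_pass` in the closure and `$auth_password_hash !== $server_feed_pass` below compare a secret-derived value with `===`; after the existing null/empty guards use `hash_equals($feed_pass, $auth_password_hash)` and `!hash_equals($server_feed_pass, $auth_password_hash)` so the comparison is constant-time, while the unsalted `md5` of the Basic-auth password is the stored format `_getFeedPass` returns and is outside this file. `function sendUnauthorized()` is followed by a stray `};` that leaves an empty statement, and since it always calls `exit` it can be declared `function sendUnauthorized(): never` if the project targets PHP 8.1+.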