From 850ad44e839fe7054e38aa90028ad3e12cf7958e Mon Sep 17 00:00:00 2001
From: Alex Cabal
Date: Mon, 25 Jul 2022 12:26:29 -0500
Subject: [PATCH] Enable Patron login required for ebook feeds
---
 lib/User.php | 7 ++++---
 www/feeds/download.php | 40 ++++++++++++++++++++++++----------------
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/lib/User.php b/lib/User.php
index 0661fa63..3bce7361 100644
--- a/lib/User.php
+++ b/lib/User.php
@@ -114,14 +114,15 @@ class User extends PropertiesBase{
 return $result[0];
 }
- public static function GetIfRegistered(?string $email): User{
+ public static function GetIfRegistered(?string $identifier): User{
 // We consider a user "registered" if they have a row in the Benefits table.
 // Emails without that row may only be signed up for the newsletter and thus are not "registered" users
- if($email === null){
+ // The identifier is either an email or a UUID (api key)
+ if($identifier === null){
 throw new Exceptions\InvalidUserException();
 }
- $result = Db::Query('SELECT u.* from Users u inner join Benefits using (UserId) where u.Email = ?', [$email], 'User');
+ $result = Db::Query('SELECT u.* from Users u inner join Benefits using (UserId) where u.Email = ? or u.Uuid = ?', [$identifier, $identifier], 'User');
 if(sizeof($result) == 0){
 throw new Exceptions\InvalidUserException();
diff --git a/www/feeds/download.php b/www/feeds/download.php
index f4eb32e8..92835a3d 100644
--- a/www/feeds/download.php
+++ b/www/feeds/download.php
@@ -8,7 +8,6 @@ use function Safe\preg_match;
 // a valid user has a session.
 $path = HttpInput::Str(GET, 'path', false) ?? '';
-$isUserAgentAllowed = false;
 try{
 $path = '/feeds/' . $path;
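Review bot: The new `where u.Email = ? or u.Uuid = ?` lookup in `GetIfRegistered` resolves a user from either a public value (an email address) or a secret one (the UUID the comment calls an api key), and the caller cannot tell which column matched; if any caller treats a successful lookup as proof of holding the api key, an email alone would now satisfy it. Consider a dedicated entry point for the credential case, for example `GetIfRegisteredByUuid(?string $uuid)` querying only `u.Uuid`, and keep this method for the email case, so each call site states which kind of identifier it accepts. The added comment would be clearer as `// The identifier is either an email or a UUID (api key); a match on either column returns the user`. The body of `GetIfRegistered` continues past the end of this hunk.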
@@ -17,24 +16,33 @@ try{
 throw new Exceptions\InvalidFileException();
 }
- // Certain user agents may bypass login entirely
- // if(isset($_SERVER['HTTP_USER_AGENT'])){
- // $isUserAgentAllowed = (bool)Db::QueryInt('select count(*) from FeedUserAgents where instr(?, UserAgent) limit 1', [$_SERVER['HTTP_USER_AGENT']]);
- // }
+ // Access to the Atom/RSS new releases feed is open to the public
+ $isNewReleasesFeed = false;
+ if(preg_match('/^\/feeds\/(rss|atom)\/new-releases\.xml$/ius', $path)){
+ $isNewReleasesFeed = true;
+ }
- // if(!$isUserAgentAllowed){
- // if($GLOBALS['User'] === null){
- // throw new Exceptions\LoginRequiredException();
- // }
+ if(!$isNewReleasesFeed){
+ // Certain user agents may bypass login entirely
+ $isUserAgentAllowed = false;
+ if(isset($_SERVER['HTTP_USER_AGENT'])){
+ $isUserAgentAllowed = Db::QueryInt('select count(*) from FeedUserAgents where instr(?, UserAgent) limit 1', [$_SERVER['HTTP_USER_AGENT']]);
+ }
- // if(!preg_match('/\.xml$/ius', $path)){
- // throw new Exceptions\InvalidPermissionsException();
- // }
+ if(!$isUserAgentAllowed){
+ if($GLOBALS['User'] === null){
+ throw new Exceptions\LoginRequiredException();
+ }
- // if(!$GLOBALS['User']->Benefits->CanAccessFeeds){
- // throw new Exceptions\InvalidPermissionsException();
- // }
- // }
+ if(!preg_match('/\.xml$/ius', $path)){
+ throw new Exceptions\InvalidPermissionsException();
+ }
+
+ if(!$GLOBALS['User']->Benefits->CanAccessFeeds){
+ throw new Exceptions\InvalidPermissionsException();
+ }
+ }
+ }
 // Everything OK, serve the file using Apache.
 // The xsendfile Apache module tells Apache to serve the file, including not-modified or etag headers.
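Review bot: The `.xml` extension check (`if(!preg_match('/\.xml$/ius', $path))`) now runs only inside `if(!$isUserAgentAllowed)`, so a request whose User-Agent matches a `FeedUserAgents` row skips both the login requirement and the extension restriction; since User-Agent is a header chosen by the client, that branch should relax authentication only, not which paths may be served. Move those three lines up to just after the `$isNewReleasesFeed` check and before the user-agent lookup, so every non-public path must end in `.xml` however the request was admitted. The `(bool)` cast present in the previously commented-out version was dropped, so `$isUserAgentAllowed` starts as `false` and is then assigned the int returned by `Db::QueryInt`; restoring `$isUserAgentAllowed = (bool)Db::QueryInt(...)` keeps the variable a single type. Logging requests admitted through the user-agent allow-list would make that bypass auditable. The enclosing `try` block begins before this hunk.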