From eee57a5d2ece31f9b99485f82a310b80d8fa3935 Mon Sep 17 00:00:00 2001 From: plegall Date: Thu, 31 Dec 2015 19:53:38 +0100 Subject: feature #392, authentication key, new table --- install/db/147-database.php | 46 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 install/db/147-database.php diff --git a/install/db/147-database.php b/install/db/147-database.php new file mode 100644 index 000000000..4c98c66c3 --- /dev/null +++ b/install/db/147-database.php @@ -0,0 +1,46 @@ + -- cgit v1.2.3 From 4aeedb5a2ea455c503721de29a35e8a3c1fa0a9d Mon Sep 17 00:00:00 2001 From: plegall Date: Thu, 31 Dec 2015 19:59:08 +0100 Subject: feature #392, authentication keys, album notification * On album notification (for a group), sends one distinct email for each user with a new authentication key. * When someone clicks the link with auth= in URL, if the user is not already connected, Piwigo will automatically connect the user. --- admin/album_notification.php | 26 ++-- include/config_default.inc.php | 4 + include/constants.php | 2 + include/functions_mail.inc.php | 30 +++-- include/functions_user.inc.php | 132 +++++++++++++++++++++ include/user.inc.php | 6 + .../template/mail/text/html/cat_group_info.tpl | 2 +- 7 files changed, 181 insertions(+), 21 deletions(-) diff --git a/admin/album_notification.php b/admin/album_notification.php index cafaad170..4dd578b1a 100644 --- a/admin/album_notification.php +++ b/admin/album_notification.php @@ -54,6 +54,8 @@ if (isset($_POST['submitEmail']) and !empty($_POST['group'])) is empty find child representative_picture_id */ if (!empty($category['representative_picture_id'])) { + $img = array(); + $query = ' SELECT id, file, path, representative_ext FROM '.IMAGES_TABLE.' 
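Review bot: `$img = array();` is initialised inside `if (!empty($category['representative_picture_id']))`, so when the album has no representative picture `$img` is never defined, yet the third hunk of this file passes it as `'IMG' => $img` and the second hunk removes the old `if (!isset($img_url))` fallback that covered exactly that case. Move the initialisation above the condition so the template always receives an array: put `$img = array();` on the line before `if (!empty($category['representative_picture_id']))`. The enclosing `if (isset($_POST['submitEmail']) ...)` block starts and ends outside the hunk.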
@@ -65,21 +67,19 @@ SELECT id, file, path, representative_ext { $element = pwg_db_fetch_assoc($result); - $img_url = ''; + $img = array( + 'link' => make_picture_url( + array( + 'image_id' => $element['id'], + 'image_file' => $element['file'], + 'category' => $category + ) + ), + 'src' => DerivativeImage::url(IMG_THUMB, $element), + ); } } - if (!isset($img_url)) - { - $img_url = ''; - } - pwg_mail_group( $_POST['group'], array( @@ -90,7 +90,7 @@ SELECT id, file, path, representative_ext array( 'filename' => 'cat_group_info', 'assign' => array( - 'IMG_URL' => $img_url, + 'IMG' => $img, 'CAT_NAME' => trigger_change('render_category_name', $category['name'], 'admin_cat_list'), 'LINK' => make_index_url(array( 'category' => array( diff --git a/include/config_default.inc.php b/include/config_default.inc.php index eafb9d5a9..2de75764d 100644 --- a/include/config_default.inc.php +++ b/include/config_default.inc.php @@ -646,6 +646,10 @@ $conf['recent_post_dates'] = array( // the author shown in the RSS feed element $conf['rss_feed_author'] = 'Piwigo notifier'; +// how long does the authentication key stays valid, in seconds. 3 days by +// default. 0 to disable. +$conf['auth_key_duration'] = 3*24*60*60; + // +-----------------------------------------------------------------------+ // | Set admin layout | // +-----------------------------------------------------------------------+ diff --git a/include/constants.php b/include/constants.php index ef321a4bc..f9a032d0f 100644 --- a/include/constants.php +++ b/include/constants.php @@ -81,6 +81,8 @@ if (!defined('USER_FEED_TABLE')) define('USER_FEED_TABLE', $prefixeTable.'user_feed'); if (!defined('RATE_TABLE')) define('RATE_TABLE', $prefixeTable.'rate'); +if (!defined('USER_AUTH_KEYS_TABLE')) + define('USER_AUTH_KEYS_TABLE', $prefixeTable.'user_auth_keys'); if (!defined('USER_CACHE_TABLE')) define('USER_CACHE_TABLE', $prefixeTable.'user_cache'); if (!defined('USER_CACHE_CATEGORIES_TABLE')) 
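Review bot: The comment on the new `$conf['auth_key_duration']` says how long a key lasts but not what it grants; per the commit description a key carried in a mail link logs the recipient in without a password, which is what an administrator needs to know when choosing the value. Suggested wording: `// validity of authentication keys, in seconds. A key is appended to links in notification e-mails and automatically logs the recipient in while it is valid. 3 days by default, 0 to disable.` This also fixes the grammar of `how long does the authentication key stays valid`.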
diff --git a/include/functions_mail.inc.php b/include/functions_mail.inc.php index ed1081713..529f2da0d 100644 --- a/include/functions_mail.inc.php +++ b/include/functions_mail.inc.php @@ -514,6 +514,8 @@ SELECT DISTINCT language // get subset of users in this group for a specific language $query = ' SELECT + ui.user_id, + ui.status, u.'.$conf['user_fields']['username'].' AS name, u.'.$conf['user_fields']['email'].' AS email FROM '.USER_GROUP_TABLE.' AS ug @@ -534,13 +536,27 @@ SELECT switch_lang_to($language); - $return&= pwg_mail(null, - array_merge( - $args, - array('Bcc' => $users) - ), - $tpl - ); + foreach ($users as $u) + { + $authkey = create_user_auth_key($u['user_id'], $u['status']); + + $user_tpl = $tpl; + + if ($authkey !== false) + { + $user_tpl['assign']['LINK'] = add_url_params($tpl['assign']['LINK'], array('auth' => $authkey['auth_key'])); + + if (isset($user_tpl['assign']['IMG']['link'])) + { + $user_tpl['assign']['IMG']['link'] = add_url_params( + $user_tpl['assign']['IMG']['link'], + array('auth' => $authkey['auth_key']) + ); + } + } + + $return &= pwg_mail($u['email'], $args, $user_tpl); + } switch_lang_back(); } diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index 5f503b36e..915b7dbd0 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php 
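Review bot: `add_url_params($tpl['assign']['LINK'], ...)` reads `LINK` unconditionally while the `IMG` link just below is guarded with `isset()`; `pwg_mail_group` is a generic helper, so a caller whose template does not assign `LINK` triggers an undefined-index notice and hands `null` to `add_url_params`. Guard it the same way: `if (isset($tpl['assign']['LINK'])) { $user_tpl['assign']['LINK'] = add_url_params($tpl['assign']['LINK'], array('auth' => $authkey['auth_key'])); }`. Note also that `create_user_auth_key` inserts the key before `pwg_mail` is attempted, so a failed send still leaves a valid login key in `USER_AUTH_KEYS_TABLE`; if that matters, delete the key when `pwg_mail` returns false. `pwg_mail_group` starts outside the hunk.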
@@ -1462,4 +1462,136 @@ function get_recent_photos_sql($db_field) .pwg_db_get_recent_period_expression($user['recent_period']) .','.pwg_db_get_recent_period_expression(1,$user['last_photo_date']).')'; } + +/** + * Performs auto-connection if authentication key is valid. + * + * @since 2.8 + * + * @return bool + */ +function auth_key_login($auth_key) +{ + global $conf, $user; + + if ($user['id'] != $conf['guest_id']) + { + return false; + } + + if (!preg_match('/^[a-z0-9]{30}$/i', $auth_key)) + { + return false; + } + + $query = ' +SELECT + *, + '.$conf['user_fields']['username'].' AS username, + NOW() AS dbnow + FROM '.USER_AUTH_KEYS_TABLE.' AS uak + JOIN '.USER_INFOS_TABLE.' AS ui ON uak.user_id = ui.user_id + JOIN '.USERS_TABLE.' AS u ON u.'.$conf['user_fields']['id'].' = ui.user_id + WHERE auth_key = \''.$auth_key.'\' +;'; + $keys = query2array($query); + + if (count($keys) == 0) + { + return false; + } + + $key = $keys[0]; + + // is the key still valid? + if (strtotime($key['expired_on']) < strtotime($key['dbnow'])) + { + return false; + } + + // admin/webmaster/guest can't get connected with authentication keys + if (!in_array($key['status'], array('normal','generic'))) + { + return false; + } + + $user['id'] = $key['user_id']; + log_user($user['id'], false); + trigger_notify('login_success', stripslashes($key['username'])); + + return true; +} + +/** + * Creates an authentication key. + * + * @since 2.8 + * @param int $user_id + * @return array + */ +function create_user_auth_key($user_id, $user_status=null) +{ + global $conf; + + if (0 == $conf['auth_key_duration']) + { + return false; + } + + if (!isset($user_status)) + { + // we have to find the user status + $query = ' +SELECT + status + FROM '.USER_INFOS_TABLE.' + WHERE user_id = '.$user_id.' 
+;'; + $user_infos = query2array($query); + + if (count($user_infos) == 0) + { + return false; + } + + $user_status = $user_infos[0]['status']; + } + + if (!in_array($user_status, array('normal','generic'))) + { + return false; + } + + $candidate = generate_key(30); + + $query = ' +SELECT + COUNT(*), + NOW(), + ADDDATE(NOW(), INTERVAL '.$conf['auth_key_duration'].' SECOND) + FROM '.USER_AUTH_KEYS_TABLE.' + WHERE auth_key = \''.$candidate.'\' +;'; + list($counter, $now, $expiration) = pwg_db_fetch_row(pwg_query($query)); + if (0 == $counter) + { + $key = array( + 'auth_key' => $candidate, + 'user_id' => $user_id, + 'created_on' => $now, + 'duration' => $conf['auth_key_duration'], + 'expired_on' => $expiration, + ); + + single_insert(USER_AUTH_KEYS_TABLE, $key); + + $key['auth_key_id'] = pwg_db_insert_id(); + + return $key; + } + else + { + return create_user_auth_key($user_id); + } +} ?> \ No newline at end of file diff --git a/include/user.inc.php b/include/user.inc.php index 4de5cc6c3..c02fcb0ac 100644 --- a/include/user.inc.php +++ b/include/user.inc.php @@ -65,6 +65,12 @@ if ($conf['apache_authentication']) } } +// automatic login by authentication key +if (isset($_GET['auth'])) +{ + auth_key_login($_GET['auth']); +} + $user = build_user( $user['id'], ( defined('IN_ADMIN') and IN_ADMIN ) ? false : true // use cache ? ); diff --git a/themes/default/template/mail/text/html/cat_group_info.tpl b/themes/default/template/mail/text/html/cat_group_info.tpl index e8d7d7c10..6a136c63c 100644 --- a/themes/default/template/mail/text/html/cat_group_info.tpl +++ b/themes/default/template/mail/text/html/cat_group_info.tpl @@ -1,6 +1,6 @@
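Review bot: `WHERE user_id = '.$user_id.'` in `create_user_auth_key` interpolates the argument into SQL without escaping or casting, unlike `auth_key_login`, which first pins `$auth_key` to `/^[a-z0-9]{30}$/i`; the visible callers pass database values, but the function is a public helper, so cast at the boundary: `WHERE user_id = '.(int)$user_id.'`. The docblock declares `@return array` although the function returns `false` in three places, `$user_status` is undocumented, and `auth_key_login` lacks `@param string $auth_key`; use `@param string|null $user_status status of the user, looked up when null` and `@return array|false the inserted key row, or false when keys are disabled or the user may not receive one`. Since the key alone logs the user in, `generate_key(30)` (not in this diff) should draw from a cryptographically secure random source; worth confirming.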
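Review bot: `$_GET['auth']` is passed straight to `auth_key_login`, where it reaches `preg_match`; a request with `auth[]=` makes it an array, which `preg_match` rejects with a warning (a `TypeError` on PHP 8). Check the type at the entry point: `if (isset($_GET['auth']) and is_string($_GET['auth']))`. Because the key travels in the query string it can also appear in web-server access logs and in `Referer` headers, and `auth_key_login` does not invalidate it on use, so it stays usable for the whole `auth_key_duration`; that trade-off is worth stating in the `auth_key_duration` comment or the function docblock.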

{'Informations'|@translate}

-

{$IMG_URL}

+

{'Hello,'|@translate}

{'Discover album:'|@translate} {$CAT_NAME}

{$CPL_CONTENT}

-- cgit v1.2.3 From f4040a5a3a4fd371a230c54e17f819922c9a39b2 Mon Sep 17 00:00:00 2001 From: plegall Date: Fri, 1 Jan 2016 20:37:33 +0100 Subject: forgotten to give user_status on recursive call in create_user_auth_key, bug detected by @mistic100 --- include/functions_user.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index 915b7dbd0..ba4ed6808 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -1591,7 +1591,7 @@ SELECT } else { - return create_user_auth_key($user_id); + return create_user_auth_key($user_id, $user_status); } } ?> \ No newline at end of file -- cgit v1.2.3 From f2f9e5ecb7d6c16332aaccf8bc7b1c4248e6e889 Mon Sep 17 00:00:00 2001 From: plegall Date: Mon, 4 Jan 2016 15:04:02 +0100 Subject: feature #392, authentication keys, history log When a user successfully performs an authentication with an auth_key, Piwigo registers it in the history table. For now, it is not shown/searchable in the history screen, but we can add it in the future and we can provide a plugin with specific details about authentication keys usage. --- include/functions.inc.php | 2 ++ include/functions_user.inc.php | 5 ++++- install/db/148-database.php | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 install/db/148-database.php diff --git a/include/functions.inc.php b/include/functions.inc.php index 2119abe8f..578830ba5 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -446,6 +446,7 @@ INSERT INTO '.HISTORY_TABLE.' image_id, image_type, format_id, + auth_key_id, tag_ids ) VALUES 
@@ -459,6 +460,7 @@ INSERT INTO '.HISTORY_TABLE.' '.(isset($image_id) ? $image_id : 'NULL').', '.(isset($image_type) ? "'".$image_type."'" : 'NULL').', '.(isset($format_id) ? $format_id : 'NULL').', + '.(isset($page['auth_key_id']) ? $page['auth_key_id'] : 'NULL').', '.(isset($tags_string) ? "'".$tags_string."'" : 'NULL').' ) ;'; diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index ba4ed6808..cd186183a 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -1472,7 +1472,7 @@ function get_recent_photos_sql($db_field) */ function auth_key_login($auth_key) { - global $conf, $user; + global $conf, $user, $page; if ($user['id'] != $conf['guest_id']) { @@ -1519,6 +1519,9 @@ SELECT log_user($user['id'], false); trigger_notify('login_success', stripslashes($key['username'])); + // to be registered in history table by pwg_log function + $page['auth_key_id'] = $key['auth_key_id']; + return true; } diff --git a/install/db/148-database.php b/install/db/148-database.php new file mode 100644 index 000000000..79edebdbc --- /dev/null +++ b/install/db/148-database.php @@ -0,0 +1,39 @@ + -- cgit v1.2.3 From 67e142f33197af955e179a1ad09b990ac80b6698 Mon Sep 17 00:00:00 2001 From: plegall Date: Mon, 4 Jan 2016 19:54:40 +0100 Subject: feature #392, add authentication key in NBM mails There are many links in NBM (Notification By Mail, see screen [Administration > Users > Notification]). I had to change several functions to take this authentication key into account. --- .../include/functions_notification_by_mail.inc.php | 14 ++--- admin/notification_by_mail.php | 18 +++++- include/functions_html.inc.php | 16 +++++- include/functions_mail.inc.php | 9 ++- include/functions_notification.inc.php | 67 ++++++++++++++++------ 5 files changed, 91 insertions(+), 33 deletions(-) diff --git a/admin/include/functions_notification_by_mail.inc.php b/admin/include/functions_notification_by_mail.inc.php index 8d0fe2621..7dc113b0f 100644 
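Review bot: `$page['auth_key_id']` is spliced into the `INSERT` unescaped, following the existing `$image_id`/`$format_id` style; its only writer in this series is `auth_key_login`, which stores `pwg_db_insert_id()`, but `$page` is a global that any included file can set, so a cast keeps the log insert safe regardless of source: `'.(isset($page['auth_key_id']) ? (int)$page['auth_key_id'] : 'NULL').','`. `pwg_log` starts outside the hunk, so whether `$page` is declared `global` there is not visible; if it is not, the new column is always `NULL`.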
--- a/admin/include/functions_notification_by_mail.inc.php +++ b/admin/include/functions_notification_by_mail.inc.php @@ -125,12 +125,12 @@ select U.'.$conf['user_fields']['username'].' as username, U.'.$conf['user_fields']['email'].' as mail_address, N.enabled, - N.last_send -from - '.USER_MAIL_NOTIFICATION_TABLE.' as N, - '.USERS_TABLE.' as U -where - N.user_id = U.'.$conf['user_fields']['id']; + N.last_send, + UI.status +from '.USER_MAIL_NOTIFICATION_TABLE.' as N + JOIN '.USERS_TABLE.' as U on N.user_id = U.'.$conf['user_fields']['id'].' + JOIN '.USER_INFOS_TABLE.' as UI on UI.user_id = N.user_id +where 1=1'; if ($action == 'send') { @@ -159,7 +159,7 @@ order by'; else { $query .= ' - username;'; + username'; } $query .= ';'; diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php index 38cadff6c..f146ba30f 100644 --- a/admin/notification_by_mail.php +++ b/admin/notification_by_mail.php @@ -289,13 +289,24 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l if ($is_action_send) { + $auth = null; + $add_url_params = array(); + + $auth_key = create_user_auth_key($nbm_user['user_id'], $nbm_user['status']); + + if ($auth_key !== false) + { + $auth = $auth_key['auth_key']; + $add_url_params['auth'] = $auth; + } + set_make_full_url(); // Fill return list of "treated" check_key for 'send' $return_list[] = $nbm_user['check_key']; if ($conf['nbm_send_detailed_content']) { - $news = news($nbm_user['last_send'], $dbnow, false, $conf['nbm_send_html_mail']); + $news = news($nbm_user['last_send'], $dbnow, false, $conf['nbm_send_html_mail'], $auth); $exist_data = count($news) > 0; } else @@ -362,7 +373,7 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l array ( 'TITLE' => get_title_recent_post_date($date_detail), - 'HTML_DATA' => get_html_description_recent_post_date($date_detail) + 'HTML_DATA' => get_html_description_recent_post_date($date_detail, $auth) ) ); } 
@@ -373,7 +384,7 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l array ( 'GOTO_GALLERY_TITLE' => $conf['gallery_title'], - 'GOTO_GALLERY_URL' => get_gallery_home_url(), + 'GOTO_GALLERY_URL' => add_url_params(get_gallery_home_url(), $add_url_params), 'SEND_AS_NAME' => $env_nbm['send_as_name'], ) ); @@ -389,6 +400,7 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l 'email_format' => $env_nbm['email_format'], 'content' => $env_nbm['mail_template']->parse('notification_by_mail', true), 'content_format' => $env_nbm['email_format'], + 'auth_key' => $auth, ) ); diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php index 8668e68ad..59861c46d 100644 --- a/include/functions_html.inc.php +++ b/include/functions_html.inc.php @@ -103,10 +103,17 @@ function get_cat_display_name($cat_informations, $url='') function get_cat_display_name_cache($uppercats, $url = '', $single_link = false, - $link_class = null) + $link_class = null, + $auth_key=null) { global $cache, $conf; + $add_url_params = array(); + if (isset($auth_key)) + { + $add_url_params['auth'] = $auth_key; + } + if (!isset($cache['cat_names'])) { $query = ' @@ -119,7 +126,7 @@ SELECT id, name, permalink $output = ''; if ($single_link) { - $single_url = get_root_url().$url.array_pop(explode(',', $uppercats)); + $single_url = add_url_params(get_root_url().$url.array_pop(explode(',', $uppercats)), $add_url_params); $output.= ' $cat, ) + ), + $add_url_params ) .'">'.$cat['name'].''; } diff --git a/include/functions_mail.inc.php b/include/functions_mail.inc.php index 529f2da0d..01a65091b 100644 --- a/include/functions_mail.inc.php +++ b/include/functions_mail.inc.php 
@@ -579,6 +579,7 @@ SELECT * o theme: theme to use [default value $conf_mail['mail_theme']] * o mail_title: main title of the mail [default value $conf['gallery_title']] * o mail_subtitle: subtitle of the mail [default value subject] + * o auth_key: authentication key to add on footer link [default value null] * @param array $tpl - use these options to define a custom content template file * o filename * o dirname (optional) @@ -725,9 +726,15 @@ function pwg_mail($to, $args=array(), $tpl=array()) $template->set_filename('mail_header', 'header.tpl'); $template->set_filename('mail_footer', 'footer.tpl'); + $add_url_params = array(); + if (!empty($args['auth_key'])) + { + $add_url_params['auth'] = $args['auth_key']; + } + $template->assign( array( - 'GALLERY_URL' => get_gallery_home_url(), + 'GALLERY_URL' => add_url_params(get_gallery_home_url(), $add_url_params), 'GALLERY_TITLE' => isset($page['gallery_title']) ? $page['gallery_title'] : $conf['gallery_title'], 'VERSION' => $conf['show_version'] ? PHPWG_VERSION : '', 'PHPWG_URL' => defined('PHPWG_URL') ? PHPWG_URL : '', diff --git a/include/functions_notification.inc.php b/include/functions_notification.inc.php index bc4d1a374..c7bbb66b3 100644 --- a/include/functions_notification.inc.php +++ b/include/functions_notification.inc.php 
@@ -395,27 +395,45 @@ function add_news_line(&$news, $count, $singular_key, $plural_key, $url='', $add * @param bool $add_url add html link around news * @return array */ -function news($start=null, $end=null, $exclude_img_cats=false, $add_url=false) +function news($start=null, $end=null, $exclude_img_cats=false, $add_url=false, $auth_key=null) { $news = array(); - if (!$exclude_img_cats) + $add_url_params = array(); + if (isset($auth_key)) { - add_news_line( $news, - nb_new_elements($start, $end), '%d new photo', '%d new photos', - make_index_url(array('section'=>'recent_pics')), $add_url ); + $add_url_params['auth'] = $auth_key; } if (!$exclude_img_cats) { - add_news_line( $news, - nb_updated_categories($start, $end), '%d album updated', '%d albums updated', - make_index_url(array('section'=>'recent_cats')), $add_url ); + add_news_line( + $news, + nb_new_elements($start, $end), + '%d new photo', + '%d new photos', + add_url_params(make_index_url(array('section'=>'recent_pics')), $add_url_params), + $add_url + ); + + add_news_line( + $news, + nb_updated_categories($start, $end), + '%d album updated', + '%d albums updated', + add_url_params(make_index_url(array('section'=>'recent_cats')), $add_url_params), + $add_url + ); } - add_news_line( $news, - nb_new_comments($start, $end), '%d new comment', '%d new comments', - get_root_url().'comments.php', $add_url ); + add_news_line( + $news, + nb_new_comments($start, $end), + '%d new comment', + '%d new comments', + add_url_params(get_root_url().'comments.php', $add_url_params), + $add_url + ); if (is_admin()) { 
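Review bot: The signature of `news()` gains `$auth_key=null` but the docblock directly above it still ends at `@param bool $add_url` / `@return array`; add `@param string|null $auth_key authentication key appended as auth= to every generated link`. The same omission is in the next hunk of this file, where `get_html_description_recent_post_date` gains the same parameter, and in `get_cat_display_name_cache` in functions_html.inc.php, whose docblock lies outside its hunk.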
@@ -527,17 +545,23 @@ function get_recent_post_dates_array($args) * @param array $date_detail returned value of get_recent_post_dates() * @return string */ -function get_html_description_recent_post_date($date_detail) +function get_html_description_recent_post_date($date_detail, $auth_key=null) { global $conf; + $add_url_params = array(); + if (isset($auth_key)) + { + $add_url_params['auth'] = $auth_key; + } + $description = '
    '; $description .= '
  • ' .l10n_dec('%d new photo', '%d new photos', $date_detail['nb_elements']) .' (' - .'' + .'' .l10n('Recent photos').'' .')' .'

  • '; @@ -546,11 +570,16 @@ function get_html_description_recent_post_date($date_detail) { $tn_src = DerivativeImage::thumb_url($element); $description .= ''; + add_url_params( + make_picture_url( + array( + 'image_id' => $element['id'], + 'image_file' => $element['file'], + ) + ), + $add_url_params + ) + .'">'; } $description .= '...
    '; @@ -564,7 +593,7 @@ function get_html_description_recent_post_date($date_detail) { $description .= '
  • ' - .get_cat_display_name_cache($cat['uppercats']) + .get_cat_display_name_cache($cat['uppercats'],'', false, null, $auth_key) .' ('. l10n_dec('%d new photo', '%d new photos', $cat['img_count']).')' .'
  • '; -- cgit v1.2.3 From c42f15dfa816912a1b09ec2a71e5ed0b39ff0d86 Mon Sep 17 00:00:00 2001 From: plegall Date: Wed, 6 Jan 2016 14:29:32 +0100 Subject: add auth_key in mail footer for pwg_mail_group --- include/functions_mail.inc.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/functions_mail.inc.php b/include/functions_mail.inc.php index 01a65091b..cf982bcf3 100644 --- a/include/functions_mail.inc.php +++ b/include/functions_mail.inc.php @@ -555,7 +555,13 @@ SELECT } } - $return &= pwg_mail($u['email'], $args, $user_tpl); + $user_args = $args; + if ($authkey !== false) + { + $user_args['auth_key'] = $authkey['auth_key']; + } + + $return &= pwg_mail($u['email'], $user_args, $user_tpl); } switch_lang_back(); -- cgit v1.2.3 From 426e10e235689211fc52ee0077dce32ea3124bd6 Mon Sep 17 00:00:00 2001 From: plegall Date: Wed, 6 Jan 2016 14:30:05 +0100 Subject: feature #392, bug fixed on footer link Use auth_key in mail cache key to avoid using the auth key of the first user. --- include/functions_mail.inc.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/functions_mail.inc.php b/include/functions_mail.inc.php index cf982bcf3..67be16c15 100644 --- a/include/functions_mail.inc.php +++ b/include/functions_mail.inc.php @@ -718,6 +718,10 @@ function pwg_mail($to, $args=array(), $tpl=array()) { // key compose of indexes witch allow to cache mail data $cache_key = $content_type.'-'.$lang_info['code']; + if (!empty($args['auth_key'])) + { + $cache_key.= '-'.$args['auth_key']; + } if (!isset($conf_mail[$cache_key])) { -- cgit v1.2.3
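Review bot: Appending the auth key to `$cache_key` is the right fix for reusing the first recipient's footer, but `$conf_mail[$cache_key]` now gains one rendered header/footer entry per recipient, since every key is distinct; for a large notification run this grows with the number of users if `$conf_mail` lives for the whole request (its declaration is outside the hunk). If that turns out to matter, cache the template data without the key and apply `add_url_params` to `GALLERY_URL` per call instead. `pwg_mail` starts outside the hunk.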