PageRenderTime 77ms CodeModel.GetById 26ms RepoModel.GetById 1ms app.codeStats 0ms

/www/index.php

https://github.com/scoates/blogcollab
PHP | 211 lines | 117 code | 19 blank | 75 comment | 36 complexity | a9e3738275076b22c5700b9490dc1399 MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * Really simple blog collaboration system.
    4. 

  4.  * The code is nothing special (I whipped it up in an hour or so, one day, and
    5. 

  5.  * spent a whole bunch more time making it ready for public consumption), but
    6. 

  6.  * the app is really useful for collaboration/preview.
    7. 

  7.  *
    8. 

  8.  * Put user templates in ../templates/{username}
    9. 

  9.  * Put content in ../content/{username}/{Title Goes Here}.html
    10. 

  10.  */
    11. 

  11. 

  12. /**
    13. 

  13.  * Authentication constants
    14. 

  14.  */
    15. 

  15. define('AUTH_USER', 'collab'); // set to false to skip auth check
    16. 

  16. define('AUTH_PASS', 'd5029374377771fd628239fd1f4e9d02'); // md5('collab');
    17. 

  17. 

  18. $AUTHENTICATED = false;
    19. 

  19. 

  20. /**
    21. 

  21.  * Library code
    22. 

  22.  */
    23. 

  23. require dirname(__DIR__) . DIRECTORY_SEPARATOR . 'blogcollab.php';
    24. 

  24. 

  25. /**
    26. 

  26.  * Check auth
    27. 

  27.  */
    28. 

  28. if (AUTH_USER) {
    29. 

  29. 	if (
    30. 

  30. 		isset($_SERVER['PHP_AUTH_USER'])
    31. 

  31. 		&& AUTH_USER == $_SERVER['PHP_AUTH_USER']
    32. 

  32. 		&& isset($_SERVER['PHP_AUTH_PW'])
    33. 

  33. 		&& AUTH_PASS == md5($_SERVER['PHP_AUTH_PW'])
    34. 

  34. 	) {
    35. 

  35. 		$AUTHENTICATED = true;
    36. 

  36. 	} else {
    37. 

  37. 		$AUTHENTICATED = false;
    38. 

  38. 		if (isset($_GET['dologin']) && $_GET['dologin']) {
    39. 

  39. 			header('WWW-Authenticate: Basic realm="Blogcollab"');
    40. 

  40. 			header('HTTP/1.0 401 Unauthorized');
    41. 

  41. 			exit;
    42. 

  42. 		}
    43. 

  43. 	}
    44. 

  44. } else {
    45. 

  45. 	// AUTH_USER is false, pretend we're authenticated
    46. 

  46. 	$AUTHENTICATED = true;
    47. 

  47. }
    48. 

  48. 

  49. /**
    50. 

  50.  * Ensure we're in UTF-8.. Unicode is haaaaard.
    51. 

  51.  */
    52. 

  52. header('Content-type: text/html;charset=UTF-8');
    53. 

  53. 

  54. /**
    55. 

  55.  * When not authenticated, show the instructions
    56. 

  56.  */
    57. 

  57. if (!$AUTHENTICATED) {
    58. 

  58. 	render('_instructions', array());
    59. 

  59. 	exit();
    60. 

  60. }
    61. 

  61. 

  62. /**
    63. 

  63.  * Collect users
    64. 

  64.  */
    65. 

  65. $users = array();
    66. 

  66. foreach (new DirectoryIterator(USERDIR) as $fi) {
    67. 

  67. 	if (!$fi->isDot()) {
    68. 

  68. 		$users[] = $fi->getFilename();
    69. 

  69. 	}
    70. 

  70. }
    71. 

  71. 

  72. /**
    73. 

  73.  * $who will be the current user, if valid
    74. 

  74.  */
    75. 

  75. $who = null;
    76. 

  76. 

  77. /**
    78. 

  78.  * $entry will be the currently-selected template, if valid and set
    79. 

  79.  */
    80. 

  80. $entry = null;
    81. 

  81. 

  82. /**
    83. 

  83.  * Split out the path
    84. 

  84.  */
    85. 

  85. if (isset($_SERVER['PATH_INFO'])) {
    86. 

  86. 	// apache
    87. 

  87. 	$parts = explode('/', preg_replace('/\?.*$/', '', $_SERVER['PATH_INFO']));
    88. 

  88. } elseif (isset($_SERVER['REQUEST_URI'])) {
    89. 

  89. 	// nginx (orchestra.io)
    90. 

  90. 	// massage the script name's directory out of the path
    91. 

  91. 	$requestUri = preg_replace('/\?.*$/', '', $_SERVER['REQUEST_URI']);
    92. 

  92. 	$scriptDir = dirname($_SERVER['SCRIPT_NAME']);
    93. 

  93. 	if (isset($_SERVER['SCRIPT_NAME']) && 0 === strpos($requestUri, $scriptDir)) {
    94. 

  94. 		$requestUri = substr($requestUri, strlen($scriptDir));
    95. 

  95. 	}
    96. 

  96. 	$parts = explode('/', urldecode($requestUri));
    97. 

  97. } else {
    98. 

  98. 	$parts = array();
    99. 

  99. }
    100. 

  100. if (isset($parts[0]) && '' === $parts[0]) {
    101. 

  101. 	// trim off the first (empty) element
    102. 

  102. 	array_shift($parts);
    103. 

  103. }
    104. 

  104. $size = count($parts);
    105. 

  105. if ($size > 0) {
    106. 

  106. 	$who = $parts[0];
    107. 

  107. }
    108. 

  108. if ($size > 1) {
    109. 

  109. 	$entry = $parts[1];
    110. 

  110. }
    111. 

  111. 

  112. /**
    113. 

  113.  * Ensure there are no path shenanigans
    114. 

  114.  */
    115. 

  115. if (false !== strpos($who, '../') || false !== strpos($entry, '../')) {
    116. 

  116. 	do_404();
    117. 

  117. 	$title = $content = 'Invalid path';
    118. 

  118. 	render(null, compact('content', 'title'));
    119. 

  119. }
    120. 

  120. 

  121. /**
    122. 

  122.  * Trap invalid users -> 404
    123. 

  123.  */
    124. 

  124. if ($who && !in_array($who, $users)) {
    125. 

  125. 	do_404();
    126. 

  126. 	$content = 'invalid user <a href="' . escape($_SERVER['SCRIPT_NAME']) . '">try again?</a>';
    127. 

  127. 	$title = 'Invalid user';
    128. 

  128. 	render(null, compact('content', 'title'));
    129. 

  129. }
    130. 

  130. 

  131. /**
    132. 

  132.  * no user or entry; have the viewer select a user
    133. 

  133.  */
    134. 

  134. if (!$who) {
    135. 

  135. 	$title = 'Select a user';
    136. 

  136. 	render('_users', compact('title', 'users'));
    137. 

  137. }
    138. 

  138. 

  139. /**
    140. 

  140.  * visitor has selected a user, but not an entry
    141. 

  141.  */
    142. 

  142. $contentdir = USERDIR . DIRECTORY_SEPARATOR . $who;
    143. 

  143. if (!$entry) {
    144. 

  144. 	if (!file_exists($contentdir)) {
    145. 

  145. 		$content = "User " . escape($who) . " has no content directory.";
    146. 

  146. 		$title = 'Error';
    147. 

  147. 		render(null, compact('title', 'content'));
    148. 

  148. 	}
    149. 

  149. 	$entries = array();
    150. 

  150. 	foreach (new DirectoryIterator($contentdir) as $fi) {
    151. 

  151. 		if (!$fi->isDot()) {
    152. 

  152. 			$fName = $fi->getFilename();
    153. 

  153. 			if ($fName[0] != '.') { // ignore hidden files
    154. 

  154. 				$entries[] = $fName;
    155. 

  155. 			}
    156. 

  156. 		}
    157. 

  157. 	}
    158. 

  158. 	$title = 'Select an entry for ' . escape($who);
    159. 

  159. 	$user = $who;
    160. 

  160. 	render('_entries', compact('title', 'entries', 'user'));
    161. 

  161. }
    162. 

  162. 

  163. /**
    164. 

  164.  * collect templates
    165. 

  165.  */
    166. 

  166. $templates = array();
    167. 

  167. foreach (new DirectoryIterator(TEMPLATEDIR) as $fi) {
    168. 

  168. 	if (!$fi->isDot()) {
    169. 

  169. 		$name = $fi->getFilename();
    170. 

  170. 		if ($name[0] != '_') {
    171. 

  171. 			$templates[] = $name;
    172. 

  172. 		}
    173. 

  173. 	}
    174. 

  174. }
    175. 

  175. /**
    176. 

  176.  * determine display template
    177. 

  177.  */
    178. 

  178. $displayTemplate = $who;
    179. 

  179. if (!in_array($displayTemplate . '.html.php', $templates)) {
    180. 

  180. 	$displayTemplate = null;
    181. 

  181. }
    182. 

  182. 

  183. /**
    184. 

  184.  * validate requested content
    185. 

  185.  */
    186. 

  186. $contentFile = $contentdir . DIRECTORY_SEPARATOR . $entry;
    187. 

  187. if (!is_readable($contentFile)) {
    188. 

  188. 	do_404();
    189. 

  189. 	$title = 'Entry not found';
    190. 

  190. 	$content = $title;
    191. 

  191. 	render(null, compact('title', 'content'));
    192. 

  192. }
    193. 

  193. 

  194. /**
    195. 

  195.  * actually load content from disk (the repository)
    196. 

  196.  *
    197. 

  197.  * Note: this content is often intentionally not escaped (depends on the
    198. 

  198.  * template), so it opens the door to XSS and other nastiness. The assumption
    199. 

  199.  * here is that authors (committers) are to be trusted; visitors are not
    200. 

  200.  */
    201. 

  201. $content = file_get_contents($contentFile);
    202. 

  202. /**
    203. 

  203.  * Set title from the file name
    204. 

  204.  */
    205. 

  205. $title = escape(substr($entry, 0, strrpos($entry, '.')));
    206. 

  206. 

  207. /**
    208. 

  208.  * and finally, render the template
    209. 

  209.  */
    210. 

  210. render($displayTemplate, compact('title', 'content'), false);
    211. 

  211. 

  212.