Don't fetch feeds via postload.php if they are not in the OPML file

Fixes #84.

2 files changed, 36 insertions, 14 deletions

diff --git a/app/app.php b/app/app.php
index 269d99c..ec4e446 100755
--- a/app/app.php
+++ b/app/app.php
@@ -34,3 +34,13 @@ $l10n = new Simplel10n($conf['locale']);
 function _g($str, $comment='') {
     return Simplel10n::getString($str);
 }
+
+function custom_path($file = '')
+{
+    return __DIR__.'/../custom' . (!empty($file) ? '/'.$file : '');
+}
+
+function ensure_installed()
+{
+    return file_exists(custom_path('config.yml')) && file_exists(custom_path('people.opml'));
+}
diff --git a/postload.php b/postload.php
index 717a146..389f1d8 100644
--- a/postload.php
+++ b/postload.php
@@ -1,17 +1,29 @@
 <?php
-include_once(__DIR__.'/app/app.php');
 
-$Planet->addPerson(
-    new PlanetFeed(
-        '',
-        htmlspecialchars_decode($_GET['url'], ENT_QUOTES),
-        '',
-        false
-    )
-);
+require_once __DIR__.'/app/app.php';
 
-//Load feeds
-$Planet->download(1);
-header("Content-type: image/png");
-readfile(__DIR__."/custom/img/feed.png");
-die();
+ensure_installed();
+
+$xml = new SimpleXMLElement(file_get_contents(custom_path('people.opml')));
+
+foreach ($xml->xpath('/opml/body/outline[@xmlUrl]') as $element)
+{
+    if ($element->attributes()->xmlUrl == $_GET['url'])
+    {
+        $Planet->addPerson(
+            new PlanetFeed(
+                '',
+                $_GET['url'],
+                '',
+                false
+            )
+        );
+
+        $Planet->download(1);
+        header('Content-type: image/png');
+        readfile(custom_path('img/feed.png'));
+        die();
+    }
+}
+
+echo 'Updating this URL is not allowed.';
\ No newline at end of file