From 66003613153efa09c2ecc192f975f19a55fd3cd8 Mon Sep 17 00:00:00 2001
From: Matteo Gheza
Date: Sat, 3 Apr 2021 17:47:34 +0200
Subject: [PATCH] fixes for flutter client
---
 server/core.php | 4 ++--
 server/templates/base.html | 4 ++++
 server/ui.php | 3 +++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/server/core.php b/server/core.php
index 862495b..dddc243 100644
--- a/server/core.php
+++ b/server/core.php
@@ -353,7 +353,8 @@ class user
 $this->database = $database;
 $this->tools = $tools;
 $this->auth = new \Delight\Auth\Auth($database->connection, $tools->get_ip(), DB_PREFIX."_", false);
- if(isset($_REQUEST["apiKey"])){
+ \header_remove('X-Frame-Options');
+ if(isset($_REQUEST["apiKey"]) && !is_null($_REQUEST["apiKey"])){
 $api_key_row = $this->database->exec("SELECT * FROM `%PREFIX%_api_keys` WHERE apikey = :apikey;", true, [":apikey" => $_REQUEST["apiKey"]]);
 if(!empty($api_key_row)){
 $user = $this->database->exec("SELECT * FROM `%PREFIX%_profiles` WHERE id = :id;", true, [":id" => $api_key_row[0]["user"]]);
@@ -834,7 +835,6 @@ function init_class($enableDebugger=true, $headers=true)
 header("X-Content-Security-Policy: $csp");
 header("X-WebKit-CSP: $csp");
 header("X-XSS-Protection: 1; mode=block");
- header("X-Frame-Options: DENY");
 header("X-Content-Type-Options: nosniff");
 header("Feature-Policy: autoplay 'none'; camera 'none'; microphone 'none'; payment 'none'");
 }
diff --git a/server/templates/base.html b/server/templates/base.html
index 89d392f..d454f55 100644
--- a/server/templates/base.html
+++ b/server/templates/base.html
@@ -91,6 +91,7 @@ {% if enable_debug_bar %}{{ debug_bar_head|raw }}{% endif %}
+{% if show_menu %}
 {% block menu %}
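Review bot: The added `\header_remove('X-Frame-Options');` in the `user` constructor runs on every request rather than only for the Flutter client, and together with the deleted `header("X-Frame-Options: DENY");` in `init_class` and the second `header_remove` in `loadtemplate` (server/ui.php) it leaves every page framable by any origin, unless `$csp` already carries a `frame-ancestors` directive, which is not visible in this patch. I would keep the DENY default in `init_class` and lift it only inside the branch that has found a matching row for the API key, or replace it with a `frame-ancestors` allow-list naming the client's origin. With the header no longer sent, both `header_remove` calls appear to be no-ops and only hide the intent. The added `!is_null($_REQUEST["apiKey"])` is redundant, since `isset()` is already false for null. The constructor starts and ends outside the hunk.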
@@ -107,6 +108,7 @@
 {% endblock %}
+{% endif %}
@@ -119,6 +121,7 @@ {% if enable_debug_bar %}{{ debug_bar|raw }}{% endif %}
+{% if show_footer %}
 {% block footer %}
@@ -127,5 +130,6 @@
 {% endblock %}
+{% endif %}
\ No newline at end of file
diff --git a/server/ui.php b/server/ui.php
index ebdf8cc..f647550 100644
--- a/server/ui.php
+++ b/server/ui.php
@@ -77,6 +77,8 @@ function loadtemplate($templatename, $data, $requirelogin=true)
 $data['enable_technical_support'] = $database->get_option("enable_technical_support");
 $data['technical_support_key'] = $database->get_option("technical_support_key");
 $data['technical_support_open'] = isset($_COOKIE["chat"]);
+ $data['show_menu'] = !isset($_REQUEST["hide_menu"]);
+ $data['show_footer'] = !isset($_REQUEST["hide_footer"]);
 if($database->get_option("use_custom_error_sound")) {
 $data['error_sound'] = "custom-error.mp3";
 } else {
@@ -87,6 +89,7 @@ function loadtemplate($templatename, $data, $requirelogin=true)
 } else {
 $data['error_image'] = "error.gif";
 }
+ \header_remove('X-Frame-Options');
 $template = $twig->load($templatename);
 if(isset($_SERVER["HTTP_X_PJAX"]) || isset($_GET["X_PJAX"]) || isset($_GET["_PJAX"])) {
 $data["pjax_requested"] = true;
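Review bot: `show_menu` and `show_footer` depend only on whether `hide_menu` / `hide_footer` is present in `$_REQUEST`, so any link, form post or (depending on `request_order`) cookie can strip the navigation and footer from a logged-in user's page. Because this commit also stops sending `X-Frame-Options`, a page without its usual chrome inside a third-party frame is harder for the user to recognise as this application. I would read the flags from `$_GET` only and honour them only when the request was authenticated by API key, e.g. `$data['show_menu'] = !($isApiClient && isset($_GET["hide_menu"]));`, where `$isApiClient` is a placeholder for however this function learns that the app made the request. `loadtemplate` starts and ends outside the hunk.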