Vergleich admin/index.php - 1.6.5 - 1.6.18

Keine Änderungen Hinzugefügt Modifiziert Entfernt
Zeile 6	Zeile 6
* Website: http://mybb.com * License: http://mybb.com/about/license *	* Website: http://mybb.com * License: http://mybb.com/about/license *
* $Id: index.php 5621 2011-09-26 18:35:54Z ralgith $	* $Id$
*/ define("IN_MYBB", 1);	*/ define("IN_MYBB", 1);
Zeile 62	Zeile 62
unset($user); // Load Admin CP style	unset($user); // Load Admin CP style
if(!$cp_style)	if(!isset($cp_style))
{ if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css")) {	{ if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css")) {
Zeile 80	Zeile 80
$fail_check = 0; $post_verify = true;	$fail_check = 0; $post_verify = true;
if($mybb->input['action'] == "logout")	foreach(array('action', 'do', 'module') as $input)
{	{
// Delete session from the database $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'"); my_setcookie("adminsid", ""); $logged_out = true;	if(!isset($mybb->input[$input])) { $mybb->input[$input] = ''; }
}	}
elseif($mybb->input['action'] == "unlock")	if($mybb->input['action'] == "unlock")
{ $user = array();	{ $user = array();
	$error = '';
if($mybb->input['username'])	if($mybb->input['username'])
{ $query = $db->simple_select("users", "*", "LOWER(username)='".$db->escape_string(my_strtolower($mybb->input['username']))."'"); $user = $db->fetch_array($query);	{ $username = $db->escape_string(my_strtolower($mybb->input['username'])); switch($mybb->settings['username_method']) { case 0: $query = $db->simple_select("users", "", "LOWER(username)='".$username."'", array('limit' => 1)); break; case 1: $query = $db->simple_select("users", "", "LOWER(email)='".$username."'", array('limit' => 1)); break; case 2: $query = $db->simple_select("users", "", "LOWER(username)='".$username."' OR LOWER(email)='".$username."'", array('limit' => 1)); break; default: $query = $db->simple_select("users", "", "LOWER(username)='".$username."'", array('limit' => 1)); break; } $user = $db->fetch_array($query);
if(!$user['uid']) {	if(!$user['uid']) {
$error[] = $lang->error_invalid_username;	$error = $lang->error_invalid_username;
} } else if($mybb->input['uid'])	} } else if($mybb->input['uid'])
{	{
$query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'"); $user = $db->fetch_array($query); if(!$user['uid'])	$query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'"); $user = $db->fetch_array($query); if(!$user['uid'])
{ $error[] = $lang->error_invalid_uid; }	{ $error = $lang->error_invalid_uid; }
}	}

// Do we have the token? If so let's process it if($mybb->input['token'] && $user['uid'])	// Do we have the token? If so let's process it if($mybb->input['token'] && $user['uid'])
{	{
$query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");	$query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");

// If we're good to go if($db->fetch_field($query, "num") > 0) { $db->delete_query("awaitingactivation", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'"); $db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".intval($user['uid'])."'");	// If we're good to go if($db->fetch_field($query, "num") > 0) { $db->delete_query("awaitingactivation", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'"); $db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".intval($user['uid'])."'");

admin_redirect("index.php"); } else {	admin_redirect("index.php"); } else {
$error[] = $lang->error_invalid_token;	$error = $lang->error_invalid_token;
} }	} }
$default_page->show_lockout_unlock();	$default_page->show_lockout_unlock($error, 'error');
} elseif($mybb->input['do'] == "login")	} elseif($mybb->input['do'] == "login")
{	{ // We have an adminsid cookie? if(isset($mybb->cookies['adminsid'])) { // Check admin session $query = $db->simple_select("adminsessions", "sid", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'"); $admin_session = $db->fetch_field($query, 'sid'); // Session found: redirect to index if($admin_session) { admin_redirect("index.php"); } }
$user = validate_password_from_username($mybb->input['username'], $mybb->input['password']); if($user['uid']) {	$user = validate_password_from_username($mybb->input['username'], $mybb->input['password']); if($user['uid']) {
Zeile 142	Zeile 173
if($mybb->user['uid']) { if(login_attempt_check_acp($mybb->user['uid']) == true)	if($mybb->user['uid']) { if(login_attempt_check_acp($mybb->user['uid']) == true)
{	{
$default_page->show_lockedout(); }	$default_page->show_lockedout(); }

$db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");	$db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");

$sid = md5(uniqid(microtime(true)));	$sid = md5(uniqid(microtime(true)));

// Create a new admin session for this user $admin_session = array( "sid" => $sid,	// Create a new admin session for this user $admin_session = array( "sid" => $sid,
Zeile 158	Zeile 189
"ip" => $db->escape_string(get_ip()), "dateline" => TIME_NOW, "lastactive" => TIME_NOW,	"ip" => $db->escape_string(get_ip()), "dateline" => TIME_NOW, "lastactive" => TIME_NOW,
"data" => "",	"data" => serialize(array()),
); $db->insert_query("adminsessions", $admin_session);	); $db->insert_query("adminsessions", $admin_session);
$db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='".intval($mybb->user['uid'])."'", 1); my_setcookie("adminsid", $sid);	$admin_session['data'] = array(); $db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='".intval($mybb->user['uid'])."'"); my_setcookie("adminsid", $sid, '', true);
my_setcookie('acploginattempts', 0); $post_verify = false;	my_setcookie('acploginattempts', 0); $post_verify = false;

$mybb->request_method = "get";	$mybb->request_method = "get";

if(!empty($mybb->input['module'])) { // $query_string should contain the module	if(!empty($mybb->input['module'])) { // $query_string should contain the module
$query_string = '?module='.htmlspecialchars($mybb->input['module']);	$query_string = '?module='.htmlspecialchars_uni($mybb->input['module']);
// Now we look for any paramters passed in $_SERVER['QUERY_STRING'] if($_SERVER['QUERY_STRING']) {	// Now we look for any paramters passed in $_SERVER['QUERY_STRING'] if($_SERVER['QUERY_STRING']) {
Zeile 180	Zeile 212
$qstring = str_replace('action=logout', '', $qstring); $qstring = preg_replace('#&+#', '&', $qstring); $qstring = str_replace('?&', '?', $qstring);	$qstring = str_replace('action=logout', '', $qstring); $qstring = preg_replace('#&+#', '&', $qstring); $qstring = str_replace('?&', '?', $qstring);

// So what do we do? We know that parameters are devided by ampersands // That means we must get to work! $parameters = explode('&', $qstring);	// So what do we do? We know that parameters are devided by ampersands // That means we must get to work! $parameters = explode('&', $qstring);

// Remove our first member if it's for the module if(substr($parameters[0], 0, 8) == '?module=')	// Remove our first member if it's for the module if(substr($parameters[0], 0, 8) == '?module=')
{	{
unset($parameters[0]); }	unset($parameters[0]); }

foreach($parameters as $key => $param) { $params = explode("=", $param);	foreach($parameters as $key => $param) { $params = explode("=", $param);
$query_string .= '&'.htmlspecialchars($params[0])."=".htmlspecialchars($params[1]);	$query_string .= '&'.htmlspecialchars_uni($params[0])."=".htmlspecialchars_uni($params[1]);
} }	} }

admin_redirect("index.php".$query_string);	admin_redirect("index.php".$query_string);
} } else	} } else
{	{
$query = $db->simple_select("users", "uid,email", "LOWER(username) = '".$db->escape_string(my_strtolower($mybb->input['username']))."'");	$username = $db->escape_string(my_strtolower($mybb->input['username'])); switch($mybb->settings['username_method']) { case 0: $query = $db->simple_select("users", "uid,email", "LOWER(username)='".$username."'", array('limit' => 1)); break; case 1: $query = $db->simple_select("users", "uid,email", "LOWER(email)='".$username."'", array('limit' => 1)); break; case 2: $query = $db->simple_select("users", "uid,email", "LOWER(username)='".$username."' OR LOWER(email)='".$username."'", array('limit' => 1)); break; default: $query = $db->simple_select("users", "uid,email", "LOWER(username)='".$username."'", array('limit' => 1)); break; }
$login_user = $db->fetch_array($query);	$login_user = $db->fetch_array($query);

if($login_user['uid'] > 0)	if($login_user['uid'] > 0)
{ $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".intval($login_user['uid'])."'", 1, true);	{ $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".intval($login_user['uid'])."'", '', true);
}	}

$loginattempts = login_attempt_check_acp($login_user['uid'], true);	$loginattempts = login_attempt_check_acp($login_user['uid'], true);

// Have we attempted too many times? if($loginattempts['loginattempts'] > 0) { // Have we set an expiry yet? if($loginattempts['loginlockoutexpiry'] == 0) {	// Have we attempted too many times? if($loginattempts['loginattempts'] > 0) { // Have we set an expiry yet? if($loginattempts['loginlockoutexpiry'] == 0) {
$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+(intval($mybb->settings['loginattemptstimeout'])*60)), "uid='".intval($login_user['uid'])."'", 1);	$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+(intval($mybb->settings['loginattemptstimeout'])*60)), "uid='".intval($login_user['uid'])."'");
}	}
// Did we hit lockout for the first time? Send the unlock email to the administrator	// Did we hit lockout for the first time? Send the unlock email to the administrator
if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])	if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
{	{
$db->delete_query("awaitingactivation", "uid='".intval($login_user['uid'])."' AND type='l'"); $lockout_array = array( "uid" => $login_user['uid'],	$db->delete_query("awaitingactivation", "uid='".intval($login_user['uid'])."' AND type='l'"); $lockout_array = array( "uid" => $login_user['uid'],
Zeile 234	Zeile 281
"type" => "l" ); $db->insert_query("awaitingactivation", $lockout_array);	"type" => "l" ); $db->insert_query("awaitingactivation", $lockout_array);

$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);	$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code']);	$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
my_mail($login_user['email'], $subject, $message); }	my_mail($login_user['email'], $subject, $message); }

$default_page->show_lockedout(); }	$default_page->show_lockedout(); }

$fail_check = 1; } }	$fail_check = 1; } }
Zeile 262	Zeile 309
// No matching admin session found - show message on login screen if(!$admin_session['sid']) {	// No matching admin session found - show message on login screen if(!$admin_session['sid']) {
$login_message = $lang->invalid_admin_session;	$login_message = $lang->error_invalid_admin_session;
} else {	} else {
Zeile 305	Zeile 352
break; } }	break; } }

// IP doesn't match properly - show message on logon screen if(!$valid_ip) {	// IP doesn't match properly - show message on logon screen if(!$valid_ip) {
Zeile 318	Zeile 365
} }	} }
if(!$mybb->user['usergroup'])	if($mybb->input['action'] == "logout" && $mybb->user) { if(verify_post_check($mybb->input['my_post_key'])) { $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'"); my_unsetcookie('adminsid'); $logged_out = true; } } if(!isset($mybb->user['usergroup']))
{ $mybbgroups = 1; }	{ $mybbgroups = 1; }
Zeile 327	Zeile 384
$mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups']; } $mybb->usergroup = usergroup_permissions($mybbgroups);	$mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups']; } $mybb->usergroup = usergroup_permissions($mybbgroups);
if($mybb->usergroup['cancp'] != 1 \|\| !$mybb->user['uid']) { $db->delete_query("adminsessions", "uid='".intval($mybb->user['uid'])."'");	$is_super_admin = is_super_admin($mybb->user['uid']); if($mybb->usergroup['cancp'] != 1 && !$is_super_admin \|\| !$mybb->user['uid']) { $uid = 0; if(isset($mybb->user['uid'])) { $uid = intval($mybb->user['uid']); } $db->delete_query("adminsessions", "uid = '{$uid}'");
unset($mybb->user);	unset($mybb->user);
my_setcookie("adminsid", "");	my_unsetcookie('adminsid');
} if($mybb->user['uid']) { $query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'"); $admin_options = $db->fetch_array($query);	} if($mybb->user['uid']) { $query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'"); $admin_options = $db->fetch_array($query);

if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css")) {	if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css")) {
$page->style = $cp_style = $admin_options['cpstyle'];	$cp_style = $admin_options['cpstyle'];
} // Update the session information in the DB	} // Update the session information in the DB
Zeile 357	Zeile 421
// Include the layout generation class overrides for this style if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))	// Include the layout generation class overrides for this style if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))
{	{
require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"; }	require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"; }
Zeile 376	Zeile 440
if(!class_exists($style_name)) { eval("class {$style_name} extends {$default_name} { }");	if(!class_exists($style_name)) { eval("class {$style_name} extends {$default_name} { }");
} }	} }
$page = new Page; $page->style = $cp_style; // Do not have a valid Admin user, throw back to login page.	$page = new Page; $page->style = $cp_style; // Do not have a valid Admin user, throw back to login page.
if(!$mybb->user['uid'] \|\| $logged_out == true) {	if(!isset($mybb->user['uid']) \|\| $logged_out == true) {
if($logged_out == true) { $page->show_login($lang->success_logged_out); } elseif($fail_check == 1)	if($logged_out == true) { $page->show_login($lang->success_logged_out); } elseif($fail_check == 1)
{	{
$page->show_login($lang->error_invalid_username_password, "error"); } else { // If we have this error while retreiving it from an AJAX request, then send back a nice error	$page->show_login($lang->error_invalid_username_password, "error"); } else { // If we have this error while retreiving it from an AJAX request, then send back a nice error
if($mybb->input['ajax'] == 1)	if(isset($mybb->input['ajax']) && $mybb->input['ajax'] == 1)
{ echo "<error>login</error>"; die; } $page->show_login($login_message, "error");	{ echo "<error>login</error>"; die; } $page->show_login($login_message, "error");
} }	} }
$page->add_breadcrumb_item($lang->home, "index.php"); // Begin dealing with the modules	$page->add_breadcrumb_item($lang->home, "index.php"); // Begin dealing with the modules
Zeile 415	Zeile 479
if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php")) { require_once $modules_dir."/".$module."/module_meta.php";	if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php")) { require_once $modules_dir."/".$module."/module_meta.php";

// Need to always load it for admin permissions / quick access $lang->load($module."_module_meta", false, true);	// Need to always load it for admin permissions / quick access $lang->load($module."_module_meta", false, true);

$has_permission = false; if(function_exists($module."_admin_permissions")) {	$has_permission = false; if(function_exists($module."_admin_permissions")) {
if(isset($mybb->admin['permissions'][$module]))	if(isset($mybb->admin['permissions'][$module]) \|\| $is_super_admin == true)
{ $has_permission = true; }	{ $has_permission = true; }
Zeile 432	Zeile 496
{ $has_permission = true; }	{ $has_permission = true; }

// Do we have permissions to run this module (Note: home is accessible by all) if($module == "home" \|\| $has_permission == true) {	// Do we have permissions to run this module (Note: home is accessible by all) if($module == "home" \|\| $has_permission == true) {
Zeile 442	Zeile 506
{ $modules[$module] = 1; }	{ $modules[$module] = 1; }
}	}
else { $modules[$module] = 0;	else { $modules[$module] = 0;
Zeile 453	Zeile 517
$modules = $plugins->run_hooks("admin_tabs", $modules); closedir($dir);	$modules = $plugins->run_hooks("admin_tabs", $modules); closedir($dir);

if(strpos($mybb->input['module'], "/") !== false)	if(strpos($mybb->input['module'], "/") !== false)
{	{
$current_module = explode("/", $mybb->input['module'], 2);	$current_module = explode("/", $mybb->input['module'], 2);
} else {	} else {
$current_module = explode("-", $mybb->input['module'], 2);	$current_module = explode("-", $mybb->input['module'], 2);
	} if(!isset($current_module[1])) { $current_module[1] = 'home';
} if($mybb->input['module'] && isset($modules[$current_module[0]]))	} if($mybb->input['module'] && isset($modules[$current_module[0]]))
{	{
$run_module = $current_module[0]; } else { $run_module = "home";	$run_module = $current_module[0]; } else { $run_module = "home";
}	}
$action_handler = $run_module."_action_handler"; $action_file = $action_handler($current_module[1]);	$action_handler = $run_module."_action_handler"; $action_file = $action_handler($current_module[1]);
	// Set our POST validation code here $mybb->post_code = generate_post_check();
if($run_module != "home") { check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action)); }	if($run_module != "home") { check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action)); }
// Set our POST validation code here $mybb->post_code = generate_post_check();
// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid. $post_check_ignores = array(	// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid. $post_check_ignores = array(
Zeile 498	Zeile 567
$post_verify = false; } }	$post_verify = false; } }

if($post_verify == true) { // If the post key does not match we switch the action to GET and set a message to show the user	if($post_verify == true) { // If the post key does not match we switch the action to GET and set a message to show the user