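<?php
/**
 * MyBB 1.6
 * Copyright 2010 MyBB Group, All Rights Reserved
 *
 * Website: http://mybb.com
 * License: http://mybb.com/about/license
 *
 * $Id$
 */

/*
 * Admin CP front controller.
 *
 * Bootstraps the board, then handles, in order:
 *   1. lockout unlock (action=unlock + emailed token),
 *   2. login (do=login) with failed-attempt counting / lockout,
 *   3. validation of an existing admin session cookie (adminsid),
 *   4. logout (action=logout, POST-key protected),
 *   5. permission checks, module discovery and dispatch to the
 *      requested module/action file.
 *
 * Everything below runs at file scope; $mybb, $db, $lang, $plugins and
 * $config come from inc/init.php.
 */

define("IN_MYBB", 1);
define("IN_ADMINCP", 1);

// Here you can change how much of an Admin CP IP address must match in a previous session for the user is validated (defaults to 3 which matches a.b.c)
define("ADMIN_IP_SEGMENTS", 3);

require_once dirname(dirname(__FILE__))."/inc/init.php";

send_page_headers();

// Fall back to the stock admin directory name when the configured one does not contain the page class
if(!isset($config['admin_dir']) || !file_exists(MYBB_ROOT.$config['admin_dir']."/inc/class_page.php"))
{
	$config['admin_dir'] = "admin";
}

define('MYBB_ADMIN_DIR', MYBB_ROOT.$config['admin_dir'].'/');

define('COPY_YEAR', my_date('Y', TIME_NOW));

require_once MYBB_ADMIN_DIR."inc/class_page.php";
require_once MYBB_ADMIN_DIR."inc/class_form.php";
require_once MYBB_ADMIN_DIR."inc/class_table.php";
require_once MYBB_ADMIN_DIR."inc/functions.php";
require_once MYBB_ROOT."inc/functions_user.php";

// The configured Admin CP language must ship an admin language pack; otherwise use english
if(!file_exists(MYBB_ROOT."inc/languages/".$mybb->settings['cplanguage']."/admin/home_dashboard.lang.php"))
{
	$mybb->settings['cplanguage'] = "english";
}
$lang->set_language($mybb->settings['cplanguage'], "admin");

// Load global language phrases
$lang->load("global");

if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
{
	@mb_internal_encoding($lang->settings['charset']);
}

header("Content-type: text/html; charset={$lang->settings['charset']}");

$time = TIME_NOW;
$errors = null;

// Refuse to run the Admin CP while the installer is still reachable
if(is_dir(MYBB_ROOT."install") && !file_exists(MYBB_ROOT."install/lock"))
{
	$mybb->trigger_generic_error("install_directory");
}

$ip_address = get_ip();
unset($user);

// Load Admin CP style
if(!isset($cp_style))
{
	if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css"))
	{
		$cp_style = $mybb->settings['cpstyle'];
	}
	else
	{
		$cp_style = "default";
	}
}

$default_page = new DefaultPage;

$logged_out = false;
$fail_check = 0;
$post_verify = true;
// Shown on the login screen when no session / an invalid session is found.
// Initialised here so every path that reaches show_login() has a defined value.
$login_message = '';

foreach(array('action', 'do', 'module') as $input)
{
	if(!isset($mybb->input[$input]))
	{
		$mybb->input[$input] = '';
	}
}

if($mybb->input['action'] == "unlock")
{
	// Lockout unlock: the administrator follows the emailed link carrying uid/username + token
	$user = array();
	$error = '';
	if(!empty($mybb->input['username']))
	{
		$username = $db->escape_string(my_strtolower($mybb->input['username']));
		switch($mybb->settings['username_method'])
		{
			case 0:
				$query = $db->simple_select("users", "*", "LOWER(username)='".$username."'", array('limit' => 1));
				break;
			case 1:
				$query = $db->simple_select("users", "*", "LOWER(email)='".$username."'", array('limit' => 1));
				break;
			case 2:
				$query = $db->simple_select("users", "*", "LOWER(username)='".$username."' OR LOWER(email)='".$username."'", array('limit' => 1));
				break;
			default:
				$query = $db->simple_select("users", "*", "LOWER(username)='".$username."'", array('limit' => 1));
				break;
		}
		$user = $db->fetch_array($query);
		if(empty($user['uid']))
		{
			$error = $lang->error_invalid_username;
		}
	}
	else if(!empty($mybb->input['uid']))
	{
		$query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'");
		$user = $db->fetch_array($query);
		if(empty($user['uid']))
		{
			$error = $lang->error_invalid_uid;
		}
	}

	// Do we have the token? If so let's process it
	if(!empty($mybb->input['token']) && !empty($user['uid']))
	{
		// The token is only valid for this uid and only as a lockout ('l') record
		$query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");

		// If we're good to go
		if($db->fetch_field($query, "num") > 0)
		{
			// Single use: consume the token and reset the lockout counters
			$db->delete_query("awaitingactivation", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
			$db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".intval($user['uid'])."'");

			admin_redirect("index.php");
		}
		else
		{
			$error = $lang->error_invalid_token;
		}
	}

	$default_page->show_lockout_unlock($error, 'error');
}
elseif($mybb->input['do'] == "login")
{
	// NOTE(review): this branch keys on do=login only, not on the request method — confirm
	// whether the login form is expected to be accepted via GET as well.
	$user = validate_password_from_username($mybb->input['username'], $mybb->input['password']);
	if($user['uid'])
	{
		$query = $db->simple_select("users", "*", "uid='".$user['uid']."'");
		$mybb->user = $db->fetch_array($query);
	}

	if($mybb->user['uid'])
	{
		// Correct password but the account is currently locked out
		if(login_attempt_check_acp($mybb->user['uid']) == true)
		{
			$default_page->show_lockedout();
		}

		// One admin session per user: drop any previous one
		$db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");

		// NOTE(review): uniqid()/microtime() are time-based, so this session id has little
		// entropy for a credential that grants Admin CP access; a CSPRNG-backed source would
		// be preferable. Left as-is here because the column width / consumers are not visible.
		$sid = md5(uniqid(microtime(true)));

		// Create a new admin session for this user
		$admin_session = array(
			"sid" => $sid,
			"uid" => $mybb->user['uid'],
			"loginkey" => $mybb->user['loginkey'],
			"ip" => $db->escape_string(get_ip()),
			"dateline" => TIME_NOW,
			"lastactive" => TIME_NOW,
			"data" => serialize(array()),
		);
		$db->insert_query("adminsessions", $admin_session);
		$admin_session['data'] = array();
		$db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='".intval($mybb->user['uid'])."'", 1);
		my_setcookie("adminsid", $sid);
		my_setcookie('acploginattempts', 0);
		// The login POST carries no post key; the rest of this request is treated as a GET
		$post_verify = false;

		$mybb->request_method = "get";

		if(!empty($mybb->input['module']))
		{
			// $query_string should contain the module
			$query_string = '?module='.htmlspecialchars_uni($mybb->input['module']);

			// Now we look for any paramters passed in $_SERVER['QUERY_STRING']
			if(!empty($_SERVER['QUERY_STRING']))
			{
				// Strip any stale session id and logout action before replaying the query string
				$qstring = '?'.preg_replace('#adminsid=(.{32})#i', '', $_SERVER['QUERY_STRING']);
				$qstring = str_replace('action=logout', '', $qstring);
				$qstring = preg_replace('#&+#', '&', $qstring);
				$qstring = str_replace('?&', '?', $qstring);

				// So what do we do? We know that parameters are devided by ampersands
				// That means we must get to work!
				$parameters = explode('&', $qstring);

				// Remove our first member if it's for the module
				if(substr($parameters[0], 0, 8) == '?module=')
				{
					unset($parameters[0]);
				}

				foreach($parameters as $key => $param)
				{
					$params = explode("=", $param);
					// A bare "name" parameter has no value part
					$value = isset($params[1]) ? $params[1] : '';

					$query_string .= '&'.htmlspecialchars_uni($params[0])."=".htmlspecialchars_uni($value);
				}
			}

			admin_redirect("index.php".$query_string);
		}
	}
	else
	{
		// Failed login: count the attempt against the matching account (if any)
		$username = $db->escape_string(my_strtolower($mybb->input['username']));
		switch($mybb->settings['username_method'])
		{
			case 0:
				$query = $db->simple_select("users", "uid,email", "LOWER(username)='".$username."'", array('limit' => 1));
				break;
			case 1:
				$query = $db->simple_select("users", "uid,email", "LOWER(email)='".$username."'", array('limit' => 1));
				break;
			case 2:
				$query = $db->simple_select("users", "uid,email", "LOWER(username)='".$username."' OR LOWER(email)='".$username."'", array('limit' => 1));
				break;
			default:
				$query = $db->simple_select("users", "uid,email", "LOWER(username)='".$username."'", array('limit' => 1));
				break;
		}
		$login_user = $db->fetch_array($query);

		if($login_user['uid'] > 0)
		{
			$db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".intval($login_user['uid'])."'", 1, true);
		}

		$loginattempts = login_attempt_check_acp($login_user['uid'], true);

		// Have we attempted too many times?
		if($loginattempts['loginattempts'] > 0)
		{
			// Have we set an expiry yet?
			if($loginattempts['loginlockoutexpiry'] == 0)
			{
				$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+(intval($mybb->settings['loginattemptstimeout'])*60)), "uid='".intval($login_user['uid'])."'", 1);
			}

			// Did we hit lockout for the first time? Send the unlock email to the administrator
			if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
			{
				$db->delete_query("awaitingactivation", "uid='".intval($login_user['uid'])."' AND type='l'");
				$lockout_array = array(
					"uid" => $login_user['uid'],
					"dateline" => TIME_NOW,
					"code" => random_str(),
					"type" => "l"
				);
				$db->insert_query("awaitingactivation", $lockout_array);

				$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
				$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
				my_mail($login_user['email'], $subject, $message);
			}

			$default_page->show_lockedout();
		}

		$fail_check = 1;
	}
}
else
{
	// No admin session - show message on the login screen
	if(!isset($mybb->cookies['adminsid']))
	{
		$login_message = "";
	}
	// Otherwise, check admin session
	else
	{
		$query = $db->simple_select("adminsessions", "*", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		$admin_session = $db->fetch_array($query);

		// No matching admin session found - show message on login screen
		if(!$admin_session['sid'])
		{
			$login_message = $lang->error_invalid_admin_session;
		}
		else
		{
			// Session data is a blob this file wrote via serialize(); it is trusted only
			// to the extent the database is, since unserialize() can instantiate objects.
			$admin_session['data'] = @unserialize($admin_session['data']);

			// Fetch the user from the admin session
			$query = $db->simple_select("users", "*", "uid='{$admin_session['uid']}'");
			$mybb->user = $db->fetch_array($query);

			// Login key has changed - force logout
			if(!$mybb->user['uid'] || $mybb->user['loginkey'] != $admin_session['loginkey'])
			{
				unset($mybb->user);
			}
			else
			{
				// Admin CP sessions 2 hours old are expired
				if($admin_session['lastactive'] < TIME_NOW-7200)
				{
					$login_message = $lang->error_admin_session_expired;
					$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
					unset($mybb->user);
				}
				// If IP matching is set - check IP address against the session IP
				else if(ADMIN_IP_SEGMENTS > 0)
				{
					// Compares the first ADMIN_IP_SEGMENTS dot-separated octets. For addresses with
					// fewer segments (e.g. IPv6) the missing segments compare as null == null and
					// therefore count as matching; only the present segments are really checked.
					$exploded_ip = explode(".", $ip_address);
					$exploded_admin_ip = explode(".", $admin_session['ip']);
					$matches = 0;
					$valid_ip = false;
					for($i = 0; $i < ADMIN_IP_SEGMENTS; ++$i)
					{
						if($exploded_ip[$i] == $exploded_admin_ip[$i])
						{
							++$matches;
						}
						if($matches == ADMIN_IP_SEGMENTS)
						{
							$valid_ip = true;
							break;
						}
					}

					// IP doesn't match properly - show message on logon screen
					if(!$valid_ip)
					{
						$login_message = $lang->error_invalid_ip;
						unset($mybb->user);
					}
				}
			}
		}
	}
}

// Logout requires a valid post key so a crafted link cannot end the session
if($mybb->input['action'] == "logout" && $mybb->user)
{
	if(verify_post_check($mybb->input['my_post_key']))
	{
		$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		my_unsetcookie('adminsid');
		$logged_out = true;
	}
}

if(!isset($mybb->user['usergroup']))
{
	$mybbgroups = 1;
}
else
{
	$mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups'];
}

$mybb->usergroup = usergroup_permissions($mybbgroups);

// A valid session whose user group lost Admin CP access is terminated immediately
if($mybb->usergroup['cancp'] != 1 || !$mybb->user['uid'])
{
	$uid = 0;
	if(isset($mybb->user['uid']))
	{
		$uid = intval($mybb->user['uid']);
	}
	$db->delete_query("adminsessions", "uid = '{$uid}'");
	unset($mybb->user);
	my_unsetcookie('adminsid');
}

if($mybb->user['uid'])
{
	$query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'");
	$admin_options = $db->fetch_array($query);

	if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css"))
	{
		$cp_style = $admin_options['cpstyle'];
	}

	// Update the session information in the DB
	if($admin_session['sid'])
	{
		$db->update_query("adminsessions", array('lastactive' => TIME_NOW, 'ip' => $db->escape_string(get_ip())), "sid='".$db->escape_string($admin_session['sid'])."'");
	}

	// Fetch administrator permissions
	$mybb->admin['permissions'] = get_admin_permissions($mybb->user['uid']);
}

// Include the layout generation class overrides for this style
if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))
{
	require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php";
}

// Check if any of the layout generation classes we can override exist in the style file
$classes = array(
	"Page" => "DefaultPage",
	"SidebarItem" => "DefaultSidebarItem",
	"PopupMenu" => "DefaultPopupMenu",
	"Table" => "DefaultTable",
	"Form" => "DefaultForm",
	"FormContainer" => "DefaultFormContainer"
);
foreach($classes as $style_name => $default_name)
{
	// Style does not have this layout generation class, create it
	// (both names come from the fixed map above, never from request input)
	if(!class_exists($style_name))
	{
		eval("class {$style_name} extends {$default_name} { }");
	}
}

$page = new Page;
$page->style = $cp_style;

// Do not have a valid Admin user, throw back to login page.
if(!isset($mybb->user['uid']) || $logged_out == true)
{
	if($logged_out == true)
	{
		$page->show_login($lang->success_logged_out);
	}
	elseif($fail_check == 1)
	{
		$page->show_login($lang->error_invalid_username_password, "error");
	}
	else
	{
		// If we have this error while retreiving it from an AJAX request, then send back a nice error
		if(isset($mybb->input['ajax']) && $mybb->input['ajax'] == 1)
		{
			echo "<error>login</error>";
			die;
		}
		$page->show_login($login_message, "error");
	}
}

$page->add_breadcrumb_item($lang->home, "index.php");

// Begin dealing with the modules
$is_super_admin = is_super_admin($mybb->user['uid']);

// Map of module name => 1 (usable) / 0 (no permission); initialised so the
// admin_tabs hook always receives an array even when no module is found
$modules = array();

$modules_dir = MYBB_ADMIN_DIR."modules";
$dir = opendir($modules_dir);
while(($module = readdir($dir)) !== false)
{
	if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php"))
	{
		require_once $modules_dir."/".$module."/module_meta.php";

		// Need to always load it for admin permissions / quick access
		$lang->load($module."_module_meta", false, true);

		$has_permission = false;
		if(function_exists($module."_admin_permissions"))
		{
			if(isset($mybb->admin['permissions'][$module]) || $is_super_admin == true)
			{
				$has_permission = true;
			}
		}
		// This module doesn't support permissions
		else
		{
			$has_permission = true;
		}

		// Do we have permissions to run this module (Note: home is accessible by all)
		if($module == "home" || $has_permission == true)
		{
			$meta_function = $module."_meta";
			$initialized = $meta_function();
			if($initialized == true)
			{
				$modules[$module] = 1;
			}
		}
		else
		{
			$modules[$module] = 0;
		}
	}
}

$modules = $plugins->run_hooks("admin_tabs", $modules);

closedir($dir);

// module is given as "module/action" (or legacy "module-action")
if(strpos($mybb->input['module'], "/") !== false)
{
	$current_module = explode("/", $mybb->input['module'], 2);
}
else
{
	$current_module = explode("-", $mybb->input['module'], 2);
}

if(!isset($current_module[1]))
{
	$current_module[1] = 'home';
}

// Only modules discovered on disk above can be run; anything else falls back to home
if($mybb->input['module'] && isset($modules[$current_module[0]]))
{
	$run_module = $current_module[0];
}
else
{
	$run_module = "home";
}

$action_handler = $run_module."_action_handler";
$action_file = $action_handler($current_module[1]);

// Set our POST validation code here
$mybb->post_code = generate_post_check();

if($run_module != "home")
{
	check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action));
}

// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid.
// Keyed by "module/action" => list of actions. Every entry here bypasses the
// CSRF post-key check, so it should stay empty apart from the example.
$post_check_ignores = array(
	"example/page" => array("action")
); // An array of modules/actions to ignore POST checks for.

if($mybb->request_method == "post")
{
	// Look the module up by key (the previous in_array() searched the values, which are
	// arrays, so the ignore list could never match)
	if(is_string($mybb->input['module']) && isset($post_check_ignores[$mybb->input['module']]))
	{
		if(in_array($mybb->input['action'], $post_check_ignores[$mybb->input['module']], true))
		{
			$post_verify = false;
		}
	}

	if($post_verify == true)
	{
		// If the post key does not match we switch the action to GET and set a message to show the user.
		// Strict comparison: a loose != would treat numeric-looking strings as equal.
		if(!isset($mybb->input['my_post_key']) || $mybb->post_code !== $mybb->input['my_post_key'])
		{
			$mybb->request_method = "get";
			$page->show_post_verify_error = true;
		}
	}
}

$lang->load("{$run_module}_{$page->active_action}", false, true);

$plugins->run_hooks("admin_load");

require $modules_dir."/".$run_module."/".$action_file;
?>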