
   1  <?php
   2  /**
   3   * MyBB 1.6
   4   * Copyright 2010 MyBB Group, All Rights Reserved
   5   *
   6   * Website: http://mybb.com
   7   * License: http://mybb.com/about/license
   8   *
   9   * $Id: index.php 5621 2011-09-26 18:35:54Z ralgith $
  10   */
  11  
  12  define("IN_MYBB", 1);
  13  define("IN_ADMINCP", 1);
  14  
  15  // Here you can change how much of an Admin CP IP address must match in a previous session for the user is validated (defaults to 3 which matches a.b.c)
  16  define("ADMIN_IP_SEGMENTS", 3);
  17  
  18  require_once dirname(dirname(__FILE__))."/inc/init.php";
  19  
  20  send_page_headers();
  21  
  22  if(!isset($config['admin_dir']) || !file_exists(MYBB_ROOT.$config['admin_dir']."/inc/class_page.php"))
  23  {
  24      $config['admin_dir'] = "admin";
  25  }
  26  
  27  define('MYBB_ADMIN_DIR', MYBB_ROOT.$config['admin_dir'].'/');
  28  
  29  define('COPY_YEAR', my_date('Y', TIME_NOW));
  30  
  31  require_once  MYBB_ADMIN_DIR."inc/class_page.php";
  32  require_once  MYBB_ADMIN_DIR."inc/class_form.php";
  33  require_once  MYBB_ADMIN_DIR."inc/class_table.php";
  34  require_once  MYBB_ADMIN_DIR."inc/functions.php";
  35  require_once  MYBB_ROOT."inc/functions_user.php";
  36  
  37  if(!file_exists(MYBB_ROOT."inc/languages/".$mybb->settings['cplanguage']."/admin/home_dashboard.lang.php"))
  38  {
  39      $mybb->settings['cplanguage'] = "english";
  40  }
  41  $lang->set_language($mybb->settings['cplanguage'], "admin");
  42  
  43  // Load global language phrases
  44  $lang->load("global");
  45  
  46  if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
  47  {
  48      @mb_internal_encoding($lang->settings['charset']);
  49  }
  50  
  51  header("Content-type: text/html; charset={$lang->settings['charset']}");
  52  
  53  $time = TIME_NOW;
  54  $errors = null;
  55  
  56  if(is_dir(MYBB_ROOT."install") && !file_exists(MYBB_ROOT."install/lock"))
  57  {
  58      $mybb->trigger_generic_error("install_directory");
  59  }
  60  
  61  $ip_address = get_ip();
  62  unset($user);
  63  
  64  // Load Admin CP style
  65  if(!$cp_style)
  66  {
  67      if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css"))
  68      {
  69          $cp_style = $mybb->settings['cpstyle'];
  70      }
  71      else
  72      {
  73          $cp_style = "default";
  74      }
  75  }
  76  
  77  $default_page = new DefaultPage;
  78  
  79  $logged_out = false;
  80  $fail_check = 0;
  81  $post_verify = true;
  82  
  83  if($mybb->input['action'] == "logout")
  84  {
  85      // Delete session from the database
  86      $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
  87      my_setcookie("adminsid", "");
  88      $logged_out = true;
  89  }
  90  elseif($mybb->input['action'] == "unlock")
  91  {
  92      $user = array();
  93      if($mybb->input['username'])
  94      {
  95          $query = $db->simple_select("users", "*", "LOWER(username)='".$db->escape_string(my_strtolower($mybb->input['username']))."'");
  96          $user = $db->fetch_array($query);
  97          if(!$user['uid'])
  98          {
  99              $error[] = $lang->error_invalid_username;
 100          }
 101      }
 102      else if($mybb->input['uid'])
 103      {
 104          $query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'");
 105          $user = $db->fetch_array($query);
 106          if(!$user['uid'])
 107          {
 108              $error[] = $lang->error_invalid_uid;
 109          }
 110      }
 111      
 112      // Do we have the token? If so let's process it
 113      if($mybb->input['token'] && $user['uid'])
 114      {        
 115          $query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
 116          
 117          // If we're good to go
 118          if($db->fetch_field($query, "num") > 0)
 119          {
 120              $db->delete_query("awaitingactivation", "uid='".intval($user['uid'])."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
 121              $db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".intval($user['uid'])."'");
 122              
 123              admin_redirect("index.php");
 124          }
 125          else
 126          {
 127              $error[] = $lang->error_invalid_token;
 128          }
 129      }
 130      
 131      $default_page->show_lockout_unlock();
 132  }
 133  elseif($mybb->input['do'] == "login")
 134  {    
 135      $user = validate_password_from_username($mybb->input['username'], $mybb->input['password']);
 136      if($user['uid'])
 137      {
 138          $query = $db->simple_select("users", "*", "uid='".$user['uid']."'");
 139          $mybb->user = $db->fetch_array($query);
 140      }
 141  
 142      if($mybb->user['uid'])
 143      {
 144          if(login_attempt_check_acp($mybb->user['uid']) == true)
 145          {
 146              $default_page->show_lockedout();
 147          }
 148  
 149          $db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");
 150          
 151          $sid = md5(uniqid(microtime(true)));
 152          
 153          // Create a new admin session for this user
 154          $admin_session = array(
 155              "sid" => $sid,
 156              "uid" => $mybb->user['uid'],
 157              "loginkey" => $mybb->user['loginkey'],
 158              "ip" => $db->escape_string(get_ip()),
 159              "dateline" => TIME_NOW,
 160              "lastactive" => TIME_NOW,
 161              "data" => "",
 162          );
 163          $db->insert_query("adminsessions", $admin_session);
 164          $db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='".intval($mybb->user['uid'])."'", 1);
 165          my_setcookie("adminsid", $sid);
 166          my_setcookie('acploginattempts', 0);
 167          $post_verify = false;
 168      
 169          $mybb->request_method = "get";
 170          
 171          if(!empty($mybb->input['module']))
 172          {
 173              // $query_string should contain the module
 174              $query_string = '?module='.htmlspecialchars($mybb->input['module']);
 175              
 176              // Now we look for any paramters passed in $_SERVER['QUERY_STRING']
 177              if($_SERVER['QUERY_STRING'])
 178              {
 179                  $qstring = '?'.preg_replace('#adminsid=(.{32})#i', '', $_SERVER['QUERY_STRING']);
 180                  $qstring = str_replace('action=logout', '', $qstring);
 181                  $qstring = preg_replace('#&+#', '&', $qstring);
 182                  $qstring = str_replace('?&', '?', $qstring);
 183                  
 184                  // So what do we do? We know that parameters are devided by ampersands
 185                  // That means we must get to work!
 186                  $parameters = explode('&', $qstring);
 187                  
 188                  // Remove our first member if it's for the module
 189                  if(substr($parameters[0], 0, 8) == '?module=')
 190                  {
 191                      unset($parameters[0]);
 192                  }
 193                  
 194                  foreach($parameters as $key => $param)
 195                  {
 196                      $params = explode("=", $param);
 197                      
 198                      $query_string .= '&'.htmlspecialchars($params[0])."=".htmlspecialchars($params[1]);
 199                  }
 200              }
 201          
 202              admin_redirect("index.php".$query_string);
 203          }
 204      }
 205      else
 206      {
 207          $query = $db->simple_select("users", "uid,email", "LOWER(username) = '".$db->escape_string(my_strtolower($mybb->input['username']))."'");
 208          $login_user = $db->fetch_array($query);
 209          
 210          if($login_user['uid'] > 0)
 211          {
 212              $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".intval($login_user['uid'])."'", 1, true);
 213          }
 214          
 215          $loginattempts = login_attempt_check_acp($login_user['uid'], true);
 216          
 217          // Have we attempted too many times?
 218          if($loginattempts['loginattempts'] > 0)
 219          {
 220              // Have we set an expiry yet?
 221              if($loginattempts['loginlockoutexpiry'] == 0)
 222              {
 223                  $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+(intval($mybb->settings['loginattemptstimeout'])*60)), "uid='".intval($login_user['uid'])."'", 1);
 224              }
 225              
 226              // Did we hit lockout for the first time? Send the unlock email to the administrator 
 227              if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
 228              {                
 229                  $db->delete_query("awaitingactivation", "uid='".intval($login_user['uid'])."' AND type='l'");
 230                  $lockout_array = array(
 231                      "uid" => $login_user['uid'],
 232                      "dateline" => TIME_NOW,
 233                      "code" => random_str(),
 234                      "type" => "l"
 235                  );
 236                  $db->insert_query("awaitingactivation", $lockout_array);
 237                  
 238                  $subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
 239                  $message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code']);
 240                  my_mail($login_user['email'], $subject, $message);
 241              }
 242              
 243              $default_page->show_lockedout();
 244          }
 245          
 246          $fail_check = 1;
 247      }
 248  }
 249  else
 250  {
 251      // No admin session - show message on the login screen
 252      if(!isset($mybb->cookies['adminsid']))
 253      {
 254          $login_message = "";
 255      }
 256      // Otherwise, check admin session
 257      else
 258      {
 259          $query = $db->simple_select("adminsessions", "*", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
 260          $admin_session = $db->fetch_array($query);
 261  
 262          // No matching admin session found - show message on login screen
 263          if(!$admin_session['sid'])
 264          {
 265              $login_message = $lang->invalid_admin_session;
 266          }
 267          else
 268          {
 269              $admin_session['data'] = @unserialize($admin_session['data']);
 270  
 271              // Fetch the user from the admin session
 272              $query = $db->simple_select("users", "*", "uid='{$admin_session['uid']}'");
 273              $mybb->user = $db->fetch_array($query);
 274  
 275              // Login key has changed - force logout
 276              if(!$mybb->user['uid'] || $mybb->user['loginkey'] != $admin_session['loginkey'])
 277              {
 278                  unset($mybb->user);
 279              }
 280              else
 281              {
 282                  // Admin CP sessions 2 hours old are expired
 283                  if($admin_session['lastactive'] < TIME_NOW-7200)
 284                  {
 285                      $login_message = $lang->error_admin_session_expired;
 286                      $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
 287                      unset($mybb->user);
 288                  }
 289                  // If IP matching is set - check IP address against the session IP
 290                  else if(ADMIN_IP_SEGMENTS > 0)
 291                  {
 292                      $exploded_ip = explode(".", $ip_address);
 293                      $exploded_admin_ip = explode(".", $admin_session['ip']);
 294                      $matches = 0;
 295                      $valid_ip = false;
 296                      for($i = 0; $i < ADMIN_IP_SEGMENTS; ++$i)
 297                      {
 298                          if($exploded_ip[$i] == $exploded_admin_ip[$i])
 299                          {
 300                              ++$matches;
 301                          }
 302                          if($matches == ADMIN_IP_SEGMENTS)
 303                          {
 304                              $valid_ip = true;
 305                              break;
 306                          }
 307                      }
 308                      
 309                      // IP doesn't match properly - show message on logon screen
 310                      if(!$valid_ip)
 311                      {
 312                          $login_message = $lang->error_invalid_ip;
 313                          unset($mybb->user);
 314                      }
 315                  }
 316              }
 317          }
 318      }
 319  }
 320  
 321  if(!$mybb->user['usergroup'])
 322  {
 323      $mybbgroups = 1;
 324  }
 325  else
 326  {
 327      $mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups'];
 328  }
 329  $mybb->usergroup = usergroup_permissions($mybbgroups);
 330  
 331  if($mybb->usergroup['cancp'] != 1 || !$mybb->user['uid'])
 332  {
 333      $db->delete_query("adminsessions", "uid='".intval($mybb->user['uid'])."'");
 334      unset($mybb->user);
 335      my_setcookie("adminsid", "");
 336  }
 337  
 338  if($mybb->user['uid'])
 339  {
 340      $query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'");
 341      $admin_options = $db->fetch_array($query);
 342      
 343      if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css"))
 344      {
 345          $page->style = $cp_style = $admin_options['cpstyle'];
 346      }
 347  
 348      // Update the session information in the DB
 349      if($admin_session['sid'])
 350      {
 351          $db->update_query("adminsessions", array('lastactive' => TIME_NOW, 'ip' => $db->escape_string(get_ip())), "sid='".$db->escape_string($admin_session['sid'])."'");
 352      }
 353  
 354      // Fetch administrator permissions
 355      $mybb->admin['permissions'] = get_admin_permissions($mybb->user['uid']);
 356  }
 357  
 358  // Include the layout generation class overrides for this style
 359  if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))
 360  {
 361      require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php";
 362  }
 363  
 364  // Check if any of the layout generation classes we can override exist in the style file
 365  $classes = array(
 366      "Page" => "DefaultPage",
 367      "SidebarItem" => "DefaultSidebarItem",
 368      "PopupMenu" => "DefaultPopupMenu",
 369      "Table" => "DefaultTable",
 370      "Form" => "DefaultForm",
 371      "FormContainer" => "DefaultFormContainer"
 372  );
 373  foreach($classes as $style_name => $default_name)
 374  {
 375      // Style does not have this layout generation class, create it
 376      if(!class_exists($style_name))
 377      {
 378          eval("class {$style_name} extends {$default_name} { }");
 379      }
 380  }
 381  
 382  $page = new Page;
 383  $page->style = $cp_style;
 384  
 385  // Do not have a valid Admin user, throw back to login page.
 386  if(!$mybb->user['uid'] || $logged_out == true)
 387  {    
 388      if($logged_out == true)
 389      {
 390          $page->show_login($lang->success_logged_out);
 391      }
 392      elseif($fail_check == 1)
 393      {
 394          $page->show_login($lang->error_invalid_username_password, "error");
 395      }
 396      else
 397      {
 398          // If we have this error while retreiving it from an AJAX request, then send back a nice error
 399          if($mybb->input['ajax'] == 1)
 400          {
 401              echo "<error>login</error>";
 402              die;
 403          }
 404          $page->show_login($login_message, "error");
 405      }
 406  }
 407  
 408  $page->add_breadcrumb_item($lang->home, "index.php");
 409  
 410  // Begin dealing with the modules
 411  $modules_dir = MYBB_ADMIN_DIR."modules";
 412  $dir = opendir($modules_dir);
 413  while(($module = readdir($dir)) !== false)
 414  {
 415      if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php"))
 416      {
 417          require_once $modules_dir."/".$module."/module_meta.php";
 418          
 419          // Need to always load it for admin permissions / quick access
 420          $lang->load($module."_module_meta", false, true);
 421          
 422          $has_permission = false;
 423          if(function_exists($module."_admin_permissions"))
 424          {
 425              if(isset($mybb->admin['permissions'][$module]))
 426              {
 427                  $has_permission = true;
 428              }
 429          }
 430          // This module doesn't support permissions
 431          else
 432          {
 433              $has_permission = true;
 434          }
 435              
 436          // Do we have permissions to run this module (Note: home is accessible by all)
 437          if($module == "home" || $has_permission == true)
 438          {
 439              $meta_function = $module."_meta";
 440              $initialized = $meta_function();
 441              if($initialized == true)
 442              {
 443                  $modules[$module] = 1;
 444              }
 445          }
 446          else
 447          {
 448              $modules[$module] = 0;
 449          }
 450      }
 451  }
 452  
 453  $modules = $plugins->run_hooks("admin_tabs", $modules);
 454  
 455  closedir($dir);
 456  
 457  if(strpos($mybb->input['module'], "/") !== false)
 458  {
 459      $current_module = explode("/", $mybb->input['module'], 2);
 460  }
 461  else
 462  {
 463      $current_module = explode("-", $mybb->input['module'], 2);
 464  }
 465  
 466  if($mybb->input['module'] && isset($modules[$current_module[0]]))
 467  {
 468      $run_module = $current_module[0];
 469  }
 470  else
 471  {
 472      $run_module = "home";
 473  }
 474  
 475  $action_handler = $run_module."_action_handler";
 476  $action_file = $action_handler($current_module[1]);
 477  
 478  if($run_module != "home")
 479  {
 480      check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action));
 481  }
 482  
 483  // Set our POST validation code here
 484  $mybb->post_code = generate_post_check();
 485  
 486  // Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid.
 487  $post_check_ignores = array(
 488      "example/page" => array("action")
 489  ); // An array of modules/actions to ignore POST checks for.
 490  
 491  if($mybb->request_method == "post")
 492  {
 493      if(in_array($mybb->input['module'], $post_check_ignores))
 494      {
 495          $k = array_search($mybb->input['module'], $post_check_ignores);
 496          if(in_array($mybb->input['action'], $post_check_ignores[$k]))
 497          {
 498              $post_verify = false;
 499          }
 500      }
 501      
 502      if($post_verify == true)
 503      {
 504          // If the post key does not match we switch the action to GET and set a message to show the user
 505          if(!isset($mybb->input['my_post_key']) || $mybb->post_code != $mybb->input['my_post_key'])
 506          {
 507              $mybb->request_method = "get";
 508              $page->show_post_verify_error = true;
 509          }
 510      }
 511  }
 512  
 513  $lang->load("{$run_module}_{$page->active_action}", false, true);
 514  
 515  $plugins->run_hooks("admin_load");
 516  
 517  require $modules_dir."/".$run_module."/".$action_file;
 518  ?>

