<?php
/**
 * MyBB 1.8
 * Copyright 2014 MyBB Group, All Rights Reserved
 *
 * Website: http://www.mybb.com
 * License: http://www.mybb.com/about/license
 *
 */

// Admin CP front controller. In order it: bootstraps the core, resolves the
// current request (lockout unlock, login, logout or an existing admin session),
// optionally runs the two-factor step, builds the module list and finally
// hands off to the selected module's action file.
//
// Several calls below (admin_redirect(), show_login(), show_lockedout(),
// show_lockout_unlock(), show_2fa()) are defined elsewhere; the control flow
// in this file assumes they end the request and never return — TODO confirm.

define("IN_MYBB", 1);
define("IN_ADMINCP", 1);

// Here you can change how much of an Admin CP IP address must match in a previous session for the user is validated (e.g. 3 means a.b.c need to match)
// A value of 0 disables the per-request IP check performed during session validation below.
define("ADMIN_IP_SEGMENTS", 0);
define("ADMIN_IPV6_SEGMENTS", 0);

require_once dirname(dirname(__FILE__))."/inc/init.php";

$shutdown_queries = $shutdown_functions = array();

send_page_headers();

// Hardening headers for the ACP: no framing by other origins, no referrer leakage.
header('X-Frame-Options: SAMEORIGIN');
header('Referrer-Policy: no-referrer');

// Fall back to this script's own directory if the configured admin dir is missing or invalid.
if(!isset($config['admin_dir']) || !file_exists(MYBB_ROOT.$config['admin_dir']."/inc/class_page.php"))
{
	$config['admin_dir'] = basename(dirname(__FILE__));
}

define('MYBB_ADMIN_DIR', MYBB_ROOT.$config['admin_dir'].'/');

define('COPY_YEAR', my_date('Y', TIME_NOW));

require_once MYBB_ADMIN_DIR."inc/class_page.php";
require_once MYBB_ADMIN_DIR."inc/class_form.php";
require_once MYBB_ADMIN_DIR."inc/class_table.php";
require_once MYBB_ADMIN_DIR."inc/functions.php";
require_once MYBB_ROOT."inc/functions_user.php";

// Set cookie path to our admin dir temporarily, i.e. so that it affects the ACP only
$loc = get_current_location('', '', true);
$mybb->settings['cookiepath'] = substr($loc, 0, strrpos($loc, "/{$config['admin_dir']}/"))."/{$config['admin_dir']}/";

if(!isset($cp_language))
{
	$lang->set_language($mybb->settings['cplanguage'], "admin");
}

// Load global language phrases
$lang->load("global");
$lang->load("messages", true);

if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
{
	@mb_internal_encoding($lang->settings['charset']);
}

header("Content-type: text/html; charset={$lang->settings['charset']}");

$time = TIME_NOW;
$errors = null;

// Refuse to run while the installer is still present and not locked.
if(is_dir(MYBB_ROOT."install") && !file_exists(MYBB_ROOT."install/lock"))
{
	$mybb->trigger_generic_error("install_directory");
}

$ip_address = get_ip();
unset($user);

// Load Admin CP style
if(!isset($cp_style))
{
	if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css"))
	{
		$cp_style = $mybb->settings['cpstyle'];
	}
	else
	{
		$cp_style = "default";
	}
}

$default_page = new DefaultPage;

// Request-state flags consumed further down: $logged_out and $fail_check select the
// login-page message; $post_verify gates the POST key check for this request.
$logged_out = false;
$fail_check = 0;
$post_verify = true;

// Normalise the routing inputs so the string comparisons below never hit an unset key.
foreach(array('action', 'do', 'module') as $input)
{
	if(!isset($mybb->input[$input]))
	{
		$mybb->input[$input] = '';
	}
}

if($mybb->input['action'] == "unlock")
{
	// Lockout unlock: the e-mailed token (awaitingactivation, type 'l') clears the
	// login attempt counter and lockout expiry for the given account.
	$user = array();
	$error = '';

	$plugins->run_hooks("admin_unlock_start");

	if($mybb->input['username'])
	{
		$user = get_user_by_username($mybb->input['username'], array('fields' => '*'));

		if(!$user['uid'])
		{
			$error = $lang->error_invalid_username;
		}
	}
	else if($mybb->input['uid'])
	{
		$user = get_user($mybb->input['uid']);
		if(!$user['uid'])
		{
			$error = $lang->error_invalid_uid;
		}
	}

	// Do we have the token? If so let's process it
	if($mybb->input['token'] && $user['uid'])
	{
		// Token is matched in the database (escaped); the uid is cast to int.
		$query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".(int)$user['uid']."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");

		$plugins->run_hooks("admin_unlock_end");

		// If we're good to go
		if($db->fetch_field($query, "num") > 0)
		{
			// Single-use: the token row is removed once it has been consumed.
			$db->delete_query("awaitingactivation", "uid='".(int)$user['uid']."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
			$db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".(int)$user['uid']."'");

			admin_redirect("index.php");
		}
		else
		{
			$error = $lang->error_invalid_token;
		}
	}

	$default_page->show_lockout_unlock($error, 'error');
}
elseif($mybb->input['do'] == "login")
{
	$plugins->run_hooks("admin_login");

	// We have an adminsid cookie?
	if(isset($mybb->cookies['adminsid']))
	{
		// Check admin session
		$query = $db->simple_select("adminsessions", "sid", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		$admin_session = $db->fetch_field($query, 'sid');

		// Session found: redirect to index
		if($admin_session)
		{
			admin_redirect("index.php");
		}
	}

	require_once MYBB_ROOT."inc/datahandlers/login.php";
	$loginhandler = new LoginDataHandler("get");

	// Determine login method
	$login_lang_string = $lang->error_invalid_username_password;
	switch($mybb->settings['username_method'])
	{
		case 0: // Username only
			$login_lang_string = $lang->sprintf($login_lang_string, $lang->login_username);
			break;
		case 1: // Email only
			$login_lang_string = $lang->sprintf($login_lang_string, $lang->login_email);
			break;
		case 2: // Username and email
		default:
			$login_lang_string = $lang->sprintf($login_lang_string, $lang->login_username_and_password);
			break;
	}

	// Validate PIN first
	// A wrong or missing PIN counts as a failed login attempt for the named account
	// (when one exists), so the PIN is covered by the same lockout as the password.
	// NOTE(review): the PIN is compared with a loose, non-constant-time `!=`; a strict
	// comparison via hash_equals() would be the conservative choice here.
	if(!empty($config['secret_pin']) && (empty($mybb->input['pin']) || $mybb->input['pin'] != $config['secret_pin']))
	{
		$login_user = get_user_by_username($mybb->input['username'], array('fields' => array('email', 'username')));

		$plugins->run_hooks("admin_login_incorrect_pin");

		if($login_user['uid'] > 0)
		{
			$db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".(int)$login_user['uid']."'", '', true);
		}

		$loginattempts = login_attempt_check_acp($login_user['uid'], true);

		// Have we attempted too many times?
		if($loginattempts !== false && $loginattempts['loginattempts'] > 0)
		{
			// Have we set an expiry yet?
			if($loginattempts['loginlockoutexpiry'] == 0)
			{
				$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='".(int)$login_user['uid']."'");
			}

			// Did we hit lockout for the first time? Send the unlock email to the administrator
			// (the e-mail is only sent when the counter equals the limit exactly, so repeated
			// attempts past the limit do not generate further mail)
			if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
			{
				$db->delete_query("awaitingactivation", "uid='".(int)$login_user['uid']."' AND type='l'");
				$lockout_array = array(
					"uid" => $login_user['uid'],
					"dateline" => TIME_NOW,
					"code" => random_str(),
					"type" => "l"
				);
				$db->insert_query("awaitingactivation", $lockout_array);

				$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
				$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
				my_mail($login_user['email'], $subject, $message);
			}

			log_admin_action(array(
				'type' => 'admin_locked_out',
				'uid' => (int)$login_user['uid'],
				'username' => $login_user['username'],
				)
			);

			$default_page->show_lockedout();
		}
		else
		{
			$default_page->show_login($login_lang_string, "error");
		}
	}

	$loginhandler->set_data(array(
		'username' => $mybb->input['username'],
		'password' => $mybb->input['password']
	));

	if($loginhandler->validate_login() == true)
	{
		$mybb->user = get_user($loginhandler->login_data['uid']);
	}

	if(!empty($mybb->user['uid']))
	{
		// Credentials were correct, but a lockout may still be in force for this account.
		if(login_attempt_check_acp($mybb->user['uid']) == true)
		{
			log_admin_action(array(
				'type' => 'admin_locked_out',
				'uid' => (int)$mybb->user['uid'],
				'username' => $mybb->user['username'],
				)
			);

			$default_page->show_lockedout();
		}

		$plugins->run_hooks("admin_login_success");

		// Any existing ACP sessions for this account are dropped before the new one is created.
		$db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");

		$sid = md5(random_str(50));

		$useragent = $_SERVER['HTTP_USER_AGENT'];
		if(my_strlen($useragent) > 200)
		{
			$useragent = my_substr($useragent, 0, 200);
		}

		// Create a new admin session for this user
		// "authenticated" stays 0 until the 2FA step (if the account has an authsecret) succeeds.
		$admin_session = array(
			"sid" => $sid,
			"uid" => $mybb->user['uid'],
			"loginkey" => $mybb->user['loginkey'],
			"ip" => $db->escape_binary(my_inet_pton(get_ip())),
			"dateline" => TIME_NOW,
			"lastactive" => TIME_NOW,
			"data" => my_serialize(array()),
			"useragent" => $db->escape_string($useragent),
			"authenticated" => 0,
		);
		$db->insert_query("adminsessions", $admin_session);
		$admin_session['data'] = array();

		// Only reset the loginattempts when we're really logged in and the user doesn't need to enter a 2fa code
		$query = $db->simple_select("adminoptions", "authsecret", "uid='{$mybb->user['uid']}'");
		$admin_options = $db->fetch_array($query);
		if(empty($admin_options['authsecret']))
		{
			$db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='{$mybb->user['uid']}'");
		}

		// Positional arguments presumably map to httponly=true and samesite=strict — confirm against my_setcookie().
		my_setcookie("adminsid", $sid, '', true, "strict");
		my_setcookie('acploginattempts', 0);
		$post_verify = false;

		// The login POST must not be treated as a data-modifying request by the module that runs next.
		$mybb->request_method = "get";

		if(!empty($mybb->input['module']))
		{
			// $query_string should contain the module
			$query_string = '?module='.htmlspecialchars_uni($mybb->input['module']);

			// Now we look for any parameters passed in $_SERVER['QUERY_STRING']
			if($_SERVER['QUERY_STRING'])
			{
				// Strip any adminsid and action=logout from the original query before rebuilding it.
				$qstring = '?'.preg_replace('#adminsid=(.{32})#i', '', $_SERVER['QUERY_STRING']);
				$qstring = str_replace('action=logout', '', $qstring);
				$qstring = preg_replace('#&+#', '&', $qstring);
				$qstring = str_replace('?&', '?', $qstring);

				// So what do we do? We know that parameters are divided by ampersands
				// That means we must get to work!
				$parameters = explode('&', $qstring);

				// Remove our first member if it's for the module
				if(substr($parameters[0], 0, 8) == '?module=')
				{
					unset($parameters[0]);
				}

				// Re-append each remaining key (and value, if any), HTML-escaped.
				foreach($parameters as $key => $param)
				{
					$params = explode("=", $param);

					$query_string .= '&'.htmlspecialchars_uni($params[0]);

					if(isset($params[1]))
					{
						$query_string .= "=".htmlspecialchars_uni($params[1]);
					}
				}
			}

			admin_redirect("index.php".$query_string);
		}
	}
	else
	{
		// Failed login: bump the attempt counter for the named account (if it exists) and
		// apply the same lockout handling as the PIN branch above.
		$login_user = get_user_by_username($mybb->input['username'], array('fields' => array('email', 'username')));

		$plugins->run_hooks("admin_login_fail");

		$loginattempts = false;
		if(!empty($login_user['uid']) && $login_user['uid'] > 0)
		{
			$db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".(int)$login_user['uid']."'", '', true);
			$loginattempts = login_attempt_check_acp($login_user['uid'], true);
		}

		// Have we attempted too many times?
		if($loginattempts !== false && $loginattempts['loginattempts'] > 0)
		{
			// Have we set an expiry yet?
			if($loginattempts['loginlockoutexpiry'] == 0)
			{
				$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='".(int)$login_user['uid']."'");
			}

			$plugins->run_hooks("admin_login_lockout");

			// Did we hit lockout for the first time? Send the unlock email to the administrator
			if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
			{
				$db->delete_query("awaitingactivation", "uid='".(int)$login_user['uid']."' AND type='l'");
				$lockout_array = array(
					"uid" => $login_user['uid'],
					"dateline" => TIME_NOW,
					"code" => random_str(),
					"type" => "l"
				);
				$db->insert_query("awaitingactivation", $lockout_array);

				$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
				$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
				my_mail($login_user['email'], $subject, $message);
			}

			log_admin_action(array(
				'type' => 'admin_locked_out',
				'uid' => (int)$login_user['uid'],
				'username' => $login_user['username'],
				)
			);

			$default_page->show_lockedout();
		}

		// Picked up by the login-page dispatch further down.
		$fail_check = 1;
	}
}
else
{
	// Ordinary request: resolve the user from the adminsid cookie, if any.
	// No admin session - show message on the login screen
	if(!isset($mybb->cookies['adminsid']))
	{
		$login_message = "";
	}
	// Otherwise, check admin session
	else
	{
		$query = $db->simple_select("adminsessions", "*", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		$admin_session = $db->fetch_array($query);

		// No matching admin session found - show message on login screen
		if(empty($admin_session) || !$admin_session['sid'])
		{
			$login_message = $lang->error_invalid_admin_session;
		}
		else
		{
			$admin_session['data'] = my_unserialize($admin_session['data']);

			// Fetch the user from the admin session
			$mybb->user = get_user($admin_session['uid']);

			// Login key has changed - force logout
			// (the session stores the loginkey at login time; a mismatch invalidates it)
			if(!$mybb->user['uid'] || $mybb->user['loginkey'] !== $admin_session['loginkey'])
			{
				unset($mybb->user);
			}
			else
			{
				// Admin CP sessions 2 hours old are expired
				if($admin_session['lastactive'] < TIME_NOW-7200)
				{
					$login_message = $lang->error_admin_session_expired;
					$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
					unset($mybb->user);
				}
				// If IP matching is set - check IP address against the session IP
				// (IPv4 only: the current address must contain no ':')
				else if(ADMIN_IP_SEGMENTS > 0 && strpos($ip_address, ':') === false)
				{
					$exploded_ip = explode(".", $ip_address);
					$exploded_admin_ip = explode(".", my_inet_ntop($admin_session['ip']));
					$matches = 0;
					$valid_ip = false;
					// The first ADMIN_IP_SEGMENTS octets must all match.
					for($i = 0; $i < ADMIN_IP_SEGMENTS; ++$i)
					{
						if($exploded_ip[$i] == $exploded_admin_ip[$i])
						{
							++$matches;
						}
						if($matches == ADMIN_IP_SEGMENTS)
						{
							$valid_ip = true;
							break;
						}
					}

					// IP doesn't match properly - show message on logon screen
					if(!$valid_ip)
					{
						$login_message = $lang->error_invalid_ip;
						unset($mybb->user);
					}
				}
				else if(ADMIN_IPV6_SEGMENTS > 0 && strpos($ip_address, ':') !== false)
				{
					// Expand IPv6 addresses
					// Both addresses are rendered as 8 colon-separated 16-bit hex groups from their packed form.
					// NOTE(review): the class range A-f also spans the ASCII characters between 'Z' and 'a';
					// harmless on hex output, but [A-Fa-f0-9] is what is meant.
					$hex = unpack("H*hex", my_inet_pton($ip_address));
					$expanded_ip = substr(preg_replace("/([A-f0-9]{4})/", "$1:", $hex['hex']), 0, -1);
					$hex_admin = unpack("H*hex", $admin_session['ip']);
					$expanded_admin_ip = substr(preg_replace("/([A-f0-9]{4})/", "$1:", $hex_admin['hex']), 0, -1);

					$exploded_ip = explode(":", $expanded_ip);
					$exploded_admin_ip = explode(":", $expanded_admin_ip);
					$matches = 0;
					$valid_ip = false;
					// The first ADMIN_IPV6_SEGMENTS groups must all match.
					for($i = 0; $i < ADMIN_IPV6_SEGMENTS; ++$i)
					{
						if($exploded_ip[$i] == $exploded_admin_ip[$i])
						{
							++$matches;
						}
						if($matches == ADMIN_IPV6_SEGMENTS)
						{
							$valid_ip = true;
							break;
						}
					}

					// IP doesn't match properly - show message on logon screen
					if(!$valid_ip)
					{
						$login_message = $lang->error_invalid_ip;
						unset($mybb->user);
					}
				}
			}
		}
	}
}

// Logout requires a valid POST key so the session cannot be ended by a forged link.
if($mybb->input['action'] == "logout" && $mybb->user)
{
	$plugins->run_hooks("admin_logout");

	if(verify_post_check($mybb->get_input('my_post_key')))
	{
		$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		my_unsetcookie('adminsid');
		$logged_out = true;
	}
}

// Resolve group permissions; group 1 is used when there is no user.
if(!isset($mybb->user['usergroup']))
{
	$mybbgroups = 1;
}
else
{
	$mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups'];
}
$mybb->usergroup = usergroup_permissions($mybbgroups);

$is_super_admin = false;
if(isset($mybb->user['uid']))
{
	$is_super_admin = is_super_admin($mybb->user['uid']);
}

// Precedence: (no cancp permission AND not a super admin) OR no uid.
// Either way the account may not use the ACP: drop its sessions and the cookie.
if(empty($mybb->usergroup['cancp']) && !$is_super_admin || !$mybb->user['uid'])
{
	$uid = 0;
	if(isset($mybb->user['uid']))
	{
		$uid = (int)$mybb->user['uid'];
	}
	$db->delete_query("adminsessions", "uid = '{$uid}'");
	unset($mybb->user);
	my_unsetcookie('adminsid');
}

if(!empty($mybb->user['uid']))
{
	$query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'");
	$admin_options = $db->fetch_array($query);

	// Only update language / theme once fully authenticated
	if(empty($admin_options['authsecret']) || $admin_session['authenticated'] == 1)
	{
		if(!empty($admin_options['cplanguage']))
		{
			$cp_language = $admin_options['cplanguage'];
			$lang->set_language($cp_language, "admin");
			$lang->load("global"); // Reload global language vars
			$lang->load("messages", true);
		}

		if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css"))
		{
			$cp_style = $admin_options['cpstyle'];
		}
	}

	// Update the session information in the DB
	if($admin_session['sid'])
	{
		$db->update_query("adminsessions", array('lastactive' => TIME_NOW, 'ip' => $db->escape_binary(my_inet_pton(get_ip()))), "sid='".$db->escape_string($admin_session['sid'])."'");
	}

	// Fetch administrator permissions
	$mybb->admin['permissions'] = get_admin_permissions($mybb->user['uid']);
}

// Include the layout generation class overrides for this style
if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))
{
	require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php";
}

// Check if any of the layout generation classes we can override exist in the style file
$classes = array(
	"Page" => "DefaultPage",
	"SidebarItem" => "DefaultSidebarItem",
	"PopupMenu" => "DefaultPopupMenu",
	"Table" => "DefaultTable",
	"Form" => "DefaultForm",
	"FormContainer" => "DefaultFormContainer"
);
foreach($classes as $style_name => $default_name)
{
	// Style does not have this layout generation class, create it
	// (only the fixed names from $classes above reach eval(); no request input is involved)
	if(!class_exists($style_name))
	{
		eval("class {$style_name} extends {$default_name} { }");
	}
}

$page = new Page;
$page->style = $cp_style;

// Do not have a valid Admin user, throw back to login page.
if(!isset($mybb->user['uid']) || $logged_out == true)
{
	if($logged_out == true)
	{
		$page->show_login($lang->success_logged_out);
	}
	elseif($fail_check == 1)
	{
		$page->show_login($login_lang_string, "error");
	}
	else
	{
		// If we have this error while retrieving it from an AJAX request, then send back a nice error
		if(isset($mybb->input['ajax']) && $mybb->input['ajax'] == 1)
		{
			echo json_encode(array("errors" => array("login")));
			exit;
		}
		$page->show_login($login_message, "error");
	}
}

// Time to check for Two-Factor Authentication
// First: are we trying to verify a code?
if($mybb->input['do'] == "do_2fa" && $mybb->request_method == "post")
{
	// Test whether it's a recovery code
	// NOTE(review): non-strict in_array(); if recovery codes are numeric strings, PHP's
	// numeric-string comparison applies — a strict lookup would be safer.
	$recovery = false;
	$codes = my_unserialize($admin_options['recovery_codes']);
	if(!empty($codes) && in_array($mybb->get_input('code'), $codes))
	{
		$recovery = true;
		$ncodes = array_diff($codes, array($mybb->input['code'])); // Removes our current code from the codes array
		$db->update_query("adminoptions", array("recovery_codes" => $db->escape_string(my_serialize($ncodes))), "uid='{$mybb->user['uid']}'");

		if(count($ncodes) == 0)
		{
			flash_message($lang->my2fa_no_codes, "error");
		}
	}

	// Validate the code
	require_once MYBB_ROOT."inc/3rdparty/2fa/GoogleAuthenticator.php";
	$auth = new PHPGangsta_GoogleAuthenticator;

	$test = $auth->verifyCode($admin_options['authsecret'], $mybb->get_input('code'));

	// Either the code was okay or it was a recovery code
	if($test === true || $recovery === true)
	{
		// Correct code -> session authenticated
		$db->update_query("adminsessions", array("authenticated" => 1), "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		$admin_session['authenticated'] = 1;
		$db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='{$mybb->user['uid']}'");
		my_setcookie('acploginattempts', 0);
		admin_redirect("index.php");
	}
	else
	{
		// Wrong code -> close session (aka logout)
		$db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
		my_unsetcookie('adminsid');

		// Now test whether we need to lock this account completely
		// (a failed 2FA code is counted like a failed password attempt)
		$db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='{$mybb->user['uid']}'", '', true);

		$loginattempts = login_attempt_check_acp($mybb->user['uid'], true);

		// Have we attempted too many times?
		if($loginattempts !== false && $loginattempts['loginattempts'] > 0)
		{
			// Have we set an expiry yet?
			if($loginattempts['loginlockoutexpiry'] == 0)
			{
				$db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='{$mybb->user['uid']}'");
			}

			// Did we hit lockout for the first time? Send the unlock email to the administrator
			if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
			{
				$db->delete_query("awaitingactivation", "uid='{$mybb->user['uid']}' AND type='l'");
				$lockout_array = array(
					"uid" => $mybb->user['uid'],
					"dateline" => TIME_NOW,
					"code" => random_str(),
					"type" => "l"
				);
				$db->insert_query("awaitingactivation", $lockout_array);

				$subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
				$message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->user['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
				my_mail($mybb->user['email'], $subject, $message);
			}

			log_admin_action(array(
				'type' => 'admin_locked_out',
				'uid' => $mybb->user['uid'],
				'username' => $mybb->user['username'],
				)
			);

			$page->show_lockedout();
		}

		// Still here? Show a custom login page
		$page->show_login($lang->my2fa_failed, "error");
	}
}

// Show our 2FA page
// A session that has not completed 2FA gets no further than this point.
if(!empty($admin_options['authsecret']) && $admin_session['authenticated'] != 1)
{
	$page->show_2fa();
}

$page->add_breadcrumb_item($lang->home, "index.php");

// Begin dealing with the modules
// Each sub-directory with a module_meta.php is registered in $modules as 1 (usable) or 0 (no permission).
$modules_dir = MYBB_ADMIN_DIR."modules";
$dir = opendir($modules_dir);
while(($module = readdir($dir)) !== false)
{
	if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php"))
	{
		require_once $modules_dir."/".$module."/module_meta.php";

		// Need to always load it for admin permissions / quick access
		$lang->load($module."_module_meta", false, true);

		$has_permission = false;
		if(function_exists($module."_admin_permissions"))
		{
			if(isset($mybb->admin['permissions'][$module]) || $is_super_admin == true)
			{
				$has_permission = true;
			}
		}
		// This module doesn't support permissions
		else
		{
			$has_permission = true;
		}

		// Do we have permissions to run this module (Note: home is accessible by all)
		if($module == "home" || $has_permission == true)
		{
			$meta_function = $module."_meta";
			$initialized = $meta_function();
			if($initialized == true)
			{
				$modules[$module] = 1;
			}
		}
		else
		{
			$modules[$module] = 0;
		}
	}
}

$modules = $plugins->run_hooks("admin_tabs", $modules);

closedir($dir);

// "module/action" or "module-action"; the action part defaults to 'home'.
if(strpos($mybb->input['module'], "/") !== false)
{
	$current_module = explode("/", $mybb->input['module'], 2);
}
else
{
	$current_module = explode("-", $mybb->input['module'], 2);
}

if(!isset($current_module[1]))
{
	$current_module[1] = 'home';
}

// Only modules discovered above can run; anything else falls back to home.
if($mybb->input['module'] && isset($modules[$current_module[0]]))
{
	$run_module = $current_module[0];
}
else
{
	$run_module = "home";
}

$action_handler = $run_module."_action_handler";
$action_file = $action_handler($current_module[1]);

// Set our POST validation code here
$mybb->post_code = generate_post_check();

if($run_module != "home")
{
	check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action));
}

// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid.
$post_check_ignores = array(
	"example/page" => array("action")
); // An array of modules/actions to ignore POST checks for.

if($mybb->request_method == "post")
{
	// NOTE(review): $post_check_ignores is keyed by module name, but in_array() searches its
	// values (arrays of actions); as written this lookup does not appear to match any module.
	if(in_array($mybb->input['module'], $post_check_ignores))
	{
		$k = array_search($mybb->input['module'], $post_check_ignores);
		if(in_array($mybb->input['action'], $post_check_ignores[$k]))
		{
			$post_verify = false;
		}
	}

	if($post_verify == true)
	{
		// If the post key does not match we switch the action to GET and set a message to show the user
		if(!verify_post_check($mybb->get_input('my_post_key'), true))
		{
			$mybb->request_method = "get";
			$page->show_post_verify_error = true;
		}
	}
}

$lang->load("{$run_module}_{$page->active_action}", false, true);

$plugins->run_hooks("admin_load");

require $modules_dir."/".$run_module."/".$action_file;