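<?php
/**
 * MyBB 1.8
 * Copyright 2014 MyBB Group, All Rights Reserved
 *
 * Website: http://www.mybb.com
 * License: http://www.mybb.com/about/license
 *
 */

/*
 * Admin CP front controller.
 *
 * Bootstraps the forum (inc/init.php), loads the Admin CP layout classes and then
 * walks the request through the following gates, in order:
 *   1. action=unlock  - clears a login lockout using the token that was e-mailed to the admin
 *   2. do=login       - checks the optional secret PIN, then the credentials, and creates a
 *                       row in `adminsessions` plus the `adminsid` cookie
 *   3. otherwise      - validates the existing `adminsid` session (loginkey, age, optional
 *                       IP-segment matching)
 *   4. action=logout  - deletes the session when the POST key is valid
 *   5. group gate     - only users whose group has `cancp` (or super admins) keep a session
 *   6. do=do_2fa      - second factor (TOTP or one-time recovery code) when `authsecret` is set
 *   7. module dispatch - loads module_meta.php for every module, then the action handler,
 *                       enforcing the POST key on every POST request
 *
 * The flow below only makes sense if $page->show_login(), show_lockedout(),
 * show_lockout_unlock(), show_2fa() and admin_redirect() render/redirect and then exit
 * (they are defined in inc/class_page.php / inc/functions.php, not here) - confirm there
 * before relying on fall-through behaviour.
 */

define("IN_MYBB", 1);
define("IN_ADMINCP", 1);

// Here you can change how much of an Admin CP IP address must match in a previous session for the user is validated (e.g. 3 means a.b.c need to match)
// 0 (the default) disables IP matching entirely - see the session validation block further down.
define("ADMIN_IP_SEGMENTS", 0);
define("ADMIN_IPV6_SEGMENTS", 0);

require_once dirname(dirname(__FILE__))."/inc/init.php";

$shutdown_queries = $shutdown_functions = array();

send_page_headers();

// Clickjacking and referrer-leak protection for every Admin CP response
header('X-Frame-Options: SAMEORIGIN');
header('Referrer-Policy: no-referrer');

if(!isset($config['admin_dir']) || !file_exists(MYBB_ROOT.$config['admin_dir']."/inc/class_page.php"))
{
    $config['admin_dir'] = basename(dirname(__FILE__));
}

define('MYBB_ADMIN_DIR', MYBB_ROOT.$config['admin_dir'].'/');

define('COPY_YEAR', my_date('Y', TIME_NOW));

require_once MYBB_ADMIN_DIR."inc/class_page.php";
require_once MYBB_ADMIN_DIR."inc/class_form.php";
require_once MYBB_ADMIN_DIR."inc/class_table.php";
require_once MYBB_ADMIN_DIR."inc/functions.php";
require_once MYBB_ROOT."inc/functions_user.php";

// Set cookie path to our admin dir temporarily, i.e. so that it affects the ACP only
$loc = get_current_location('', '', true);
$mybb->settings['cookiepath'] = substr($loc, 0, strrpos($loc, "/{$config['admin_dir']}/"))."/{$config['admin_dir']}/";

if(!isset($cp_language))
{
    $lang->set_language($mybb->settings['cplanguage'], "admin");
}

// Load global language phrases
$lang->load("global");
$lang->load("messages", true);

if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
{
    @mb_internal_encoding($lang->settings['charset']);
}

header("Content-type: text/html; charset={$lang->settings['charset']}");

$time = TIME_NOW;
$errors = null;

// Refuse to run while the installer is still reachable and unlocked
if(is_dir(MYBB_ROOT."install") && !file_exists(MYBB_ROOT."install/lock"))
{
    $mybb->trigger_generic_error("install_directory");
}

$ip_address = get_ip();
unset($user);

// Load Admin CP style
if(!isset($cp_style))
{
    if(!empty($mybb->settings['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/".$mybb->settings['cpstyle']."/main.css"))
    {
        $cp_style = $mybb->settings['cpstyle'];
    }
    else
    {
        $cp_style = "default";
    }
}

$default_page = new DefaultPage;

$logged_out = false;
$fail_check = 0;
$post_verify = true;
// Message shown on the login form; set by the session-validation branches below.
// Initialised here so the paths that only unset($mybb->user) do not leave it undefined.
$login_message = '';

foreach(array('action', 'do', 'module') as $input)
{
    if(!isset($mybb->input[$input]))
    {
        $mybb->input[$input] = '';
    }
}

if($mybb->input['action'] == "unlock")
{
    $user = array();
    $error = '';

    $plugins->run_hooks("admin_unlock_start");

    // Look the account up by username or uid; both are untrusted request input
    if(!empty($mybb->input['username']))
    {
        $user = get_user_by_username($mybb->input['username'], array('fields' => '*'));

        if(!$user)
        {
            $error = $lang->error_invalid_username;
        }
    }
    else if(!empty($mybb->input['uid']))
    {
        $user = get_user($mybb->input['uid']);
        if(!$user)
        {
            $error = $lang->error_invalid_uid;
        }
    }

    // Do we have the token? If so let's process it
    // ($user may be false or an empty array here, so guard the uid lookup)
    if(!empty($mybb->input['token']) && !empty($user['uid']))
    {
        // The token is matched exactly against the `awaitingactivation` row of type 'l' (lockout)
        $query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".(int)$user['uid']."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");

        $plugins->run_hooks("admin_unlock_end");

        // If we're good to go
        if($db->fetch_field($query, "num") > 0)
        {
            // Token is single-use: delete it and reset the lockout counters
            $db->delete_query("awaitingactivation", "uid='".(int)$user['uid']."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
            $db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".(int)$user['uid']."'");

            admin_redirect("index.php");
        }
        else
        {
            $error = $lang->error_invalid_token;
        }
    }

    $default_page->show_lockout_unlock($error, 'error');
}
elseif($mybb->input['do'] == "login")
{
    $plugins->run_hooks("admin_login");

    // We have an adminsid cookie?
    if(isset($mybb->cookies['adminsid']))
    {
        // Check admin session
        $query = $db->simple_select("adminsessions", "sid", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
        $admin_session = $db->fetch_field($query, 'sid');

        // Session found: redirect to index
        if($admin_session)
        {
            admin_redirect("index.php");
        }
    }

    require_once MYBB_ROOT."inc/datahandlers/login.php";
    $loginhandler = new LoginDataHandler("get");

    // Determine login method (which identifier the generic "invalid credentials" message names)
    $login_lang_string = $lang->error_invalid_username_password;
    switch($mybb->settings['username_method'])
    {
        case 0: // Username only
            $login_lang_string = $lang->sprintf($login_lang_string, $lang->login_username);
            break;
        case 1: // Email only
            $login_lang_string = $lang->sprintf($login_lang_string, $lang->login_email);
            break;
        case 2: // Username and email
        default:
            $login_lang_string = $lang->sprintf($login_lang_string, $lang->login_username_and_password);
            break;
    }

    // Validate PIN first
    // hash_equals() replaces the former loose `!=`: a loose comparison treats numeric strings
    // numerically ("0123" == "123", "1e3" == "1000"), and it also avoids a timing side channel.
    // get_input() yields '' for a missing or non-scalar pin, which never matches a non-empty PIN.
    if(!empty($config['secret_pin']) && (empty($mybb->input['pin']) || !hash_equals((string)$config['secret_pin'], $mybb->get_input('pin'))))
    {
        $login_user = get_user_by_username($mybb->input['username'], array('fields' => array('email', 'username')));

        $plugins->run_hooks("admin_login_incorrect_pin");

        // A wrong PIN counts as a failed attempt against the named account (if it exists)
        if(!empty($login_user['uid']) && $login_user['uid'] > 0)
        {
            $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".(int)$login_user['uid']."'", '', true);
        }

        $loginattempts = login_attempt_check_acp($login_user['uid'], true);

        // Have we attempted too many times?
        if($loginattempts !== false && $loginattempts['loginattempts'] > 0)
        {
            // Have we set an expiry yet?
            if($loginattempts['loginlockoutexpiry'] == 0)
            {
                $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='".(int)$login_user['uid']."'");
            }

            // Did we hit lockout for the first time? Send the unlock email to the administrator
            if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
            {
                $db->delete_query("awaitingactivation", "uid='".(int)$login_user['uid']."' AND type='l'");
                $lockout_array = array(
                    "uid" => $login_user['uid'],
                    "dateline" => TIME_NOW,
                    "code" => random_str(),
                    "type" => "l"
                );
                $db->insert_query("awaitingactivation", $lockout_array);

                $subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
                $message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
                my_mail($login_user['email'], $subject, $message);
            }

            log_admin_action(array(
                'type' => 'admin_locked_out',
                'uid' => (int)$login_user['uid'],
                'username' => $login_user['username'],
                )
            );

            $default_page->show_lockedout();
        }
        else
        {
            $default_page->show_login($login_lang_string, "error");
        }
    }

    $loginhandler->set_data(array(
        'username' => $mybb->input['username'],
        'password' => $mybb->input['password']
    ));

    if($loginhandler->validate_login() == true)
    {
        $mybb->user = get_user($loginhandler->login_data['uid']);
    }

    if(!empty($mybb->user['uid']))
    {
        // Correct credentials do not help while the account is still locked out
        if(login_attempt_check_acp($mybb->user['uid']) == true)
        {
            log_admin_action(array(
                'type' => 'admin_locked_out',
                'uid' => (int)$mybb->user['uid'],
                'username' => $mybb->user['username'],
                )
            );

            $default_page->show_lockedout();
        }

        $plugins->run_hooks("admin_login_success");

        // One Admin CP session per user: drop any previous ones
        $db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");

        $sid = md5(random_str(50));

        // Header may be absent on non-browser clients
        $useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        if(my_strlen($useragent) > 200)
        {
            $useragent = my_substr($useragent, 0, 200);
        }

        // Create a new admin session for this user
        // `authenticated` stays 0 until the second factor (if any) has been passed
        $admin_session = array(
            "sid" => $sid,
            "uid" => $mybb->user['uid'],
            "loginkey" => $mybb->user['loginkey'],
            "ip" => $db->escape_binary(my_inet_pton(get_ip())),
            "dateline" => TIME_NOW,
            "lastactive" => TIME_NOW,
            "data" => my_serialize(array()),
            "useragent" => $db->escape_string($useragent),
            "authenticated" => 0,
        );
        $db->insert_query("adminsessions", $admin_session);
        $admin_session['data'] = array();

        // Only reset the loginattempts when we're really logged in and the user doesn't need to enter a 2fa code
        $query = $db->simple_select("adminoptions", "authsecret", "uid='{$mybb->user['uid']}'");
        $admin_options = $db->fetch_array($query);
        if(empty($admin_options['authsecret']))
        {
            $db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='{$mybb->user['uid']}'");
        }

        // HttpOnly + SameSite=strict session cookie, scoped to the ACP path set above
        my_setcookie("adminsid", $sid, '', true, "strict");
        my_setcookie('acploginattempts', 0);
        $post_verify = false;

        $mybb->request_method = "get";

        if(!empty($mybb->input['module']))
        {
            // $query_string should contain the module
            $query_string = '?module='.htmlspecialchars_uni($mybb->input['module']);

            // Now we look for any paramters passed in $_SERVER['QUERY_STRING']
            if(!empty($_SERVER['QUERY_STRING']))
            {
                // Never carry a session id or a logout action over into the post-login redirect
                $qstring = '?'.preg_replace('#adminsid=(.{32})#i', '', $_SERVER['QUERY_STRING']);
                $qstring = str_replace('action=logout', '', $qstring);
                $qstring = preg_replace('#&+#', '&', $qstring);
                $qstring = str_replace('?&', '?', $qstring);

                // So what do we do? We know that parameters are devided by ampersands
                // That means we must get to work!
                $parameters = explode('&', $qstring);

                // Remove our first member if it's for the module
                if(substr($parameters[0], 0, 8) == '?module=')
                {
                    unset($parameters[0]);
                }

                // Rebuild the query string with every key and value HTML-escaped
                foreach($parameters as $key => $param)
                {
                    $params = explode("=", $param);

                    $query_string .= '&'.htmlspecialchars_uni($params[0]);

                    if(isset($params[1]))
                    {
                        $query_string .= "=".htmlspecialchars_uni($params[1]);
                    }
                }
            }

            admin_redirect("index.php".$query_string);
        }
    }
    else
    {
        $login_user = get_user_by_username($mybb->input['username'], array('fields' => array('email', 'username')));

        $plugins->run_hooks("admin_login_fail");

        $loginattempts = false;
        if(!empty($login_user['uid']) && $login_user['uid'] > 0)
        {
            $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='".(int)$login_user['uid']."'", '', true);
            $loginattempts = login_attempt_check_acp($login_user['uid'], true);
        }

        // Have we attempted too many times?
        if($loginattempts !== false && $loginattempts['loginattempts'] > 0)
        {
            // Have we set an expiry yet?
            if($loginattempts['loginlockoutexpiry'] == 0)
            {
                $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='".(int)$login_user['uid']."'");
            }

            $plugins->run_hooks("admin_login_lockout");

            // Did we hit lockout for the first time? Send the unlock email to the administrator
            if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
            {
                $db->delete_query("awaitingactivation", "uid='".(int)$login_user['uid']."' AND type='l'");
                $lockout_array = array(
                    "uid" => $login_user['uid'],
                    "dateline" => TIME_NOW,
                    "code" => random_str(),
                    "type" => "l"
                );
                $db->insert_query("awaitingactivation", $lockout_array);

                $subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
                $message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->input['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
                my_mail($login_user['email'], $subject, $message);
            }

            log_admin_action(array(
                'type' => 'admin_locked_out',
                'uid' => (int)$login_user['uid'],
                'username' => $login_user['username'],
                )
            );

            $default_page->show_lockedout();
        }

        $fail_check = 1;
    }
}
else
{
    // No admin session - show message on the login screen
    if(!isset($mybb->cookies['adminsid']))
    {
        $login_message = "";
    }
    // Otherwise, check admin session
    else
    {
        $query = $db->simple_select("adminsessions", "*", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
        $admin_session = $db->fetch_array($query);

        // No matching admin session found - show message on login screen
        if(empty($admin_session) || !$admin_session['sid'])
        {
            $login_message = $lang->error_invalid_admin_session;
        }
        else
        {
            $admin_session['data'] = my_unserialize($admin_session['data']);

            // Fetch the user from the admin session
            $mybb->user = get_user($admin_session['uid']);

            // Login key has changed - force logout
            // (a password change / front-end logout rotates loginkey, which invalidates ACP sessions too)
            if(!$mybb->user['uid'] || $mybb->user['loginkey'] !== $admin_session['loginkey'])
            {
                unset($mybb->user);
            }
            else
            {
                // Admin CP sessions 2 hours old are expired
                if($admin_session['lastactive'] < TIME_NOW-7200)
                {
                    $login_message = $lang->error_admin_session_expired;
                    $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
                    unset($mybb->user);
                }
                // If IP matching is set - check IP address against the session IP
                // (only reached when ADMIN_IP_SEGMENTS > 0, i.e. never with the defaults above)
                else if(ADMIN_IP_SEGMENTS > 0 && strpos($ip_address, ':') === false)
                {
                    $exploded_ip = explode(".", $ip_address);
                    $exploded_admin_ip = explode(".", my_inet_ntop($admin_session['ip']));
                    $matches = 0;
                    $valid_ip = false;
                    // The first ADMIN_IP_SEGMENTS octets must all match; any mismatch keeps $valid_ip false
                    for($i = 0; $i < ADMIN_IP_SEGMENTS; ++$i)
                    {
                        if($exploded_ip[$i] == $exploded_admin_ip[$i])
                        {
                            ++$matches;
                        }
                        if($matches == ADMIN_IP_SEGMENTS)
                        {
                            $valid_ip = true;
                            break;
                        }
                    }

                    // IP doesn't match properly - show message on logon screen
                    if(!$valid_ip)
                    {
                        $login_message = $lang->error_invalid_ip;
                        unset($mybb->user);
                    }
                }
                else if(ADMIN_IPV6_SEGMENTS > 0 && strpos($ip_address, ':') !== false)
                {
                    // Expand IPv6 addresses to the full 8 x 16-bit hextet form so segments line up
                    $hex = unpack("H*hex", my_inet_pton($ip_address));
                    $expanded_ip = substr(preg_replace("/([A-f0-9]{4})/", "$1:", $hex['hex']), 0, -1);
                    $hex_admin = unpack("H*hex", $admin_session['ip']);
                    $expanded_admin_ip = substr(preg_replace("/([A-f0-9]{4})/", "$1:", $hex_admin['hex']), 0, -1);

                    $exploded_ip = explode(":", $expanded_ip);
                    $exploded_admin_ip = explode(":", $expanded_admin_ip);
                    $matches = 0;
                    $valid_ip = false;
                    for($i = 0; $i < ADMIN_IPV6_SEGMENTS; ++$i)
                    {
                        if($exploded_ip[$i] == $exploded_admin_ip[$i])
                        {
                            ++$matches;
                        }
                        if($matches == ADMIN_IPV6_SEGMENTS)
                        {
                            $valid_ip = true;
                            break;
                        }
                    }

                    // IP doesn't match properly - show message on logon screen
                    if(!$valid_ip)
                    {
                        $login_message = $lang->error_invalid_ip;
                        unset($mybb->user);
                    }
                }
            }
        }
    }
}

// Logout requires a valid POST key so a crafted link cannot end the session
if($mybb->input['action'] == "logout" && !empty($mybb->user))
{
    $plugins->run_hooks("admin_logout");

    if(verify_post_check($mybb->get_input('my_post_key')))
    {
        $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
        my_unsetcookie('adminsid');
        $logged_out = true;
    }
}

if(!isset($mybb->user['usergroup']))
{
    $mybbgroups = 1;
}
else
{
    $mybbgroups = $mybb->user['usergroup'].",".$mybb->user['additionalgroups'];
}
$mybb->usergroup = usergroup_permissions($mybbgroups);

$is_super_admin = false;
if(isset($mybb->user['uid']))
{
    $is_super_admin = is_super_admin($mybb->user['uid']);
}

// A session only survives for users whose group grants `cancp` or who are super admins;
// anyone else (including a user that was demoted while logged in) is thrown out here.
// Parentheses make the original `&&`-before-`||` precedence explicit.
if((empty($mybb->usergroup['cancp']) && !$is_super_admin) || empty($mybb->user['uid']))
{
    $uid = 0;
    if(isset($mybb->user['uid']))
    {
        $uid = (int)$mybb->user['uid'];
    }
    $db->delete_query("adminsessions", "uid = '{$uid}'");
    unset($mybb->user);
    my_unsetcookie('adminsid');
    if($mybb->get_input('do') == 'login')
    {
        $login_message = $lang->error_mybb_not_admin_account;
    }
}

if(!empty($mybb->user['uid']))
{
    $query = $db->simple_select("adminoptions", "*", "uid='".$mybb->user['uid']."'");
    $admin_options = $db->fetch_array($query);

    // Only update language / theme once fully authenticated
    if(empty($admin_options['authsecret']) || $admin_session['authenticated'] == 1)
    {
        if(!empty($admin_options['cplanguage']))
        {
            $cp_language = $admin_options['cplanguage'];
            $lang->set_language($cp_language, "admin");
            $lang->load("global"); // Reload global language vars
            $lang->load("messages", true);
        }

        if(!empty($admin_options['cpstyle']) && file_exists(MYBB_ADMIN_DIR."/styles/{$admin_options['cpstyle']}/main.css"))
        {
            $cp_style = $admin_options['cpstyle'];
        }
    }

    // Update the session information in the DB
    if($admin_session['sid'])
    {
        $db->update_query("adminsessions", array('lastactive' => TIME_NOW, 'ip' => $db->escape_binary(my_inet_pton(get_ip()))), "sid='".$db->escape_string($admin_session['sid'])."'");
    }

    // Fetch administrator permissions
    $mybb->admin['permissions'] = get_admin_permissions($mybb->user['uid']);
}

// Include the layout generation class overrides for this style
if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"))
{
    require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php";
}

// Check if any of the layout generation classes we can override exist in the style file
$classes = array(
    "Page" => "DefaultPage",
    "SidebarItem" => "DefaultSidebarItem",
    "PopupMenu" => "DefaultPopupMenu",
    "Table" => "DefaultTable",
    "Form" => "DefaultForm",
    "FormContainer" => "DefaultFormContainer"
);
foreach($classes as $style_name => $default_name)
{
    // Style does not have this layout generation class, create it
    if(!class_exists($style_name))
    {
        // eval() only ever sees the fixed class names from the $classes literal above;
        // no request data reaches it
        eval("class {$style_name} extends {$default_name} { }");
    }
}

$page = new Page;
$page->style = $cp_style;

// Do not have a valid Admin user, throw back to login page.
if(!isset($mybb->user['uid']) || $logged_out == true)
{
    if($logged_out == true)
    {
        $page->show_login($lang->success_logged_out);
    }
    elseif($fail_check == 1)
    {
        $page->show_login($login_lang_string, "error");
    }
    else
    {
        // If we have this error while retreiving it from an AJAX request, then send back a nice error
        if(isset($mybb->input['ajax']) && $mybb->input['ajax'] == 1)
        {
            echo json_encode(array("errors" => array("login")));
            exit;
        }
        $page->show_login($login_message, "error");
    }
}

// Time to check for Two-Factor Authentication
// First: are we trying to verify a code?
if($mybb->input['do'] == "do_2fa" && $mybb->request_method == "post")
{
    // Test whether it's a recovery code
    // Strict in_array(): recovery codes are compared byte-for-byte, so numeric-looking
    // codes cannot be matched by a numerically-equal string
    $recovery = false;
    $codes = my_unserialize($admin_options['recovery_codes']);
    if(!empty($codes) && in_array($mybb->get_input('code'), $codes, true))
    {
        $recovery = true;
        $ncodes = array_diff($codes, array($mybb->input['code'])); // Removes our current code from the codes array
        $db->update_query("adminoptions", array("recovery_codes" => $db->escape_string(my_serialize($ncodes))), "uid='{$mybb->user['uid']}'");

        if(count($ncodes) == 0)
        {
            flash_message($lang->my2fa_no_codes, "error");
        }
    }

    // Validate the code
    require_once MYBB_ROOT."inc/3rdparty/2fa/GoogleAuthenticator.php";
    $auth = new PHPGangsta_GoogleAuthenticator;

    $test = $auth->verifyCode($admin_options['authsecret'], $mybb->get_input('code'));

    // Either the code was okay or it was a recovery code
    if($test === true || $recovery === true)
    {
        // Correct code -> session authenticated
        $db->update_query("adminsessions", array("authenticated" => 1), "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
        $admin_session['authenticated'] = 1;
        $db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='{$mybb->user['uid']}'");
        my_setcookie('acploginattempts', 0);
        admin_redirect("index.php");
    }
    else
    {
        // Wrong code -> close session (aka logout)
        $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'");
        my_unsetcookie('adminsid');

        // Now test whether we need to lock this guy completly
        // (a failed second factor counts towards the same lockout as a failed password)
        $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='{$mybb->user['uid']}'", '', true);

        $loginattempts = login_attempt_check_acp($mybb->user['uid'], true);

        // Have we attempted too many times?
        if($loginattempts !== false && $loginattempts['loginattempts'] > 0)
        {
            // Have we set an expiry yet?
            if($loginattempts['loginlockoutexpiry'] == 0)
            {
                $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='{$mybb->user['uid']}'");
            }

            // Did we hit lockout for the first time? Send the unlock email to the administrator
            if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts'])
            {
                $db->delete_query("awaitingactivation", "uid='{$mybb->user['uid']}' AND type='l'");
                $lockout_array = array(
                    "uid" => $mybb->user['uid'],
                    "dateline" => TIME_NOW,
                    "code" => random_str(),
                    "type" => "l"
                );
                $db->insert_query("awaitingactivation", $lockout_array);

                $subject = $lang->sprintf($lang->locked_out_subject, $mybb->settings['bbname']);
                $message = $lang->sprintf($lang->locked_out_message, htmlspecialchars_uni($mybb->user['username']), $mybb->settings['bbname'], $mybb->settings['maxloginattempts'], $mybb->settings['bburl'], $mybb->config['admin_dir'], $lockout_array['code'], $lockout_array['uid']);
                my_mail($mybb->user['email'], $subject, $message);
            }

            log_admin_action(array(
                'type' => 'admin_locked_out',
                'uid' => $mybb->user['uid'],
                'username' => $mybb->user['username'],
                )
            );

            $page->show_lockedout();
        }

        // Still here? Show a custom login page
        $page->show_login($lang->my2fa_failed, "error");
    }
}

// Show our 2FA page
if(!empty($admin_options['authsecret']) && $admin_session['authenticated'] != 1)
{
    $page->show_2fa();
}

$page->add_breadcrumb_item($lang->home, "index.php");

// Begin dealing with the modules
// $modules maps module name => 1 (usable by this admin) or 0 (no permission)
$modules = array();
$modules_dir = MYBB_ADMIN_DIR."modules";
$dir = opendir($modules_dir);
while(($module = readdir($dir)) !== false)
{
    if(is_dir($modules_dir."/".$module) && !in_array($module, array(".", "..")) && file_exists($modules_dir."/".$module."/module_meta.php"))
    {
        require_once $modules_dir."/".$module."/module_meta.php";

        // Need to always load it for admin permissions / quick access
        $lang->load($module."_module_meta", false, true);

        $has_permission = false;
        if(function_exists($module."_admin_permissions"))
        {
            if(isset($mybb->admin['permissions'][$module]) || $is_super_admin == true)
            {
                $has_permission = true;
            }
        }
        // This module doesn't support permissions
        else
        {
            $has_permission = true;
        }

        // Do we have permissions to run this module (Note: home is accessible by all)
        if($module == "home" || $has_permission == true)
        {
            $meta_function = $module."_meta";
            $initialized = $meta_function();
            if($initialized == true)
            {
                $modules[$module] = 1;
            }
        }
        else
        {
            $modules[$module] = 0;
        }
    }
}

$modules = $plugins->run_hooks("admin_tabs", $modules);

closedir($dir);

// module input is "module/action" (or the legacy "module-action")
if(strpos($mybb->input['module'], "/") !== false)
{
    $current_module = explode("/", $mybb->input['module'], 2);
}
else
{
    $current_module = explode("-", $mybb->input['module'], 2);
}

if(!isset($current_module[1]))
{
    $current_module[1] = 'home';
}

// Only modules discovered from the modules directory above can be run
if($mybb->input['module'] && isset($modules[$current_module[0]]))
{
    $run_module = $current_module[0];
}
else
{
    $run_module = "home";
}

$action_handler = $run_module."_action_handler";
$action_file = $action_handler($current_module[1]);

// Set our POST validation code here
$mybb->post_code = generate_post_check();

if($run_module != "home")
{
    check_admin_permissions(array('module' => $page->active_module, 'action' => $page->active_action));
}

// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid.
$post_check_ignores = array(
    "example/page" => array("action")
); // An array of modules/actions to ignore POST checks for.

if($mybb->request_method == "post")
{
    // NOTE(review): in_array() compares the module string against the *values* of
    // $post_check_ignores, which are arrays, so this lookup can never succeed and no
    // module/action is ever exempted from the POST check. Left as-is on purpose: the
    // current behaviour fails closed, and exempting an action from CSRF protection
    // should be a deliberate decision (isset() on the key would be the working form).
    if(in_array($mybb->input['module'], $post_check_ignores))
    {
        $k = array_search($mybb->input['module'], $post_check_ignores);
        if(in_array($mybb->input['action'], $post_check_ignores[$k]))
        {
            $post_verify = false;
        }
    }

    if($post_verify == true)
    {
        // If the post key does not match we switch the action to GET and set a message to show the user
        if(!verify_post_check($mybb->get_input('my_post_key'), true))
        {
            $mybb->request_method = "get";
            $page->show_post_verify_error = true;
        }
    }
}

$lang->load("{$run_module}_{$page->active_action}", false, true);

$plugins->run_hooks("admin_load");

require $modules_dir."/".$run_module."/".$action_file;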