| [ Index ] |
PHP Cross Reference of MyBB 1.8.38 |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * MyBB 1.8 4 * Copyright 2014 MyBB Group, All Rights Reserved 5 * 6 * Website: http://www.mybb.com 7 * License: http://www.mybb.com/about/license 8 * 9 */ 10 11 /** 12 * The deal with this file is that it handles all of the XML HTTP Requests for MyBB. 13 * 14 * It contains a stripped down version of the MyBB core which does not load things 15 * such as themes, who's online data, all of the language packs and more. 16 * 17 * This is done to make response times when using XML HTTP Requests faster and 18 * less intense on the server. 19 */ 20 21 define("IN_MYBB", 1); 22 23 // We don't want visits here showing up on the Who's Online 24 define("NO_ONLINE", 1); 25 26 define('THIS_SCRIPT', 'xmlhttp.php'); 27 28 // Load MyBB core files 29 require_once dirname(__FILE__)."/inc/init.php"; 30 31 $shutdown_queries = $shutdown_functions = array(); 32 33 // Load some of the stock caches we'll be using. 34 $groupscache = $cache->read("usergroups"); 35 36 if(!is_array($groupscache)) 37 { 38 $cache->update_usergroups(); 39 $groupscache = $cache->read("usergroups"); 40 } 41 42 // Send no cache headers 43 header("Expires: Sat, 1 Jan 2000 01:00:00 GMT"); 44 header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 45 header("Cache-Control: no-cache, must-revalidate"); 46 header("Pragma: no-cache"); 47 48 // Create the session 49 require_once MYBB_ROOT."inc/class_session.php"; 50 $session = new session; 51 $session->init(); 52 53 // Load the language we'll be using 54 if(!isset($mybb->settings['bblanguage'])) 55 { 56 $mybb->settings['bblanguage'] = "english"; 57 } 58 if(isset($mybb->user['language']) && $lang->language_exists($mybb->user['language'])) 59 { 60 $mybb->settings['bblanguage'] = $mybb->user['language']; 61 } 62 $lang->set_language($mybb->settings['bblanguage']); 63 64 if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset'])) 65 { 66 @mb_internal_encoding($lang->settings['charset']); 67 } 68 69 // Load the theme 70 // 1. Check cookies 71 if(!$mybb->user['uid'] && !empty($mybb->cookies['mybbtheme'])) 72 { 73 $mybb->user['style'] = (int)$mybb->cookies['mybbtheme']; 74 } 75 76 // 2. Load style 77 if(isset($mybb->user['style']) && (int)$mybb->user['style'] != 0) 78 { 79 $loadstyle = "tid='".(int)$mybb->user['style']."'"; 80 } 81 else 82 { 83 $loadstyle = "def='1'"; 84 } 85 86 // Load basic theme information that we could be needing. 87 if($loadstyle != "def='1'") 88 { 89 $query = $db->simple_select('themes', 'name, tid, properties, allowedgroups', $loadstyle, array('limit' => 1)); 90 $theme = $db->fetch_array($query); 91 92 if($theme && !is_member($theme['allowedgroups']) && $theme['allowedgroups'] != 'all') 93 { 94 if(isset($mybb->cookies['mybbtheme'])) 95 { 96 my_unsetcookie('mybbtheme'); 97 } 98 99 $loadstyle = "def='1'"; 100 } 101 } 102 103 if($loadstyle == "def='1'") 104 { 105 if(!$cache->read('default_theme')) 106 { 107 $cache->update_default_theme(); 108 } 109 110 $theme = $cache->read('default_theme'); 111 } 112 113 // No theme was found - we attempt to load the master or any other theme 114 if(!isset($theme['tid']) || isset($theme['tid']) && !$theme['tid']) 115 { 116 // Missing theme was from a user, run a query to set any users using the theme to the default 117 $db->update_query('users', array('style' => 0), "style = '{$mybb->user['style']}'"); 118 119 // Attempt to load the master or any other theme if the master is not available 120 $query = $db->simple_select('themes', 'name, tid, properties, stylesheets', '', array('order_by' => 'tid', 'limit' => 1)); 121 $theme = $db->fetch_array($query); 122 } 123 $theme = @array_merge($theme, my_unserialize($theme['properties'])); 124 125 // Set the appropriate image language directory for this theme. 126 // Are we linking to a remote theme server? 127 if(my_validate_url($theme['imgdir'])) 128 { 129 // If a language directory for the current language exists within the theme - we use it 130 if(!empty($mybb->user['language'])) 131 { 132 $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language']; 133 } 134 else 135 { 136 // Check if a custom language directory exists for this theme 137 if(!empty($mybb->settings['bblanguage'])) 138 { 139 $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage']; 140 } 141 // Otherwise, the image language directory is the same as the language directory for the theme 142 else 143 { 144 $theme['imglangdir'] = $theme['imgdir']; 145 } 146 } 147 } 148 else 149 { 150 $img_directory = $theme['imgdir']; 151 152 if($mybb->settings['usecdn'] && !empty($mybb->settings['cdnpath'])) 153 { 154 $img_directory = rtrim($mybb->settings['cdnpath'], '/') . '/' . ltrim($theme['imgdir'], '/'); 155 } 156 157 if(!@is_dir($img_directory)) 158 { 159 $theme['imgdir'] = 'images'; 160 } 161 162 // If a language directory for the current language exists within the theme - we use it 163 if(!empty($mybb->user['language']) && is_dir($img_directory.'/'.$mybb->user['language'])) 164 { 165 $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language']; 166 } 167 else 168 { 169 // Check if a custom language directory exists for this theme 170 if(is_dir($img_directory.'/'.$mybb->settings['bblanguage'])) 171 { 172 $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage']; 173 } 174 // Otherwise, the image language directory is the same as the language directory for the theme 175 else 176 { 177 $theme['imglangdir'] = $theme['imgdir']; 178 } 179 } 180 181 $theme['imgdir'] = $mybb->get_asset_url($theme['imgdir']); 182 $theme['imglangdir'] = $mybb->get_asset_url($theme['imglangdir']); 183 } 184 185 $templatelist = "postbit_editedby,xmlhttp_buddyselect_online,xmlhttp_buddyselect_offline,xmlhttp_buddyselect"; 186 $templates->cache($db->escape_string($templatelist)); 187 188 if($lang->settings['charset']) 189 { 190 $charset = $lang->settings['charset']; 191 } 192 // If not, revert to UTF-8 193 else 194 { 195 $charset = "UTF-8"; 196 } 197 198 $lang->load("global"); 199 $lang->load("xmlhttp"); 200 201 $closed_bypass = array("refresh_captcha", "validate_captcha"); 202 203 $mybb->input['action'] = $mybb->get_input('action'); 204 205 $plugins->run_hooks("xmlhttp"); 206 207 // If the board is closed, the user is not an administrator and they're not trying to login, show the board closed message 208 if($mybb->settings['boardclosed'] == 1 && $mybb->usergroup['canviewboardclosed'] != 1 && !in_array($mybb->input['action'], $closed_bypass)) 209 { 210 // Show error 211 if(!$mybb->settings['boardclosed_reason']) 212 { 213 $mybb->settings['boardclosed_reason'] = $lang->boardclosed_reason; 214 } 215 216 $lang->error_boardclosed .= "<br /><em>{$mybb->settings['boardclosed_reason']}</em>"; 217 218 xmlhttp_error($lang->error_boardclosed); 219 } 220 221 // Fetch a list of usernames beginning with a certain string (used for auto completion) 222 if($mybb->input['action'] == "get_users") 223 { 224 $mybb->input['query'] = ltrim($mybb->get_input('query')); 225 $search_type = $mybb->get_input('search_type', MyBB::INPUT_INT); // 0: starts with, 1: ends with, 2: contains 226 227 // If the string is less than 2 characters, quit. 228 if(my_strlen($mybb->input['query']) < 2) 229 { 230 exit; 231 } 232 233 if($mybb->get_input('getone', MyBB::INPUT_INT) == 1) 234 { 235 $limit = 1; 236 } 237 else 238 { 239 $limit = 15; 240 } 241 242 // Send our headers. 243 header("Content-type: application/json; charset={$charset}"); 244 245 // Query for any matching users. 246 $query_options = array( 247 "order_by" => "username", 248 "order_dir" => "asc", 249 "limit_start" => 0, 250 "limit" => $limit 251 ); 252 253 $plugins->run_hooks("xmlhttp_get_users_start"); 254 255 $likestring = $db->escape_string_like($mybb->input['query']); 256 if($search_type == 1) 257 { 258 $likestring = '%'.$likestring; 259 } 260 elseif($search_type == 2) 261 { 262 $likestring = '%'.$likestring.'%'; 263 } 264 else 265 { 266 $likestring .= '%'; 267 } 268 269 $query = $db->simple_select("users", "uid, username", "username LIKE '{$likestring}'", $query_options); 270 if($limit == 1) 271 { 272 $user = $db->fetch_array($query); 273 $data = array('uid' => $user['uid'], 'id' => $user['username'], 'text' => $user['username']); 274 } 275 else 276 { 277 $data = array(); 278 while($user = $db->fetch_array($query)) 279 { 280 $data[] = array('uid' => $user['uid'], 'id' => $user['username'], 'text' => $user['username']); 281 } 282 } 283 284 $plugins->run_hooks("xmlhttp_get_users_end"); 285 286 echo json_encode($data); 287 exit; 288 } 289 // This action provides editing of thread/post subjects from within their respective list pages. 290 else if($mybb->input['action'] == "edit_subject" && $mybb->request_method == "post") 291 { 292 // Verify POST request 293 if(!verify_post_check($mybb->get_input('my_post_key'), true)) 294 { 295 xmlhttp_error($lang->invalid_post_code); 296 } 297 298 // We're editing a thread subject. 299 if($mybb->get_input('tid', MyBB::INPUT_INT)) 300 { 301 // Fetch the thread. 302 $thread = get_thread($mybb->get_input('tid', MyBB::INPUT_INT)); 303 if(!$thread) 304 { 305 xmlhttp_error($lang->thread_doesnt_exist); 306 } 307 308 // Fetch some of the information from the first post of this thread. 309 $query_options = array( 310 "order_by" => "dateline, pid", 311 ); 312 $query = $db->simple_select("posts", "pid,uid,dateline", "tid='".$thread['tid']."'", $query_options); 313 $post = $db->fetch_array($query); 314 } 315 else 316 { 317 exit; 318 } 319 320 // Fetch the specific forum this thread/post is in. 321 $forum = get_forum($thread['fid']); 322 323 // Missing thread, invalid forum? Error. 324 if(!$forum || $forum['type'] != "f") 325 { 326 xmlhttp_error($lang->thread_doesnt_exist); 327 } 328 329 // Fetch forum permissions. 330 $forumpermissions = forum_permissions($forum['fid']); 331 332 $plugins->run_hooks("xmlhttp_edit_subject_start"); 333 334 // If this user is not a moderator with "caneditposts" permissions. 335 if(!is_moderator($forum['fid'], "caneditposts")) 336 { 337 // Thread is closed - no editing allowed. 338 if($thread['closed'] == 1) 339 { 340 xmlhttp_error($lang->thread_closed_edit_subjects); 341 } 342 // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing. 343 else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0) 344 { 345 xmlhttp_error($lang->no_permission_edit_subject); 346 } 347 // If we're past the edit time limit - don't allow editing. 348 else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60))) 349 { 350 $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']); 351 xmlhttp_error($lang->edit_time_limit); 352 } 353 $ismod = false; 354 } 355 else 356 { 357 $ismod = true; 358 } 359 $subject = $mybb->get_input('value'); 360 if(my_strtolower($charset) != "utf-8") 361 { 362 if(function_exists("iconv")) 363 { 364 $subject = iconv($charset, "UTF-8//IGNORE", $subject); 365 } 366 else if(function_exists("mb_convert_encoding")) 367 { 368 $subject = @mb_convert_encoding($subject, $charset, "UTF-8"); 369 } 370 else if(my_strtolower($charset) == "iso-8859-1") 371 { 372 $subject = utf8_decode($subject); 373 } 374 } 375 376 // Only edit subject if subject has actually been changed 377 if($thread['subject'] != $subject) 378 { 379 // Set up posthandler. 380 require_once MYBB_ROOT."inc/datahandlers/post.php"; 381 $posthandler = new PostDataHandler("update"); 382 $posthandler->action = "post"; 383 384 // Set the post data that came from the input to the $post array. 385 $updatepost = array( 386 "pid" => $post['pid'], 387 "tid" => $thread['tid'], 388 "fid" => $forum['fid'], 389 "prefix" => $thread['prefix'], 390 "subject" => $subject, 391 "edit_uid" => $mybb->user['uid'] 392 ); 393 $posthandler->set_data($updatepost); 394 395 // Now let the post handler do all the hard work. 396 if(!$posthandler->validate_post()) 397 { 398 $post_errors = $posthandler->get_friendly_errors(); 399 xmlhttp_error($post_errors); 400 } 401 // No errors were found, we can call the update method. 402 else 403 { 404 $posthandler->update_post(); 405 if($ismod == true) 406 { 407 $modlogdata = array( 408 "tid" => $thread['tid'], 409 "fid" => $forum['fid'] 410 ); 411 log_moderator_action($modlogdata, $lang->edited_post); 412 } 413 } 414 } 415 416 require_once MYBB_ROOT."inc/class_parser.php"; 417 $parser = new postParser; 418 419 // Send our headers. 420 header("Content-type: application/json; charset={$charset}"); 421 422 $plugins->run_hooks("xmlhttp_edit_subject_end"); 423 424 $mybb->input['value'] = $parser->parse_badwords($mybb->get_input('value')); 425 426 // Spit the subject back to the browser. 427 $subject = substr($mybb->input['value'], 0, 120); // 120 is the varchar length for the subject column 428 echo json_encode(array("subject" => '<a href="'.get_thread_link($thread['tid']).'">'.htmlspecialchars_uni($subject).'</a>')); 429 430 // Close the connection. 431 exit; 432 } 433 else if($mybb->input['action'] == "edit_post") 434 { 435 // Fetch the post from the database. 436 $post = get_post($mybb->get_input('pid', MyBB::INPUT_INT)); 437 438 // No result, die. 439 if(!$post || $post['visible'] == -1) 440 { 441 xmlhttp_error($lang->post_doesnt_exist); 442 } 443 444 // Fetch the thread associated with this post. 445 $thread = get_thread($post['tid']); 446 447 // Fetch the specific forum this thread/post is in. 448 $forum = get_forum($thread['fid']); 449 450 // Missing thread, invalid forum? Error. 451 if(!$thread || !$forum || $forum['type'] != "f") 452 { 453 xmlhttp_error($lang->thread_doesnt_exist); 454 } 455 456 // Check if this forum is password protected and we have a valid password 457 if(check_forum_password($forum['fid'], 0, true)) 458 { 459 xmlhttp_error($lang->wrong_forum_password); 460 } 461 462 // Fetch forum permissions. 463 $forumpermissions = forum_permissions($forum['fid']); 464 465 $plugins->run_hooks("xmlhttp_edit_post_start"); 466 467 // If this user is not a moderator with "caneditposts" permissions. 468 if(!is_moderator($forum['fid'], "caneditposts")) 469 { 470 // Thread is closed - no editing allowed. 471 if($thread['closed'] == 1) 472 { 473 xmlhttp_error($lang->thread_closed_edit_message); 474 } 475 // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing. 476 else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0 || $mybb->user['suspendposting'] == 1) 477 { 478 xmlhttp_error($lang->no_permission_edit_post); 479 } 480 // If we're past the edit time limit - don't allow editing. 481 else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60))) 482 { 483 $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']); 484 xmlhttp_error($lang->edit_time_limit); 485 } 486 // User can't edit unapproved post unless permitted for own 487 if($post['visible'] == 0 && !($mybb->settings['showownunapproved'] && $post['uid'] == $mybb->user['uid'])) 488 { 489 xmlhttp_error($lang->post_moderation); 490 } 491 } 492 493 $plugins->run_hooks("xmlhttp_edit_post_end"); 494 495 if($mybb->get_input('do') == "get_post") 496 { 497 // Send our headers. 498 header("Content-type: application/json; charset={$charset}"); 499 500 // Send the contents of the post. 501 echo json_encode($post['message']); 502 exit; 503 } 504 else if($mybb->get_input('do') == "update_post") 505 { 506 // Verify POST request 507 if(!verify_post_check($mybb->get_input('my_post_key'), true)) 508 { 509 xmlhttp_error($lang->invalid_post_code); 510 } 511 512 $message = $mybb->get_input('value'); 513 $editreason = $mybb->get_input('editreason'); 514 if(my_strtolower($charset) != "utf-8") 515 { 516 if(function_exists("iconv")) 517 { 518 $message = iconv($charset, "UTF-8//IGNORE", $message); 519 $editreason = iconv($charset, "UTF-8//IGNORE", $editreason); 520 } 521 else if(function_exists("mb_convert_encoding")) 522 { 523 $message = @mb_convert_encoding($message, $charset, "UTF-8"); 524 $editreason = @mb_convert_encoding($editreason, $charset, "UTF-8"); 525 } 526 else if(my_strtolower($charset) == "iso-8859-1") 527 { 528 $message = utf8_decode($message); 529 $editreason = utf8_decode($editreason); 530 } 531 } 532 533 // Set up posthandler. 534 require_once MYBB_ROOT."inc/datahandlers/post.php"; 535 $posthandler = new PostDataHandler("update"); 536 $posthandler->action = "post"; 537 538 // Set the post data that came from the input to the $post array. 539 $updatepost = array( 540 "pid" => $post['pid'], 541 "message" => $message, 542 "editreason" => $editreason, 543 "edit_uid" => $mybb->user['uid'] 544 ); 545 546 // If this is the first post set the prefix. If a forum requires a prefix the quick edit would throw an error otherwise 547 if($post['pid'] == $thread['firstpost']) 548 { 549 $updatepost['prefix'] = $thread['prefix']; 550 } 551 552 $posthandler->set_data($updatepost); 553 554 // Now let the post handler do all the hard work. 555 if(!$posthandler->validate_post()) 556 { 557 $post_errors = $posthandler->get_friendly_errors(); 558 xmlhttp_error($post_errors); 559 } 560 // No errors were found, we can call the update method. 561 else 562 { 563 $postinfo = $posthandler->update_post(); 564 $visible = $postinfo['visible']; 565 if($visible == 0 && !is_moderator($post['fid'], "canviewunapprove")) 566 { 567 // Is it the first post? 568 if($thread['firstpost'] == $post['pid']) 569 { 570 echo json_encode(array("moderation_thread" => $lang->thread_moderation, 'url' => $mybb->settings['bburl'].'/'.get_forum_link($thread['fid']), "message" => $post['message'])); 571 exit; 572 } 573 else 574 { 575 echo json_encode(array("moderation_post" => $lang->post_moderation, 'url' => $mybb->settings['bburl'].'/'.get_thread_link($thread['tid']), "message" => $post['message'])); 576 exit; 577 } 578 } 579 } 580 581 require_once MYBB_ROOT."inc/class_parser.php"; 582 $parser = new postParser; 583 584 $parser_options = array( 585 "allow_html" => $forum['allowhtml'], 586 "allow_mycode" => $forum['allowmycode'], 587 "allow_smilies" => $forum['allowsmilies'], 588 "allow_imgcode" => $forum['allowimgcode'], 589 "allow_videocode" => $forum['allowvideocode'], 590 "me_username" => $post['username'], 591 "filter_badwords" => 1 592 ); 593 594 $post['username'] = htmlspecialchars_uni($post['username']); 595 596 if($post['smilieoff'] == 1) 597 { 598 $parser_options['allow_smilies'] = 0; 599 } 600 601 if($mybb->user['uid'] != 0 && $mybb->user['showimages'] != 1 || $mybb->settings['guestimages'] != 1 && $mybb->user['uid'] == 0) 602 { 603 $parser_options['allow_imgcode'] = 0; 604 } 605 606 if($mybb->user['uid'] != 0 && $mybb->user['showvideos'] != 1 || $mybb->settings['guestvideos'] != 1 && $mybb->user['uid'] == 0) 607 { 608 $parser_options['allow_videocode'] = 0; 609 } 610 611 $post['message'] = $parser->parse_message($message, $parser_options); 612 613 // Now lets fetch all of the attachments for these posts. 614 if($mybb->settings['enableattachments'] != 0) 615 { 616 $query = $db->simple_select("attachments", "*", "pid='{$post['pid']}'"); 617 while($attachment = $db->fetch_array($query)) 618 { 619 $attachcache[$attachment['pid']][$attachment['aid']] = $attachment; 620 } 621 622 require_once MYBB_ROOT."inc/functions_post.php"; 623 624 get_post_attachments($post['pid'], $post); 625 } 626 627 // Figure out if we need to show an "edited by" message 628 // Only show if at least one of "showeditedby" or "showeditedbyadmin" is enabled 629 if($mybb->settings['showeditedby'] != 0 && $mybb->settings['showeditedbyadmin'] != 0) 630 { 631 $post['editdate'] = my_date('relative', TIME_NOW); 632 $post['editnote'] = $lang->sprintf($lang->postbit_edited, $post['editdate']); 633 $mybb->user['username'] = htmlspecialchars_uni($mybb->user['username']); 634 $post['editedprofilelink'] = build_profile_link($mybb->user['username'], $mybb->user['uid']); 635 $post['editreason'] = trim($editreason); 636 $editreason = ""; 637 if($post['editreason'] != "") 638 { 639 $post['editreason'] = $parser->parse_badwords($post['editreason']); 640 $post['editreason'] = htmlspecialchars_uni($post['editreason']); 641 eval("\$editreason = \"".$templates->get("postbit_editedby_editreason")."\";"); 642 } 643 eval("\$editedmsg = \"".$templates->get("postbit_editedby")."\";"); 644 } 645 646 // Send our headers. 647 header("Content-type: application/json; charset={$charset}"); 648 649 $editedmsg_response = null; 650 if(!empty($editedmsg)) 651 { 652 $editedmsg_response = str_replace(array("\r", "\n"), "", $editedmsg); 653 } 654 655 $plugins->run_hooks("xmlhttp_update_post"); 656 657 echo json_encode(array("message" => $post['message']."\n", "editedmsg" => $editedmsg_response)); 658 exit; 659 } 660 } 661 // Fetch the list of multiquoted posts which are not in a specific thread 662 else if($mybb->input['action'] == "get_multiquoted") 663 { 664 // If the cookie does not exist, exit 665 if(!array_key_exists("multiquote", $mybb->cookies)) 666 { 667 exit; 668 } 669 // Divide up the cookie using our delimeter 670 $multiquoted = explode("|", $mybb->cookies['multiquote']); 671 672 $plugins->run_hooks("xmlhttp_get_multiquoted_start"); 673 674 // No values - exit 675 if(!is_array($multiquoted)) 676 { 677 exit; 678 } 679 680 // Loop through each post ID and sanitize it before querying 681 foreach($multiquoted as $post) 682 { 683 $quoted_posts[$post] = (int)$post; 684 } 685 686 // Join the post IDs back together 687 $quoted_posts = implode(",", $quoted_posts); 688 689 // Fetch unviewable forums 690 $unviewable_forums = get_unviewable_forums(); 691 $inactiveforums = get_inactive_forums(); 692 if($unviewable_forums) 693 { 694 $unviewable_forums = "AND t.fid NOT IN ({$unviewable_forums})"; 695 } 696 if($inactiveforums) 697 { 698 $inactiveforums = "AND t.fid NOT IN ({$inactiveforums})"; 699 } 700 701 // Check group permissions if we can't view threads not started by us 702 $group_permissions = forum_permissions(); 703 $onlyusfids = array(); 704 foreach($group_permissions as $gpfid => $forum_permissions) 705 { 706 if(isset($forum_permissions['canonlyviewownthreads']) && $forum_permissions['canonlyviewownthreads'] == 1) 707 { 708 $onlyusfids[] = $gpfid; 709 } 710 } 711 712 $message = ''; 713 714 // Are we loading all quoted posts or only those not in the current thread? 715 if(empty($mybb->input['load_all'])) 716 { 717 $from_tid = "p.tid != '".$mybb->get_input('tid', MyBB::INPUT_INT)."' AND "; 718 } 719 else 720 { 721 $from_tid = ''; 722 } 723 724 require_once MYBB_ROOT."inc/class_parser.php"; 725 $parser = new postParser; 726 727 require_once MYBB_ROOT."inc/functions_posting.php"; 728 729 $plugins->run_hooks("xmlhttp_get_multiquoted_intermediate"); 730 731 // Query for any posts in the list which are not within the specified thread 732 $query = $db->query(" 733 SELECT p.subject, p.message, p.pid, p.tid, p.username, p.dateline, t.fid, t.uid AS thread_uid, p.visible, u.username AS userusername 734 FROM ".TABLE_PREFIX."posts p 735 LEFT JOIN ".TABLE_PREFIX."threads t ON (t.tid=p.tid) 736 LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=p.uid) 737 WHERE {$from_tid}p.pid IN ({$quoted_posts}) {$unviewable_forums} {$inactiveforums} 738 ORDER BY p.dateline, p.pid 739 "); 740 while($quoted_post = $db->fetch_array($query)) 741 { 742 if( 743 (!is_moderator($quoted_post['fid'], "canviewunapprove") && $quoted_post['visible'] == 0) || 744 (!is_moderator($quoted_post['fid'], "canviewdeleted") && $quoted_post['visible'] == -1) || 745 (in_array($quoted_post['fid'], $onlyusfids) && (!$mybb->user['uid'] || $quoted_post['thread_uid'] != $mybb->user['uid'])) 746 ) 747 { 748 // Allow quoting from own unapproved post 749 if($quoted_post['visible'] == 0 && !($mybb->settings['showownunapproved'] && $quoted_post['uid'] == $mybb->user['uid'])) 750 { 751 continue; 752 } 753 } 754 755 $message .= parse_quoted_message($quoted_post, false); 756 } 757 if($mybb->settings['maxquotedepth'] != '0') 758 { 759 $message = remove_message_quotes($message); 760 } 761 762 // Send our headers. 763 header("Content-type: application/json; charset={$charset}"); 764 765 $plugins->run_hooks("xmlhttp_get_multiquoted_end"); 766 767 echo json_encode(array("message" => $message)); 768 exit; 769 } 770 else if($mybb->input['action'] == "refresh_captcha") 771 { 772 $imagehash = $db->escape_string($mybb->get_input('imagehash')); 773 $query = $db->simple_select("captcha", "dateline", "imagehash='$imagehash'"); 774 if($db->num_rows($query) == 0) 775 { 776 xmlhttp_error($lang->captcha_not_exists); 777 } 778 $db->delete_query("captcha", "imagehash='$imagehash'"); 779 $randomstr = random_str(5); 780 $imagehash = md5(random_str(12)); 781 $regimagearray = array( 782 "imagehash" => $imagehash, 783 "imagestring" => $randomstr, 784 "dateline" => TIME_NOW 785 ); 786 787 $plugins->run_hooks("xmlhttp_refresh_captcha"); 788 789 $db->insert_query("captcha", $regimagearray); 790 header("Content-type: application/json; charset={$charset}"); 791 echo json_encode(array("imagehash" => $imagehash)); 792 exit; 793 } 794 else if($mybb->input['action'] == "validate_captcha") 795 { 796 header("Content-type: application/json; charset={$charset}"); 797 $imagehash = $db->escape_string($mybb->get_input('imagehash')); 798 $query = $db->simple_select("captcha", "imagestring", "imagehash='$imagehash'"); 799 if($db->num_rows($query) == 0) 800 { 801 echo json_encode($lang->captcha_valid_not_exists); 802 exit; 803 } 804 $imagestring = $db->fetch_field($query, 'imagestring'); 805 806 $plugins->run_hooks("xmlhttp_validate_captcha"); 807 808 if(my_strtolower($imagestring) == my_strtolower($mybb->get_input('imagestring'))) 809 { 810 //echo json_encode(array("success" => $lang->captcha_matches)); 811 echo json_encode("true"); 812 exit; 813 } 814 else 815 { 816 echo json_encode($lang->captcha_does_not_match); 817 exit; 818 } 819 } 820 else if($mybb->input['action'] == "refresh_question" && $mybb->settings['securityquestion']) 821 { 822 header("Content-type: application/json; charset={$charset}"); 823 824 $sid = $db->escape_string($mybb->get_input('question_id')); 825 $query = $db->query(" 826 SELECT q.qid, s.sid 827 FROM ".TABLE_PREFIX."questionsessions s 828 LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid) 829 WHERE q.active='1' AND s.sid='{$sid}' 830 "); 831 832 if($db->num_rows($query) == 0) 833 { 834 xmlhttp_error($lang->answer_valid_not_exists); 835 } 836 837 $qsession = $db->fetch_array($query); 838 839 // Delete previous question session 840 $db->delete_query("questionsessions", "sid='$sid'"); 841 842 require_once MYBB_ROOT."inc/functions_user.php"; 843 844 $sid = generate_question($qsession['qid']); 845 $query = $db->query(" 846 SELECT q.question, s.sid 847 FROM ".TABLE_PREFIX."questionsessions s 848 LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid) 849 WHERE q.active='1' AND s.sid='{$sid}' AND q.qid!='{$qsession['qid']}' 850 "); 851 852 $plugins->run_hooks("xmlhttp_refresh_question"); 853 854 require_once MYBB_ROOT."inc/class_parser.php"; 855 $parser = new postParser; 856 857 $parser_options = array( 858 "allow_html" => 0, 859 "allow_mycode" => 1, 860 "allow_smilies" => 1, 861 "allow_imgcode" => 1, 862 "allow_videocode" => 1, 863 "filter_badwords" => 1, 864 "me_username" => 0, 865 "shorten_urls" => 0, 866 "highlight" => 0, 867 ); 868 869 if($db->num_rows($query) > 0) 870 { 871 $question = $db->fetch_array($query); 872 873 echo json_encode(array("question" => $parser->parse_message($question['question'], $parser_options), 'sid' => htmlspecialchars_uni($question['sid']))); 874 exit; 875 } 876 else 877 { 878 xmlhttp_error($lang->answer_valid_not_exists); 879 } 880 } 881 elseif($mybb->input['action'] == "validate_question" && $mybb->settings['securityquestion']) 882 { 883 header("Content-type: application/json; charset={$charset}"); 884 $sid = $db->escape_string($mybb->get_input('question')); 885 $answer = $db->escape_string($mybb->get_input('answer')); 886 887 $query = $db->query(" 888 SELECT q.*, s.sid 889 FROM ".TABLE_PREFIX."questionsessions s 890 LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid) 891 WHERE q.active='1' AND s.sid='{$sid}' 892 "); 893 894 if($db->num_rows($query) == 0) 895 { 896 echo json_encode($lang->answer_valid_not_exists); 897 exit; 898 } 899 else 900 { 901 $question = $db->fetch_array($query); 902 $valid_answers = preg_split("/\r\n|\n|\r/", $question['answer']); 903 $validated = 0; 904 905 foreach($valid_answers as $answers) 906 { 907 if(my_strtolower($answers) == my_strtolower($answer)) 908 { 909 $validated = 1; 910 } 911 } 912 913 $plugins->run_hooks("xmlhttp_validate_question"); 914 915 if($validated != 1) 916 { 917 echo json_encode($lang->answer_does_not_match); 918 exit; 919 } 920 else 921 { 922 echo json_encode("true"); 923 exit; 924 } 925 } 926 927 exit; 928 } 929 else if($mybb->input['action'] == "complex_password") 930 { 931 $password = trim($mybb->get_input('password')); 932 $password = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $password); 933 934 header("Content-type: application/json; charset={$charset}"); 935 936 $plugins->run_hooks("xmlhttp_complex_password"); 937 938 if(!preg_match("/^.*(?=.{".$mybb->settings['minpasswordlength'].",})(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$/", $password)) 939 { 940 echo json_encode($lang->complex_password_fails); 941 } 942 else 943 { 944 // Return nothing but an OK password if passes regex 945 echo json_encode("true"); 946 } 947 948 exit; 949 } 950 else if($mybb->input['action'] == "username_availability") 951 { 952 if(!verify_post_check($mybb->get_input('my_post_key'), true)) 953 { 954 xmlhttp_error($lang->invalid_post_code); 955 } 956 957 require_once MYBB_ROOT."inc/functions_user.php"; 958 $username = $mybb->get_input('username'); 959 960 // Fix bad characters 961 $username = trim_blank_chrs($username); 962 $username = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $username); 963 964 // Remove multiple spaces from the username 965 $username = preg_replace("#\s{2,}#", " ", $username); 966 967 header("Content-type: application/json; charset={$charset}"); 968 969 if(empty($username)) 970 { 971 echo json_encode($lang->banned_characters_username); 972 exit; 973 } 974 975 // Check if the username belongs to the list of banned usernames. 976 $banned_username = is_banned_username($username, true); 977 if($banned_username) 978 { 979 echo json_encode($lang->banned_username); 980 exit; 981 } 982 983 // Check for certain characters in username (<, >, &, and slashes) 984 if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false)) 985 { 986 echo json_encode($lang->banned_characters_username); 987 exit; 988 } 989 990 // Check if the username is actually already in use 991 $user = get_user_by_username($username); 992 993 $plugins->run_hooks("xmlhttp_username_availability"); 994 995 if($user) 996 { 997 $lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username)); 998 echo json_encode($lang->username_taken); 999 exit; 1000 } 1001 else 1002 { 1003 //$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username)); 1004 echo json_encode("true"); 1005 exit; 1006 } 1007 } 1008 else if($mybb->input['action'] == "email_availability") 1009 { 1010 if(!verify_post_check($mybb->get_input('my_post_key'), true)) 1011 { 1012 xmlhttp_error($lang->invalid_post_code); 1013 } 1014 1015 require_once MYBB_ROOT."inc/datahandlers/user.php"; 1016 $userhandler = new UserDataHandler("insert"); 1017 1018 $email = $mybb->get_input('email'); 1019 1020 header("Content-type: application/json; charset={$charset}"); 1021 1022 $user = array( 1023 'email' => $email 1024 ); 1025 1026 $userhandler->set_data($user); 1027 1028 $errors = array(); 1029 1030 if(!$userhandler->verify_email()) 1031 { 1032 $errors = $userhandler->get_friendly_errors(); 1033 } 1034 1035 $plugins->run_hooks("xmlhttp_email_availability"); 1036 1037 if(!empty($errors)) 1038 { 1039 echo json_encode($errors[0]); 1040 exit; 1041 } 1042 else 1043 { 1044 echo json_encode("true"); 1045 exit; 1046 } 1047 } 1048 else if($mybb->input['action'] == "get_buddyselect") 1049 { 1050 // Send our headers. 1051 header("Content-type: text/plain; charset={$charset}"); 1052 1053 if($mybb->user['buddylist'] != "") 1054 { 1055 $query_options = array( 1056 "order_by" => "username", 1057 "order_dir" => "asc" 1058 ); 1059 1060 $plugins->run_hooks("xmlhttp_get_buddyselect_start"); 1061 1062 $timecut = TIME_NOW - $mybb->settings['wolcutoff']; 1063 $query = $db->simple_select("users", "uid, username, usergroup, displaygroup, lastactive, lastvisit, invisible", "uid IN ({$mybb->user['buddylist']})", $query_options); 1064 $online = array(); 1065 $offline = array(); 1066 while($buddy = $db->fetch_array($query)) 1067 { 1068 $buddy['username'] = htmlspecialchars_uni($buddy['username']); 1069 $buddy_name = format_name($buddy['username'], $buddy['usergroup'], $buddy['displaygroup']); 1070 $profile_link = build_profile_link($buddy_name, $buddy['uid'], '_blank'); 1071 if($buddy['lastactive'] > $timecut && ($buddy['invisible'] == 0 || $mybb->user['usergroup'] == 4) && $buddy['lastvisit'] != $buddy['lastactive']) 1072 { 1073 eval("\$online[] = \"".$templates->get("xmlhttp_buddyselect_online")."\";"); 1074 } 1075 else 1076 { 1077 eval("\$offline[] = \"".$templates->get("xmlhttp_buddyselect_offline")."\";"); 1078 } 1079 } 1080 $online = implode("", $online); 1081 $offline = implode("", $offline); 1082 1083 $plugins->run_hooks("xmlhttp_get_buddyselect_end"); 1084 1085 eval("\$buddy_select = \"".$templates->get("xmlhttp_buddyselect")."\";"); 1086 echo $buddy_select; 1087 } 1088 else 1089 { 1090 xmlhttp_error($lang->buddylist_error); 1091 } 1092 } 1093 else if($mybb->input['action'] == 'get_referrals') 1094 { 1095 $lang->load('member'); 1096 $uid = $mybb->get_input('uid', MYBB::INPUT_INT); 1097 1098 if (!$uid) { 1099 xmlhttp_error($lang->referrals_no_user_specified); 1100 } 1101 1102 $referrals = get_user_referrals($uid); 1103 1104 if (empty($referrals)) { 1105 eval("\$referral_rows = \"".$templates->get('member_no_referrals')."\";"); 1106 } else { 1107 foreach($referrals as $referral) 1108 { 1109 $bg_color = alt_trow(); 1110 // Format user name link 1111 $username = htmlspecialchars_uni($referral['username']); 1112 $username = format_name($username, $referral['usergroup'], $referral['displaygroup']); 1113 $username = build_profile_link($username, $referral['uid']); 1114 1115 $regdate = my_date('normal', $referral['regdate']); 1116 1117 eval("\$referral_rows .= \"".$templates->get('member_referral_row')."\";"); 1118 } 1119 } 1120 1121 $plugins->run_hooks('xmlhttp_referrals_end'); 1122 1123 eval("\$referrals = \"".$templates->get('member_referrals_popup', 1, 0)."\";"); 1124 1125 // Send our headers and output. 1126 header("Content-type: text/plain; charset={$charset}"); 1127 echo $referrals; 1128 } 1129 1130 /** 1131 * Spits an XML Http based error message back to the browser 1132 * 1133 * @param string $message The message to send back. 1134 */ 1135 function xmlhttp_error($message) 1136 { 1137 global $charset; 1138 1139 // Send our headers. 1140 header("Content-type: application/json; charset={$charset}"); 1141 1142 // Do we have an array of messages? 1143 if(is_array($message)) 1144 { 1145 $response = array(); 1146 foreach($message as $error) 1147 { 1148 $response[] = $error; 1149 } 1150 1151 // Send the error messages. 1152 echo json_encode(array("errors" => array($response))); 1153 1154 exit; 1155 } 1156 1157 // Just a single error? Send it along. 1158 echo json_encode(array("errors" => array($message))); 1159 1160 exit; 1161 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| 2005 - 2021 © MyBB.de | Alle Rechte vorbehalten! | Sponsor: netcup | Cross-referenced by PHPXref |