
   1  <?php
   2  /**
   3   * MyBB 1.8
   4   * Copyright 2014 MyBB Group, All Rights Reserved
   5   *
   6   * Website: http://www.mybb.com
   7   * License: http://www.mybb.com/about/license
   8   *
   9   */
  10  
  11  /**
  12   * The deal with this file is that it handles all of the XML HTTP Requests for MyBB.
  13   *
  14   * It contains a stripped down version of the MyBB core which does not load things
  15   * such as themes, who's online data, all of the language packs and more.
  16   *
  17   * This is done to make response times when using XML HTTP Requests faster and
  18   * less intense on the server.
  19   */
  20  
// Entry-point guard constant; defined before any core file is included.
define("IN_MYBB", 1);

// We don't want visits here showing up on the Who's Online
define("NO_ONLINE", 1);

// Name of the running script, for the core/plugins to branch on.
define('THIS_SCRIPT', 'xmlhttp.php');

// Load MyBB core files (this is where $mybb, $db, $cache, $lang, $plugins etc. come from — see inc/init.php)
require_once dirname(__FILE__)."/inc/init.php";

// Deferred work collected during the request; both start empty here.
$shutdown_queries = $shutdown_functions = array();

// Load some of the stock caches we'll be using.
$groupscache = $cache->read("usergroups");

// A missing/corrupt usergroups cache is rebuilt once and re-read rather than used as-is.
if(!is_array($groupscache))
{
    $cache->update_usergroups();
    $groupscache = $cache->read("usergroups");
}
  41  
  42  // Send no cache headers
  43  header("Expires: Sat, 1 Jan 2000 01:00:00 GMT");
  44  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  45  header("Cache-Control: no-cache, must-revalidate");
  46  header("Pragma: no-cache");
  47  
  48  // Create the session
  49  require_once  MYBB_ROOT."inc/class_session.php";
  50  $session = new session;
  51  $session->init();
  52  
  53  // Load the language we'll be using
  54  if(!isset($mybb->settings['bblanguage']))
  55  {
  56      $mybb->settings['bblanguage'] = "english";
  57  }
  58  if(isset($mybb->user['language']) && $lang->language_exists($mybb->user['language']))
  59  {
  60      $mybb->settings['bblanguage'] = $mybb->user['language'];
  61  }
  62  $lang->set_language($mybb->settings['bblanguage']);
  63  
  64  if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
  65  {
  66      @mb_internal_encoding($lang->settings['charset']);
  67  }
  68  
  69  // Load the theme
  70  // 1. Check cookies
  71  if(!$mybb->user['uid'] && !empty($mybb->cookies['mybbtheme']))
  72  {
  73      $mybb->user['style'] = (int)$mybb->cookies['mybbtheme'];
  74  }
  75  
  76  // 2. Load style
  77  if(isset($mybb->user['style']) && (int)$mybb->user['style'] != 0)
  78  {
  79      $loadstyle = "tid='".(int)$mybb->user['style']."'";
  80  }
  81  else
  82  {
  83      $loadstyle = "def='1'";
  84  }
  85  
  86  // Load basic theme information that we could be needing.
  87  if($loadstyle != "def='1'")
  88  {
  89      $query = $db->simple_select('themes', 'name, tid, properties, allowedgroups', $loadstyle, array('limit' => 1));
  90      $theme = $db->fetch_array($query);
  91  
  92      if(isset($theme['tid']) && !is_member($theme['allowedgroups']) && $theme['allowedgroups'] != 'all')
  93      {
  94          if(isset($mybb->cookies['mybbtheme']))
  95          {
  96              my_unsetcookie('mybbtheme');
  97          }
  98  
  99          $loadstyle = "def='1'";
 100      }
 101  }
 102  
 103  if($loadstyle == "def='1'")
 104  {
 105      if(!$cache->read('default_theme'))
 106      {
 107          $cache->update_default_theme();
 108      }
 109  
 110      $theme = $cache->read('default_theme');
 111  }
 112  
 113  // No theme was found - we attempt to load the master or any other theme
 114  if(!isset($theme['tid']) || isset($theme['tid']) && !$theme['tid'])
 115  {
 116      // Missing theme was from a user, run a query to set any users using the theme to the default
 117      $db->update_query('users', array('style' => 0), "style = '{$mybb->user['style']}'");
 118  
 119      // Attempt to load the master or any other theme if the master is not available
 120      $query = $db->simple_select('themes', 'name, tid, properties, stylesheets', '', array('order_by' => 'tid', 'limit' => 1));
 121      $theme = $db->fetch_array($query);
 122  }
 123  $theme = @array_merge($theme, my_unserialize($theme['properties']));
 124  
 125  // Set the appropriate image language directory for this theme.
 126  // Are we linking to a remote theme server?
 127  if(my_validate_url($theme['imgdir']))
 128  {
 129      // If a language directory for the current language exists within the theme - we use it
 130      if(!empty($mybb->user['language']))
 131      {
 132          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
 133      }
 134      else
 135      {
 136          // Check if a custom language directory exists for this theme
 137          if(!empty($mybb->settings['bblanguage']))
 138          {
 139              $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
 140          }
 141          // Otherwise, the image language directory is the same as the language directory for the theme
 142          else
 143          {
 144              $theme['imglangdir'] = $theme['imgdir'];
 145          }
 146      }
 147  }
 148  else
 149  {
 150      $img_directory = $theme['imgdir'];
 151  
 152      if($mybb->settings['usecdn'] && !empty($mybb->settings['cdnpath']))
 153      {
 154          $img_directory = rtrim($mybb->settings['cdnpath'], '/') . '/' . ltrim($theme['imgdir'], '/');
 155      }
 156  
 157      if(!@is_dir($img_directory))
 158      {
 159          $theme['imgdir'] = 'images';
 160      }
 161  
 162      // If a language directory for the current language exists within the theme - we use it
 163      if(!empty($mybb->user['language']) && is_dir($img_directory.'/'.$mybb->user['language']))
 164      {
 165          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
 166      }
 167      else
 168      {
 169          // Check if a custom language directory exists for this theme
 170          if(is_dir($img_directory.'/'.$mybb->settings['bblanguage']))
 171          {
 172              $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
 173          }
 174          // Otherwise, the image language directory is the same as the language directory for the theme
 175          else
 176          {
 177              $theme['imglangdir'] = $theme['imgdir'];
 178          }
 179      }
 180  
 181      $theme['imgdir'] = $mybb->get_asset_url($theme['imgdir']);
 182      $theme['imglangdir'] = $mybb->get_asset_url($theme['imglangdir']);
 183  }
 184  
 185  $templatelist = "postbit_editedby,xmlhttp_buddyselect_online,xmlhttp_buddyselect_offline,xmlhttp_buddyselect";
 186  $templates->cache($db->escape_string($templatelist));
 187  
 188  if($lang->settings['charset'])
 189  {
 190      $charset = $lang->settings['charset'];
 191  }
 192  // If not, revert to UTF-8
 193  else
 194  {
 195      $charset = "UTF-8";
 196  }
 197  
 198  $lang->load("global");
 199  $lang->load("xmlhttp");
 200  
 201  $closed_bypass = array("refresh_captcha", "validate_captcha");
 202  
 203  $mybb->input['action'] = $mybb->get_input('action');
 204  
 205  $plugins->run_hooks("xmlhttp");
 206  
 207  // If the board is closed, the user is not an administrator and they're not trying to login, show the board closed message
 208  if($mybb->settings['boardclosed'] == 1 && $mybb->usergroup['canviewboardclosed'] != 1 && !in_array($mybb->input['action'], $closed_bypass))
 209  {
 210      // Show error
 211      if(!$mybb->settings['boardclosed_reason'])
 212      {
 213          $mybb->settings['boardclosed_reason'] = $lang->boardclosed_reason;
 214      }
 215  
 216      $lang->error_boardclosed .= "<br /><em>{$mybb->settings['boardclosed_reason']}</em>";
 217  
 218      xmlhttp_error($lang->error_boardclosed);
 219  }
 220  
 221  // Fetch a list of usernames beginning with a certain string (used for auto completion)
 222  if($mybb->input['action'] == "get_users")
 223  {
 224      $mybb->input['query'] = ltrim($mybb->get_input('query'));
 225      $search_type = $mybb->get_input('search_type', MyBB::INPUT_INT); // 0: starts with, 1: ends with, 2: contains
 226  
 227      // If the string is less than 2 characters, quit.
 228      if(my_strlen($mybb->input['query']) < 2)
 229      {
 230          exit;
 231      }
 232  
 233      if($mybb->get_input('getone', MyBB::INPUT_INT) == 1)
 234      {
 235          $limit = 1;
 236      }
 237      else
 238      {
 239          $limit = 15;
 240      }
 241  
 242      // Send our headers.
 243      header("Content-type: application/json; charset={$charset}");
 244  
 245      // Query for any matching users.
 246      $query_options = array(
 247          "order_by" => "username",
 248          "order_dir" => "asc",
 249          "limit_start" => 0,
 250          "limit" => $limit
 251      );
 252  
 253      $plugins->run_hooks("xmlhttp_get_users_start");
 254  
 255      $likestring = $db->escape_string_like($mybb->input['query']);
 256      if($search_type == 1)
 257      {
 258          $likestring = '%'.$likestring;
 259      }
 260      elseif($search_type == 2)
 261      {
 262          $likestring = '%'.$likestring.'%';
 263      }
 264      else
 265      {
 266          $likestring .= '%';
 267      }
 268  
 269      $query = $db->simple_select("users", "uid, username", "username LIKE '{$likestring}'", $query_options);
 270      if($limit == 1)
 271      {
 272          $user = $db->fetch_array($query);
 273          $data = array('uid' => $user['uid'], 'id' => $user['username'], 'text' => $user['username']);
 274      }
 275      else
 276      {
 277          $data = array();
 278          while($user = $db->fetch_array($query))
 279          {
 280              $data[] = array('uid' => $user['uid'], 'id' => $user['username'], 'text' => $user['username']);
 281          }
 282      }
 283  
 284      $plugins->run_hooks("xmlhttp_get_users_end");
 285  
 286      echo json_encode($data);
 287      exit;
 288  }
 289  // This action provides editing of thread/post subjects from within their respective list pages.
 290  else if($mybb->input['action'] == "edit_subject" && $mybb->request_method == "post")
 291  {
 292      // Verify POST request
 293      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 294      {
 295          xmlhttp_error($lang->invalid_post_code);
 296      }
 297  
 298      // We're editing a thread subject.
 299      if($mybb->get_input('tid', MyBB::INPUT_INT))
 300      {
 301          // Fetch the thread.
 302          $thread = get_thread($mybb->get_input('tid', MyBB::INPUT_INT));
 303          if(!$thread)
 304          {
 305              xmlhttp_error($lang->thread_doesnt_exist);
 306          }
 307  
 308          // Fetch some of the information from the first post of this thread.
 309          $query_options = array(
 310              "order_by" => "dateline, pid",
 311          );
 312          $query = $db->simple_select("posts", "pid,uid,dateline", "tid='".$thread['tid']."'", $query_options);
 313          $post = $db->fetch_array($query);
 314      }
 315      else
 316      {
 317          exit;
 318      }
 319  
 320      // Fetch the specific forum this thread/post is in.
 321      $forum = get_forum($thread['fid']);
 322  
 323      // Missing thread, invalid forum? Error.
 324      if(!$forum || $forum['type'] != "f")
 325      {
 326          xmlhttp_error($lang->thread_doesnt_exist);
 327      }
 328  
 329      // Fetch forum permissions.
 330      $forumpermissions = forum_permissions($forum['fid']);
 331  
 332      $plugins->run_hooks("xmlhttp_edit_subject_start");
 333  
 334      // If this user is not a moderator with "caneditposts" permissions.
 335      if(!is_moderator($forum['fid'], "caneditposts"))
 336      {
 337          // Thread is closed - no editing allowed.
 338          if($thread['closed'] == 1)
 339          {
 340              xmlhttp_error($lang->thread_closed_edit_subjects);
 341          }
 342          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 343          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0)
 344          {
 345              xmlhttp_error($lang->no_permission_edit_subject);
 346          }
 347          // If we're past the edit time limit - don't allow editing.
 348          else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60)))
 349          {
 350              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']);
 351              xmlhttp_error($lang->edit_time_limit);
 352          }
 353          $ismod = false;
 354      }
 355      else
 356      {
 357          $ismod = true;
 358      }
 359      $subject = $mybb->get_input('value');
 360      if(my_strtolower($charset) != "utf-8")
 361      {
 362          if(function_exists("iconv"))
 363          {
 364              $subject = iconv($charset, "UTF-8//IGNORE", $subject);
 365          }
 366          else if(function_exists("mb_convert_encoding"))
 367          {
 368              $subject = @mb_convert_encoding($subject, $charset, "UTF-8");
 369          }
 370          else if(my_strtolower($charset) == "iso-8859-1")
 371          {
 372              $subject = utf8_decode($subject);
 373          }
 374      }
 375  
 376      // Only edit subject if subject has actually been changed
 377      if($thread['subject'] != $subject)
 378      {
 379          // Set up posthandler.
 380          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 381          $posthandler = new PostDataHandler("update");
 382          $posthandler->action = "post";
 383  
 384          // Set the post data that came from the input to the $post array.
 385          $updatepost = array(
 386              "pid" => $post['pid'],
 387              "tid" => $thread['tid'],
 388              "prefix" => $thread['prefix'],
 389              "subject" => $subject,
 390              "edit_uid" => $mybb->user['uid']
 391          );
 392          $posthandler->set_data($updatepost);
 393  
 394          // Now let the post handler do all the hard work.
 395          if(!$posthandler->validate_post())
 396          {
 397              $post_errors = $posthandler->get_friendly_errors();
 398              xmlhttp_error($post_errors);
 399          }
 400          // No errors were found, we can call the update method.
 401          else
 402          {
 403              $posthandler->update_post();
 404              if($ismod == true)
 405              {
 406                  $modlogdata = array(
 407                      "tid" => $thread['tid'],
 408                      "fid" => $forum['fid']
 409                  );
 410                  log_moderator_action($modlogdata, $lang->edited_post);
 411              }
 412          }
 413      }
 414  
 415      require_once  MYBB_ROOT."inc/class_parser.php";
 416      $parser = new postParser;
 417  
 418      // Send our headers.
 419      header("Content-type: application/json; charset={$charset}");
 420  
 421      $plugins->run_hooks("xmlhttp_edit_subject_end");
 422  
 423      $mybb->input['value'] = $parser->parse_badwords($mybb->get_input('value'));
 424  
 425      // Spit the subject back to the browser.
 426      $subject = substr($mybb->input['value'], 0, 120); // 120 is the varchar length for the subject column
 427      echo json_encode(array("subject" => '<a href="'.get_thread_link($thread['tid']).'">'.htmlspecialchars_uni($subject).'</a>'));
 428  
 429      // Close the connection.
 430      exit;
 431  }
 432  else if($mybb->input['action'] == "edit_post")
 433  {
 434      // Fetch the post from the database.
 435      $post = get_post($mybb->get_input('pid', MyBB::INPUT_INT));
 436  
 437      // No result, die.
 438      if(!$post || $post['visible'] == -1)
 439      {
 440          xmlhttp_error($lang->post_doesnt_exist);
 441      }
 442  
 443      // Fetch the thread associated with this post.
 444      $thread = get_thread($post['tid']);
 445  
 446      // Fetch the specific forum this thread/post is in.
 447      $forum = get_forum($thread['fid']);
 448  
 449      // Missing thread, invalid forum? Error.
 450      if(!$thread || !$forum || $forum['type'] != "f")
 451      {
 452          xmlhttp_error($lang->thread_doesnt_exist);
 453      }
 454  
 455      // Check if this forum is password protected and we have a valid password
 456      if(check_forum_password($forum['fid'], 0, true))
 457      {
 458          xmlhttp_error($lang->wrong_forum_password);
 459      }
 460  
 461      // Fetch forum permissions.
 462      $forumpermissions = forum_permissions($forum['fid']);
 463  
 464      $plugins->run_hooks("xmlhttp_edit_post_start");
 465  
 466      // If this user is not a moderator with "caneditposts" permissions.
 467      if(!is_moderator($forum['fid'], "caneditposts"))
 468      {
 469          // Thread is closed - no editing allowed.
 470          if($thread['closed'] == 1)
 471          {
 472              xmlhttp_error($lang->thread_closed_edit_message);
 473          }
 474          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 475          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0 || $mybb->user['suspendposting'] == 1)
 476          {
 477              xmlhttp_error($lang->no_permission_edit_post);
 478          }
 479          // If we're past the edit time limit - don't allow editing.
 480          else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60)))
 481          {
 482              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']);
 483              xmlhttp_error($lang->edit_time_limit);
 484          }
 485          // User can't edit unapproved post unless permitted for own
 486          if($post['visible'] == 0 && !($mybb->settings['showownunapproved'] && $post['uid'] == $mybb->user['uid']))
 487          {
 488              xmlhttp_error($lang->post_moderation);
 489          }
 490      }
 491  
 492      $plugins->run_hooks("xmlhttp_edit_post_end");
 493  
 494      if($mybb->get_input('do') == "get_post")
 495      {
 496          // Send our headers.
 497          header("Content-type: application/json; charset={$charset}");
 498  
 499          // Send the contents of the post.
 500          echo json_encode($post['message']);
 501          exit;
 502      }
 503      else if($mybb->get_input('do') == "update_post")
 504      {
 505          // Verify POST request
 506          if(!verify_post_check($mybb->get_input('my_post_key'), true))
 507          {
 508              xmlhttp_error($lang->invalid_post_code);
 509          }
 510  
 511          $message = $mybb->get_input('value');
 512          $editreason = $mybb->get_input('editreason');
 513          if(my_strtolower($charset) != "utf-8")
 514          {
 515              if(function_exists("iconv"))
 516              {
 517                  $message = iconv($charset, "UTF-8//IGNORE", $message);
 518                  $editreason = iconv($charset, "UTF-8//IGNORE", $editreason);
 519              }
 520              else if(function_exists("mb_convert_encoding"))
 521              {
 522                  $message = @mb_convert_encoding($message, $charset, "UTF-8");
 523                  $editreason = @mb_convert_encoding($editreason, $charset, "UTF-8");
 524              }
 525              else if(my_strtolower($charset) == "iso-8859-1")
 526              {
 527                  $message = utf8_decode($message);
 528                  $editreason = utf8_decode($editreason);
 529              }
 530          }
 531  
 532          // Set up posthandler.
 533          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 534          $posthandler = new PostDataHandler("update");
 535          $posthandler->action = "post";
 536  
 537          // Set the post data that came from the input to the $post array.
 538          $updatepost = array(
 539              "pid" => $post['pid'],
 540              "message" => $message,
 541              "editreason" => $editreason,
 542              "edit_uid" => $mybb->user['uid']
 543          );
 544  
 545          // If this is the first post set the prefix. If a forum requires a prefix the quick edit would throw an error otherwise
 546          if($post['pid'] == $thread['firstpost'])
 547          {
 548              $updatepost['prefix'] = $thread['prefix'];
 549          }
 550  
 551          $posthandler->set_data($updatepost);
 552  
 553          // Now let the post handler do all the hard work.
 554          if(!$posthandler->validate_post())
 555          {
 556              $post_errors = $posthandler->get_friendly_errors();
 557              xmlhttp_error($post_errors);
 558          }
 559          // No errors were found, we can call the update method.
 560          else
 561          {
 562              $postinfo = $posthandler->update_post();
 563              $visible = $postinfo['visible'];
 564              if($visible == 0 && !is_moderator($post['fid'], "canviewunapprove"))
 565              {
 566                  // Is it the first post?
 567                  if($thread['firstpost'] == $post['pid'])
 568                  {
 569                      echo json_encode(array("moderation_thread" => $lang->thread_moderation, 'url' => $mybb->settings['bburl'].'/'.get_forum_link($thread['fid']), "message" => $post['message']));
 570                      exit;
 571                  }
 572                  else
 573                  {
 574                      echo json_encode(array("moderation_post" => $lang->post_moderation, 'url' => $mybb->settings['bburl'].'/'.get_thread_link($thread['tid']), "message" => $post['message']));
 575                      exit;
 576                  }
 577              }
 578          }
 579  
 580          require_once  MYBB_ROOT."inc/class_parser.php";
 581          $parser = new postParser;
 582  
 583          $parser_options = array(
 584              "allow_html" => $forum['allowhtml'],
 585              "allow_mycode" => $forum['allowmycode'],
 586              "allow_smilies" => $forum['allowsmilies'],
 587              "allow_imgcode" => $forum['allowimgcode'],
 588              "allow_videocode" => $forum['allowvideocode'],
 589              "me_username" => $post['username'],
 590              "filter_badwords" => 1
 591          );
 592  
 593          $post['username'] = htmlspecialchars_uni($post['username']);
 594  
 595          if($post['smilieoff'] == 1)
 596          {
 597              $parser_options['allow_smilies'] = 0;
 598          }
 599  
 600          if($mybb->user['uid'] != 0 && $mybb->user['showimages'] != 1 || $mybb->settings['guestimages'] != 1 && $mybb->user['uid'] == 0)
 601          {
 602              $parser_options['allow_imgcode'] = 0;
 603          }
 604  
 605          if($mybb->user['uid'] != 0 && $mybb->user['showvideos'] != 1 || $mybb->settings['guestvideos'] != 1 && $mybb->user['uid'] == 0)
 606          {
 607              $parser_options['allow_videocode'] = 0;
 608          }
 609  
 610          $post['message'] = $parser->parse_message($message, $parser_options);
 611  
 612          // Now lets fetch all of the attachments for these posts.
 613          if($mybb->settings['enableattachments'] != 0)
 614          {
 615              $query = $db->simple_select("attachments", "*", "pid='{$post['pid']}'");
 616              while($attachment = $db->fetch_array($query))
 617              {
 618                  $attachcache[$attachment['pid']][$attachment['aid']] = $attachment;
 619              }
 620  
 621              require_once  MYBB_ROOT."inc/functions_post.php";
 622  
 623              get_post_attachments($post['pid'], $post);
 624          }
 625  
 626          // Figure out if we need to show an "edited by" message
 627          // Only show if at least one of "showeditedby" or "showeditedbyadmin" is enabled
 628          if($mybb->settings['showeditedby'] != 0 && $mybb->settings['showeditedbyadmin'] != 0)
 629          {
 630              $post['editdate'] = my_date('relative', TIME_NOW);
 631              $post['editnote'] = $lang->sprintf($lang->postbit_edited, $post['editdate']);
 632              $mybb->user['username'] = htmlspecialchars_uni($mybb->user['username']);
 633              $post['editedprofilelink'] = build_profile_link($mybb->user['username'], $mybb->user['uid']);
 634              $post['editreason'] = trim($editreason);
 635              $editreason = "";
 636              if($post['editreason'] != "")
 637              {
 638                  $post['editreason'] = $parser->parse_badwords($post['editreason']);
 639                  $post['editreason'] = htmlspecialchars_uni($post['editreason']);
 640                  eval("\$editreason = \"".$templates->get("postbit_editedby_editreason")."\";");
 641              }
 642              eval("\$editedmsg = \"".$templates->get("postbit_editedby")."\";");
 643          }
 644  
 645          // Send our headers.
 646          header("Content-type: application/json; charset={$charset}");
 647  
 648          $editedmsg_response = null;
 649          if($editedmsg)
 650          {
 651              $editedmsg_response = str_replace(array("\r", "\n"), "", $editedmsg);
 652          }
 653  
 654          $plugins->run_hooks("xmlhttp_update_post");
 655  
 656          echo json_encode(array("message" => $post['message']."\n", "editedmsg" => $editedmsg_response));
 657          exit;
 658      }
 659  }
 660  // Fetch the list of multiquoted posts which are not in a specific thread
 661  else if($mybb->input['action'] == "get_multiquoted")
 662  {
 663      // If the cookie does not exist, exit
 664      if(!array_key_exists("multiquote", $mybb->cookies))
 665      {
 666          exit;
 667      }
 668      // Divide up the cookie using our delimeter
 669      $multiquoted = explode("|", $mybb->cookies['multiquote']);
 670  
 671      $plugins->run_hooks("xmlhttp_get_multiquoted_start");
 672  
 673      // No values - exit
 674      if(!is_array($multiquoted))
 675      {
 676          exit;
 677      }
 678  
 679      // Loop through each post ID and sanitize it before querying
 680      foreach($multiquoted as $post)
 681      {
 682          $quoted_posts[$post] = (int)$post;
 683      }
 684  
 685      // Join the post IDs back together
 686      $quoted_posts = implode(",", $quoted_posts);
 687  
 688      // Fetch unviewable forums
 689      $unviewable_forums = get_unviewable_forums();
 690      $inactiveforums = get_inactive_forums();
 691      if($unviewable_forums)
 692      {
 693          $unviewable_forums = "AND t.fid NOT IN ({$unviewable_forums})";
 694      }
 695      if($inactiveforums)
 696      {
 697          $inactiveforums = "AND t.fid NOT IN ({$inactiveforums})";
 698      }
 699  
 700      // Check group permissions if we can't view threads not started by us
 701      $group_permissions = forum_permissions();
 702      $onlyusfids = array();
 703      foreach($group_permissions as $gpfid => $forum_permissions)
 704      {
 705          if(isset($forum_permissions['canonlyviewownthreads']) && $forum_permissions['canonlyviewownthreads'] == 1)
 706          {
 707              $onlyusfids[] = $gpfid;
 708          }
 709      }
 710  
 711      $message = '';
 712  
 713      // Are we loading all quoted posts or only those not in the current thread?
 714      if(empty($mybb->input['load_all']))
 715      {
 716          $from_tid = "p.tid != '".$mybb->get_input('tid', MyBB::INPUT_INT)."' AND ";
 717      }
 718      else
 719      {
 720          $from_tid = '';
 721      }
 722  
 723      require_once  MYBB_ROOT."inc/class_parser.php";
 724      $parser = new postParser;
 725  
 726      require_once  MYBB_ROOT."inc/functions_posting.php";
 727  
 728      $plugins->run_hooks("xmlhttp_get_multiquoted_intermediate");
 729  
 730      // Query for any posts in the list which are not within the specified thread
 731      $query = $db->query("
 732          SELECT p.subject, p.message, p.pid, p.tid, p.username, p.dateline, t.fid, t.uid AS thread_uid, p.visible, u.username AS userusername
 733          FROM ".TABLE_PREFIX."posts p
 734          LEFT JOIN ".TABLE_PREFIX."threads t ON (t.tid=p.tid)
 735          LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=p.uid)
 736          WHERE {$from_tid}p.pid IN ({$quoted_posts}) {$unviewable_forums} {$inactiveforums}
 737          ORDER BY p.dateline, p.pid
 738      ");
 739      while($quoted_post = $db->fetch_array($query))
 740      {
 741          if(
 742              (!is_moderator($quoted_post['fid'], "canviewunapprove") && $quoted_post['visible'] == 0) ||
 743              (!is_moderator($quoted_post['fid'], "canviewdeleted") && $quoted_post['visible'] == -1) ||
 744              (in_array($quoted_post['fid'], $onlyusfids) && (!$mybb->user['uid'] || $quoted_post['thread_uid'] != $mybb->user['uid']))
 745          )
 746          {
 747              // Allow quoting from own unapproved post
 748              if($quoted_post['visible'] == 0 && !($mybb->settings['showownunapproved'] && $quoted_post['uid'] == $mybb->user['uid']))
 749              {
 750                  continue;
 751              }
 752          }
 753  
 754          $message .= parse_quoted_message($quoted_post, false);
 755      }
 756      if($mybb->settings['maxquotedepth'] != '0')
 757      {
 758          $message = remove_message_quotes($message);
 759      }
 760  
 761      // Send our headers.
 762      header("Content-type: application/json; charset={$charset}");
 763  
 764      $plugins->run_hooks("xmlhttp_get_multiquoted_end");
 765  
 766      echo json_encode(array("message" => $message));
 767      exit;
 768  }
 769  else if($mybb->input['action'] == "refresh_captcha")
 770  {
 771      $imagehash = $db->escape_string($mybb->get_input('imagehash'));
 772      $query = $db->simple_select("captcha", "dateline", "imagehash='$imagehash'");
 773      if($db->num_rows($query) == 0)
 774      {
 775          xmlhttp_error($lang->captcha_not_exists);
 776      }
 777      $db->delete_query("captcha", "imagehash='$imagehash'");
 778      $randomstr = random_str(5);
 779      $imagehash = md5(random_str(12));
 780      $regimagearray = array(
 781          "imagehash" => $imagehash,
 782          "imagestring" => $randomstr,
 783          "dateline" => TIME_NOW
 784      );
 785  
 786      $plugins->run_hooks("xmlhttp_refresh_captcha");
 787  
 788      $db->insert_query("captcha", $regimagearray);
 789      header("Content-type: application/json; charset={$charset}");
 790      echo json_encode(array("imagehash" => $imagehash));
 791      exit;
 792  }
 793  else if($mybb->input['action'] == "validate_captcha")
 794  {
 795      header("Content-type: application/json; charset={$charset}");
 796      $imagehash = $db->escape_string($mybb->get_input('imagehash'));
 797      $query = $db->simple_select("captcha", "imagestring", "imagehash='$imagehash'");
 798      if($db->num_rows($query) == 0)
 799      {
 800          echo json_encode($lang->captcha_valid_not_exists);
 801          exit;
 802      }
 803      $imagestring = $db->fetch_field($query, 'imagestring');
 804  
 805      $plugins->run_hooks("xmlhttp_validate_captcha");
 806  
 807      if(my_strtolower($imagestring) == my_strtolower($mybb->get_input('imagestring')))
 808      {
 809          //echo json_encode(array("success" => $lang->captcha_matches));
 810          echo json_encode("true");
 811          exit;
 812      }
 813      else
 814      {
 815          echo json_encode($lang->captcha_does_not_match);
 816          exit;
 817      }
 818  }
 819  else if($mybb->input['action'] == "refresh_question" && $mybb->settings['securityquestion'])
 820  {
 821      header("Content-type: application/json; charset={$charset}");
 822  
 823      $sid = $db->escape_string($mybb->get_input('question_id'));
 824      $query = $db->query("
 825          SELECT q.qid, s.sid
 826          FROM ".TABLE_PREFIX."questionsessions s
 827          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 828          WHERE q.active='1' AND s.sid='{$sid}'
 829      ");
 830  
 831      if($db->num_rows($query) == 0)
 832      {
 833          xmlhttp_error($lang->answer_valid_not_exists);
 834      }
 835  
 836      $qsession = $db->fetch_array($query);
 837  
 838      // Delete previous question session
 839      $db->delete_query("questionsessions", "sid='$sid'");
 840  
 841      require_once  MYBB_ROOT."inc/functions_user.php";
 842  
 843      $sid = generate_question($qsession['qid']);
 844      $query = $db->query("
 845          SELECT q.question, s.sid
 846          FROM ".TABLE_PREFIX."questionsessions s
 847          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 848          WHERE q.active='1' AND s.sid='{$sid}' AND q.qid!='{$qsession['qid']}'
 849      ");
 850  
 851      $plugins->run_hooks("xmlhttp_refresh_question");
 852      
 853      require_once  MYBB_ROOT."inc/class_parser.php";
 854      $parser = new postParser;
 855      
 856      $parser_options = array(
 857          "allow_html" => 0,
 858          "allow_mycode" => 1,
 859          "allow_smilies" => 1,
 860          "allow_imgcode" => 1,
 861          "allow_videocode" => 1,
 862          "filter_badwords" => 1,
 863          "me_username" => 0,
 864          "shorten_urls" => 0,
 865          "highlight" => 0,
 866      );    
 867  
 868      if($db->num_rows($query) > 0)
 869      {
 870          $question = $db->fetch_array($query);
 871  
 872          echo json_encode(array("question" => $parser->parse_message($question['question'], $parser_options), 'sid' => htmlspecialchars_uni($question['sid'])));
 873          exit;
 874      }
 875      else
 876      {
 877          xmlhttp_error($lang->answer_valid_not_exists);
 878      }
 879  }
 880  elseif($mybb->input['action'] == "validate_question" && $mybb->settings['securityquestion'])
 881  {
 882      header("Content-type: application/json; charset={$charset}");
 883      $sid = $db->escape_string($mybb->get_input('question'));
 884      $answer = $db->escape_string($mybb->get_input('answer'));
 885  
 886      $query = $db->query("
 887          SELECT q.*, s.sid
 888          FROM ".TABLE_PREFIX."questionsessions s
 889          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 890          WHERE q.active='1' AND s.sid='{$sid}'
 891      ");
 892  
 893      if($db->num_rows($query) == 0)
 894      {
 895          echo json_encode($lang->answer_valid_not_exists);
 896          exit;
 897      }
 898      else
 899      {
 900          $question = $db->fetch_array($query);
 901          $valid_answers = preg_split("/\r\n|\n|\r/", $question['answer']);
 902          $validated = 0;
 903  
 904          foreach($valid_answers as $answers)
 905          {
 906              if(my_strtolower($answers) == my_strtolower($answer))
 907              {
 908                  $validated = 1;
 909              }
 910          }
 911  
 912          $plugins->run_hooks("xmlhttp_validate_question");
 913  
 914          if($validated != 1)
 915          {
 916              echo json_encode($lang->answer_does_not_match);
 917              exit;
 918          }
 919          else
 920          {
 921              echo json_encode("true");
 922              exit;
 923          }
 924      }
 925  
 926      exit;
 927  }
 928  else if($mybb->input['action'] == "complex_password")
 929  {
 930      $password = trim($mybb->get_input('password'));
 931      $password = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $password);
 932  
 933      header("Content-type: application/json; charset={$charset}");
 934  
 935      $plugins->run_hooks("xmlhttp_complex_password");
 936  
 937      if(!preg_match("/^.*(?=.{".$mybb->settings['minpasswordlength'].",})(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$/", $password))
 938      {
 939          echo json_encode($lang->complex_password_fails);
 940      }
 941      else
 942      {
 943          // Return nothing but an OK password if passes regex
 944          echo json_encode("true");
 945      }
 946  
 947      exit;
 948  }
 949  else if($mybb->input['action'] == "username_availability")
 950  {
 951      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 952      {
 953          xmlhttp_error($lang->invalid_post_code);
 954      }
 955  
 956      require_once  MYBB_ROOT."inc/functions_user.php";
 957      $username = $mybb->get_input('username');
 958  
 959      // Fix bad characters
 960      $username = trim_blank_chrs($username);
 961      $username = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $username);
 962  
 963      // Remove multiple spaces from the username
 964      $username = preg_replace("#\s{2,}#", " ", $username);
 965  
 966      header("Content-type: application/json; charset={$charset}");
 967  
 968      if(empty($username))
 969      {
 970          echo json_encode($lang->banned_characters_username);
 971          exit;
 972      }
 973  
 974      // Check if the username belongs to the list of banned usernames.
 975      $banned_username = is_banned_username($username, true);
 976      if($banned_username)
 977      {
 978          echo json_encode($lang->banned_username);
 979          exit;
 980      }
 981  
 982      // Check for certain characters in username (<, >, &, and slashes)
 983      if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
 984      {
 985          echo json_encode($lang->banned_characters_username);
 986          exit;
 987      }
 988  
 989      // Check if the username is actually already in use
 990      $user = get_user_by_username($username);
 991  
 992      $plugins->run_hooks("xmlhttp_username_availability");
 993  
 994      if(!empty($user['uid']))
 995      {
 996          $lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
 997          echo json_encode($lang->username_taken);
 998          exit;
 999      }
1000      else
1001      {
1002          //$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
1003          echo json_encode("true");
1004          exit;
1005      }
1006  }
else if($mybb->input['action'] == "email_availability")
{
    // Run the user datahandler's e-mail checks (whatever verify_email()
    // implements; not visible here) on a candidate address without creating
    // anything. Replies "true" or the first friendly error message.
    if(!verify_post_check($mybb->get_input('my_post_key'), true))
    {
        xmlhttp_error($lang->invalid_post_code);
    }

    require_once MYBB_ROOT."inc/datahandlers/user.php";
    $userhandler = new UserDataHandler("insert");

    $email = $mybb->get_input('email');

    header("Content-type: application/json; charset={$charset}");

    $user = array(
        'email' => $email
    );
    $userhandler->set_data($user);

    // Collect the translated errors, if verify_email() rejected the address.
    $errors = array();
    if(!$userhandler->verify_email())
    {
        $errors = $userhandler->get_friendly_errors();
    }

    $plugins->run_hooks("xmlhttp_email_availability");

    // Only the first error is reported to the client.
    $reply = empty($errors) ? "true" : $errors[0];
    echo json_encode($reply);
    exit;
}
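else if($mybb->input['action'] == "get_buddyselect")
{
    // Render the buddy select list for the current user (templates
    // xmlhttp_buddyselect_online / _offline / xmlhttp_buddyselect), split
    // into buddies currently online and the rest.
    // Send our headers.
    header("Content-type: text/plain; charset={$charset}");

    if($mybb->user['buddylist'] != "")
    {
        $query_options = array(
            "order_by" => "username",
            "order_dir" => "asc"
        );

        $plugins->run_hooks("xmlhttp_get_buddyselect_start");

        // buddylist is a comma-separated list of uids from the users table,
        // written elsewhere. Normalise every entry to an integer before it is
        // interpolated into SQL, so this query does not depend on that code's
        // validation (defence in depth; a well-formed list is unchanged).
        $buddy_uids = implode(",", array_map("intval", explode(",", $mybb->user['buddylist'])));

        $timecut = TIME_NOW - $mybb->settings['wolcutoff'];
        $query = $db->simple_select("users", "uid, username, usergroup, displaygroup, lastactive, lastvisit, invisible", "uid IN ({$buddy_uids})", $query_options);
        $online = array();
        $offline = array();
        while($buddy = $db->fetch_array($query))
        {
            $buddy['username'] = htmlspecialchars_uni($buddy['username']);
            $buddy_name = format_name($buddy['username'], $buddy['usergroup'], $buddy['displaygroup']);
            $profile_link = build_profile_link($buddy_name, $buddy['uid'], '_blank');
            // Online = active within the Who's Online cutoff, visible (or the
            // viewer is in usergroup 4 - presumably Administrators, who may
            // see invisible users) and lastvisit != lastactive (presumably
            // distinguishes a logged-out user - confirm against the session code).
            if($buddy['lastactive'] > $timecut && ($buddy['invisible'] == 0 || $mybb->user['usergroup'] == 4) && $buddy['lastvisit'] != $buddy['lastactive'])
            {
                eval("\$online[] = \"".$templates->get("xmlhttp_buddyselect_online")."\";");
            }
            else
            {
                eval("\$offline[] = \"".$templates->get("xmlhttp_buddyselect_offline")."\";");
            }
        }
        $online = implode("", $online);
        $offline = implode("", $offline);

        $plugins->run_hooks("xmlhttp_get_buddyselect_end");

        eval("\$buddy_select = \"".$templates->get("xmlhttp_buddyselect")."\";");
        echo $buddy_select;
    }
    else
    {
        xmlhttp_error($lang->buddylist_error);
    }
}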
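else if($mybb->input['action'] == 'get_referrals')
{
    // Build the referrals popup for a user: one member_referral_row per
    // member the user referred, or member_no_referrals when there are none.
    $lang->load('member');
    $uid = $mybb->get_input('uid', MYBB::INPUT_INT);

    if(!$uid)
    {
        xmlhttp_error($lang->referrals_no_user_specified);
    }

    // NOTE(review): no permission or visibility check on $uid is applied
    // here; any visitor can request the referral list of any user id.
    // Confirm that matches what the profile page enforces.
    $referrals = get_user_referrals($uid);

    // Initialise before the `.=` loop below: appending to an undefined
    // variable raises an "Undefined variable" notice/warning, which MyBB's
    // error handler may render into the response.
    $referral_rows = '';

    if(empty($referrals))
    {
        eval("\$referral_rows = \"".$templates->get('member_no_referrals')."\";");
    }
    else
    {
        foreach($referrals as $referral)
        {
            $bg_color = alt_trow();
            // Format user name link
            $username = htmlspecialchars_uni($referral['username']);
            $username = format_name($username, $referral['usergroup'], $referral['displaygroup']);
            $username = build_profile_link($username, $referral['uid']);

            $regdate = my_date('normal', $referral['regdate']);

            eval("\$referral_rows .= \"".$templates->get('member_referral_row')."\";");
        }
    }

    $plugins->run_hooks('xmlhttp_referrals_end');

    eval("\$referrals = \"".$templates->get('member_referrals_popup', 1, 0)."\";");

    // Send our headers and output.
    header("Content-type: text/plain; charset={$charset}");
    echo $referrals;
}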
1128  
1129  /**
1130   * Spits an XML Http based error message back to the browser
1131   *
1132   * @param string $message The message to send back.
1133   */
1134  function xmlhttp_error($message)
1135  {
1136      global $charset;
1137  
1138      // Send our headers.
1139      header("Content-type: application/json; charset={$charset}");
1140  
1141      // Do we have an array of messages?
1142      if(is_array($message))
1143      {
1144          $response = array();
1145          foreach($message as $error)
1146          {
1147              $response[] = $error;
1148          }
1149  
1150          // Send the error messages.
1151          echo json_encode(array("errors" => array($response)));
1152  
1153          exit;
1154      }
1155  
1156      // Just a single error? Send it along.
1157      echo json_encode(array("errors" => array($message)));
1158  
1159      exit;
1160  }

