
   1  <?php
   2  /**
   3   * MyBB 1.8
   4   * Copyright 2014 MyBB Group, All Rights Reserved
   5   *
   6   * Website: http://www.mybb.com
   7   * License: http://www.mybb.com/about/license
   8   *
   9   */
  10  
  11  /**
  12   * The deal with this file is that it handles all of the XML HTTP Requests for MyBB.
  13   *
  14   * It contains a stripped down version of the MyBB core which does not load things
  15   * such as themes, who's online data, all of the language packs and more.
  16   *
  17   * This is done to make response times when using XML HTTP Requests faster and
  18   * less intense on the server.
  19   */
  20  
  21  define("IN_MYBB", 1);
  22  
  23  // We don't want visits here showing up on the Who's Online
  24  define("NO_ONLINE", 1);
  25  
  26  define('THIS_SCRIPT', 'xmlhttp.php');
  27  
  28  // Load MyBB core files
  29  require_once dirname(__FILE__)."/inc/init.php";
  30  
  31  $shutdown_queries = $shutdown_functions = array();
  32  
  33  // Load some of the stock caches we'll be using.
  34  $groupscache = $cache->read("usergroups");
  35  
  36  if(!is_array($groupscache))
  37  {
  38      $cache->update_usergroups();
  39      $groupscache = $cache->read("usergroups");
  40  }
  41  
  42  // Send no cache headers
  43  header("Expires: Sat, 1 Jan 2000 01:00:00 GMT");
  44  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  45  header("Cache-Control: no-cache, must-revalidate");
  46  header("Pragma: no-cache");
  47  
  48  // Create the session
  49  require_once  MYBB_ROOT."inc/class_session.php";
  50  $session = new session;
  51  $session->init();
  52  
  53  // Load the language we'll be using
  54  if(!isset($mybb->settings['bblanguage']))
  55  {
  56      $mybb->settings['bblanguage'] = "english";
  57  }
  58  if(isset($mybb->user['language']) && $lang->language_exists($mybb->user['language']))
  59  {
  60      $mybb->settings['bblanguage'] = $mybb->user['language'];
  61  }
  62  $lang->set_language($mybb->settings['bblanguage']);
  63  
  64  if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
  65  {
  66      @mb_internal_encoding($lang->settings['charset']);
  67  }
  68  
  69  // Load the theme
  70  // 1. Check cookies
  71  if(!$mybb->user['uid'] && !empty($mybb->cookies['mybbtheme']))
  72  {
  73      $mybb->user['style'] = (int)$mybb->cookies['mybbtheme'];
  74  }
  75  
  76  // 2. Load style
  77  if(isset($mybb->user['style']) && (int)$mybb->user['style'] != 0)
  78  {
  79      $loadstyle = "tid='".(int)$mybb->user['style']."'";
  80  }
  81  else
  82  {
  83      $loadstyle = "def='1'";
  84  }
  85  
  86  // Load basic theme information that we could be needing.
  87  if($loadstyle != "def='1'")
  88  {
  89      $query = $db->simple_select('themes', 'name, tid, properties, allowedgroups', $loadstyle, array('limit' => 1));
  90      $theme = $db->fetch_array($query);
  91  
  92      if(isset($theme['tid']) && !is_member($theme['allowedgroups']) && $theme['allowedgroups'] != 'all')
  93      {
  94          if(isset($mybb->cookies['mybbtheme']))
  95          {
  96              my_unsetcookie('mybbtheme');
  97          }
  98  
  99          $loadstyle = "def='1'";
 100      }
 101  }
 102  
 103  if($loadstyle == "def='1'")
 104  {
 105      if(!$cache->read('default_theme'))
 106      {
 107          $cache->update_default_theme();
 108      }
 109  
 110      $theme = $cache->read('default_theme');
 111  }
 112  
 113  // No theme was found - we attempt to load the master or any other theme
 114  if(!isset($theme['tid']) || isset($theme['tid']) && !$theme['tid'])
 115  {
 116      // Missing theme was from a user, run a query to set any users using the theme to the default
 117      $db->update_query('users', array('style' => 0), "style = '{$mybb->user['style']}'");
 118  
 119      // Attempt to load the master or any other theme if the master is not available
 120      $query = $db->simple_select('themes', 'name, tid, properties, stylesheets', '', array('order_by' => 'tid', 'limit' => 1));
 121      $theme = $db->fetch_array($query);
 122  }
 123  $theme = @array_merge($theme, my_unserialize($theme['properties']));
 124  
 125  // Set the appropriate image language directory for this theme.
 126  // Are we linking to a remote theme server?
 127  if(my_validate_url($theme['imgdir']))
 128  {
 129      // If a language directory for the current language exists within the theme - we use it
 130      if(!empty($mybb->user['language']))
 131      {
 132          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
 133      }
 134      else
 135      {
 136          // Check if a custom language directory exists for this theme
 137          if(!empty($mybb->settings['bblanguage']))
 138          {
 139              $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
 140          }
 141          // Otherwise, the image language directory is the same as the language directory for the theme
 142          else
 143          {
 144              $theme['imglangdir'] = $theme['imgdir'];
 145          }
 146      }
 147  }
 148  else
 149  {
 150      $img_directory = $theme['imgdir'];
 151  
 152      if($mybb->settings['usecdn'] && !empty($mybb->settings['cdnpath']))
 153      {
 154          $img_directory = rtrim($mybb->settings['cdnpath'], '/') . '/' . ltrim($theme['imgdir'], '/');
 155      }
 156  
 157      if(!@is_dir($img_directory))
 158      {
 159          $theme['imgdir'] = 'images';
 160      }
 161  
 162      // If a language directory for the current language exists within the theme - we use it
 163      if(!empty($mybb->user['language']) && is_dir($img_directory.'/'.$mybb->user['language']))
 164      {
 165          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
 166      }
 167      else
 168      {
 169          // Check if a custom language directory exists for this theme
 170          if(is_dir($img_directory.'/'.$mybb->settings['bblanguage']))
 171          {
 172              $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
 173          }
 174          // Otherwise, the image language directory is the same as the language directory for the theme
 175          else
 176          {
 177              $theme['imglangdir'] = $theme['imgdir'];
 178          }
 179      }
 180  
 181      $theme['imgdir'] = $mybb->get_asset_url($theme['imgdir']);
 182      $theme['imglangdir'] = $mybb->get_asset_url($theme['imglangdir']);
 183  }
 184  
 185  $templatelist = "postbit_editedby,xmlhttp_buddyselect_online,xmlhttp_buddyselect_offline,xmlhttp_buddyselect";
 186  $templates->cache($db->escape_string($templatelist));
 187  
 188  if($lang->settings['charset'])
 189  {
 190      $charset = $lang->settings['charset'];
 191  }
 192  // If not, revert to UTF-8
 193  else
 194  {
 195      $charset = "UTF-8";
 196  }
 197  
 198  $lang->load("global");
 199  $lang->load("xmlhttp");
 200  
 201  $closed_bypass = array("refresh_captcha", "validate_captcha");
 202  
 203  $mybb->input['action'] = $mybb->get_input('action');
 204  
 205  $plugins->run_hooks("xmlhttp");
 206  
 207  // If the board is closed, the user is not an administrator and they're not trying to login, show the board closed message
 208  if($mybb->settings['boardclosed'] == 1 && $mybb->usergroup['canviewboardclosed'] != 1 && !in_array($mybb->input['action'], $closed_bypass))
 209  {
 210      // Show error
 211      if(!$mybb->settings['boardclosed_reason'])
 212      {
 213          $mybb->settings['boardclosed_reason'] = $lang->boardclosed_reason;
 214      }
 215  
 216      $lang->error_boardclosed .= "<br /><em>{$mybb->settings['boardclosed_reason']}</em>";
 217  
 218      xmlhttp_error($lang->error_boardclosed);
 219  }
 220  
 221  // Fetch a list of usernames beginning with a certain string (used for auto completion)
 222  if($mybb->input['action'] == "get_users")
 223  {
 224      $mybb->input['query'] = ltrim($mybb->get_input('query'));
 225      $search_type = $mybb->get_input('search_type', MyBB::INPUT_INT); // 0: contains, 1: starts with, 2: ends with
 226  
 227      // If the string is less than 2 characters, quit.
 228      if(my_strlen($mybb->input['query']) < 2)
 229      {
 230          exit;
 231      }
 232  
 233      if($mybb->get_input('getone', MyBB::INPUT_INT) == 1)
 234      {
 235          $limit = 1;
 236      }
 237      else
 238      {
 239          $limit = 15;
 240      }
 241  
 242      // Send our headers.
 243      header("Content-type: application/json; charset={$charset}");
 244  
 245      // Query for any matching users.
 246      $query_options = array(
 247          "order_by" => "username",
 248          "order_dir" => "asc",
 249          "limit_start" => 0,
 250          "limit" => $limit
 251      );
 252  
 253      $plugins->run_hooks("xmlhttp_get_users_start");
 254  
 255      $likestring = $db->escape_string_like($mybb->input['query']);
 256      if($search_type == 1)
 257      {
 258          $likestring .= '%';
 259      }
 260      elseif($search_type == 2)
 261      {
 262          $likestring = '%'.$likestring;
 263      }
 264      else
 265      {
 266          $likestring = '%'.$likestring.'%';
 267      }
 268  
 269      $query = $db->simple_select("users", "uid, username", "username LIKE '{$likestring}'", $query_options);
 270      if($limit == 1)
 271      {
 272          $user = $db->fetch_array($query);
 273          $data = array('uid' => $user['uid'], 'id' => $user['username'], 'text' => $user['username']);
 274      }
 275      else
 276      {
 277          $data = array();
 278          while($user = $db->fetch_array($query))
 279          {
 280              $data[] = array('uid' => $user['uid'], 'id' => $user['username'], 'text' => $user['username']);
 281          }
 282      }
 283  
 284      $plugins->run_hooks("xmlhttp_get_users_end");
 285  
 286      echo json_encode($data);
 287      exit;
 288  }
 289  // This action provides editing of thread/post subjects from within their respective list pages.
 290  else if($mybb->input['action'] == "edit_subject" && $mybb->request_method == "post")
 291  {
 292      // Verify POST request
 293      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 294      {
 295          xmlhttp_error($lang->invalid_post_code);
 296      }
 297  
 298      // We're editing a thread subject.
 299      if($mybb->get_input('tid', MyBB::INPUT_INT))
 300      {
 301          // Fetch the thread.
 302          $thread = get_thread($mybb->get_input('tid', MyBB::INPUT_INT));
 303          if(!$thread)
 304          {
 305              xmlhttp_error($lang->thread_doesnt_exist);
 306          }
 307  
 308          // Fetch some of the information from the first post of this thread.
 309          $query_options = array(
 310              "order_by" => "dateline",
 311              "order_dir" => "asc",
 312          );
 313          $query = $db->simple_select("posts", "pid,uid,dateline", "tid='".$thread['tid']."'", $query_options);
 314          $post = $db->fetch_array($query);
 315      }
 316      else
 317      {
 318          exit;
 319      }
 320  
 321      // Fetch the specific forum this thread/post is in.
 322      $forum = get_forum($thread['fid']);
 323  
 324      // Missing thread, invalid forum? Error.
 325      if(!$forum || $forum['type'] != "f")
 326      {
 327          xmlhttp_error($lang->thread_doesnt_exist);
 328      }
 329  
 330      // Fetch forum permissions.
 331      $forumpermissions = forum_permissions($forum['fid']);
 332  
 333      $plugins->run_hooks("xmlhttp_edit_subject_start");
 334  
 335      // If this user is not a moderator with "caneditposts" permissions.
 336      if(!is_moderator($forum['fid'], "caneditposts"))
 337      {
 338          // Thread is closed - no editing allowed.
 339          if($thread['closed'] == 1)
 340          {
 341              xmlhttp_error($lang->thread_closed_edit_subjects);
 342          }
 343          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 344          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0)
 345          {
 346              xmlhttp_error($lang->no_permission_edit_subject);
 347          }
 348          // If we're past the edit time limit - don't allow editing.
 349          else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60)))
 350          {
 351              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']);
 352              xmlhttp_error($lang->edit_time_limit);
 353          }
 354          $ismod = false;
 355      }
 356      else
 357      {
 358          $ismod = true;
 359      }
 360      $subject = $mybb->get_input('value');
 361      if(my_strtolower($charset) != "utf-8")
 362      {
 363          if(function_exists("iconv"))
 364          {
 365              $subject = iconv($charset, "UTF-8//IGNORE", $subject);
 366          }
 367          else if(function_exists("mb_convert_encoding"))
 368          {
 369              $subject = @mb_convert_encoding($subject, $charset, "UTF-8");
 370          }
 371          else if(my_strtolower($charset) == "iso-8859-1")
 372          {
 373              $subject = utf8_decode($subject);
 374          }
 375      }
 376  
 377      // Only edit subject if subject has actually been changed
 378      if($thread['subject'] != $subject)
 379      {
 380          // Set up posthandler.
 381          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 382          $posthandler = new PostDataHandler("update");
 383          $posthandler->action = "post";
 384  
 385          // Set the post data that came from the input to the $post array.
 386          $updatepost = array(
 387              "pid" => $post['pid'],
 388              "tid" => $thread['tid'],
 389              "prefix" => $thread['prefix'],
 390              "subject" => $subject,
 391              "edit_uid" => $mybb->user['uid']
 392          );
 393          $posthandler->set_data($updatepost);
 394  
 395          // Now let the post handler do all the hard work.
 396          if(!$posthandler->validate_post())
 397          {
 398              $post_errors = $posthandler->get_friendly_errors();
 399              xmlhttp_error($post_errors);
 400          }
 401          // No errors were found, we can call the update method.
 402          else
 403          {
 404              $posthandler->update_post();
 405              if($ismod == true)
 406              {
 407                  $modlogdata = array(
 408                      "tid" => $thread['tid'],
 409                      "fid" => $forum['fid']
 410                  );
 411                  log_moderator_action($modlogdata, $lang->edited_post);
 412              }
 413          }
 414      }
 415  
 416      require_once  MYBB_ROOT."inc/class_parser.php";
 417      $parser = new postParser;
 418  
 419      // Send our headers.
 420      header("Content-type: application/json; charset={$charset}");
 421  
 422      $plugins->run_hooks("xmlhttp_edit_subject_end");
 423  
 424      $mybb->input['value'] = $parser->parse_badwords($mybb->get_input('value'));
 425  
 426      // Spit the subject back to the browser.
 427      $subject = substr($mybb->input['value'], 0, 120); // 120 is the varchar length for the subject column
 428      echo json_encode(array("subject" => '<a href="'.get_thread_link($thread['tid']).'">'.htmlspecialchars_uni($subject).'</a>'));
 429  
 430      // Close the connection.
 431      exit;
 432  }
 433  else if($mybb->input['action'] == "edit_post")
 434  {
 435      // Fetch the post from the database.
 436      $post = get_post($mybb->get_input('pid', MyBB::INPUT_INT));
 437  
 438      // No result, die.
 439      if(!$post || $post['visible'] == -1)
 440      {
 441          xmlhttp_error($lang->post_doesnt_exist);
 442      }
 443  
 444      // Fetch the thread associated with this post.
 445      $thread = get_thread($post['tid']);
 446  
 447      // Fetch the specific forum this thread/post is in.
 448      $forum = get_forum($thread['fid']);
 449  
 450      // Missing thread, invalid forum? Error.
 451      if(!$thread || !$forum || $forum['type'] != "f")
 452      {
 453          xmlhttp_error($lang->thread_doesnt_exist);
 454      }
 455  
 456      // Check if this forum is password protected and we have a valid password
 457      if(check_forum_password($forum['fid'], 0, true))
 458      {
 459          xmlhttp_error($lang->wrong_forum_password);
 460      }
 461  
 462      // Fetch forum permissions.
 463      $forumpermissions = forum_permissions($forum['fid']);
 464  
 465      $plugins->run_hooks("xmlhttp_edit_post_start");
 466  
 467      // If this user is not a moderator with "caneditposts" permissions.
 468      if(!is_moderator($forum['fid'], "caneditposts"))
 469      {
 470          // Thread is closed - no editing allowed.
 471          if($thread['closed'] == 1)
 472          {
 473              xmlhttp_error($lang->thread_closed_edit_message);
 474          }
 475          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 476          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0 || $mybb->user['suspendposting'] == 1)
 477          {
 478              xmlhttp_error($lang->no_permission_edit_post);
 479          }
 480          // If we're past the edit time limit - don't allow editing.
 481          else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60)))
 482          {
 483              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']);
 484              xmlhttp_error($lang->edit_time_limit);
 485          }
 486          // User can't edit unapproved post
 487          if($post['visible'] == 0)
 488          {
 489              xmlhttp_error($lang->post_moderation);
 490          }
 491      }
 492  
 493      $plugins->run_hooks("xmlhttp_edit_post_end");
 494  
 495      if($mybb->get_input('do') == "get_post")
 496      {
 497          // Send our headers.
 498          header("Content-type: application/json; charset={$charset}");
 499  
 500          // Send the contents of the post.
 501          echo json_encode($post['message']);
 502          exit;
 503      }
 504      else if($mybb->get_input('do') == "update_post")
 505      {
 506          // Verify POST request
 507          if(!verify_post_check($mybb->get_input('my_post_key'), true))
 508          {
 509              xmlhttp_error($lang->invalid_post_code);
 510          }
 511  
 512          $message = $mybb->get_input('value');
 513          $editreason = $mybb->get_input('editreason');
 514          if(my_strtolower($charset) != "utf-8")
 515          {
 516              if(function_exists("iconv"))
 517              {
 518                  $message = iconv($charset, "UTF-8//IGNORE", $message);
 519                  $editreason = iconv($charset, "UTF-8//IGNORE", $editreason);
 520              }
 521              else if(function_exists("mb_convert_encoding"))
 522              {
 523                  $message = @mb_convert_encoding($message, $charset, "UTF-8");
 524                  $editreason = @mb_convert_encoding($editreason, $charset, "UTF-8");
 525              }
 526              else if(my_strtolower($charset) == "iso-8859-1")
 527              {
 528                  $message = utf8_decode($message);
 529                  $editreason = utf8_decode($editreason);
 530              }
 531          }
 532  
 533          // Set up posthandler.
 534          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 535          $posthandler = new PostDataHandler("update");
 536          $posthandler->action = "post";
 537  
 538          // Set the post data that came from the input to the $post array.
 539          $updatepost = array(
 540              "pid" => $post['pid'],
 541              "message" => $message,
 542              "editreason" => $editreason,
 543              "edit_uid" => $mybb->user['uid']
 544          );
 545  
 546          // If this is the first post set the prefix. If a forum requires a prefix the quick edit would throw an error otherwise
 547          if($post['pid'] == $thread['firstpost'])
 548          {
 549              $updatepost['prefix'] = $thread['prefix'];
 550          }
 551  
 552          $posthandler->set_data($updatepost);
 553  
 554          // Now let the post handler do all the hard work.
 555          if(!$posthandler->validate_post())
 556          {
 557              $post_errors = $posthandler->get_friendly_errors();
 558              xmlhttp_error($post_errors);
 559          }
 560          // No errors were found, we can call the update method.
 561          else
 562          {
 563              $postinfo = $posthandler->update_post();
 564              $visible = $postinfo['visible'];
 565              if($visible == 0 && !is_moderator($post['fid'], "canviewunapprove"))
 566              {
 567                  // Is it the first post?
 568                  if($thread['firstpost'] == $post['pid'])
 569                  {
 570                      echo json_encode(array("moderation_thread" => $lang->thread_moderation, 'url' => $mybb->settings['bburl'].'/'.get_forum_link($thread['fid']), "message" => $post['message']));
 571                      exit;
 572                  }
 573                  else
 574                  {
 575                      echo json_encode(array("moderation_post" => $lang->post_moderation, 'url' => $mybb->settings['bburl'].'/'.get_thread_link($thread['tid']), "message" => $post['message']));
 576                      exit;
 577                  }
 578              }
 579          }
 580  
 581          require_once  MYBB_ROOT."inc/class_parser.php";
 582          $parser = new postParser;
 583  
 584          $parser_options = array(
 585              "allow_html" => $forum['allowhtml'],
 586              "allow_mycode" => $forum['allowmycode'],
 587              "allow_smilies" => $forum['allowsmilies'],
 588              "allow_imgcode" => $forum['allowimgcode'],
 589              "allow_videocode" => $forum['allowvideocode'],
 590              "me_username" => $post['username'],
 591              "filter_badwords" => 1
 592          );
 593  
 594          $post['username'] = htmlspecialchars_uni($post['username']);
 595  
 596          if($post['smilieoff'] == 1)
 597          {
 598              $parser_options['allow_smilies'] = 0;
 599          }
 600  
 601          if($mybb->user['showimages'] != 1 && $mybb->user['uid'] != 0 || $mybb->settings['guestimages'] != 1 && $mybb->user['uid'] == 0)
 602          {
 603              $parser_options['allow_imgcode'] = 0;
 604          }
 605  
 606          if($mybb->user['showvideos'] != 1 && $mybb->user['uid'] != 0 || $mybb->settings['guestvideos'] != 1 && $mybb->user['uid'] == 0)
 607          {
 608              $parser_options['allow_videocode'] = 0;
 609          }
 610  
 611          $post['message'] = $parser->parse_message($message, $parser_options);
 612  
 613          // Now lets fetch all of the attachments for these posts.
 614          if($mybb->settings['enableattachments'] != 0)
 615          {
 616              $query = $db->simple_select("attachments", "*", "pid='{$post['pid']}'");
 617              while($attachment = $db->fetch_array($query))
 618              {
 619                  $attachcache[$attachment['pid']][$attachment['aid']] = $attachment;
 620              }
 621  
 622              require_once  MYBB_ROOT."inc/functions_post.php";
 623  
 624              get_post_attachments($post['pid'], $post);
 625          }
 626  
 627          // Figure out if we need to show an "edited by" message
 628          // Only show if at least one of "showeditedby" or "showeditedbyadmin" is enabled
 629          if($mybb->settings['showeditedby'] != 0 && $mybb->settings['showeditedbyadmin'] != 0)
 630          {
 631              $post['editdate'] = my_date('relative', TIME_NOW);
 632              $post['editnote'] = $lang->sprintf($lang->postbit_edited, $post['editdate']);
 633              $mybb->user['username'] = htmlspecialchars_uni($mybb->user['username']);
 634              $post['editedprofilelink'] = build_profile_link($mybb->user['username'], $mybb->user['uid']);
 635              $post['editreason'] = trim($editreason);
 636              $editreason = "";
 637              if($post['editreason'] != "")
 638              {
 639                  $post['editreason'] = $parser->parse_badwords($post['editreason']);
 640                  $post['editreason'] = htmlspecialchars_uni($post['editreason']);
 641                  eval("\$editreason = \"".$templates->get("postbit_editedby_editreason")."\";");
 642              }
 643              eval("\$editedmsg = \"".$templates->get("postbit_editedby")."\";");
 644          }
 645  
 646          // Send our headers.
 647          header("Content-type: application/json; charset={$charset}");
 648  
 649          $editedmsg_response = null;
 650          if($editedmsg)
 651          {
 652              $editedmsg_response = str_replace(array("\r", "\n"), "", $editedmsg);
 653          }
 654  
 655          $plugins->run_hooks("xmlhttp_update_post");
 656  
 657          echo json_encode(array("message" => $post['message']."\n", "editedmsg" => $editedmsg_response));
 658          exit;
 659      }
 660  }
 661  // Fetch the list of multiquoted posts which are not in a specific thread
 662  else if($mybb->input['action'] == "get_multiquoted")
 663  {
 664      // If the cookie does not exist, exit
 665      if(!array_key_exists("multiquote", $mybb->cookies))
 666      {
 667          exit;
 668      }
 669      // Divide up the cookie using our delimeter
 670      $multiquoted = explode("|", $mybb->cookies['multiquote']);
 671  
 672      $plugins->run_hooks("xmlhttp_get_multiquoted_start");
 673  
 674      // No values - exit
 675      if(!is_array($multiquoted))
 676      {
 677          exit;
 678      }
 679  
 680      // Loop through each post ID and sanitize it before querying
 681      foreach($multiquoted as $post)
 682      {
 683          $quoted_posts[$post] = (int)$post;
 684      }
 685  
 686      // Join the post IDs back together
 687      $quoted_posts = implode(",", $quoted_posts);
 688  
 689      // Fetch unviewable forums
 690      $unviewable_forums = get_unviewable_forums();
 691      $inactiveforums = get_inactive_forums();
 692      if($unviewable_forums)
 693      {
 694          $unviewable_forums = "AND t.fid NOT IN ({$unviewable_forums})";
 695      }
 696      if($inactiveforums)
 697      {
 698          $inactiveforums = "AND t.fid NOT IN ({$inactiveforums})";
 699      }
 700  
 701      // Check group permissions if we can't view threads not started by us
 702      $group_permissions = forum_permissions();
 703      $onlyusfids = array();
 704      foreach($group_permissions as $gpfid => $forum_permissions)
 705      {
 706          if(isset($forum_permissions['canonlyviewownthreads']) && $forum_permissions['canonlyviewownthreads'] == 1)
 707          {
 708              $onlyusfids[] = $gpfid;
 709          }
 710      }
 711  
 712      $message = '';
 713  
 714      // Are we loading all quoted posts or only those not in the current thread?
 715      if(empty($mybb->input['load_all']))
 716      {
 717          $from_tid = "p.tid != '".$mybb->get_input('tid', MyBB::INPUT_INT)."' AND ";
 718      }
 719      else
 720      {
 721          $from_tid = '';
 722      }
 723  
 724      require_once  MYBB_ROOT."inc/class_parser.php";
 725      $parser = new postParser;
 726  
 727      require_once  MYBB_ROOT."inc/functions_posting.php";
 728  
 729      $plugins->run_hooks("xmlhttp_get_multiquoted_intermediate");
 730  
 731      // Query for any posts in the list which are not within the specified thread
 732      $query = $db->query("
 733          SELECT p.subject, p.message, p.pid, p.tid, p.username, p.dateline, t.fid, t.uid AS thread_uid, p.visible, u.username AS userusername
 734          FROM ".TABLE_PREFIX."posts p
 735          LEFT JOIN ".TABLE_PREFIX."threads t ON (t.tid=p.tid)
 736          LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=p.uid)
 737          WHERE {$from_tid}p.pid IN ({$quoted_posts}) {$unviewable_forums} {$inactiveforums}
 738          ORDER BY p.dateline
 739      ");
 740      while($quoted_post = $db->fetch_array($query))
 741      {
 742          if(
 743              (!is_moderator($quoted_post['fid'], "canviewunapprove") && $quoted_post['visible'] == 0) ||
 744              (!is_moderator($quoted_post['fid'], "canviewdeleted") && $quoted_post['visible'] == -1) ||
 745              (in_array($quoted_post['fid'], $onlyusfids) && (!$mybb->user['uid'] || $quoted_post['thread_uid'] != $mybb->user['uid']))
 746          )
 747          {
 748              continue;
 749          }
 750  
 751          $message .= parse_quoted_message($quoted_post, false);
 752      }
 753      if($mybb->settings['maxquotedepth'] != '0')
 754      {
 755          $message = remove_message_quotes($message);
 756      }
 757  
 758      // Send our headers.
 759      header("Content-type: application/json; charset={$charset}");
 760  
 761      $plugins->run_hooks("xmlhttp_get_multiquoted_end");
 762  
 763      echo json_encode(array("message" => $message));
 764      exit;
 765  }
 766  else if($mybb->input['action'] == "refresh_captcha")
 767  {
 768      $imagehash = $db->escape_string($mybb->get_input('imagehash'));
 769      $query = $db->simple_select("captcha", "dateline", "imagehash='$imagehash'");
 770      if($db->num_rows($query) == 0)
 771      {
 772          xmlhttp_error($lang->captcha_not_exists);
 773      }
 774      $db->delete_query("captcha", "imagehash='$imagehash'");
 775      $randomstr = random_str(5);
 776      $imagehash = md5(random_str(12));
 777      $regimagearray = array(
 778          "imagehash" => $imagehash,
 779          "imagestring" => $randomstr,
 780          "dateline" => TIME_NOW
 781      );
 782  
 783      $plugins->run_hooks("xmlhttp_refresh_captcha");
 784  
 785      $db->insert_query("captcha", $regimagearray);
 786      header("Content-type: application/json; charset={$charset}");
 787      echo json_encode(array("imagehash" => $imagehash));
 788      exit;
 789  }
 790  else if($mybb->input['action'] == "validate_captcha")
 791  {
 792      header("Content-type: application/json; charset={$charset}");
 793      $imagehash = $db->escape_string($mybb->get_input('imagehash'));
 794      $query = $db->simple_select("captcha", "imagestring", "imagehash='$imagehash'");
 795      if($db->num_rows($query) == 0)
 796      {
 797          echo json_encode($lang->captcha_valid_not_exists);
 798          exit;
 799      }
 800      $imagestring = $db->fetch_field($query, 'imagestring');
 801  
 802      $plugins->run_hooks("xmlhttp_validate_captcha");
 803  
 804      if(my_strtolower($imagestring) == my_strtolower($mybb->get_input('imagestring')))
 805      {
 806          //echo json_encode(array("success" => $lang->captcha_matches));
 807          echo json_encode("true");
 808          exit;
 809      }
 810      else
 811      {
 812          echo json_encode($lang->captcha_does_not_match);
 813          exit;
 814      }
 815  }
 816  else if($mybb->input['action'] == "refresh_question" && $mybb->settings['securityquestion'])
 817  {
 818      header("Content-type: application/json; charset={$charset}");
 819  
 820      $sid = $db->escape_string($mybb->get_input('question_id'));
 821      $query = $db->query("
 822          SELECT q.qid, s.sid
 823          FROM ".TABLE_PREFIX."questionsessions s
 824          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 825          WHERE q.active='1' AND s.sid='{$sid}'
 826      ");
 827  
 828      if($db->num_rows($query) == 0)
 829      {
 830          xmlhttp_error($lang->answer_valid_not_exists);
 831      }
 832  
 833      $qsession = $db->fetch_array($query);
 834  
 835      // Delete previous question session
 836      $db->delete_query("questionsessions", "sid='$sid'");
 837  
 838      require_once  MYBB_ROOT."inc/functions_user.php";
 839  
 840      $sid = generate_question($qsession['qid']);
 841      $query = $db->query("
 842          SELECT q.question, s.sid
 843          FROM ".TABLE_PREFIX."questionsessions s
 844          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 845          WHERE q.active='1' AND s.sid='{$sid}' AND q.qid!='{$qsession['qid']}'
 846      ");
 847  
 848      $plugins->run_hooks("xmlhttp_refresh_question");
 849  
 850      if($db->num_rows($query) > 0)
 851      {
 852          $question = $db->fetch_array($query);
 853  
 854          echo json_encode(array("question" => htmlspecialchars_uni($question['question']), 'sid' => htmlspecialchars_uni($question['sid'])));
 855          exit;
 856      }
 857      else
 858      {
 859          xmlhttp_error($lang->answer_valid_not_exists);
 860      }
 861  }
 862  elseif($mybb->input['action'] == "validate_question" && $mybb->settings['securityquestion'])
 863  {
 864      header("Content-type: application/json; charset={$charset}");
 865      $sid = $db->escape_string($mybb->get_input('question'));
 866      $answer = $db->escape_string($mybb->get_input('answer'));
 867  
 868      $query = $db->query("
 869          SELECT q.*, s.sid
 870          FROM ".TABLE_PREFIX."questionsessions s
 871          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 872          WHERE q.active='1' AND s.sid='{$sid}'
 873      ");
 874  
 875      if($db->num_rows($query) == 0)
 876      {
 877          echo json_encode($lang->answer_valid_not_exists);
 878          exit;
 879      }
 880      else
 881      {
 882          $question = $db->fetch_array($query);
 883          $valid_answers = preg_split("/\r\n|\n|\r/", $question['answer']);
 884          $validated = 0;
 885  
 886          foreach($valid_answers as $answers)
 887          {
 888              if(my_strtolower($answers) == my_strtolower($answer))
 889              {
 890                  $validated = 1;
 891              }
 892          }
 893  
 894          $plugins->run_hooks("xmlhttp_validate_question");
 895  
 896          if($validated != 1)
 897          {
 898              echo json_encode($lang->answer_does_not_match);
 899              exit;
 900          }
 901          else
 902          {
 903              echo json_encode("true");
 904              exit;
 905          }
 906      }
 907  
 908      exit;
 909  }
 910  else if($mybb->input['action'] == "complex_password")
 911  {
 912      $password = trim($mybb->get_input('password'));
 913      $password = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $password);
 914  
 915      header("Content-type: application/json; charset={$charset}");
 916  
 917      $plugins->run_hooks("xmlhttp_complex_password");
 918  
 919      if(!preg_match("/^.*(?=.{".$mybb->settings['minpasswordlength'].",})(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$/", $password))
 920      {
 921          echo json_encode($lang->complex_password_fails);
 922      }
 923      else
 924      {
 925          // Return nothing but an OK password if passes regex
 926          echo json_encode("true");
 927      }
 928  
 929      exit;
 930  }
 931  else if($mybb->input['action'] == "username_availability")
 932  {
 933      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 934      {
 935          xmlhttp_error($lang->invalid_post_code);
 936      }
 937  
 938      require_once  MYBB_ROOT."inc/functions_user.php";
 939      $username = $mybb->get_input('username');
 940  
 941      // Fix bad characters
 942      $username = trim_blank_chrs($username);
 943      $username = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $username);
 944  
 945      // Remove multiple spaces from the username
 946      $username = preg_replace("#\s{2,}#", " ", $username);
 947  
 948      header("Content-type: application/json; charset={$charset}");
 949  
 950      if(empty($username))
 951      {
 952          echo json_encode($lang->banned_characters_username);
 953          exit;
 954      }
 955  
 956      // Check if the username belongs to the list of banned usernames.
 957      $banned_username = is_banned_username($username, true);
 958      if($banned_username)
 959      {
 960          echo json_encode($lang->banned_username);
 961          exit;
 962      }
 963  
 964      // Check for certain characters in username (<, >, &, and slashes)
 965      if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
 966      {
 967          echo json_encode($lang->banned_characters_username);
 968          exit;
 969      }
 970  
 971      // Check if the username is actually already in use
 972      $user = get_user_by_username($username);
 973  
 974      $plugins->run_hooks("xmlhttp_username_availability");
 975  
 976      if($user['uid'])
 977      {
 978          $lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
 979          echo json_encode($lang->username_taken);
 980          exit;
 981      }
 982      else
 983      {
 984          //$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
 985          echo json_encode("true");
 986          exit;
 987      }
 988  }
 989  else if($mybb->input['action'] == "email_availability")
 990  {
 991      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 992      {
 993          xmlhttp_error($lang->invalid_post_code);
 994      }
 995  
 996      require_once  MYBB_ROOT."inc/datahandlers/user.php";
 997      $userhandler = new UserDataHandler("insert");
 998  
 999      $email = $mybb->get_input('email');
1000  
1001      header("Content-type: application/json; charset={$charset}");
1002  
1003      $user = array(
1004          'email' => $email
1005      );
1006  
1007      $userhandler->set_data($user);
1008  
1009      $errors = array();
1010  
1011      if(!$userhandler->verify_email())
1012      {
1013          $errors = $userhandler->get_friendly_errors();
1014      }
1015  
1016      $plugins->run_hooks("xmlhttp_email_availability");
1017  
1018      if(!empty($errors))
1019      {
1020          echo json_encode($errors[0]);
1021          exit;
1022      }
1023      else
1024      {
1025          echo json_encode("true");
1026          exit;
1027      }
1028  }
1029  else if($mybb->input['action'] == "get_buddyselect")
1030  {
1031      // Send our headers.
1032      header("Content-type: text/plain; charset={$charset}");
1033  
1034      if($mybb->user['buddylist'] != "")
1035      {
1036          $query_options = array(
1037              "order_by" => "username",
1038              "order_dir" => "asc"
1039          );
1040  
1041          $plugins->run_hooks("xmlhttp_get_buddyselect_start");
1042  
1043          $timecut = TIME_NOW - $mybb->settings['wolcutoff'];
1044          $query = $db->simple_select("users", "uid, username, usergroup, displaygroup, lastactive, lastvisit, invisible", "uid IN ({$mybb->user['buddylist']})", $query_options);
1045          $online = array();
1046          $offline = array();
1047          while($buddy = $db->fetch_array($query))
1048          {
1049              $buddy['username'] = htmlspecialchars_uni($buddy['username']);
1050              $buddy_name = format_name($buddy['username'], $buddy['usergroup'], $buddy['displaygroup']);
1051              $profile_link = build_profile_link($buddy_name, $buddy['uid'], '_blank');
1052              if($buddy['lastactive'] > $timecut && ($buddy['invisible'] == 0 || $mybb->user['usergroup'] == 4) && $buddy['lastvisit'] != $buddy['lastactive'])
1053              {
1054                  eval("\$online[] = \"".$templates->get("xmlhttp_buddyselect_online")."\";");
1055              }
1056              else
1057              {
1058                  eval("\$offline[] = \"".$templates->get("xmlhttp_buddyselect_offline")."\";");
1059              }
1060          }
1061          $online = implode("", $online);
1062          $offline = implode("", $offline);
1063  
1064          $plugins->run_hooks("xmlhttp_get_buddyselect_end");
1065  
1066          eval("\$buddy_select = \"".$templates->get("xmlhttp_buddyselect")."\";");
1067          echo $buddy_select;
1068      }
1069      else
1070      {
1071          xmlhttp_error($lang->buddylist_error);
1072      }
1073  }
1074  
1075  /**
1076   * Spits an XML Http based error message back to the browser
1077   *
1078   * @param string $message The message to send back.
1079   */
function xmlhttp_error($message)
{
	global $charset;

	// Every response from this script is JSON; $charset is the global the
	// bootstrap set up for the current language.
	header("Content-type: application/json; charset={$charset}");

	// A list of messages is re-collected into a fresh, sequentially indexed
	// array before it is sent; a lone string is sent as-is. Note the two
	// shapes differ: a list ends up one level deeper ({"errors":[[...]]})
	// than a single string ({"errors":["..."]}) — consumers must handle both.
	// The messages are emitted verbatim; nothing here HTML-escapes them, so
	// the caller is responsible for passing safe (e.g. $lang) strings.
	$payload = is_array($message) ? array_values($message) : $message;

	echo json_encode(array("errors" => array($payload)));

	// Nothing else may follow an error response.
	exit;
}

