From 86d00621b56c276c0f5547c463a6968fb84e75b6 Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 05:06:12 +0300 Subject: [PATCH 1/9] Cleanup doc. Signed-off-by: Norv --- sources/controllers/Groups.controller.php | 5 +++-- sources/subs/Membergroups.subs.php | 25 +++++++++++++++-------- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/sources/controllers/Groups.controller.php b/sources/controllers/Groups.controller.php index 5e471b969a..27b63e0353 100644 --- a/sources/controllers/Groups.controller.php +++ b/sources/controllers/Groups.controller.php @@ -190,7 +190,7 @@ function action_grouplist() } /** - * Display members of a group, and allow adding of members to a group. Silly function name though ;) + * Display members of a group, and allow adding of members to a group. * It can be called from ManageMembergroups if it needs templating within the admin environment. * It shows a list of members that are part of a given membergroup. * It is called by ?action=moderate;area=viewgroups;sa=members;group=x @@ -199,7 +199,6 @@ function action_grouplist() * It allows sorting on several columns. * It redirects to itself. * @uses ManageMembergroups template, group_members sub template. - * @todo: use createList */ function action_groupmembers() { @@ -237,6 +236,8 @@ function action_groupmembers() ); $context['can_send_email'] = allowedTo('send_email_to_members'); + // @todo: use createList + // Load all the group moderators, for fun. $request = $db->query('', ' SELECT mem.id_member, mem.real_name diff --git a/sources/subs/Membergroups.subs.php b/sources/subs/Membergroups.subs.php index 64ef2e47b7..2511058b82 100644 --- a/sources/subs/Membergroups.subs.php +++ b/sources/subs/Membergroups.subs.php 
@@ -27,7 +27,9 @@ * Has protection against deletion of protected membergroups. * Deletes the permissions linked to the membergroup. * Takes members out of the deleted membergroups. + * * @param array $groups + * * @return boolean */ function deleteMembergroups($groups) @@ -151,6 +153,8 @@ function deleteMembergroups($groups) 'additional_groups_explode' => implode(', additional_groups) != 0 OR FIND_IN_SET(', $groups), ) ); + + // Update each member information. $updates = array(); while ($row = $db->fetch_assoc($request)) $updates[$row['additional_groups']][] = $row['id_member']; @@ -204,9 +208,11 @@ function deleteMembergroups($groups) * Requires the manage_membergroups permission. * Function includes a protection against removing from implicit groups. * Non-admins are not able to remove members from the admin group. + * * @param array $members * @param array $groups = null if groups is null, the specified members are stripped from all their membergroups. * @param bool $permissionCheckDone = false + * * @return boolean */ function removeMembersFromGroups($members, $groups = null, $permissionCheckDone = false) @@ -250,9 +256,10 @@ function removeMembersFromGroups($members, $groups = null, $permissionCheckDone // Just in case. if (empty($members)) return false; - elseif ($groups === null) + + // Wanna remove all groups from these members? That's easy. + if ($groups === null) { - // Wanna remove all groups from these members? That's easy. $db->query('', ' UPDATE {db_prefix}members SET 
@@ -406,11 +413,11 @@ function removeMembersFromGroups($members, $groups = null, $permissionCheckDone } /** - * Add one or more members to a membergroup + * Add one or more members to a membergroup. * * Requires the manage_membergroups permission. * Function has protection against adding members to implicit groups. - * Non-admins are not able to add members to the admin group. + * Non-admins cannot add members to the admin group, or protected groups. * * @param string|array $members * @param int $group @@ -425,7 +432,8 @@ function removeMembersFromGroups($members, $groups = null, $permissionCheckDone * what the previous primary membergroup was. * - auto - Assigns a membergroup to the primary group if it's still * available. If not, assign it to the additional group. - * @param bool $permissionCheckDone + * @param bool $permissionCheckDone = false if true, it checks permission of the current user to add groups ('manage_membergroups') + * * @return boolean success or failure */ function addMembersToGroup($members, $group, $type = 'auto', $permissionCheckDone = false) @@ -545,17 +553,18 @@ function addMembersToGroup($members, $group, $type = 'auto', $permissionCheckDon } /** - * Gets the members of a supplied membergroup - * Returns them as a link for display + * Gets the members of a supplied membergroup. + * Returns them as a link for display. * * @param array &$members * @param int $membergroup * @param int $limit = null + * * @return boolean */ function listMembergroupMembers_Href(&$members, $membergroup, $limit = null) { - global $scripturl, $txt; + global $scripturl; $db = database(); From a6cd126a2ed318a83989cc8ca4334619f601f915 Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 05:19:01 +0300 Subject: [PATCH 2/9] addMembersToGroups() was not checking protected groups. Small doc updates. Signed-off-by: Norv --- sources/subs/Membergroups.subs.php | 31 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) 
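Review bot: The reworded `@param bool $permissionCheckDone = false if true, it checks permission of the current user to add groups ('manage_membergroups')` reads as the opposite of what the parameter name implies: a flag called "check done" normally means true when the caller has already verified the permission, so the function skips the check. The body that reads the flag starts outside this hunk, so confirm which way it goes before merging; if the name is right, the line should read `@param bool $permissionCheckDone = false if true, the caller has already verified 'manage_membergroups' and the check is skipped`. The same wording question applies to the `$permissionCheckDone` line in the removeMembersFromGroups() docblock earlier in this patch.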
diff --git a/sources/subs/Membergroups.subs.php b/sources/subs/Membergroups.subs.php index 2511058b82..2922b12449 100644 --- a/sources/subs/Membergroups.subs.php +++ b/sources/subs/Membergroups.subs.php @@ -480,7 +480,7 @@ function addMembersToGroup($members, $group, $type = 'auto', $permissionCheckDon // ... and assign protected groups! elseif (!allowedTo('admin_forum')) { - $is_protected = membergroupsById($group); + $is_protected = membergroupsById($group, 1, false, false, true); // Is it protected? if ($is_protected['group_type'] == 1) @@ -740,10 +740,10 @@ function list_getMembergroups($start, $items_per_page, $sort, $membergroup_type, /** * Count the number of members in specific groups * - * @param array $postGroups an array of post-based groups id - * @param array $normalGroups an array of normal groups id - * @param bool $include_hidden if include hidden groups in the count (default false) - * @param bool $include_moderators if include board moderators too (default false) + * @param array $postGroups an array of post-based groups id. + * @param array $normalGroups = array() an array of normal groups id. + * @param bool $include_hidden = false if true, it includes hidden groups in the count (default false). + * @param bool $include_moderators = false if true, it includes board moderators too (default false). */ function membersInGroups($postGroups, $normalGroups = array(), $include_hidden = false, $include_moderators = false) { 
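Review bot: The guard `if ($is_protected['group_type'] == 1)` fails open when the lookup returns nothing: membergroupsById() returns `false` for an empty id (its `if (empty($group_ids)) return false;` is in the next hunk of this patch) and presumably an empty result for an id with no row, and indexing either yields null, so a non-admin passing an unknown group id skips the protected-group check and continues into the code that follows outside the hunk. Treating a missing row like a protected one is the safer default for non-admins, e.g. `if (empty($is_protected) || $is_protected['group_type'] == 1)`. Whether `$limit = 1` returns one row or a one-element list is not visible here, so also confirm the indexing matches the return shape.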
@@ -832,22 +832,23 @@ function membersInGroups($postGroups, $normalGroups = array(), $include_hidden = /** * Returns details of membergroups based on the id * - * @param array/int $group_id the ID of the groups - * @param integer $limit the number of results returned (default 1, if null/false/0 returns all) - * @param array/string $detailed returns more fields default false, - * - false returns: id_group, group_name, group_type, - * - true adds to above: description, min_posts, online_color, max_messages, icons, hidden, id_parent - * @param bool $assignable determine if the group is assignable or not and return that information - * @param bool $protected include protected groups + * @param array/int $group_ids the IDs of the groups. + * @param integer $limit = 1 the number of results returned (default 1, if null/false/0 returns all). + * @param bool $detailed = false if true then it returns more fields (default false). + * false returns: id_group, group_name, group_type. + * true adds to above: description, min_posts, online_color, max_messages, icons, hidden, id_parent. + * @param bool $assignable = false determine if the group is assignable or not and return that information. + * @param bool $protected = false if true, it includes protected groups in the result. */ -function membergroupsById($group_id, $limit = 1, $detailed = false, $assignable = false, $protected = false) +function membergroupsById($group_ids, $limit = 1, $detailed = false, $assignable = false, $protected = false) { $db = database(); - if (!isset($group_id)) + if (empty($group_ids)) return false; - $group_ids = is_array($group_id) ? $group_id : array($group_id); + if (!is_array($group_ids)) + $group_ids = array($group_ids); $groups = array(); $group_ids = array_map('intval', $group_ids); From 0a0fc830ebdf768c68182794d6d6a487203c408d Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 05:41:20 +0300 Subject: [PATCH 3/9] Remove require_once for Logging.php, it's always loaded, even in SSI. 
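Review bot: `@param array/int $group_ids` is not a type notation static analysers understand; `@param int|int[] $group_ids the IDs of the groups.` matches what the body does (`is_array` test, then `array_map('intval', ...)`). The new `empty($group_ids)` early return also rejects `0`, `'0'` and `array()`, which the old `isset` did not, and that is the right call since the intval mapping would otherwise query for group 0; it is worth a one-line comment, `// Nothing to look up (also catches id 0).`, so the next reader does not "fix" it back to isset. The `@return` for the false case is only added in a later patch of this series, so this docblock is incomplete on its own.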
Signed-off-by: Norv --- install/upgrade.php | 1 + sources/admin/ManageMembers.php | 1 - sources/controllers/Profile.controller.php | 1 - sources/controllers/ProfileSubscriptions.controller.php | 1 - sources/subs/Membergroups.subs.php | 3 --- sources/subs/Members.subs.php | 3 +-- sources/subs/Profile.subs.php | 5 +---- 7 files changed, 3 insertions(+), 12 deletions(-) diff --git a/install/upgrade.php b/install/upgrade.php index 13c1a31c2a..9e801aaef9 100644 --- a/install/upgrade.php +++ b/install/upgrade.php @@ -165,6 +165,7 @@ require_once(SUBSDIR . '/Cache.subs.php'); require_once(SOURCEDIR . '/Security.php'); require_once(SUBSDIR . '/Package.subs.php'); + require_once(SUBSDIR . '/Util.class.php'); loadUserSettings(); loadPermissions(); diff --git a/sources/admin/ManageMembers.php b/sources/admin/ManageMembers.php index 98216fce68..0f746aca99 100644 --- a/sources/admin/ManageMembers.php +++ b/sources/admin/ManageMembers.php @@ -1141,7 +1141,6 @@ public function action_approve() { $log_action = $_POST['todo'] == 'remind' ? 'remind_member' : 'approve_member'; - require_once(SOURCEDIR . '/Logging.php'); foreach ($member_info as $member) logAction($log_action, array('member' => $member['id']), 'admin'); } diff --git a/sources/controllers/Profile.controller.php b/sources/controllers/Profile.controller.php index 9b452c1385..ca663aab52 100644 --- a/sources/controllers/Profile.controller.php +++ b/sources/controllers/Profile.controller.php @@ -604,7 +604,6 @@ function action_modifyprofile() if (!empty($context['log_changes']) && !empty($modSettings['modlog_enabled'])) { $log_changes = array(); - require_once(SOURCEDIR . '/Logging.php'); foreach ($context['log_changes'] as $k => $v) $log_changes[] = array( 'action' => $k, diff --git a/sources/controllers/ProfileSubscriptions.controller.php b/sources/controllers/ProfileSubscriptions.controller.php index 466c41188a..f9543e4c0e 100644 --- a/sources/controllers/ProfileSubscriptions.controller.php 
+++ b/sources/controllers/ProfileSubscriptions.controller.php @@ -312,7 +312,6 @@ function action_activateaccount() updateMemberData($context['id_member'], array('is_activated' => $user_profile[$memID]['is_activated'] >= 10 ? 11 : 1, 'validation_code' => '')); // Log what we did? - require_once(SOURCEDIR . '/Logging.php'); logAction('approve_member', array('member' => $memID), 'admin'); // If we are doing approval, update the stats for the member just in case. diff --git a/sources/subs/Membergroups.subs.php b/sources/subs/Membergroups.subs.php index 2922b12449..560be897ee 100644 --- a/sources/subs/Membergroups.subs.php +++ b/sources/subs/Membergroups.subs.php @@ -402,11 +402,8 @@ function removeMembersFromGroups($members, $groups = null, $permissionCheckDone // Do the log. if (!empty($log_inserts) && !empty($modSettings['modlog_enabled'])) - { - require_once(SOURCEDIR . '/Logging.php'); foreach ($log_inserts as $extra) logAction('removed_from_group', $extra, 'admin'); - } // Mission successful. return true; diff --git a/sources/subs/Members.subs.php b/sources/subs/Members.subs.php index f194595c3e..4af3bf5b67 100644 --- a/sources/subs/Members.subs.php +++ b/sources/subs/Members.subs.php @@ -416,7 +416,6 @@ function deleteMembers($users, $check_not_admin = false) updateStats('member'); - require_once(SOURCEDIR . '/Logging.php'); logActions($log_changes); } @@ -1007,7 +1006,7 @@ function groupsAllowedTo($permission, $board_id = null) { require_once(SUBSDIR . '/Boards.subs.php'); $board_data = fetchBoardsInfo(array('boards' => $board_id), array('selects' => 'permissions')); - + if (empty($board_data)) fatal_lang_error('no_board'); $profile_id = $board_data['id_profile']; diff --git a/sources/subs/Profile.subs.php b/sources/subs/Profile.subs.php index 1f4a323afc..c571bd9580 100644 --- a/sources/subs/Profile.subs.php +++ b/sources/subs/Profile.subs.php 
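Review bot: Dropping the braces in removeMembersFromGroups() leaves `if (...) foreach (...) logAction(...)` as two nested brace-less statements, which is exactly the shape where a later "add one more line to the logging" edit silently changes scope. The file keeps braces around other multi-line bodies in this series (`if ($groups === null) {`), so keeping `{ }` around the foreach would be consistent; the same applies to the makeCustomFieldChanges() hunk in Profile.subs.php in this patch. The removal of the require_once lines rests on the commit message's claim that Logging.php is always loaded; a short comment at the first logAction() call in each file, `// Logging.php is loaded by the bootstrap, including SSI.`, records that assumption where the next maintainer will look.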
@@ -31,7 +31,7 @@ function currentMemberID($fatal = true, $reload_id = false) global $user_info; static $memID; - // If we already + // If we already if (isset($memID) && !$reload_id) return $memID; @@ -1508,10 +1508,7 @@ function makeCustomFieldChanges($memID, $area, $sanitize = true) array('id_theme', 'variable', 'id_member') ); if (!empty($log_changes) && !empty($modSettings['modlog_enabled'])) - { - require_once(SOURCEDIR . '/Logging.php'); logActions($log_changes); - } } } From b9242d8192f0a91fb9c7aeeb486f66c209ca0acd Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 05:55:01 +0300 Subject: [PATCH 4/9] Wrong parameter order for assignGroupToBoards(). Small docs cleanups. Signed-off-by: Norv --- sources/admin/ManageMembergroups.php | 2 +- sources/subs/Membergroups.subs.php | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/sources/admin/ManageMembergroups.php b/sources/admin/ManageMembergroups.php index 77b7fa6b56..c332ac63f2 100644 --- a/sources/admin/ManageMembergroups.php +++ b/sources/admin/ManageMembergroups.php @@ -433,7 +433,7 @@ public function action_add() { // Only do this if they have special access requirements. if (!empty($changed_boards[$board_action])) - assignGroupToBoards($changed_boards, $id_group, $board_action); + assignGroupToBoards($id_group, $changed_boards, $board_action); } // If this is joinable then set it to show group membership in people's profiles. diff --git a/sources/subs/Membergroups.subs.php b/sources/subs/Membergroups.subs.php index 560be897ee..41df95218e 100644 --- a/sources/subs/Membergroups.subs.php +++ b/sources/subs/Membergroups.subs.php 
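Review bot: The corrected call `assignGroupToBoards($id_group, $changed_boards, $board_action)` still passes the whole `$changed_boards` map even though the guard on the line above checks `$changed_boards[$board_action]`; unless assignGroupToBoards() indexes by access list itself (its body is not visible in this series beyond `$db = database();`), the intended argument is probably `assignGroupToBoards($id_group, $changed_boards[$board_action], $board_action);`. Confirm against the function body before merging, since passing the wrong shape would assign no boards, or the wrong ones, without an error.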
@@ -741,6 +741,8 @@ function list_getMembergroups($start, $items_per_page, $sort, $membergroup_type, * @param array $normalGroups = array() an array of normal groups id. * @param bool $include_hidden = false if true, it includes hidden groups in the count (default false). * @param bool $include_moderators = false if true, it includes board moderators too (default false). + * + * @return array */ function membersInGroups($postGroups, $normalGroups = array(), $include_hidden = false, $include_moderators = false) { @@ -836,6 +838,8 @@ function membersInGroups($postGroups, $normalGroups = array(), $include_hidden = * true adds to above: description, min_posts, online_color, max_messages, icons, hidden, id_parent. * @param bool $assignable = false determine if the group is assignable or not and return that information. * @param bool $protected = false if true, it includes protected groups in the result. + * + * @return array|false */ function membergroupsById($group_ids, $limit = 1, $detailed = false, $assignable = false, $protected = false) { @@ -904,7 +908,8 @@ function membergroupsById($group_ids, $limit = 1, $detailed = false, $assignable * @param array $excludes * @param string $sort_order * @param bool $split, splits postgroups and membergroups - * @return type + * + * @return array */ function getBasicMembergroupData($includes = array(), $excludes = array(), $sort_order = null, $split = null) { @@ -1024,6 +1029,7 @@ function getBasicMembergroupData($includes = array(), $excludes = array(), $sort * Retrieve groups and their number of members. * * @param array $groupList + * * @return array with ('id', 'name', 'member_count') */ function getGroups($groupList) @@ -1049,7 +1055,6 @@ function getGroups($groupList) GROUP BY mg.id_group', array( 'group_list' => $groups, - 'newbie_id_group' => 4, ) ); while ($row = $db->fetch_assoc($request)) 
@@ -1238,7 +1243,10 @@ function updateInheritedGroup($id_group, $copy_id) } /** - * Updates the membergroup with the given information. + * This function updates the membergroup with the given information. + * It's passed an associative array $properties, with 'current_group' holding + * the group to update. The rest of the keys are details to update it with. + * * @param array $properties */ function updateMembergroupProperties($properties) @@ -1271,6 +1279,7 @@ function updateMembergroupProperties($properties) /** * Detaches a membergroup from the boards listed in $boards. + * * @param int $id_group * @param array $boards * @param array $access_list @@ -1279,7 +1288,7 @@ function detachGroupFromBoards($id_group, $boards, $access_list) { $db = database(); - // Find all board this group is in, but shouldn't be in. + // Find all boards in whose access list this group is in, but shouldn't be. $request = $db->query('', ' SELECT id_board, {raw:column} FROM {db_prefix}boards @@ -1305,6 +1314,14 @@ function detachGroupFromBoards($id_group, $boards, $access_list) $db->free_result($request); } +/** + * Assigns the given group $id_group to the boards specified, for + * the 'allow' or 'deny' list. + * + * @param int $id_group + * @param array $boards + * @param string $access_list ('allow', 'deny') + */ function assignGroupToBoards($id_group, $boards, $access_list) { $db = database(); From 27ecf69c177be388af88d03a7c997d069fcca1f5 Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 06:13:43 +0300 Subject: [PATCH 5/9] Doc cleanups. Signed-off-by: Norv --- sources/subs/Admin.subs.php | 10 +++++++--- sources/subs/AdminDebug.subs.php | 3 ++- sources/subs/Membergroups.subs.php | 18 +++++++++++++----- 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/sources/subs/Admin.subs.php b/sources/subs/Admin.subs.php index 111219900d..8e8c471877 100644 --- a/sources/subs/Admin.subs.php +++ b/sources/subs/Admin.subs.php 
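Review bot: `$access_list` is interpolated as a column name through the `{raw:column}` placeholder in detachGroupFromBoards() (`SELECT id_board, {raw:column}`), and the new docblock for assignGroupToBoards() documents the same parameter as `('allow', 'deny')`, so both functions rely on every caller passing one of those two literals. Neither function is shown validating it; a guard at the top of each, `if (!in_array($access_list, array('allow', 'deny'), true)) return;` (or a fatal error, matching the file's style), would make the documented contract enforced rather than assumed. The one caller visible in this series passes a loop key `$board_action` whose origin is outside the hunk.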
@@ -22,6 +22,7 @@ /** * Get a list of versions that are currently installed on the server. + * * @param array $checkFor */ function getServerVersions($checkFor) @@ -99,6 +100,8 @@ function getServerVersions($checkFor) * language files found in the default theme directory (grouped by language). * * @param array &$versionOptions + * + * @return array */ function getFileVersions(&$versionOptions) { @@ -238,6 +241,7 @@ function getFileVersions(&$versionOptions) foreach ($version_info['default_language_versions'] as $language => $dummy) ksort($version_info['default_language_versions'][$language]); } + return $version_info; } @@ -297,9 +301,9 @@ function updateAdminPreferences() /** * Send all the administrators a lovely email. - * - loads all users who are admins or have the admin forum permission. - * - uses the email template and replacements passed in the parameters. - * - sends them an email. + * It loads all users who are admins or have the admin forum permission. + * It uses the email template and replacements passed in the parameters. + * It sends them an email. * * @param string $template * @param array $replacements diff --git a/sources/subs/AdminDebug.subs.php b/sources/subs/AdminDebug.subs.php index 0dace2f205..e81657553c 100644 --- a/sources/subs/AdminDebug.subs.php +++ b/sources/subs/AdminDebug.subs.php @@ -15,7 +15,8 @@ /** * Get the admin info file from the database * - * @param type $filename + * @param string $filename + * * @return array */ function list_getAdminInfoFile($filename) diff --git a/sources/subs/Membergroups.subs.php b/sources/subs/Membergroups.subs.php index 41df95218e..b7eac1364c 100644 --- a/sources/subs/Membergroups.subs.php +++ b/sources/subs/Membergroups.subs.php @@ -594,6 +594,7 @@ function listMembergroupMembers_Href(&$members, $membergroup, $limit = null) * * @global type $scripturl * @global type $smcFunc + * * @return type */ function cache_getMembergroupList() 
@@ -1382,7 +1383,8 @@ function detachDeletedGroupFromMembers($id_group) } /** - * Make the given group hidden. Hidden groups are stored in the additional_groups + * Make the given group hidden. Hidden groups are stored in the additional_groups. + * * @param int $id_group */ function setGroupToHidden($id_group) @@ -1420,7 +1422,8 @@ function setGroupToHidden($id_group) } /** - * Make sure the membergroup key on the board index is valid + * Make sure the setting to display membergroup key on the board index is valid. + * It updates the setting if necessary. */ function validateShowGroupMembership() { @@ -1445,7 +1448,8 @@ function validateShowGroupMembership() } /** - * Detaches group moderators from a deleted group + * Detaches group moderators from a deleted group. + * * @param int $id_group */ function detachGroupModerators($id_group) @@ -1513,10 +1517,11 @@ function assignGroupModerators($id_group, $group_moderators) } /** - * List moderators from a given membergroup + * List moderators from a given membergroup. * * @param int $id_group - * @return array + * + * @return array moderators as array (id => name) */ function getGroupModerators($id_group) { @@ -1542,7 +1547,9 @@ function getGroupModerators($id_group) /** * Lists all groups which inherit permission profiles from the given group. + * * @param int $id_group + * * @return array */ function getInheritableGroups($id_group) @@ -1576,6 +1583,7 @@ function getInheritableGroups($id_group) return $inheritable_groups; } + /** * Gets a list of membergroups, parent groups first. * From dbf7fad8653ea6197f383fec014741e2083b3980 Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 06:19:47 +0300 Subject: [PATCH 6/9] Standardize action_kickguest() and action_maintenance_mode() 
Signed-off-by: Norv --- SSI.php | 5 +-- sources/Dispatcher.class.php | 10 +++--- sources/controllers/Auth.controller.php | 42 +++++++++++++++++++++++++ sources/subs/Auth.subs.php | 42 ------------------------- 4 files changed, 51 insertions(+), 48 deletions(-) diff --git a/SSI.php b/SSI.php index a14ef56b9d..0cbd229a32 100644 --- a/SSI.php +++ b/SSI.php @@ -185,8 +185,9 @@ // Do we allow guests in here? if (empty($ssi_guest_access) && empty($modSettings['allow_guestAccess']) && $user_info['is_guest'] && basename($_SERVER['PHP_SELF']) != 'SSI.php') { - require_once(SUBSDIR . '/Auth.subs.php'); - KickGuest(); + require_once(CONTROLLERDIR . '/Auth.controller.php'); + $controller = new Auth_Controller(); + $controller->action_kickguest(); obExit(null, true); } diff --git a/sources/Dispatcher.class.php b/sources/Dispatcher.class.php index 62d70e329f..2a06ed273b 100644 --- a/sources/Dispatcher.class.php +++ b/sources/Dispatcher.class.php @@ -77,15 +77,17 @@ public function __construct() // "maintenance mode" page else { - $this->_file_name = SUBSDIR . '/Auth.subs.php'; - $this->_function_name = 'InMaintenance'; + $this->_file_name = CONTROLLERDIR . '/Auth.controller.php'; + $this->_controller_name = 'Auth_Controller'; + $this->_function_name = 'action_maintenance_mode'; } } // If guest access is disallowed, a guest is kicked out... politely. :P elseif (empty($modSettings['allow_guestAccess']) && $user_info['is_guest'] && (!isset($_GET['action']) || !in_array($_GET['action'], array('coppa', 'login', 'login2', 'register', 'register2', 'reminder', 'activate', 'help', 'mailq', 'verificationcode', 'openidreturn')))) { - $this->_file_name = SUBSDIR . '/Auth.subs.php'; - $this->_function_name = 'KickGuest'; + $this->_file_name = CONTROLLERDIR . '/Auth.controller.php'; + $this->_controller_name = 'Auth_Controller'; + $this->_function_name = 'action_kickguest'; } elseif (empty($_GET['action'])) { 
diff --git a/sources/controllers/Auth.controller.php b/sources/controllers/Auth.controller.php index 154fe167be..ee612c1b64 100644 --- a/sources/controllers/Auth.controller.php +++ b/sources/controllers/Auth.controller.php @@ -458,6 +458,48 @@ function action_logout($internal = false, $redirect = true) } } } + + /** + * Throws guests out to the login screen when guest access is off. + * It sets $_SESSION['login_url'] to $_SERVER['REQUEST_URL']. + * It uses the 'kick_guest' sub template found in Login.template.php. + */ + function action_kickguest() + { + global $txt, $context; + + loadLanguage('Login'); + loadTemplate('Login'); + + // Never redirect to an attachment + if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false) + $_SESSION['login_url'] = $_SERVER['REQUEST_URL']; + + $context['sub_template'] = 'kick_guest'; + $context['page_title'] = $txt['login']; + } + + /** + * Display a message about the forum being in maintenance mode. + * Displays a login screen with sub template 'maintenance'. + * It sends a 503 header, so search engines don't index while we're in maintenance mode. + */ + function action_maintenance_mode() + { + global $txt, $mtitle, $mmessage, $context; + + loadLanguage('Login'); + loadTemplate('Login'); + + // Send a 503 header, so search engines don't bother indexing while we're in maintenance mode. + header('HTTP/1.1 503 Service Temporarily Unavailable'); + + // Basic template stuff.. + $context['sub_template'] = 'maintenance'; + $context['title'] = &$mtitle; + $context['description'] = &$mmessage; + $context['page_title'] = $txt['maintain_mode']; + } } /** diff --git a/sources/subs/Auth.subs.php b/sources/subs/Auth.subs.php index 77cdf9516e..2a524f500b 100644 --- a/sources/subs/Auth.subs.php +++ b/sources/subs/Auth.subs.php 
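Review bot: action_kickguest() stores `$_SERVER['REQUEST_URL']` into `$_SESSION['login_url']` without validation, and that value is later used as a redirectexit() target by the `sa=check` branch of action_login2() in this same file, so this method is the start of an open-redirect chain whose safety depends entirely on the consumer; a comment here, `// Consumed by the post-login redirect; the consumer must validate it against the forum's own URL.`, records the dependency. `REQUEST_URL` is not a server variable PHP itself provides, so presumably it is populated by the request-cleaning code; worth confirming rather than assuming. In action_maintenance_mode(), adding `header('Retry-After: 3600');` after the 503 line lets well-behaved crawlers back off, and `$context['title'] = &$mtitle;` binds by reference where a plain copy would do.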
@@ -147,48 +147,6 @@ function url_parts($local, $global)
 return array($parsed_url['host'], $parsed_url['path'] . '/');
 }
 
-/**
- * Throws guests out to the login screen when guest access is off.
- * - sets $_SESSION['login_url'] to $_SERVER['REQUEST_URL'].
- * - uses the 'kick_guest' sub template found in Login.template.php.
- */
-function KickGuest()
-{
- global $txt, $context;
-
- loadLanguage('Login');
- loadTemplate('Login');
-
- // Never redirect to an attachment
- if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false)
- $_SESSION['login_url'] = $_SERVER['REQUEST_URL'];
-
- $context['sub_template'] = 'kick_guest';
- $context['page_title'] = $txt['login'];
-}
-
-/**
- * Display a message about the forum being in maintenance mode.
- * - display a login screen with sub template 'maintenance'.
- * - sends a 503 header, so search engines don't bother indexing while we're in maintenance mode.
- */
-function InMaintenance()
-{
- global $txt, $mtitle, $mmessage, $context;
-
- loadLanguage('Login');
- loadTemplate('Login');
-
- // Send a 503 header, so search engines don't bother indexing while we're in maintenance mode.
- header('HTTP/1.1 503 Service Temporarily Unavailable');
-
- // Basic template stuff..
- $context['sub_template'] = 'maintenance';
- $context['title'] = &$mtitle;
- $context['description'] = &$mmessage;
- $context['page_title'] = $txt['maintain_mode'];
-}
-
 /**
  * Question the verity of the admin by asking for his or her password.
  * - loads Login.template.php and uses the admin_login sub template.
From 14c95cab034b9aa3a86672f9d6de639de194e7d2 Mon Sep 17 00:00:00 2001 From: Norv Date: Wed, 22 May 2013 06:42:42 +0300 Subject: [PATCH 7/9] Make action methods public in Auth controller. Signed-off-by: Norv
--- sources/Security.php | 5 +++-- sources/controllers/Auth.controller.php | 13 +++++++------ 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/sources/Security.php b/sources/Security.php
index bb25160de0..8c897a876d 100644
--- a/sources/Security.php +++ b/sources/Security.php @@ -34,7 +34,7 @@ function validateSession($type = 'admin') { global $modSettings, $user_info, $sc, $user_settings; - // We don't care if the option is off, because Guests should NEVER get past here. + // Guests are not welcome here. is_not_guest(); // Validate what type of session check this is. @@ -49,7 +49,7 @@ function validateSession($type = 'admin') if (!empty($modSettings['securityDisable' . ($type != 'admin' ? '_' . $type : '')])) return; - // Or are they already logged in?, Moderator or admin sesssion is need for this area + // If their admin or moderator session hasn't expired yet, let it pass. if ((!empty($_SESSION[$type . '_time']) && $_SESSION[$type . '_time'] + $refreshTime >= time()) || (!empty($_SESSION['admin_time']) && $_SESSION['admin_time'] + $refreshTime >= time())) return; @@ -69,6 +69,7 @@ function validateSession($type = 'admin') return; } } + // Posting the password... check it. if (isset($_POST[$type. '_pass'])) { diff --git a/sources/controllers/Auth.controller.php b/sources/controllers/Auth.controller.php index ee612c1b64..a0fa62902c 100644 --- a/sources/controllers/Auth.controller.php +++ b/sources/controllers/Auth.controller.php @@ -32,7 +32,7 @@ class Auth_Controller * @uses the protocol_login sub-template in the Wireless template, * if you are using a wireless device */ - function action_login() + public function action_login() { global $txt, $context, $scripturl, $user_info; @@ -78,7 +78,7 @@ function action_login() * - accessed from ?action=login2, by forms. * On error, uses the same templates Login() uses. */ - function action_login2() + public function action_login2() { global $txt, $scripturl, $user_info, $user_settings; 
@@ -88,6 +88,7 @@ function action_login2() // Load cookie authentication stuff. require_once(SUBSDIR . '/Auth.subs.php'); + // sa=salt if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest']) { if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~', $_COOKIE[$cookiename]) === 1) @@ -95,7 +96,7 @@ function action_login2() elseif (isset($_SESSION['login_' . $cookiename])) list (, , $timeout) = @unserialize($_SESSION['login_' . $cookiename]); else - trigger_error('Login2(): Cannot be logged in without a session or cookie', E_USER_ERROR); + trigger_error('action_login2(): Cannot be logged in without a session or cookie', E_USER_ERROR); $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4); updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt'])); @@ -402,7 +403,7 @@ function action_login2() * @param bool $internal if true, it doesn't check the session * @param $redirect */ - function action_logout($internal = false, $redirect = true) + public function action_logout($internal = false, $redirect = true) { global $user_info, $user_settings, $context, $modSettings; @@ -464,7 +465,7 @@ function action_logout($internal = false, $redirect = true) * It sets $_SESSION['login_url'] to $_SERVER['REQUEST_URL']. * It uses the 'kick_guest' sub template found in Login.template.php. */ - function action_kickguest() + public function action_kickguest() { global $txt, $context; @@ -484,7 +485,7 @@ function action_kickguest() * Displays a login screen with sub template 'maintenance'. * It sends a 503 header, so search engines don't index while we're in maintenance mode. */ - function action_maintenance_mode() + public function action_maintenance_mode() { global $txt, $mtitle, $mmessage, $context; From 2c8d4e4bc7f881017bf07ae036869165dd3219f5 Mon Sep 17 00:00:00 2001 
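Review bot: In the `sa=salt` branch the new `password_salt` is `substr(md5(mt_rand()), 0, 4)`: mt_rand() is not a cryptographic source and four hex characters are only 16 bits, which is tolerable only because the value appears to be used here solely to diversify the login-cookie hash (`sha1($user_settings['passwd'] . $user_settings['password_salt'])`); a comment above it, `// Low-entropy cookie-hash salt, not a password salt; use a CSPRNG if this is ever reused.`, keeps it from being repurposed. The `@unserialize($_COOKIE[$cookiename])` is acceptable only because the preceding preg_match() pins the cookie to an array of ints and a hex string (no `O:` objects); if this branch is moved, as a later patch in this series does, the regex and the unserialize must travel together. The `action_login2():` rename in the trigger_error() message is fine.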
From: Norv Date: Wed, 22 May 2013 07:23:23 +0300 Subject: [PATCH 8/9] Detach different actions from login2. Signed-off-by: Norv --- sources/controllers/Auth.controller.php | 133 +++++++++++--------- sources/controllers/Register.controller.php | 2 +- 2 files changed, 78 insertions(+), 57 deletions(-) diff --git a/sources/controllers/Auth.controller.php b/sources/controllers/Auth.controller.php index a0fa62902c..210e950450 100644 --- a/sources/controllers/Auth.controller.php +++ b/sources/controllers/Auth.controller.php 
@@ -76,67 +76,16 @@ public function action_login()
 * - upgrades password encryption on login, if necessary.
 * - after successful login, redirects you to $_SESSION['login_url'].
 * - accessed from ?action=login2, by forms.
- * On error, uses the same templates Login() uses.
+ * On error, uses the same templates action_login() uses.
 */
 public function action_login2()
 {
 global $txt, $scripturl, $user_info, $user_settings;
-
- $db = database();
 global $cookiename, $maintenance, $modSettings, $context, $sc;
- // Load cookie authentication stuff.
+ // Load cookie authentication and all stuff.
 require_once(SUBSDIR . '/Auth.subs.php');
- // sa=salt
- if (isset($_GET['sa']) && $_GET['sa'] == 'salt' && !$user_info['is_guest'])
- {
- if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~', $_COOKIE[$cookiename]) === 1)
- list (, , $timeout) = @unserialize($_COOKIE[$cookiename]);
- elseif (isset($_SESSION['login_' . $cookiename]))
- list (, , $timeout) = @unserialize($_SESSION['login_' . $cookiename]);
- else
- trigger_error('action_login2(): Cannot be logged in without a session or cookie', E_USER_ERROR);
-
- $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
- updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt']));
-
- setLoginCookie($timeout - time(), $user_info['id'], sha1($user_settings['passwd'] . $user_settings['password_salt']));
-
- redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
- }
- // Double check the cookie...
- elseif (isset($_GET['sa']) && $_GET['sa'] == 'check')
- {
- // Strike! You're outta there!
- if ($_GET['member'] != $user_info['id'])
- fatal_lang_error('login_cookie_error', false);
-
- $user_info['can_mod'] = allowedTo('access_mod_center') || (!$user_info['is_guest'] && ($user_info['mod_cache']['gq'] != '0=1' || $user_info['mod_cache']['bq'] != '0=1' || ($modSettings['postmod_active'] && !empty($user_info['mod_cache']['ap']))));
- if ($user_info['can_mod'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
- {
- $_SESSION['moderate_time'] = time();
- unset($_SESSION['just_registered']);
- }
-
- // Some whitelisting for login_url...
- if (empty($_SESSION['login_url']))
- redirectexit();
- elseif (!empty($_SESSION['login_url']) && (strpos('http://', $_SESSION['login_url']) === false && strpos('https://', $_SESSION['login_url']) === false))
- {
- unset ($_SESSION['login_url']);
- redirectexit();
- }
- else
- {
- // Best not to clutter the session data too much...
- $temp = $_SESSION['login_url'];
- unset($_SESSION['login_url']);
-
- redirectexit($temp);
- }
- }
-
 // Beyond this point you are assumed to be a guest trying to login.
 if (!$user_info['is_guest'])
 redirectexit();
@@ -407,8 +356,6 @@ public function action_logout($internal = false, $redirect = true)
 {
 global $user_info, $user_settings, $context, $modSettings;
- $db = database();
-
 // Make sure they aren't being auto-logged out.
 if (!$internal)
 checkSession('get');
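Review bot: After this hunk `action_login2()` no longer answers `sa=salt` or `sa=check`, and the patch only re-points `DoLogin()` and `action_register2()` at `action=auth;sa=check`; the routing that maps `action=auth` with `sa=salt`/`sa=check` onto `action_salt()`/`action_check()` is not part of this diff, so confirm it exists or a freshly logged-in member is sent to an action nothing handles. Any other caller still using `action=login2;sa=check` now hits the retained `if (!$user_info['is_guest']) redirectexit();` guard and is silently bounced to the index, so a grep for `login2;sa=` across the tree is worth doing before merge. The rewritten comment `// Load cookie authentication and all stuff.` says less than the one it replaces; `// Load the cookie/session authentication helpers.` would do. The body of `action_login2()` continues past the end of the hunk.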
@@ -501,6 +448,80 @@ public function action_maintenance_mode()
 $context['description'] = &$mmessage;
 $context['page_title'] = $txt['maintain_mode'];
 }
+
+ /**
+ * Checks the cookie and update salt.
+ * If successful, it redirects to action=auth;sa=check.
+ * Accessed by ?action=auth;sa=salt.
+ */
+ public function action_salt()
+ {
+ global $user_info, $user_settings, $context;
+
+ // we deal only with logged in folks in here!
+ if (!$user_info['is_guest'])
+ {
+ if (isset($_COOKIE[$cookiename]) && preg_match('~^a:[34]:\{i:0;(i:\d{1,6}|s:[1-8]:"\d{1,8}");i:1;s:(0|40):"([a-fA-F0-9]{40})?";i:2;[id]:\d{1,14};(i:3;i:\d;)?\}$~', $_COOKIE[$cookiename]) === 1)
+ list (, , $timeout) = @unserialize($_COOKIE[$cookiename]);
+ elseif (isset($_SESSION['login_' . $cookiename]))
+ list (, , $timeout) = @unserialize($_SESSION['login_' . $cookiename]);
+ else
+ trigger_error('Auth: Cannot be logged in without a session or cookie', E_USER_ERROR);
+
+ $user_settings['password_salt'] = substr(md5(mt_rand()), 0, 4);
+ updateMemberData($user_info['id'], array('password_salt' => $user_settings['password_salt']));
+
+ setLoginCookie($timeout - time(), $user_info['id'], sha1($user_settings['passwd'] . $user_settings['password_salt']));
+
+ redirectexit('action=auth;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
+ }
+
+ // Lets be sure.
+ redirectexit();
+ }
+
+ /**
+ * Double check the cookie.
+ */
+ public function action_check()
+ {
+ global $user_info;
+
+ // Only our members, please.
+ if (!$user_info['is_guest'])
+ {
+ // Strike! You're outta there!
+ if ($_GET['member'] != $user_info['id'])
+ fatal_lang_error('login_cookie_error', false);
+
+ $user_info['can_mod'] = allowedTo('access_mod_center') || (!$user_info['is_guest'] && ($user_info['mod_cache']['gq'] != '0=1' || $user_info['mod_cache']['bq'] != '0=1' || ($modSettings['postmod_active'] && !empty($user_info['mod_cache']['ap']))));
+ if ($user_info['can_mod'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
+ {
+ $_SESSION['moderate_time'] = time();
+ unset($_SESSION['just_registered']);
+ }
+
+ // Some whitelisting for login_url...
+ if (empty($_SESSION['login_url']))
+ redirectexit();
+ elseif (!empty($_SESSION['login_url']) && (strpos('http://', $_SESSION['login_url']) === false && strpos('https://', $_SESSION['login_url']) === false))
+ {
+ unset ($_SESSION['login_url']);
+ redirectexit();
+ }
+ else
+ {
+ // Best not to clutter the session data too much...
+ $temp = $_SESSION['login_url'];
+ unset($_SESSION['login_url']);
+
+ redirectexit($temp);
+ }
+ }
+
+ // It'll never get here... until it does :P
+ redirectexit();
+ }
 }
 /**
@@ -615,7 +636,7 @@ function DoLogin()
 // Just log you back out if it's in maintenance mode and you AREN'T an admin.
 if (empty($maintenance) || allowedTo('admin_forum'))
- redirectexit('action=login2;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
+ redirectexit('action=auth;sa=check;member=' . $user_info['id'], $context['server']['needs_login_fix']);
 else
 redirectexit('action=logout;' . $context['session_var'] . '=' . $context['session_id'], $context['server']['needs_login_fix']);
 }
diff --git a/sources/controllers/Register.controller.php b/sources/controllers/Register.controller.php
index bce9c4c56f..be652790e8 100644
--- a/sources/controllers/Register.controller.php
+++ b/sources/controllers/Register.controller.php
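Review bot: `action_salt()` never declares `global $cookiename`, so `$_COOKIE[$cookiename]` and `$_SESSION['login_' . $cookiename]` are looked up under an empty name and every request ends in the `trigger_error(..., E_USER_ERROR)` branch; `action_check()` likewise reads `$modSettings` and `$user_settings` without declaring them, so the post-moderation term of `can_mod` is always false and `moderate_time` is never set — the globals the old `action_login2()` body relied on did not travel with the moved code. The two declarations should read `global $user_info, $user_settings, $context, $cookiename;` and `global $user_info, $user_settings, $modSettings;`. The `login_url` check also has `strpos()`'s arguments reversed (haystack `'http://'`, needle the URL), so it never tests the URL's scheme; if it is corrected, pair it with a same-host comparison, because a scheme prefix alone does not keep the redirect on-site. Salt rotation and cookie re-issue are reachable by a bare GET with no session token check, so any cross-site link can trigger it for a logged-in member; a `checkSession('get');` at the top of the member branch, as `action_logout()` does, closes that.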
@@ -524,7 +524,7 @@ function action_register2($verifiedOpenID = false)
 setLoginCookie(60 * $modSettings['cookieTime'], $memberID, sha1(sha1(strtolower($regOptions['username']) . $regOptions['password']) . $regOptions['register_vars']['password_salt']));
- redirectexit('action=login2;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
+ redirectexit('action=auth;sa=check;member=' . $memberID, $context['server']['needs_login_fix']);
 }
 }
From 725c657a37d272a5e937eb44a513bbcc44ab6a39 Mon Sep 17 00:00:00 2001
From: Norv
Date: Wed, 22 May 2013 07:31:13 +0300
Subject: [PATCH 9/9] Clean-up doLogin()
Signed-off-by: Norv
---
 sources/controllers/Auth.controller.php | 13 +++++++------
 sources/subs/OpenID.subs.php | 2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/sources/controllers/Auth.controller.php b/sources/controllers/Auth.controller.php
index 210e950450..5642a0cdf0 100644
--- a/sources/controllers/Auth.controller.php
+++ b/sources/controllers/Auth.controller.php
@@ -340,7 +340,7 @@ public function action_login2()
 if (!checkActivation())
 return;
- DoLogin();
+ doLogin();
 }
 /**
@@ -574,16 +574,17 @@ function checkActivation()
 }
 /**
- * Perform the logging in. (set cookie, call hooks, etc)
+ * This function performs the logging in.
+ * It sets the cookie, it call hooks, updates runtime settings for the user.
 */
-function DoLogin()
+function doLogin()
 {
- global $txt, $scripturl, $user_info, $user_settings;
+ global $user_info, $user_settings;
+ global $cookiename, $maintenance, $modSettings, $context;
 $db = database();
- global $cookiename, $maintenance, $modSettings, $context;
- // Load cookie authentication stuff.
+ // Load authentication stuffs.
 require_once(SUBSDIR . '/Auth.subs.php');
 // Call login integration functions.
diff --git a/sources/subs/OpenID.subs.php b/sources/subs/OpenID.subs.php
index abf93c38d7..5c5b7eb184 100644
--- a/sources/subs/OpenID.subs.php
+++ b/sources/subs/OpenID.subs.php
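Review bot: The rewritten `global` line in `doLogin()` drops `$txt` and `$scripturl`, and the body of the function continues past the end of the hunk, so confirm nothing further down still reads them — an undeclared global in PHP yields null with a notice rather than an error, so a leftover use would show up as empty text or a malformed URL instead of a crash. The `DoLogin` → `doLogin` rename itself is safe for any caller this patch missed, since PHP function names are case-insensitive. The new docblock has a grammar slip and the comment below it is vaguer than the one it replaces; I would write `* Performs the login: sets the cookie, calls the login hooks and updates the runtime settings for the user.` and `// Load the cookie/session authentication helpers.` in place of `// Load authentication stuffs.`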
@@ -400,7 +400,7 @@ function action_openidreturn()
 if (!checkActivation())
 return;
- DoLogin();
+ doLogin();
 }
 }