-
-
-query('SELECT b.id, b.username, b.ip, b.email, b.message, b.expire, b.ban_creator, u.username AS ban_creator_username FROM '.$db->prefix.'bans AS b LEFT JOIN '.$db->prefix.'users AS u ON b.ban_creator=u.id WHERE b.id>0'.(!empty($conditions) ? ' AND '.implode(' AND ', $conditions) : '').' ORDER BY '.$db->escape($order_by).' '.$db->escape($direction).' LIMIT '.$start_from.', 50') or error('Unable to fetch ban list', __FILE__, __LINE__, $db->error());
- if ($db->num_rows($result))
- {
- while ($ban_data = $db->fetch_assoc($result))
- {
-
- $actions = ''.$lang_admin_common['Edit'].' | '.$lang_admin_common['Remove'].'';
- $expire = format_time($ban_data['expire'], true);
-
-?>
-
-
-
-query('SELECT group_id, username, email FROM '.$db->prefix.'users WHERE id='.$user_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+ if ($db->num_rows($result))
+ list($group_id, $ban_user, $ban_email) = $db->fetch_row($result);
+ else
+ message($lang_admin_bans['No user ID message']);
+ }
+ else // Otherwise the username is in POST
+ {
+ $ban_user = pun_trim($_POST['new_ban_user']);
+
+ if ($ban_user != '')
+ {
+ $result = $db->query('SELECT id, group_id, username, email FROM '.$db->prefix.'users WHERE username=\''.$db->escape($ban_user).'\' AND id>1') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+ if ($db->num_rows($result))
+ list($user_id, $group_id, $ban_user, $ban_email) = $db->fetch_row($result);
+ else
+ message($lang_admin_bans['No user message']);
+ }
+ }
+
+ // Make sure we're not banning an admin or moderator
+ if (isset($group_id))
+ {
+ if ($group_id == PUN_ADMIN)
+ message(sprintf($lang_admin_bans['User is admin message'], pun_htmlspecialchars($ban_user)));
+
+ $result = $db->query('SELECT g_moderator FROM '.$db->prefix.'groups WHERE g_id='.$group_id) or error('Unable to fetch group info', __FILE__, __LINE__, $db->error());
+ $is_moderator_group = $db->result($result);
+
+ if ($is_moderator_group)
+ message(sprintf($lang_admin_bans['User is mod message'], pun_htmlspecialchars($ban_user)));
+ }
+
+ // If we have a $user_id, we can try to find the last known IP of that user
+ if (isset($user_id))
+ {
+ $result = $db->query('SELECT poster_ip FROM '.$db->prefix.'posts WHERE poster_id='.$user_id.' ORDER BY posted DESC LIMIT 1') or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
+ $ban_ip = ($db->num_rows($result)) ? $db->result($result) : '';
+
+ if ($ban_ip == '')
+ {
+ $result = $db->query('SELECT registration_ip FROM '.$db->prefix.'users WHERE id='.$user_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+ $ban_ip = ($db->num_rows($result)) ? $db->result($result) : '';
+ }
+ }
+
+ $mode = 'add';
+ }
+ else // We are editing a ban
+ {
+ $ban_id = intval($_GET['edit_ban']);
+ if ($ban_id < 1)
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $result = $db->query('SELECT username, ip, email, message, expire FROM '.$db->prefix.'bans WHERE id='.$ban_id) or error('Unable to fetch ban info', __FILE__, __LINE__, $db->error());
+ if ($db->num_rows($result))
+ list($ban_user, $ban_ip, $ban_email, $ban_message, $ban_expire) = $db->fetch_row($result);
+ else
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $diff = ($pun_user['timezone'] + $pun_user['dst']) * 3600;
+ $ban_expire = ($ban_expire != '') ? gmdate('Y-m-d', $ban_expire + $diff) : '';
+
+ $mode = 'edit';
+ }
+
+ $page_title = array(pun_htmlspecialchars($pun_config['o_board_title']), $lang_admin_common['Admin'], $lang_admin_common['Bans']);
+ $focus_element = array('bans2', 'ban_user');
+ define('PUN_ACTIVE_PAGE', 'admin');
+ require PUN_ROOT.'header.php';
+
+ generate_admin_menu('bans');
+
+?>
+
+
+
+query('SELECT b.id, b.username, b.ip, b.email, b.message, b.expire, b.ban_creator, u.username AS ban_creator_username FROM '.$db->prefix.'bans AS b LEFT JOIN '.$db->prefix.'users AS u ON b.ban_creator=u.id WHERE b.id>0'.(!empty($conditions) ? ' AND '.implode(' AND ', $conditions) : '').' ORDER BY '.$db->escape($order_by).' '.$db->escape($direction).' LIMIT '.$start_from.', 50') or error('Unable to fetch ban list', __FILE__, __LINE__, $db->error());
+ if ($db->num_rows($result))
+ {
+ while ($ban_data = $db->fetch_assoc($result))
+ {
+
+ $actions = ''.$lang_admin_common['Edit'].' | '.$lang_admin_common['Remove'].'';
+ $expire = format_time($ban_data['expire'], true);
+
+?>
+
-escape($form_username).'\'' : 'LOWER(username)=LOWER(\''.$db->escape($form_username).'\')';
+
+ $result = $db->query('SELECT * FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+ $cur_user = $db->fetch_assoc($result);
+
+ $authorized = false;
+
+ if (!empty($cur_user['password']))
+ {
+ $form_password_hash = pun_hash($form_password); // Will result in a SHA-1 hash
+
+ // If there is a salt in the database we have upgraded from 1.3-legacy though haven't yet logged in
+ if (!empty($cur_user['salt']))
+ {
+ if (sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']) // 1.3 used sha1(salt.sha1(pass))
+ {
+ $authorized = true;
+
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
+ }
+ }
+ // If the length isn't 40 then the password isn't using sha1, so it must be md5 from 1.2
+ else if (strlen($cur_user['password']) != 40)
+ {
+ if (md5($form_password) == $cur_user['password'])
+ {
+ $authorized = true;
+
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
+ }
+ }
+ // Otherwise we should have a normal sha1 password
+ else
+ $authorized = ($cur_user['password'] == $form_password_hash);
+ }
+
+ if (!$authorized)
+ message($lang_login['Wrong user/pass'].' '.$lang_login['Forgotten pass'].'');
+
+ // Update the status if this is the first time the user logged in
+ if ($cur_user['group_id'] == PUN_UNVERIFIED)
+ {
+ $db->query('UPDATE '.$db->prefix.'users SET group_id='.$pun_config['o_default_user_group'].' WHERE id='.$cur_user['id']) or error('Unable to update user status', __FILE__, __LINE__, $db->error());
+
+ // Regenerate the users info cache
+ if (!defined('FORUM_CACHE_FUNCTIONS_LOADED'))
+ require PUN_ROOT.'include/cache.php';
+
+ generate_users_info_cache();
+ }
+
+ // Remove this user's guest entry from the online list
+ $db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape(get_remote_address()).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
+
+ $expire = ($save_pass == '1') ? time() + 1209600 : time() + $pun_config['o_timeout_visit'];
+ pun_setcookie($cur_user['id'], $form_password_hash, $expire);
+
+ // Reset tracked topics
+ set_tracked_topics(null);
+
+ // Try to determine if the data in redirect_url is valid (if not, we redirect to index.php after login)
+ $redirect_url = validate_redirect($_POST['redirect_url'], 'index.php');
+
+ redirect(pun_htmlspecialchars($redirect_url), $lang_login['Login redirect']);
+}
+
+
+else if ($action == 'out')
+{
+ if ($pun_user['is_guest'] || !isset($_GET['id']) || $_GET['id'] != $pun_user['id'] || !isset($_GET['csrf_token']) || $_GET['csrf_token'] != pun_hash($pun_user['id'].pun_hash(get_remote_address())))
+ {
+ header('Location: index.php');
+ exit;
+ }
+
+ // Remove user from "users online" list
+ $db->query('DELETE FROM '.$db->prefix.'online WHERE user_id='.$pun_user['id']) or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
+
+ // Update last_visit (make sure there's something to update it with)
+ if (isset($pun_user['logged']))
+ $db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());
+
+ pun_setcookie(1, pun_hash(uniqid(rand(), true)), time() + 31536000);
+
+ redirect('index.php', $lang_login['Logout redirect']);
+}
+
+
+else if ($action == 'forget' || $action == 'forget_2')
+{
+ if (!$pun_user['is_guest'])
+ {
+ header('Location: index.php');
+ exit;
+ }
+
+ if (isset($_POST['form_sent']))
+ {
+ // Start with a clean slate
+ $errors = array();
+
+ require PUN_ROOT.'include/email.php';
+
+ // Validate the email address
+ $email = strtolower(pun_trim($_POST['req_email']));
+ if (!is_valid_email($email))
+ $errors[] = $lang_common['Invalid email'];
+
+ // Did everything go according to plan?
+ if (empty($errors))
+ {
+ $result = $db->query('SELECT id, username, last_email_sent FROM '.$db->prefix.'users WHERE email=\''.$db->escape($email).'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+
+ if ($db->num_rows($result))
+ {
+ // Load the "activate password" template
+ $mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/activate_password.tpl'));
+
+ // The first row contains the subject
+ $first_crlf = strpos($mail_tpl, "\n");
+ $mail_subject = trim(substr($mail_tpl, 8, $first_crlf-8));
+ $mail_message = trim(substr($mail_tpl, $first_crlf));
+
+ // Do the generic replacements first (they apply to all emails sent out here)
+ $mail_message = str_replace('', get_base_url().'/', $mail_message);
+ $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
+
+ // Loop through users we found
+ while ($cur_hit = $db->fetch_assoc($result))
+ {
+ if ($cur_hit['last_email_sent'] != '' && (time() - $cur_hit['last_email_sent']) < 3600 && (time() - $cur_hit['last_email_sent']) >= 0)
+ message(sprintf($lang_login['Email flood'], intval((3600 - (time() - $cur_hit['last_email_sent'])) / 60)), true);
+
+ // Generate a new password and a new password activation code
+ $new_password = random_pass(12);
+ $new_password_key = random_pass(8);
+
+ $db->query('UPDATE '.$db->prefix.'users SET activate_string=\''.pun_hash($new_password).'\', activate_key=\''.$new_password_key.'\', last_email_sent = '.time().' WHERE id='.$cur_hit['id']) or error('Unable to update activation data', __FILE__, __LINE__, $db->error());
+
+ // Do the user specific replacements to the template
+ $cur_mail_message = str_replace('', $cur_hit['username'], $mail_message);
+ $cur_mail_message = str_replace('', get_base_url().'/profile.php?id='.$cur_hit['id'].'&action=change_pass&key='.$new_password_key, $cur_mail_message);
+ $cur_mail_message = str_replace('', $new_password, $cur_mail_message);
+
+ pun_mail($email, $mail_subject, $cur_mail_message);
+ }
+
+ message($lang_login['Forget mail'].' '.pun_htmlspecialchars($pun_config['o_admin_email']).'.', true);
+ }
+ else
+ $errors[] = $lang_login['No email match'].' '.htmlspecialchars($email).'.';
+ }
+ }
+
+ $page_title = array(pun_htmlspecialchars($pun_config['o_board_title']), $lang_login['Request pass']);
+ $required_fields = array('req_email' => $lang_common['Email']);
+ $focus_element = array('request_pass', 'req_email');
+ define ('PUN_ACTIVE_PAGE', 'login');
+ require PUN_ROOT.'header.php';
+
+// If there are errors, we display them
+if (!empty($errors))
+{
+
+?>
+
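Review bot: The three password checks in the login branch — `sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']`, `md5($form_password) == $cur_user['password']` and `$authorized = ($cur_user['password'] == $form_password_hash)` — compare digests with loose `==`, which in PHP treats two numeric-looking hex strings (for example digests of the `0e…` form) as equal and is not constant-time; the commit reworks the redirect handling in this branch but leaves these comparisons as they are. Replace them with `hash_equals($cur_user['password'], $form_password_hash)` and the equivalent `hash_equals($cur_user['password'], sha1($cur_user['salt'].sha1($form_password)))` / `hash_equals($cur_user['password'], md5($form_password))`, stored value first; if the project's minimum PHP version predates hash_equals(), `===` at least removes the loose-comparison case. Separately, `htmlspecialchars($email)` in the "No email match" error differs from the `pun_htmlspecialchars()` the rest of this file uses for output escaping, so the two should be made consistent. The branch that closes at the `}` before `else if ($action == 'out')` opens outside this hunk, so the origin of `$form_password` and `$save_pass` is not visible here.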
-query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user last visit data', __FILE__, __LINE__, $db->error());
-
- // Reset tracked topics
- set_tracked_topics(null);
-
- redirect('index.php', $lang_misc['Mark read redirect']);
-}
-
-
-// Mark the topics/posts in a forum as read?
-else if ($action == 'markforumread')
-{
- if ($pun_user['is_guest'])
- message($lang_common['No permission'], false, '403 Forbidden');
-
- $fid = isset($_GET['fid']) ? intval($_GET['fid']) : 0;
- if ($fid < 1)
- message($lang_common['Bad request'], false, '404 Not Found');
-
- $tracked_topics = get_tracked_topics();
- $tracked_topics['forums'][$fid] = time();
- set_tracked_topics($tracked_topics);
-
- redirect('viewforum.php?id='.$fid, $lang_misc['Mark forum read redirect']);
-}
-
-
-else if (isset($_GET['email']))
-{
- if ($pun_user['is_guest'] || $pun_user['g_send_email'] == '0')
- message($lang_common['No permission'], false, '403 Forbidden');
-
- $recipient_id = intval($_GET['email']);
- if ($recipient_id < 2)
- message($lang_common['Bad request'], false, '404 Not Found');
-
- $result = $db->query('SELECT username, email, email_setting FROM '.$db->prefix.'users WHERE id='.$recipient_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_common['Bad request'], false, '404 Not Found');
-
- list($recipient, $recipient_email, $email_setting) = $db->fetch_row($result);
-
- if ($email_setting == 2 && !$pun_user['is_admmod'])
- message($lang_misc['Form email disabled']);
-
-
- if (isset($_POST['form_sent']))
- {
- confirm_referrer('misc.php');
-
- // Clean up message and subject from POST
- $subject = pun_trim($_POST['req_subject']);
- $message = pun_trim($_POST['req_message']);
-
- if ($subject == '')
- message($lang_misc['No email subject']);
- else if ($message == '')
- message($lang_misc['No email message']);
- // Here we use strlen() not pun_strlen() as we want to limit the post to PUN_MAX_POSTSIZE bytes, not characters
- else if (strlen($message) > PUN_MAX_POSTSIZE)
- message($lang_misc['Too long email message']);
-
- if ($pun_user['last_email_sent'] != '' && (time() - $pun_user['last_email_sent']) < $pun_user['g_email_flood'] && (time() - $pun_user['last_email_sent']) >= 0)
- message(sprintf($lang_misc['Email flood'], $pun_user['g_email_flood'], $pun_user['g_email_flood'] - (time() - $pun_user['last_email_sent'])));
-
- // Load the "form email" template
- $mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/form_email.tpl'));
-
- // The first row contains the subject
- $first_crlf = strpos($mail_tpl, "\n");
- $mail_subject = pun_trim(substr($mail_tpl, 8, $first_crlf-8));
- $mail_message = pun_trim(substr($mail_tpl, $first_crlf));
-
- $mail_subject = str_replace('', $subject, $mail_subject);
- $mail_message = str_replace('', $pun_user['username'], $mail_message);
- $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
- $mail_message = str_replace('', $message, $mail_message);
- $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
-
- require_once PUN_ROOT.'include/email.php';
-
- pun_mail($recipient_email, $mail_subject, $mail_message, $pun_user['email'], $pun_user['username']);
-
- $db->query('UPDATE '.$db->prefix.'users SET last_email_sent='.time().' WHERE id='.$pun_user['id']) or error('Unable to update user', __FILE__, __LINE__, $db->error());
-
- redirect(pun_htmlspecialchars($_POST['redirect_url']), $lang_misc['Email sent redirect']);
- }
-
-
- // Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to the user's profile after the email is sent)
- if (!empty($_SERVER['HTTP_REFERER']))
- {
- $referrer = parse_url($_SERVER['HTTP_REFERER']);
- // Remove www subdomain if it exists
- if (strpos($referrer['host'], 'www.') === 0)
- $referrer['host'] = substr($referrer['host'], 4);
-
- // Make sure the path component exists
- if (!isset($referrer['path']))
- $referrer['path'] = '';
-
- $valid = parse_url(get_base_url());
- // Remove www subdomain if it exists
- if (strpos($valid['host'], 'www.') === 0)
- $valid['host'] = substr($valid['host'], 4);
-
- // Make sure the path component exists
- if (!isset($valid['path']))
- $valid['path'] = '';
-
- if ($referrer['host'] == $valid['host'] && preg_match('%^'.preg_quote($valid['path'], '%').'/(.*?)\.php%i', $referrer['path']))
- $redirect_url = $_SERVER['HTTP_REFERER'];
- }
-
- if (!isset($redirect_url))
- $redirect_url = 'profile.php?id='.$recipient_id;
- else if (preg_match('%viewtopic\.php\?pid=(\d+)$%', $redirect_url, $matches))
- $redirect_url .= '#p'.$matches[1];
-
- $page_title = array(pun_htmlspecialchars($pun_config['o_board_title']), $lang_misc['Send email to'].' '.pun_htmlspecialchars($recipient));
- $required_fields = array('req_subject' => $lang_misc['Email subject'], 'req_message' => $lang_misc['Email message']);
- $focus_element = array('email', 'req_subject');
- define('PUN_ACTIVE_PAGE', 'index');
- require PUN_ROOT.'header.php';
-
-?>
-
-
-
-
-
-
- 65535) // TEXT field can only hold 65535 bytes
- message($lang_misc['Reason too long']);
-
- if ($pun_user['last_report_sent'] != '' && (time() - $pun_user['last_report_sent']) < $pun_user['g_report_flood'] && (time() - $pun_user['last_report_sent']) >= 0)
- message(sprintf($lang_misc['Report flood'], $pun_user['g_report_flood'], $pun_user['g_report_flood'] - (time() - $pun_user['last_report_sent'])));
-
- // Get the topic ID
- $result = $db->query('SELECT topic_id FROM '.$db->prefix.'posts WHERE id='.$post_id) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_common['Bad request'], false, '404 Not Found');
-
- $topic_id = $db->result($result);
-
- // Get the subject and forum ID
- $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_common['Bad request'], false, '404 Not Found');
-
- list($subject, $forum_id) = $db->fetch_row($result);
-
- // Should we use the internal report handling?
- if ($pun_config['o_report_method'] == '0' || $pun_config['o_report_method'] == '2')
- $db->query('INSERT INTO '.$db->prefix.'reports (post_id, topic_id, forum_id, reported_by, created, message) VALUES('.$post_id.', '.$topic_id.', '.$forum_id.', '.$pun_user['id'].', '.time().', \''.$db->escape($reason).'\')' ) or error('Unable to create report', __FILE__, __LINE__, $db->error());
-
- // Should we email the report?
- if ($pun_config['o_report_method'] == '1' || $pun_config['o_report_method'] == '2')
- {
- // We send it to the complete mailing-list in one swoop
- if ($pun_config['o_mailing_list'] != '')
- {
- // Load the "new report" template
- $mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/new_report.tpl'));
-
- // The first row contains the subject
- $first_crlf = strpos($mail_tpl, "\n");
- $mail_subject = trim(substr($mail_tpl, 8, $first_crlf-8));
- $mail_message = trim(substr($mail_tpl, $first_crlf));
-
- $mail_subject = str_replace('', $forum_id, $mail_subject);
- $mail_subject = str_replace('', $subject, $mail_subject);
- $mail_message = str_replace('', $pun_user['username'], $mail_message);
- $mail_message = str_replace('', get_base_url().'/viewtopic.php?pid='.$post_id.'#p'.$post_id, $mail_message);
- $mail_message = str_replace('', $reason, $mail_message);
- $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
-
- require PUN_ROOT.'include/email.php';
-
- pun_mail($pun_config['o_mailing_list'], $mail_subject, $mail_message);
- }
- }
-
- $db->query('UPDATE '.$db->prefix.'users SET last_report_sent='.time().' WHERE id='.$pun_user['id']) or error('Unable to update user', __FILE__, __LINE__, $db->error());
-
- redirect('viewforum.php?id='.$forum_id, $lang_misc['Report redirect']);
- }
-
- // Fetch some info about the post, the topic and the forum
- $result = $db->query('SELECT f.id AS fid, f.forum_name, t.id AS tid, t.subject FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND p.id='.$post_id) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_common['Bad request'], false, '404 Not Found');
-
- $cur_post = $db->fetch_assoc($result);
-
- if ($pun_config['o_censoring'] == '1')
- $cur_post['subject'] = censor_words($cur_post['subject']);
-
- $page_title = array(pun_htmlspecialchars($pun_config['o_board_title']), $lang_misc['Report post']);
- $required_fields = array('req_reason' => $lang_misc['Reason']);
- $focus_element = array('report', 'req_reason');
- define('PUN_ACTIVE_PAGE', 'index');
- require PUN_ROOT.'header.php';
-
-?>
-
-
-
-
-
»
-
»
-
»
-
-
-
-
-
-
-
-
-
-
-query('SELECT 1 FROM '.$db->prefix.'topics AS t LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=t.forum_id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id='.$topic_id.' AND t.moved_to IS NULL') or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_common['Bad request'], false, '404 Not Found');
-
- $result = $db->query('SELECT 1 FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
- if ($db->num_rows($result))
- message($lang_misc['Already subscribed topic']);
-
- $db->query('INSERT INTO '.$db->prefix.'topic_subscriptions (user_id, topic_id) VALUES('.$pun_user['id'].' ,'.$topic_id.')') or error('Unable to add subscription', __FILE__, __LINE__, $db->error());
-
- redirect('viewtopic.php?id='.$topic_id, $lang_misc['Subscribe redirect']);
- }
-
- if ($forum_id)
- {
- if ($pun_config['o_forum_subscriptions'] != '1')
- message($lang_common['No permission'], false, '403 Forbidden');
-
- // Make sure the user can view the forum
- $result = $db->query('SELECT 1 FROM '.$db->prefix.'forums AS f LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND f.id='.$forum_id) or error('Unable to fetch forum info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_common['Bad request'], false, '404 Not Found');
-
- $result = $db->query('SELECT 1 FROM '.$db->prefix.'forum_subscriptions WHERE user_id='.$pun_user['id'].' AND forum_id='.$forum_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
- if ($db->num_rows($result))
- message($lang_misc['Already subscribed forum']);
-
- $db->query('INSERT INTO '.$db->prefix.'forum_subscriptions (user_id, forum_id) VALUES('.$pun_user['id'].' ,'.$forum_id.')') or error('Unable to add subscription', __FILE__, __LINE__, $db->error());
-
- redirect('viewforum.php?id='.$forum_id, $lang_misc['Subscribe redirect']);
- }
-}
-
-
-else if ($action == 'unsubscribe')
-{
- if ($pun_user['is_guest'])
- message($lang_common['No permission'], false, '403 Forbidden');
-
- $topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0;
- $forum_id = isset($_GET['fid']) ? intval($_GET['fid']) : 0;
- if ($topic_id < 1 && $forum_id < 1)
- message($lang_common['Bad request'], false, '404 Not Found');
-
- if ($topic_id)
- {
- if ($pun_config['o_topic_subscriptions'] != '1')
- message($lang_common['No permission'], false, '403 Forbidden');
-
- $result = $db->query('SELECT 1 FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_misc['Not subscribed topic']);
-
- $db->query('DELETE FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to remove subscription', __FILE__, __LINE__, $db->error());
-
- redirect('viewtopic.php?id='.$topic_id, $lang_misc['Unsubscribe redirect']);
- }
-
- if ($forum_id)
- {
- if ($pun_config['o_forum_subscriptions'] != '1')
- message($lang_common['No permission'], false, '403 Forbidden');
-
- $result = $db->query('SELECT 1 FROM '.$db->prefix.'forum_subscriptions WHERE user_id='.$pun_user['id'].' AND forum_id='.$forum_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
- if (!$db->num_rows($result))
- message($lang_misc['Not subscribed forum']);
-
- $db->query('DELETE FROM '.$db->prefix.'forum_subscriptions WHERE user_id='.$pun_user['id'].' AND forum_id='.$forum_id) or error('Unable to remove subscription', __FILE__, __LINE__, $db->error());
-
- redirect('viewforum.php?id='.$forum_id, $lang_misc['Unsubscribe redirect']);
- }
-}
-
-
-else
- message($lang_common['Bad request'], false, '404 Not Found');
+
+
+
+
+
+
+
+
+
+query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user last visit data', __FILE__, __LINE__, $db->error());
+
+ // Reset tracked topics
+ set_tracked_topics(null);
+
+ redirect('index.php', $lang_misc['Mark read redirect']);
+}
+
+
+// Mark the topics/posts in a forum as read?
+else if ($action == 'markforumread')
+{
+ if ($pun_user['is_guest'])
+ message($lang_common['No permission'], false, '403 Forbidden');
+
+ $fid = isset($_GET['fid']) ? intval($_GET['fid']) : 0;
+ if ($fid < 1)
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $tracked_topics = get_tracked_topics();
+ $tracked_topics['forums'][$fid] = time();
+ set_tracked_topics($tracked_topics);
+
+ redirect('viewforum.php?id='.$fid, $lang_misc['Mark forum read redirect']);
+}
+
+
+else if (isset($_GET['email']))
+{
+ if ($pun_user['is_guest'] || $pun_user['g_send_email'] == '0')
+ message($lang_common['No permission'], false, '403 Forbidden');
+
+ $recipient_id = intval($_GET['email']);
+ if ($recipient_id < 2)
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $result = $db->query('SELECT username, email, email_setting FROM '.$db->prefix.'users WHERE id='.$recipient_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ list($recipient, $recipient_email, $email_setting) = $db->fetch_row($result);
+
+ if ($email_setting == 2 && !$pun_user['is_admmod'])
+ message($lang_misc['Form email disabled']);
+
+
+ if (isset($_POST['form_sent']))
+ {
+ confirm_referrer('misc.php');
+
+ // Clean up message and subject from POST
+ $subject = pun_trim($_POST['req_subject']);
+ $message = pun_trim($_POST['req_message']);
+
+ if ($subject == '')
+ message($lang_misc['No email subject']);
+ else if ($message == '')
+ message($lang_misc['No email message']);
+ // Here we use strlen() not pun_strlen() as we want to limit the post to PUN_MAX_POSTSIZE bytes, not characters
+ else if (strlen($message) > PUN_MAX_POSTSIZE)
+ message($lang_misc['Too long email message']);
+
+ if ($pun_user['last_email_sent'] != '' && (time() - $pun_user['last_email_sent']) < $pun_user['g_email_flood'] && (time() - $pun_user['last_email_sent']) >= 0)
+ message(sprintf($lang_misc['Email flood'], $pun_user['g_email_flood'], $pun_user['g_email_flood'] - (time() - $pun_user['last_email_sent'])));
+
+ // Load the "form email" template
+ $mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/form_email.tpl'));
+
+ // The first row contains the subject
+ $first_crlf = strpos($mail_tpl, "\n");
+ $mail_subject = pun_trim(substr($mail_tpl, 8, $first_crlf-8));
+ $mail_message = pun_trim(substr($mail_tpl, $first_crlf));
+
+ $mail_subject = str_replace('', $subject, $mail_subject);
+ $mail_message = str_replace('', $pun_user['username'], $mail_message);
+ $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
+ $mail_message = str_replace('', $message, $mail_message);
+ $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
+
+ require_once PUN_ROOT.'include/email.php';
+
+ pun_mail($recipient_email, $mail_subject, $mail_message, $pun_user['email'], $pun_user['username']);
+
+ $db->query('UPDATE '.$db->prefix.'users SET last_email_sent='.time().' WHERE id='.$pun_user['id']) or error('Unable to update user', __FILE__, __LINE__, $db->error());
+
+ // Try to determine if the data in redirect_url is valid (if not, we redirect to index.php after login)
+ $redirect_url = validate_redirect($_POST['redirect_url'], 'index.php');
+
+ redirect(pun_htmlspecialchars($redirect_url), $lang_misc['Email sent redirect']);
+ }
+
+
+ // Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to the user's profile after the email is sent)
+ if (!empty($_SERVER['HTTP_REFERER']))
+ $redirect_url = validate_redirect($_SERVER['HTTP_REFERER'], null);
+
+ if (!isset($redirect_url))
+ $redirect_url = 'profile.php?id='.$recipient_id;
+ else if (preg_match('%viewtopic\.php\?pid=(\d+)$%', $redirect_url, $matches))
+ $redirect_url .= '#p'.$matches[1];
+
+ $page_title = array(pun_htmlspecialchars($pun_config['o_board_title']), $lang_misc['Send email to'].' '.pun_htmlspecialchars($recipient));
+ $required_fields = array('req_subject' => $lang_misc['Email subject'], 'req_message' => $lang_misc['Email message']);
+ $focus_element = array('email', 'req_subject');
+ define('PUN_ACTIVE_PAGE', 'index');
+ require PUN_ROOT.'header.php';
+
+?>
+
+
+
+
+
+
+ 65535) // TEXT field can only hold 65535 bytes
+ message($lang_misc['Reason too long']);
+
+ if ($pun_user['last_report_sent'] != '' && (time() - $pun_user['last_report_sent']) < $pun_user['g_report_flood'] && (time() - $pun_user['last_report_sent']) >= 0)
+ message(sprintf($lang_misc['Report flood'], $pun_user['g_report_flood'], $pun_user['g_report_flood'] - (time() - $pun_user['last_report_sent'])));
+
+ // Get the topic ID
+ $result = $db->query('SELECT topic_id FROM '.$db->prefix.'posts WHERE id='.$post_id) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $topic_id = $db->result($result);
+
+ // Get the subject and forum ID
+ $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ list($subject, $forum_id) = $db->fetch_row($result);
+
+ // Should we use the internal report handling?
+ if ($pun_config['o_report_method'] == '0' || $pun_config['o_report_method'] == '2')
+ $db->query('INSERT INTO '.$db->prefix.'reports (post_id, topic_id, forum_id, reported_by, created, message) VALUES('.$post_id.', '.$topic_id.', '.$forum_id.', '.$pun_user['id'].', '.time().', \''.$db->escape($reason).'\')' ) or error('Unable to create report', __FILE__, __LINE__, $db->error());
+
+ // Should we email the report?
+ if ($pun_config['o_report_method'] == '1' || $pun_config['o_report_method'] == '2')
+ {
+ // We send it to the complete mailing-list in one swoop
+ if ($pun_config['o_mailing_list'] != '')
+ {
+ // Load the "new report" template
+ $mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/new_report.tpl'));
+
+ // The first row contains the subject
+ $first_crlf = strpos($mail_tpl, "\n");
+ $mail_subject = trim(substr($mail_tpl, 8, $first_crlf-8));
+ $mail_message = trim(substr($mail_tpl, $first_crlf));
+
+ $mail_subject = str_replace('', $forum_id, $mail_subject);
+ $mail_subject = str_replace('', $subject, $mail_subject);
+ $mail_message = str_replace('', $pun_user['username'], $mail_message);
+ $mail_message = str_replace('', get_base_url().'/viewtopic.php?pid='.$post_id.'#p'.$post_id, $mail_message);
+ $mail_message = str_replace('', $reason, $mail_message);
+ $mail_message = str_replace('', $pun_config['o_board_title'], $mail_message);
+
+ require PUN_ROOT.'include/email.php';
+
+ pun_mail($pun_config['o_mailing_list'], $mail_subject, $mail_message);
+ }
+ }
+
+ $db->query('UPDATE '.$db->prefix.'users SET last_report_sent='.time().' WHERE id='.$pun_user['id']) or error('Unable to update user', __FILE__, __LINE__, $db->error());
+
+ redirect('viewforum.php?id='.$forum_id, $lang_misc['Report redirect']);
+ }
+
+ // Fetch some info about the post, the topic and the forum
+ $result = $db->query('SELECT f.id AS fid, f.forum_name, t.id AS tid, t.subject FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND p.id='.$post_id) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $cur_post = $db->fetch_assoc($result);
+
+ if ($pun_config['o_censoring'] == '1')
+ $cur_post['subject'] = censor_words($cur_post['subject']);
+
+ $page_title = array(pun_htmlspecialchars($pun_config['o_board_title']), $lang_misc['Report post']);
+ $required_fields = array('req_reason' => $lang_misc['Reason']);
+ $focus_element = array('report', 'req_reason');
+ define('PUN_ACTIVE_PAGE', 'index');
+ require PUN_ROOT.'header.php';
+
+?>
+
+
+
+
+
»
+
»
+
»
+
+
+
+
+
+
+
+
+
+
+query('SELECT 1 FROM '.$db->prefix.'topics AS t LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=t.forum_id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id='.$topic_id.' AND t.moved_to IS NULL') or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $result = $db->query('SELECT 1 FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
+ if ($db->num_rows($result))
+ message($lang_misc['Already subscribed topic']);
+
+ $db->query('INSERT INTO '.$db->prefix.'topic_subscriptions (user_id, topic_id) VALUES('.$pun_user['id'].' ,'.$topic_id.')') or error('Unable to add subscription', __FILE__, __LINE__, $db->error());
+
+ redirect('viewtopic.php?id='.$topic_id, $lang_misc['Subscribe redirect']);
+ }
+
+ if ($forum_id)
+ {
+ if ($pun_config['o_forum_subscriptions'] != '1')
+ message($lang_common['No permission'], false, '403 Forbidden');
+
+ // Make sure the user can view the forum
+ $result = $db->query('SELECT 1 FROM '.$db->prefix.'forums AS f LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND f.id='.$forum_id) or error('Unable to fetch forum info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ $result = $db->query('SELECT 1 FROM '.$db->prefix.'forum_subscriptions WHERE user_id='.$pun_user['id'].' AND forum_id='.$forum_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
+ if ($db->num_rows($result))
+ message($lang_misc['Already subscribed forum']);
+
+ $db->query('INSERT INTO '.$db->prefix.'forum_subscriptions (user_id, forum_id) VALUES('.$pun_user['id'].' ,'.$forum_id.')') or error('Unable to add subscription', __FILE__, __LINE__, $db->error());
+
+ redirect('viewforum.php?id='.$forum_id, $lang_misc['Subscribe redirect']);
+ }
+}
+
+
+else if ($action == 'unsubscribe')
+{
+ if ($pun_user['is_guest'])
+ message($lang_common['No permission'], false, '403 Forbidden');
+
+ $topic_id = isset($_GET['tid']) ? intval($_GET['tid']) : 0;
+ $forum_id = isset($_GET['fid']) ? intval($_GET['fid']) : 0;
+ if ($topic_id < 1 && $forum_id < 1)
+ message($lang_common['Bad request'], false, '404 Not Found');
+
+ if ($topic_id)
+ {
+ if ($pun_config['o_topic_subscriptions'] != '1')
+ message($lang_common['No permission'], false, '403 Forbidden');
+
+ $result = $db->query('SELECT 1 FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_misc['Not subscribed topic']);
+
+ $db->query('DELETE FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to remove subscription', __FILE__, __LINE__, $db->error());
+
+ redirect('viewtopic.php?id='.$topic_id, $lang_misc['Unsubscribe redirect']);
+ }
+
+ if ($forum_id)
+ {
+ if ($pun_config['o_forum_subscriptions'] != '1')
+ message($lang_common['No permission'], false, '403 Forbidden');
+
+ $result = $db->query('SELECT 1 FROM '.$db->prefix.'forum_subscriptions WHERE user_id='.$pun_user['id'].' AND forum_id='.$forum_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
+ if (!$db->num_rows($result))
+ message($lang_misc['Not subscribed forum']);
+
+ $db->query('DELETE FROM '.$db->prefix.'forum_subscriptions WHERE user_id='.$pun_user['id'].' AND forum_id='.$forum_id) or error('Unable to remove subscription', __FILE__, __LINE__, $db->error());
+
+ redirect('viewforum.php?id='.$forum_id, $lang_misc['Unsubscribe redirect']);
+ }
+}
+
+
+else
+ message($lang_common['Bad request'], false, '404 Not Found');
diff --git a/profile.php b/profile.php
index a2ee583f2..feb8295f8 100644
--- a/profile.php
+++ b/profile.php
@@ -55,7 +55,7 @@
message($lang_profile['Pass key bad'].' '.pun_htmlspecialchars($pun_config['o_admin_email']).'.');
else
{
- $db->query('UPDATE '.$db->prefix.'users SET password=\''.$cur_user['activate_string'].'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
+ $db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
message($lang_profile['Pass updated'], true);
}