$RCMAIL->kill_session();
$RCMAIL->plugins->exec_hook('logout_after', $userdata);
} else {
if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
if (!$RCMAIL->authenticate_session()) {
$OUTPUT->show_message('sessionerror', 'error');
$RCMAIL->kill_session();
}
}
}
}
// don't check for valid request tokens in these actions
$request_check_whitelist = array('login' => 1, 'spell' => 1);
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token() && !empty($RCMAIL->user->ID)) {
header('HTTP/1.1 404 Not Found');
die("Invalid Request");
}
} else {
if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
$OUTPUT->show_message('invalidrequest', 'error');
$OUTPUT->send($RCMAIL->task);
}
}
// not logged in -> show login page
if (empty($RCMAIL->user->ID)) {
if ($OUTPUT->ajax_call) {
$OUTPUT->redirect(array(), 2000);
}
if (!empty($_REQUEST['_framed'])) {
if (($RCMAIL->task == 'logout' || $RCMAIL->action == 'logout') && isset($_SESSION['user_id'])) {
$OUTPUT->show_message('loggedout');
$RCMAIL->logout_actions();
$RCMAIL->kill_session();
} else {
if ($RCMAIL->action != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
if (!$RCMAIL->authenticate_session()) {
$OUTPUT->show_message('sessionerror', 'error');
$RCMAIL->kill_session();
}
}
}
}
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) {
header('HTTP/1.1 404 Not Found');
die("Invalid Request");
}
}
// not logged in -> show login page
if (empty($RCMAIL->user->ID)) {
if ($OUTPUT->ajax_call) {
$OUTPUT->redirect(array(), 2000);
}
// check if installer is still active
if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
$OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your RoundCube installation is still stored in its default location!") . html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the RoundCube directory because .\n these files may expose sensitive configuration data like server passwords and encryption keys\n to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")));
}
$OUTPUT->set_env('task', 'login');
$OUTPUT->send('login');
}
// check if installer is still active
if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
$OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your Roundcube installation is still stored in its default location!") . html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .\n these files may expose sensitive configuration data like server passwords and encryption keys\n to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")));
}
if ($session_error || $_REQUEST['_err'] == 'session') {
$OUTPUT->show_message('sessionerror', 'error', null, true, -1);
}
$RCMAIL->set_task('login');
$OUTPUT->send('login');
} else {
// don't check for valid request tokens in these actions
$request_check_whitelist = array('login' => 1, 'spell' => 1);
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
header('HTTP/1.1 403 Forbidden');
die("Invalid Request");
}
} else {
if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
$OUTPUT->show_message('invalidrequest', 'error');
$OUTPUT->send($RCMAIL->task);
}
}
// check referer if configured
if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
raise_error(array('code' => 403, 'type' => 'php', 'message' => "Referer check failed"), true, true);
}
}
// we're ready, user is authenticated and the request is safe
// check if installer is still active
if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
$OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your Roundcube installation is still stored in its default location!") . html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .\n these files may expose sensitive configuration data like server passwords and encryption keys\n to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")));
}
if ($session_error || $_REQUEST['_err'] == 'session') {
$OUTPUT->show_message('sessionerror', 'error', null, true, -1);
}
$plugin = $RCMAIL->plugins->exec_hook('unauthenticated', array('task' => 'login', 'error' => $session_error));
$RCMAIL->set_task($plugin['task']);
$OUTPUT->send($plugin['task']);
} else {
$request_check_whitelist = array('login' => 1, 'spell' => 1, 'spell_html' => 1);
if (!$request_check_whitelist[$RCMAIL->action]) {
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
header('HTTP/1.1 403 Forbidden');
die("Invalid Request");
}
} else {
if (!empty($_POST) && !$RCMAIL->check_request()) {
$OUTPUT->show_message('invalidrequest', 'error');
$OUTPUT->send($RCMAIL->task);
}
}
// check referer if configured
if ($RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
raise_error(array('code' => 403, 'type' => 'php', 'message' => "Referer check failed"), true, true);
}
}
}
