//   This program is distributed in the hope that it will be useful,          //
//   but WITHOUT ANY WARRANTY, without even the implied warranty of           //
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     //
//                                                                            //
//   You should have received a copy of the Phorum License                    //
//   along with this program.                                                 //
////////////////////////////////////////////////////////////////////////////////
// This script renders the "read" page.
define('phorum_page', 'read');

include_once './common.php';
include_once './include/email_functions.php';
include_once './include/format_functions.php';

// Development-only timing instrumentation; left disabled.
//include_once('./include/timing.php');
//timing_start();

// The common URLs are needed before the permission check below,
// because the check may render a message page that uses them.
phorum_build_common_urls();

// Stop here when the user may not read this forum. The check is
// expected to have rendered the error page itself when it returns false,
// so there is nothing left for this script to output.
if (!phorum_check_read_common()) {
    return;
}

// A folder has no messages to read; send the visitor to its index instead.
if ($PHORUM['folder_flag']) {
    phorum_redirect_by_url(phorum_get_url(PHORUM_INDEX_URL, $PHORUM['forum_id']));
    exit;
}

// Key under which the new-message flags for this user and forum are tracked.
$newflagkey = "{$PHORUM['forum_id']}-{$PHORUM['user']['user_id']}";
if ($PHORUM["DATA"]["LOGGEDIN"]) {
    // reading newflags in
    $PHORUM['user']['newinfo'] = null;
    if ($PHORUM['cache_newflags']) {
/**
 * Check if the user has read permission for a forum page.
 *
 * When the user may not read the currently active forum, a message page
 * is rendered through phorum_api_output("message") and FALSE is returned.
 * Which message is shown depends on the situation:
 *
 * - a logged in user without read permission: "NoRead";
 * - an anonymous user who would not be allowed to read even when
 *   logged in: "NoRead";
 * - an anonymous user who would be allowed to read when logged in:
 *   "PleaseLoginRead".
 *
 * Callers must stop processing the page when FALSE is returned, since
 * the error page has already been sent at that point.
 *
 * @return boolean
 *     TRUE in case the user is allowed to read the forum,
 *     FALSE otherwise.
 */
function phorum_check_read_common()
{
    global $PHORUM;

    // Folders and the index page (forum_id 0) are not subject to the
    // check; the access lookup is only done for real forum pages.
    $is_forum_page = $PHORUM["forum_id"] > 0 && !$PHORUM["folder_flag"];
    if (!$is_forum_page || phorum_api_user_check_access(PHORUM_USER_ALLOW_READ)) {
        return true;
    }

    if ($PHORUM["DATA"]["LOGGEDIN"]) {
        // Logged in and still denied: the user lacks the right altogether.
        $message_key = "NoRead";
    } elseif (empty($PHORUM["DATA"]["POST"]["parentid"]) && ($PHORUM["reg_perms"] & PHORUM_USER_ALLOW_READ)) {
        // Anonymous, but registered users may read this forum: ask the
        // visitor to log in. Posted reply forms (a "parentid" in POST) are
        // excluded from this hint; the reason is not visible here.
        $message_key = "PleaseLoginRead";
    } else {
        $message_key = "NoRead";
    }
    $PHORUM["DATA"]["OKMSG"] = $PHORUM["DATA"]["LANG"][$message_key];

    phorum_build_common_urls();
    phorum_api_output("message");

    return false;
}
/**
 * A common function for checking the read-permissions for a forum-page.
 *
 * Returns false if access is not allowed; in that case an error page
 * (header, message and footer templates) has already been output and the
 * caller must not produce any further output.
 *
 * The message shown is "NoRead", except for anonymous visitors who would
 * be allowed to read when logged in; they get "PleaseLoginRead".
 *
 * @return boolean
 *     true when the user may read the forum, false otherwise.
 */
function phorum_check_read_common()
{
    // NOTE(review): this is a by-value copy of the global array. The
    // templates below are included in this function's scope and therefore
    // see this local copy, while phorum_build_common_urls() is called after
    // the copy was taken -- confirm the templates do not depend on data it
    // stores in the global array.
    $PHORUM = $GLOBALS['PHORUM'];

    // Only real forum pages (not folders, not the index) are checked.
    $is_forum_page = $PHORUM["forum_id"] > 0 && !$PHORUM["folder_flag"];
    if (!$is_forum_page || phorum_user_access_allowed(PHORUM_USER_ALLOW_READ)) {
        return true;
    }

    if ($PHORUM["DATA"]["LOGGEDIN"]) {
        // Logged in and still denied: the user lacks the right altogether.
        $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["NoRead"];
    } elseif (empty($PHORUM["DATA"]["POST"]["parentid"]) && ($PHORUM["reg_perms"] & PHORUM_USER_ALLOW_READ)) {
        // Anonymous, but registered users may read: suggest logging in.
        $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["PleaseLoginRead"];
    } else {
        $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"]["NoRead"];
    }

    phorum_build_common_urls();

    // Render the error page in place; the includes run in this scope.
    include phorum_get_template("header");
    phorum_hook("after_header");
    include phorum_get_template("message");
    phorum_hook("before_footer");
    include phorum_get_template("footer");

    return false;
}
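/**
 * Setup and check posting tokens for form POST requests.
 *
 * For protecting forms against CSRF attacks, a signed posting token
 * is utilized. This posting token must be included in the POST request.
 * Without the token, Phorum will not accept the POST data.
 *
 * This function will check whether we are handling a POST request.
 * If yes, then check if an anti-CSRF token is provided in the POST data.
 * If no token is available or if the token does not match the expected
 * token, then an error message page is rendered and the script exits.
 *
 * As a side effect, the required token is added to the {POST_VARS}
 * template variable. This facilitates protecting scripts. As
 * long as the template variable is added to the <form> for the
 * script, it will be automatically protected.
 *
 * The token is derived from the target page, the user (password hash
 * and long-term session id for logged in users, the User-Agent header
 * for anonymous users) and the installation's private key.
 *
 * @param string $target_page
 *     The page for which to check a posting token. When no target
 *     page is provided, then the constant "phorum_page" is used instead.
 *
 * @return string
 *     The expected posting token.
 */
function phorum_api_request_check_token($target_page = NULL)
{
    global $PHORUM;

    if ($target_page === NULL) {
        $target_page = phorum_page;
    }
    $variable = 'posting_token:' . $target_page;

    // Generate the posting token.
    // NOTE(review): md5 over concatenated fields is a weak construction;
    // hash_hmac() keyed with the private key would be preferable, but
    // changing the derivation invalidates tokens in forms that were
    // already rendered, so it is kept as is here.
    if ($PHORUM['user']['user_id']) {
        $user_part = $PHORUM['user']['password'] . '/' . $PHORUM['user']['sessid_lt'];
    } else {
        $user_part = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'unknown';
    }
    $posting_token = md5($target_page . '/' . $user_part . '/' . $PHORUM['private_key']);

    // Add the posting token to the {POST_VARS}.
    $PHORUM['DATA']['POST_VARS'] .= "<input type=\"hidden\" name=\"{$variable}\" " . "value=\"{$posting_token}\"/>\n";

    // Check the posting token if a form post is done.
    if (!empty($_POST)) {
        // The supplied value must be a string (an array here means a
        // malformed request) and must match byte-for-byte. hash_equals()
        // replaces the loose "!=" comparison, which would compare two
        // numeric-looking strings (e.g. hex digests of the form "0e...")
        // numerically, and it also avoids a timing side channel.
        $supplied = isset($_POST[$variable]) ? $_POST[$variable] : null;
        if (!is_string($supplied) || !hash_equals($posting_token, $supplied)) {
            $PHORUM['DATA']['ERROR'] = 'Possible hack attempt detected. ' . 'The posted form data was rejected.';
            phorum_build_common_urls();
            phorum_api_output("message");
            exit;
        }
    }

    return $posting_token;
}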
/**
 * Render the spam hurdles "blocked" message page and stop the request.
 *
 * Stores the module's BlockError language string in the ERROR template
 * variable, outputs the header, message and footer templates (running the
 * after_header and before_footer hooks in between) and then exits.
 * This function never returns.
 */
function spamhurdle_blockerror()
{
    global $PHORUM;
    // The common URLs are built before any template is included.
    phorum_build_common_urls();
    $PHORUM["DATA"]["ERROR"] = $PHORUM["DATA"]["LANG"]["mod_spamhurdles"]["BlockError"];
    // The templates are included in this function's scope, so they see $PHORUM.
    include phorum_get_template("header");
    phorum_hook("after_header");
    include phorum_get_template("message");
    phorum_hook("before_footer");
    include phorum_get_template("footer");
    // Stop here: the blocked request must not continue to the protected action.
    exit(0);
}