// This program is distributed in the hope that it will be useful, // // but WITHOUT ANY WARRANTY, without even the implied warranty of // // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // // // // You should have received a copy of the Phorum License // // along with this program. // //////////////////////////////////////////////////////////////////////////////// define('phorum_page', 'read'); include_once "./common.php"; include_once "./include/email_functions.php"; include_once "./include/format_functions.php"; // for dev-purposes .. //include_once('./include/timing.php'); //timing_start(); // set all our URL's ... we need these earlier phorum_build_common_urls(); // checking read-permissions if (!phorum_check_read_common()) { return; } // somehow we got to a folder if ($PHORUM["folder_flag"]) { $dest_url = phorum_get_url(PHORUM_INDEX_URL, $PHORUM["forum_id"]); phorum_redirect_by_url($dest_url); exit; } $newflagkey = $PHORUM["forum_id"] . "-" . $PHORUM['user']['user_id']; if ($PHORUM["DATA"]["LOGGEDIN"]) { // reading newflags in $PHORUM['user']['newinfo'] = null; if ($PHORUM['cache_newflags']) {
/**
 * Check whether the current user may read the active forum page.
 *
 * When the user lacks read access to the active forum, an error message
 * is selected and rendered through phorum_api_output("message"). Which
 * message is shown depends on the situation:
 *
 * - logged in user without read access: the "NoRead" message;
 * - anonymous user who would still be denied after logging in: "NoRead";
 * - anonymous user who would gain access by logging in (registered
 *   users carry the read flag and no parentid was posted): the
 *   "PleaseLoginRead" message.
 *
 * Folders and forum_id 0 are never subject to this check.
 *
 * @return boolean
 *     TRUE when reading is allowed, FALSE when the error page was output
 *     (the caller is expected to stop processing in that case).
 */
function phorum_check_read_common()
{
    global $PHORUM;

    // The permission check only applies to real forums, never to folders.
    $is_forum = $PHORUM["forum_id"] > 0 && !$PHORUM["folder_flag"];
    if (!$is_forum || phorum_api_user_check_access(PHORUM_USER_ALLOW_READ)) {
        return TRUE;
    }

    $lang = $PHORUM["DATA"]["LANG"];

    if ($PHORUM["DATA"]["LOGGEDIN"]) {
        // Logged in but still denied: the user simply has no rights.
        $message = $lang["NoRead"];
    } elseif (empty($PHORUM["DATA"]["POST"]["parentid"])
              && ($PHORUM["reg_perms"] & PHORUM_USER_ALLOW_READ)) {
        // Anonymous visitor who would be allowed after logging in.
        $message = $lang["PleaseLoginRead"];
    } else {
        $message = $lang["NoRead"];
    }

    $PHORUM["DATA"]["OKMSG"] = $message;
    phorum_build_common_urls();
    phorum_api_output("message");

    return FALSE;
}
/**
 * Common read-permission check for a forum page (legacy variant).
 *
 * Works on a local copy of $GLOBALS['PHORUM']. The templates are
 * included from inside this function, so they run in this scope; a
 * template that reads $PHORUM therefore sees the message stored on the
 * local copy, not the global array.
 *
 * Returns false when access is denied; in that case a complete error
 * page (header, message, footer) has already been output and the caller
 * should stop.
 */
function phorum_check_read_common()
{
    $PHORUM = $GLOBALS['PHORUM'];

    // Only real forums are checked; folders and forum_id 0 pass through.
    $needs_check = $PHORUM["forum_id"] > 0 && !$PHORUM["folder_flag"];
    if (!$needs_check || phorum_user_access_allowed(PHORUM_USER_ALLOW_READ)) {
        return true;
    }

    if ($PHORUM["DATA"]["LOGGEDIN"]) {
        // Logged in but still not allowed: the user has no rights.
        $msgkey = "NoRead";
    } elseif (empty($PHORUM["DATA"]["POST"]["parentid"])
              && ($PHORUM["reg_perms"] & PHORUM_USER_ALLOW_READ)) {
        // Anonymous visitor who could read after logging in.
        $msgkey = "PleaseLoginRead";
    } else {
        $msgkey = "NoRead";
    }
    $PHORUM["DATA"]["MESSAGE"] = $PHORUM["DATA"]["LANG"][$msgkey];

    phorum_build_common_urls();

    // Render the full error page; the includes share this function scope.
    include phorum_get_template("header");
    phorum_hook("after_header");
    include phorum_get_template("message");
    phorum_hook("before_footer");
    include phorum_get_template("footer");

    return false;
}
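/**
 * Setup and check posting tokens for form POST requests.
 *
 * For protecting forms against CSRF attacks, a signed posting token
 * is utilized. This posting token must be included in the POST request.
 * Without the token, Phorum will not accept the POST data.
 *
 * This function will check whether we are handling a POST request.
 * If yes, then check if an anti-CSRF token is provided in the POST data.
 * If no token is available or if the token does not match the expected
 * token, then the POST request is rejected: an error page is output and
 * the script exits.
 *
 * As a side effect, the required token is added to the {POST_VARS}
 * template variable. This facilitates protecting scripts. As
 * long as the template variable is added to the <form> for the
 * script, it will be automatically protected.
 *
 * The token is an md5 over the target page, an identity component and
 * the site's private key. For a logged in user the identity component
 * is the stored password value plus the long-term session id; for an
 * anonymous visitor it is the User-Agent header (or 'unknown').
 * NOTE(review): an HMAC (hash_hmac) would be the more conventional
 * construction here; md5 is kept to stay compatible with tokens that
 * are already embedded in rendered forms.
 *
 * The submitted token is compared with hash_equals() (PHP 5.6+):
 * a loose "!=" comparison of two hex strings can treat them as numbers
 * when both look numeric (e.g. "0e..." forms), and a plain string
 * comparison is not constant-time.
 *
 * @param string $target_page
 *     The page for which to check a posting token. When no target
 *     page is provided, then the constant "phorum_page" is used instead.
 *
 * @return string
 *     The expected posting token.
 */
function phorum_api_request_check_token($target_page = NULL)
{
    global $PHORUM;

    if ($target_page === NULL) {
        $target_page = phorum_page;
    }

    $variable = 'posting_token:' . $target_page;

    // Identity component: session secrets for logged in users, the
    // User-Agent for anonymous visitors.
    if ($PHORUM['user']['user_id']) {
        $identity = $PHORUM['user']['password'] . '/' .
                    $PHORUM['user']['sessid_lt'];
    } elseif (isset($_SERVER['HTTP_USER_AGENT'])) {
        $identity = $_SERVER['HTTP_USER_AGENT'];
    } else {
        $identity = 'unknown';
    }

    // Generate the posting token; the private key makes it
    // uncomputable without server-side state.
    $posting_token = md5(
        $target_page . '/' . $identity . '/' . $PHORUM['private_key']
    );

    // Add the posting token to the {POST_VARS}.
    $PHORUM['DATA']['POST_VARS'] .=
        "<input type=\"hidden\" name=\"{$variable}\" " .
        "value=\"{$posting_token}\"/>\n";

    // Check the posting token if a form post is done.
    if (!empty($_POST)) {
        $submitted = isset($_POST[$variable]) ? $_POST[$variable] : NULL;

        // A non-string value (e.g. an array from "name[]") is rejected
        // up front, because hash_equals() only accepts strings.
        if (!is_string($submitted) || !hash_equals($posting_token, $submitted)) {
            $PHORUM['DATA']['ERROR'] =
                'Possible hack attempt detected. ' .
                'The posted form data was rejected.';
            phorum_build_common_urls();
            phorum_api_output("message");
            exit;
        }
    }

    return $posting_token;
}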
/**
 * Output the spam hurdles "blocked" error page and stop the request.
 *
 * Sets the module's BlockError language string as the page error,
 * renders the header, message and footer templates with the usual
 * hooks in between, and terminates the script with exit status 0.
 * The templates are included from this function's scope.
 */
function spamhurdle_blockerror()
{
    global $PHORUM;

    phorum_build_common_urls();

    $modlang = $PHORUM["DATA"]["LANG"]["mod_spamhurdles"];
    $PHORUM["DATA"]["ERROR"] = $modlang["BlockError"];

    include phorum_get_template("header");
    phorum_hook("after_header");
    include phorum_get_template("message");
    phorum_hook("before_footer");
    include phorum_get_template("footer");

    exit(0);
}