unset($_SESSION); unset($_SESSION["user"]); $error_msg = "Signed off."; } if (!isLogged()) { yourls_html_head('login'); mu_html_menu(); // Login form switch ($act) { case "login": $username = yourls_escape($_POST['username']); $password = $_POST['password']; if (!empty($username) && !empty($password)) { if (isValidUser($username, $password)) { $token = getUserTokenByEmail($username); $id = getUserIdByToken($token); $_SESSION['user'] = array("id" => $id, "user" => $username, "token" => $token); yourls_redirect("index.php"); } else { $error_msg = "Problems to login."; require_once 'form.php'; } } break; case "joinform": require_once 'formjoin.php'; break; case "join": $username = yourls_escape($_POST['username']); $password = $_POST['password']; if (captchaEnabled()) {
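/**
 * Gate YOURLS API calls for the multiuser plugin.
 *
 * Runs ahead of the core API dispatch. Admin sessions and the public
 * "expand" action pass straight through; "shorturl" and "url-stats" need a
 * multiuser account resolved from the "token" request parameter (or, failing
 * that, the current session). Any other action is refused with a 400.
 *
 * @param array $args Filter arguments; $args[0] is the requested API action.
 * @return void Returns normally when the request may proceed; otherwise emits
 *              an API response in the requested format and terminates.
 */
function trapApi($args) {
    $action = isset($args[0]) ? $args[0] : '';
    $admin = yourls_is_valid_user(); // Uses this name but REFERS to ADMIN!
    if ($admin === true || $action === 'expand') {
        return;
    }
    // NOTE(review): spelled MULTUSER here but MULTIUSER for the anonymous flag
    // below — confirm against the plugin's own constant definition.
    if (YOURLS_MULTUSER_PROTECTED === false
        && ($action === 'stats' || $action === 'db-stats' || $action === 'url-stats')) {
        return;
    }

    switch ($action) {
        case 'shorturl':
            if (YOURLS_MULTIUSER_ANONYMOUS === true) {
                return;
            }
            if (trapApiResolveUser()) {
                return;
            }
            $return = array(
                'simple'    => 'You can\'t be anonymous',
                'message'   => 'You can\'t be anonymous',
                'errorCode' => 403,
            );
            break;

        // Stats for a shorturl
        case 'url-stats':
            $user = trapApiResolveUser();
            if (!$user) {
                $return = array(
                    'simple'    => 'Invalid username or password',
                    'message'   => 'Invalid username or password',
                    'errorCode' => 403,
                );
                break;
            }
            $shorturl = isset($_REQUEST['shorturl']) ? $_REQUEST['shorturl'] : '';
            // yourls_api_url_stats() accepts either a full short URL or a bare
            // keyword; derive the keyword the same way so the ownership check
            // is made on the very link whose stats are about to be returned.
            // (Previously $keyword was never assigned here, so the check ran
            // on an undefined value.)
            $keyword = yourls_sanitize_string(str_replace(YOURLS_SITE . '/', '', $shorturl));
            if (verifyUrlOwner($keyword, $user)) {
                $return = yourls_api_url_stats($shorturl);
            } else {
                $return = array(
                    'simple'    => 'Invalid username or password',
                    'message'   => 'Invalid username or password',
                    'errorCode' => 403,
                );
            }
            break;

        default:
            $return = array(
                'errorCode' => 400,
                'message'   => 'Unknown or missing or forbidden "action" parameter',
                'simple'    => 'Unknown or missing or forbidden "action" parameter',
            );
    }

    $format = isset($_REQUEST['format']) ? $_REQUEST['format'] : 'xml';
    yourls_api_output($format, $return);
    die;
}

/**
 * Resolve the multiuser account making an API request.
 *
 * Tries the sanitized "token" request parameter first, then the token stored
 * in $_SESSION['user'] when one exists. Guarding the session lookup avoids
 * the undefined-index notices the unconditional fallback used to raise.
 *
 * NOTE(review): the session fallback means a logged-in browser session
 * authorises API calls without a token; confirm that is intended.
 *
 * @return mixed The user id from getUserIdByToken(), or its falsy failure value.
 */
function trapApiResolveUser() {
    $token = isset($_REQUEST['token']) ? yourls_sanitize_string($_REQUEST['token']) : '';
    $user = getUserIdByToken($token);
    if (!$user && isset($_SESSION['user']['token'])) {
        $user = getUserIdByToken($_SESSION['user']['token']);
    }
    return $user;
}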