Esempio n. 1
0
function deleteAttachment($attachmentId)
{
    if (!isAdmin()) {
        return 4;
    }
    $link = getDBConnection();
    $data = array();
    if (mysqli_select_db($link, getDBName())) {
        $attachmentId = intval($attachmentId);
        if (mysqli_query($link, "DELETE FROM attachments WHERE id = {$attachmentId}")) {
            removeDir(getAttachmentPath($attachmentId));
            if (!file_exists(getAttachmentPath($attachmentId))) {
                return 0;
            } else {
                return 1;
            }
        } else {
            return 2;
        }
    } else {
        return 3;
    }
}
Esempio n. 2
0
/**
 * Do some important security checks:
 *
 * What it does:
 * - checks the existence of critical files e.g. install.php
 * - checks for an active admin session.
 * - checks cache directory is writable.
 * - calls secureDirectory to protect attachments & cache.
 * - checks if the forum is in maintance mode.
 */
function doSecurityChecks()
{
    global $modSettings, $context, $maintenance, $user_info, $txt, $scripturl, $user_settings, $options;
    $show_warnings = false;
    if (allowedTo('admin_forum') && !$user_info['is_guest']) {
        // If agreement is enabled, at least the english version shall exists
        if ($modSettings['requireAgreement'] && !file_exists(BOARDDIR . '/agreement.txt')) {
            $context['security_controls_files']['title'] = $txt['generic_warning'];
            $context['security_controls_files']['errors']['agreement'] = $txt['agreement_missing'];
            $show_warnings = true;
        }
        // Cache directory writeable?
        if (!empty($modSettings['cache_enable']) && !is_writable(CACHEDIR)) {
            $context['security_controls_files']['title'] = $txt['generic_warning'];
            $context['security_controls_files']['errors']['cache'] = $txt['cache_writable'];
            $show_warnings = true;
        }
        // @todo add a hook here
        $securityFiles = array('install.php', 'upgrade.php', 'convert.php', 'repair_paths.php', 'repair_settings.php', 'Settings.php~', 'Settings_bak.php~');
        foreach ($securityFiles as $securityFile) {
            if (file_exists(BOARDDIR . '/' . $securityFile)) {
                $context['security_controls_files']['title'] = $txt['security_risk'];
                $context['security_controls_files']['errors'][$securityFile] = sprintf($txt['not_removed'], $securityFile);
                $show_warnings = true;
                if ($securityFile == 'Settings.php~' || $securityFile == 'Settings_bak.php~') {
                    $context['security_controls_files']['errors'][$securityFile] .= '<span class="smalltext">' . sprintf($txt['not_removed_extra'], $securityFile, substr($securityFile, 0, -1)) . '</span>';
                }
            }
        }
        // We are already checking so many files...just few more doesn't make any difference! :P
        require_once SUBSDIR . '/Attachments.subs.php';
        $path = getAttachmentPath();
        secureDirectory($path, true);
        secureDirectory(CACHEDIR);
        // Active admin session?
        if (empty($modSettings['securityDisable']) && (isset($_SESSION['admin_time']) && $_SESSION['admin_time'] + $modSettings['admin_session_lifetime'] * 60 > time())) {
            $context['warning_controls']['admin_session'] = sprintf($txt['admin_session_active'], $scripturl . '?action=admin;area=adminlogoff;redir;' . $context['session_var'] . '=' . $context['session_id']);
        }
        // Maintenance mode enabled?
        if (!empty($maintenance)) {
            $context['warning_controls']['maintenance'] = sprintf($txt['admin_maintenance_active'], $scripturl . '?action=admin;area=serversettings;' . $context['session_var'] . '=' . $context['session_id']);
        }
        // New updates
        if (defined('FORUM_VERSION')) {
            $index = 'new_in_' . str_replace(array('ElkArte ', '.'), array('', '_'), FORUM_VERSION);
            if (!empty($modSettings[$index]) && empty($options['dismissed_' . $index])) {
                $show_warnings = true;
                $context['new_version_updates'] = array('title' => $txt['new_version_updates'], 'errors' => array(replaceBasicActionUrl($txt['new_version_updates_text'])));
            }
        }
    }
    // Check for database errors.
    if (!empty($_SESSION['query_command_denied'])) {
        if ($user_info['is_admin']) {
            $context['security_controls_query']['title'] = $txt['query_command_denied'];
            $show_warnings = true;
            foreach ($_SESSION['query_command_denied'] as $command => $error) {
                $context['security_controls_query']['errors'][$command] = '<pre>' . Util::htmlspecialchars($error) . '</pre>';
            }
        } else {
            $context['security_controls_query']['title'] = $txt['query_command_denied_guests'];
            foreach ($_SESSION['query_command_denied'] as $command => $error) {
                $context['security_controls_query']['errors'][$command] = '<pre>' . sprintf($txt['query_command_denied_guests_msg'], Util::htmlspecialchars($command)) . '</pre>';
            }
        }
    }
    // Are there any members waiting for approval?
    if (allowedTo('moderate_forum') && (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == 2 || !empty($modSettings['approveAccountDeletion'])) && !empty($modSettings['unapprovedMembers'])) {
        $context['warning_controls']['unapproved_members'] = sprintf($txt[$modSettings['unapprovedMembers'] == 1 ? 'approve_one_member_waiting' : 'approve_many_members_waiting'], $scripturl . '?action=admin;area=viewmembers;sa=browse;type=approve', $modSettings['unapprovedMembers']);
    }
    if (!empty($context['open_mod_reports']) && (empty($user_settings['mod_prefs']) || $user_settings['mod_prefs'][0] == 1)) {
        $context['warning_controls']['open_mod_reports'] = '<a href="' . $scripturl . '?action=moderate;area=reports">' . sprintf($txt['mod_reports_waiting'], $context['open_mod_reports']) . '</a>';
    }
    if (isset($_SESSION['ban']['cannot_post'])) {
        // An admin cannot be banned (technically he could), and if it is better he knows.
        $context['security_controls_ban']['title'] = sprintf($txt['you_are_post_banned'], $user_info['is_guest'] ? $txt['guest_title'] : $user_info['name']);
        $show_warnings = true;
        $context['security_controls_ban']['errors']['reason'] = '';
        if (!empty($_SESSION['ban']['cannot_post']['reason'])) {
            $context['security_controls_ban']['errors']['reason'] = $_SESSION['ban']['cannot_post']['reason'];
        }
        if (!empty($_SESSION['ban']['expire_time'])) {
            $context['security_controls_ban']['errors']['reason'] .= '<span class="smalltext">' . sprintf($txt['your_ban_expires'], standardTime($_SESSION['ban']['expire_time'], false)) . '</span>';
        } else {
            $context['security_controls_ban']['errors']['reason'] .= '<span class="smalltext">' . $txt['your_ban_expires_never'] . '</span>';
        }
    }
    // Finally, let's show the layer.
    if ($show_warnings || !empty($context['warning_controls'])) {
        Template_Layers::getInstance()->addAfter('admin_warning', 'body');
    }
}
Esempio n. 3
0
/**
 * The avatars path: if custom avatar directory is set, that's it.
 * Otherwise, it's attachments path.
 *
 * @package Attachments
 * @return string
 */
function getAvatarPath()
{
    global $modSettings;
    return empty($modSettings['custom_avatar_enabled']) ? getAttachmentPath() : $modSettings['custom_avatar_dir'];
}