/**
 * Provide the template for the default (image) CAPTCHA challenge.
 *
 * Once the challenge has been solved nothing needs rendering, so false is
 * returned. Otherwise the image URL, the explanation text and the refresh
 * flag are assigned to the template and the template file name is returned.
 *
 * @return string|false 'captcha_default.html', or false when already solved
 */
function get_template()
{
    global $config, $user, $template, $phpEx, $src_root_path;

    // A solved challenge produces no markup at all.
    if ($this->is_solved())
    {
        return false;
    }

    // The image URL carries this challenge's server-generated id and its type.
    // NOTE(review): the URL is dropped straight into an HTML attribute below, so
    // this relies on append_sid() returning attribute-safe output (it escapes the
    // query-string '&' in this codebase) — confirm.
    $image_url = append_sid(
        $src_root_path . 'ucp.' . $phpEx,
        'mode=confirm&confirm_id=' . $this->confirm_id . '&type=' . $this->type
    );
    $image_tag = '<img src="' . $image_url . '" />';

    // Posting-time challenges get their own explanation string.
    $explain_key = ($this->type == CONFIRM_POST) ? 'POST_CONFIRM_EXPLAIN' : 'CONFIRM_EXPLAIN';
    $contact_url = src_get_srcrd_contact_link($config, $src_root_path, $phpEx);
    $explain_text = $user->lang($explain_key, '<a href="' . $contact_url . '">', '</a>');

    // A refresh link is only offered during registration, and only when the
    // board has both the CAPTCHA and its refresh option switched on.
    $allow_refresh = $config['enable_confirm']
        && $config['confirm_refresh']
        && ($this->type == CONFIRM_REG);

    $template->assign_vars(array(
        'CONFIRM_IMAGE_LINK' => $image_url,
        'CONFIRM_IMAGE'      => $image_tag,
        'CONFIRM_IMG'        => $image_tag,
        'CONFIRM_ID'         => $this->confirm_id,
        'S_CONFIRM_CODE'     => true,
        'S_TYPE'             => $this->type,
        'S_CONFIRM_REFRESH'  => $allow_refresh,
        'L_CONFIRM_EXPLAIN'  => $explain_text,
    ));

    return 'captcha_default.html';
}
/**
 * Generate login box or verify password
 *
 * Renders the login form, or — when the form was submitted — passes the
 * supplied credentials to $auth->login() and redirects on success. With
 * $admin set this is the ACP re-authentication: the caller must already hold
 * the a_ permission, must re-enter the password for the account it is
 * currently logged in as, and every success/failure is written to the admin
 * log (failures only for registered users).
 *
 * In this codebase trigger_error() with a language key renders a message page
 * and ends the request, so none of the trigger_error() calls below return.
 *
 * NOTE(review): no form-key (CSRF token) check on the login submission is
 * visible in this function; the only hidden fields are sid, redirect and
 * (admin) credential. Confirm whether login CSRF is mitigated elsewhere.
 *
 * @param string $redirect  URL to return to after a successful login; it is
 *                          also carried as a hidden form field and read back
 *                          from the request on submit
 * @param string $l_explain Explanation text shown above the form
 * @param string $l_success Not used in this body (kept for callers)
 * @param bool   $admin     Admin re-authentication mode
 * @param bool   $s_display Whether to show the full login form
 */
function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = false, $s_display = true)
{
    // $db is declared but not used in this body.
    global $db, $user, $template, $auth, $phpEx, $src_root_path, $config;
    global $request, $src_container, $src_dispatcher;

    $err = '';

    // Make sure user->setup() has been called
    if (empty($user->lang))
    {
        $user->setup();
    }

    // Print out error if user tries to authenticate as an administrator without having the privileges...
    if ($admin && !$auth->acl_get('a_'))
    {
        // Not authd
        // anonymous/inactive users are never able to go to the ACP even if they have the relevant permissions
        if ($user->data['is_registered'])
        {
            add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
        }
        trigger_error('NO_AUTH_ADMIN');
    }

    // Submitted via the form's 'login' button, or via an external provider (login=external).
    if ($request->is_set_post('login') || $request->is_set('login') && $request->variable('login', '') == 'external')
    {
        // Get credential
        if ($admin)
        {
            // The credential is the 32-char lowercase-hex nonce issued with the form
            // (see md5(unique_id()) below). It is never compared against anything;
            // it only selects the name of the password field, and the format check
            // keeps an attacker-chosen value out of the field name. Presumably the
            // per-render field name exists to defeat browser password autofill.
            $credential = request_var('credential', '');

            if (strspn($credential, 'abcdef0123456789') !== strlen($credential) || strlen($credential) != 32)
            {
                if ($user->data['is_registered'])
                {
                    add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
                }
                trigger_error('NO_AUTH_ADMIN');
            }

            // Untrimmed: leading/trailing whitespace is part of the password.
            $password = $request->untrimmed_variable('password_' . $credential, '', true);
        }
        else
        {
            $password = $request->untrimmed_variable('password', '', true);
        }

        $username = request_var('username', '', true);
        $autologin = $request->is_set_post('autologin');
        // 1 when the 'viewonline' checkbox was NOT posted (the field presumably means "hide me").
        $viewonline = (int) (!$request->is_set_post('viewonline'));
        $admin = $admin ? 1 : 0;
        // Admin re-auth keeps the current session's online visibility.
        $viewonline = $admin ? $user->data['session_viewonline'] : $viewonline;

        // Check if the supplied username is equal to the one stored within the database if re-authenticating
        if ($admin && utf8_clean_string($username) != utf8_clean_string($user->data['username']))
        {
            // We log the attempt to use a different username...
            add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
            trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
        }

        // If authentication is successful we redirect user to previous page
        $result = $auth->login($username, $password, $autologin, $viewonline, $admin);

        // If admin authentication and login, we will log if it was a success or not...
        // We also break the operation on the first non-success login - it could be argued that the user already knows
        if ($admin)
        {
            if ($result['status'] == LOGIN_SUCCESS)
            {
                add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
            }
            else
            {
                // Only log the failed attempt if a real user tried to.
                // anonymous/inactive users are never able to go to the ACP even if they have the relevant permissions
                if ($user->data['is_registered'])
                {
                    add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
                }
            }
        }

        // The result parameter is always an array, holding the relevant information...
        if ($result['status'] == LOGIN_SUCCESS)
        {
            // NOTE(review): the target is taken from the request, i.e. user-controlled.
            // This relies on redirect() rejecting off-site targets — confirm.
            $redirect = request_var('redirect', "{$src_root_path}index.{$phpEx}");

            /**
             * This event allows an extension to modify the redirection when a user successfully logs in
             *
             * @event core.login_box_redirect
             * @var string redirect Redirect string
             * @var boolean admin Is admin?
             * @var bool return If true, do not redirect but return the sanitized URL.
             * @since 3.1.0-RC5
             */
            // $return is not defined in this function, so compact() drops it
            // (newer PHP versions emit a notice/warning for that).
            $vars = array('redirect', 'admin', 'return');
            extract($src_dispatcher->trigger_event('core.login_box_redirect', compact($vars)));

            // append/replace SID (may change during the session for AOL users)
            $redirect = reapply_sid($redirect);

            // Special case... the user is effectively banned, but we allow founders to login
            // (IN_CHECK_BAN is defined by check_ban() before it calls login_box()).
            if (defined('IN_CHECK_BAN') && $result['user_row']['user_type'] != USER_FOUNDER)
            {
                return;
            }

            redirect($redirect);
        }

        // Something failed, determine what...
        if ($result['status'] == LOGIN_BREAK)
        {
            trigger_error($result['error_msg']);
        }

        // Special cases... determine
        switch ($result['status'])
        {
            case LOGIN_ERROR_PASSWORD_CONVERT:
                // Message offers the "send password" link only when e-mail is enabled.
                $err = sprintf($user->lang[$result['error_msg']], $config['email_enable'] ? '<a href="' . append_sid("{$src_root_path}ucp.{$phpEx}", 'mode=sendpassword') . '">' : '', $config['email_enable'] ? '</a>' : '', '<a href="' . src_get_srcrd_contact_link($config, $src_root_path, $phpEx) . '">', '</a>');
                break;

            case LOGIN_ERROR_ATTEMPTS:
                // Too many failed attempts: require a CAPTCHA on the re-rendered form,
                // then fall through to the generic error text.
                $captcha = $src_container->get('captcha.factory')->get_instance($config['captcha_plugin']);
                $captcha->init(CONFIRM_LOGIN);
                // $captcha->reset();

                $template->assign_vars(array('CAPTCHA_TEMPLATE' => $captcha->get_template()));
                // no break;

            // Username, password, etc...
            // no break;
            // Username, password, etc...
            default:
                $err = $user->lang[$result['error_msg']];

                // Assign admin contact to some error messages
                if ($result['error_msg'] == 'LOGIN_ERROR_USERNAME' || $result['error_msg'] == 'LOGIN_ERROR_PASSWORD')
                {
                    $err = sprintf($user->lang[$result['error_msg']], '<a href="' . append_sid("{$src_root_path}memberlist.{$phpEx}", 'mode=contactadmin') . '">', '</a>');
                }
                break;
        }

        /**
         * This event allows an extension to process when a user fails a login attempt
         *
         * @event core.login_box_failed
         * @var array result Login result data
         * @var string username User name used to login
         * @var string password Password used to login
         * @var string err Error message
         * @since 3.1.3-RC1
         */
        // NOTE(review): listeners receive the plaintext password; they must not log or persist it.
        $vars = array('result', 'username', 'password', 'err');
        extract($src_dispatcher->trigger_event('core.login_box_failed', compact($vars)));
    }

    // Assign credential for username/password pair
    // Fresh nonce per rendered admin form; only used as the password field-name suffix.
    $credential = $admin ? md5(unique_id()) : false;

    $s_hidden_fields = array('sid' => $user->session_id);

    if ($redirect)
    {
        $s_hidden_fields['redirect'] = $redirect;
    }

    if ($admin)
    {
        $s_hidden_fields['credential'] = $credential;
    }

    // Let the active auth provider contribute its own template vars/blocks (e.g. OAuth buttons).
    $provider_collection = $src_container->get('auth.provider_collection');
    $auth_provider = $provider_collection->get_provider();

    $auth_provider_data = $auth_provider->get_login_data();
    if ($auth_provider_data)
    {
        if (isset($auth_provider_data['VARS']))
        {
            $template->assign_vars($auth_provider_data['VARS']);
        }

        if (isset($auth_provider_data['BLOCK_VAR_NAME']))
        {
            foreach ($auth_provider_data['BLOCK_VARS'] as $block_vars)
            {
                $template->assign_block_vars($auth_provider_data['BLOCK_VAR_NAME'], $block_vars);
            }
        }

        $template->assign_vars(array('PROVIDER_TEMPLATE_FILE' => $auth_provider_data['TEMPLATE_FILE']));
    }

    $s_hidden_fields = build_hidden_fields($s_hidden_fields);

    $template->assign_vars(array('LOGIN_ERROR' => $err, 'LOGIN_EXPLAIN' => $l_explain, 'U_SEND_PASSWORD' => $config['email_enable'] ? append_sid("{$src_root_path}ucp.{$phpEx}", 'mode=sendpassword') : '', 'U_RESEND_ACTIVATION' => $config['require_activation'] == USER_ACTIVATION_SELF && $config['email_enable'] ? append_sid("{$src_root_path}ucp.{$phpEx}", 'mode=resend_act') : '', 'U_TERMS_USE' => append_sid("{$src_root_path}ucp.{$phpEx}", 'mode=terms'), 'U_PRIVACY' => append_sid("{$src_root_path}ucp.{$phpEx}", 'mode=privacy'), 'S_DISPLAY_FULL_LOGIN' => $s_display ? true : false, 'S_HIDDEN_FIELDS' => $s_hidden_fields, 'S_ADMIN_AUTH' => $admin, 'USERNAME' => $admin ? $user->data['username'] : '', 'USERNAME_CREDENTIAL' => 'username', 'PASSWORD_CREDENTIAL' => $admin ? 'password_' . $credential : 'password'));

    // Render the full page around the login form.
    page_header($user->lang['LOGIN']);

    $template->set_filenames(array('body' => 'login_body.html'));
    make_jumpbox(append_sid("{$src_root_path}viewforum.{$phpEx}"));

    page_footer();
}
/**
 * Provide the template for the reCAPTCHA challenge.
 *
 * Returns false once the challenge is solved so the caller renders nothing;
 * otherwise assigns the reCAPTCHA server, the public site key and the
 * explanation text to the template and returns the template file name.
 *
 * @return string|false 'captcha_recaptcha.html', or false when already solved
 */
function get_template()
{
    global $config, $user, $template, $src_root_path, $phpEx;

    // Nothing to render for a solved challenge.
    if ($this->is_solved())
    {
        return false;
    }

    // Posting-time challenges get their own explanation string.
    $contact_url = src_get_srcrd_contact_link($config, $src_root_path, $phpEx);
    $explain_key = ($this->type == CONFIRM_POST) ? 'POST_CONFIRM_EXPLAIN' : 'CONFIRM_EXPLAIN';
    $explain_text = $user->lang($explain_key, '<a href="' . $contact_url . '">', '</a>');

    // Only the public (site) key reaches the page; the private key used for
    // verification is never assigned to the template here.
    $site_key = isset($config['recaptcha_pubkey']) ? $config['recaptcha_pubkey'] : '';

    $template->assign_vars(array(
        'RECAPTCHA_SERVER'      => $this->recaptcha_server,
        'RECAPTCHA_PUBKEY'      => $site_key,
        'RECAPTCHA_ERRORGET'    => '',
        'S_RECAPTCHA_AVAILABLE' => self::is_available(),
        'S_CONFIRM_CODE'        => true,
        'S_TYPE'                => $this->type,
        'L_CONFIRM_EXPLAIN'     => $explain_text,
    ));

    return 'captcha_recaptcha.html';
}
/**
 * Check for banned user
 *
 * Checks whether the supplied user is banned by id, ip or email. If no parameters
 * are passed to the method pre-existing session data is used.
 *
 * Matching rules, as implemented below: expired bans are skipped; ban_ip and
 * ban_email are treated as patterns where '*' matches any run of characters
 * (everything else is preg_quote'd); a matching row with ban_exclude set
 * wins immediately and clears the ban, which is why the loop does not stop
 * on the first non-exclude match.
 *
 * NOTE(review): $user_id is concatenated into the SQL without an (int) cast.
 * Callers pass the integer from session data, so keep it that way; do not
 * route request input into this parameter uncast.
 *
 * @param int|false $user_id The user id
 * @param mixed $user_ips Can contain a string with one IP or an array of multiple IPs
 * @param string|false $user_email The user email
 * @param bool $return If $return is false this routine does not return on finding a banned user,
 * it outputs a relevant message and stops execution.
 * @return bool|string false when not banned; otherwise the ban reason text if
 *                     one is set, else true (only reached when $return is true
 *                     or no ban was found)
 */
function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)
{
    global $config, $db, $src_dispatcher;

    // IN_CHECK_BAN is defined below (and in login_box() handling) to stop re-entry;
    // SKIP_CHECK_BAN lets a script opt out entirely.
    if (defined('IN_CHECK_BAN') || defined('SKIP_CHECK_BAN'))
    {
        return;
    }

    $banned = false;
    $cache_ttl = 3600;
    $where_sql = array();

    $sql = 'SELECT ban_ip, ban_userid, ban_email, ban_exclude, ban_give_reason, ban_end FROM ' . BANLIST_TABLE . ' WHERE ';

    // Determine which entries to check, only return those
    if ($user_email === false)
    {
        $where_sql[] = "ban_email = ''";
    }

    if ($user_ips === false)
    {
        $where_sql[] = "(ban_ip = '' OR ban_exclude = 1)";
    }

    if ($user_id === false)
    {
        $where_sql[] = '(ban_userid = 0 OR ban_exclude = 1)';
    }
    else
    {
        // Only the anonymous user's result set is cached (1h); registered users are
        // always checked against the live table.
        $cache_ttl = $user_id == ANONYMOUS ? 3600 : 0;
        $_sql = '(ban_userid = ' . $user_id;

        if ($user_email !== false)
        {
            $_sql .= " OR ban_email <> ''";
        }

        if ($user_ips !== false)
        {
            $_sql .= " OR ban_ip <> ''";
        }

        $_sql .= ')';
        $where_sql[] = $_sql;
    }

    $sql .= sizeof($where_sql) ? implode(' AND ', $where_sql) : '';
    $result = $db->sql_query($sql, $cache_ttl);

    $ban_triggered_by = 'user';
    while ($row = $db->sql_fetchrow($result))
    {
        // Expired temporary ban.
        if ($row['ban_end'] && $row['ban_end'] < time())
        {
            continue;
        }

        $ip_banned = false;
        if (!empty($row['ban_ip']))
        {
            // Admin-entered pattern: quote it, then turn '*' into a wildcard.
            if (!is_array($user_ips))
            {
                $ip_banned = preg_match('#^' . str_replace('\\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ips);
            }
            else
            {
                foreach ($user_ips as $user_ip)
                {
                    if (preg_match('#^' . str_replace('\\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ip))
                    {
                        $ip_banned = true;
                        break;
                    }
                }
            }
        }

        if (!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id || $ip_banned || !empty($row['ban_email']) && preg_match('#^' . str_replace('\\*', '.*?', preg_quote($row['ban_email'], '#')) . '$#i', $user_email))
        {
            if (!empty($row['ban_exclude']))
            {
                // An exclude rule overrides any ban matched so far.
                $banned = false;
                break;
            }
            else
            {
                $banned = true;
                $ban_row = $row;

                if (!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id)
                {
                    $ban_triggered_by = 'user';
                }
                else
                {
                    if ($ip_banned)
                    {
                        $ban_triggered_by = 'ip';
                    }
                    else
                    {
                        $ban_triggered_by = 'email';
                    }
                }

                // Don't break. Check if there is an exclude rule for this user
            }
        }
    }
    $db->sql_freeresult($result);

    /**
     * Event to set custom ban type
     *
     * @event core.session_set_custom_ban
     * @var bool return If $return is false this routine does not return on finding a banned user, it outputs a relevant message and stops execution
     * @var bool banned Check if user already banned
     * @var array|false ban_row Ban data
     * @var string ban_triggered_by Method that caused ban, can be your custom method
     * @since 3.1.3-RC1
     */
    // A listener that sets $banned = true must also supply $ban_row, which is
    // dereferenced unconditionally below.
    $ban_row = isset($ban_row) ? $ban_row : false;
    $vars = array('return', 'banned', 'ban_row', 'ban_triggered_by');
    extract($src_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars)));

    if ($banned && !$return)
    {
        global $template, $src_root_path, $phpEx;

        // If the session is empty we need to create a valid one...
        if (empty($this->session_id))
        {
            // This seems to be no longer needed? - #14971
            // $this->session_create(ANONYMOUS);
        }

        // Initiate environment ... since it won't be set at this stage
        $this->setup();

        // Logout the user, banned users are unable to use the normal 'logout' link
        if ($this->data['user_id'] != ANONYMOUS)
        {
            $this->session_kill();
        }

        // We show a login box here to allow founders accessing the srcrd if banned by IP
        if (defined('IN_LOGIN') && $this->data['user_id'] == ANONYMOUS)
        {
            $this->setup('ucp');
            $this->data['is_registered'] = $this->data['is_bot'] = false;

            // Set as a precaution to allow login_box() handling this case correctly as well as this function not being executed again.
            define('IN_CHECK_BAN', 1);
            login_box("index.{$phpEx}");

            // The false here is needed, else the user is able to circumvent the ban.
            $this->session_kill(false);
        }

        // Ok, we catch the case of an empty session id for the anonymous user...
        // This can happen if the user is logging in, banned by username and the login_box() being called "again".
        if (empty($this->session_id) && defined('IN_CHECK_BAN'))
        {
            $this->session_create(ANONYMOUS);
        }

        // Determine which message to output
        $till_date = $ban_row['ban_end'] ? $this->format_date($ban_row['ban_end']) : '';
        $message = $ban_row['ban_end'] ? 'srcRD_BAN_TIME' : 'srcRD_BAN_PERM';

        $contact_link = src_get_srcrd_contact_link($config, $src_root_path, $phpEx);
        $message = sprintf($this->lang[$message], $till_date, '<a href="' . $contact_link . '">', '</a>');
        // NOTE(review): ban_give_reason is admin-entered text emitted into HTML without
        // escaping here; presumably it is stored already escaped — confirm on the input path.
        $message .= $ban_row['ban_give_reason'] ? '<br /><br />' . sprintf($this->lang['srcRD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
        $message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';

        // To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
        $this->session_kill(false);

        // A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
        if (defined('IN_CRON'))
        {
            garbage_collection();
            exit_handler();
            exit;
        }

        // Renders the ban message page and ends the request.
        trigger_error($message);
    }

    return $banned && $ban_row['ban_give_reason'] ? $ban_row['ban_give_reason'] : $banned;
}