// Try to determine if the data in redirect_url is valid (if not, we redirect to index.php after the email is sent) $redirect_url = validate_redirect($_POST['redirect_url'], 'index.php'); redirect(luna_htmlspecialchars($redirect_url)); } elseif ($action == 'out') { if ($luna_user['is_guest'] || !isset($_GET['id']) || $_GET['id'] != $luna_user['id']) { header('Location: index.php'); exit; } check_csrf($_GET['csrf_token']); // Remove user from "users online" list $db->query('DELETE FROM ' . $db->prefix . 'online WHERE user_id=' . $luna_user['id']) or error('Unable to delete from online list', __FILE__, __LINE__, $db->error()); // Update last_visit (make sure there's something to update it with) if (isset($luna_user['logged'])) { $db->query('UPDATE ' . $db->prefix . 'users SET last_visit=' . $luna_user['logged'] . ' WHERE id=' . $luna_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error()); } luna_setcookie(1, luna_hash(uniqid(rand(), true)), time() + 31536000); redirect('index.php'); } elseif ($action == 'forget' || $action == 'forget_2') { if (!$luna_user['is_guest']) { header('Location: index.php'); exit; } if (isset($_POST['form_sent'])) { // Start with a clean slate $errors = array(); require FORUM_ROOT . 'include/email.php'; // Validate the email address $email = strtolower(luna_trim($_POST['req_email'])); if (!is_valid_email($email)) { message(__('The email address you entered is invalid.', 'luna')); exit;
Login at <login_url> to activate the account. -- <board_mailer> Mailer (Do not reply to this message)', 'luna')); // The first row contains the subject $first_crlf = strpos($mail_tpl, "\n"); $mail_subject = trim(substr($mail_tpl, 8, $first_crlf - 8)); $mail_message = trim(substr($mail_tpl, $first_crlf)); $mail_subject = str_replace('<board_title>', $luna_config['o_board_title'], $mail_subject); $mail_message = str_replace('<base_url>', get_base_url() . '/', $mail_message); $mail_message = str_replace('<username>', $username, $mail_message); $mail_message = str_replace('<password>', $password1, $mail_message); $mail_message = str_replace('<login_url>', get_base_url() . '/login.php', $mail_message); $mail_message = str_replace('<board_mailer>', $luna_config['o_board_title'], $mail_message); luna_mail($email1, $mail_subject, $mail_message); message(__('Thank you for registering. Your password has been sent to the specified address. If it doesn\'t arrive you can contact the forum administrator at', 'luna') . ' <a href="mailto:' . luna_htmlspecialchars($luna_config['o_admin_email']) . '">' . luna_htmlspecialchars($luna_config['o_admin_email']) . '</a>.', true); } luna_setcookie($new_uid, $password_hash, time() + $luna_config['o_timeout_visit']); redirect('index.php'); } } $page_title = array(luna_htmlspecialchars($luna_config['o_board_title']), __('Register', 'luna')); $required_fields = array('req_user' => __('Username', 'luna'), 'req_password1' => __('Password', 'luna'), 'req_password2' => __('Confirm password', 'luna'), 'req_email1' => __('Email', 'luna'), 'req_email2' => __('Email', 'luna') . ' 2'); $focus_element = array('register', 'req_user'); define('LUNA_ACTIVE_PAGE', 'register'); require load_page('header.php'); require load_page('register.php'); require load_page('footer.php'); }
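/**
 * Authenticate the current visitor from the login cookie and fill $luna_user.
 *
 * The cookie value has the form "user_id|password_hash|expiration_time|cookie_hash".
 * Only user_id and expiration_time are covered by cookie_hash (an HMAC keyed with
 * $cookie_seed); password_hash is verified separately against the stored password
 * via a second HMAC, so neither half can be forged without the seed or the DB row.
 * Any failure (bad pattern, expired, tampered, unknown user, wrong password hash)
 * falls back to the guest user through set_default_user().
 *
 * Side effects: re-issues the login cookie with a fresh expiry, and unless
 * FORUM_QUIET_VISIT is defined, updates the "online" table, the user's
 * last_visit and the topic-tracking cookie.
 *
 * Requires PHP >= 5.6 for hash_equals().
 *
 * @param array $luna_user  Filled by reference with the user/group/online row (or the guest defaults).
 * @return void
 */
function check_cookie(&$luna_user) {
    global $db, $db_type, $luna_config, $cookie_name, $cookie_seed;

    $now = time();

    // If the cookie is set and it matches the correct pattern, then read the values from it
    if (isset($_COOKIE[$cookie_name]) && preg_match('%^(\\d+)\\|([0-9a-fA-F]+)\\|(\\d+)\\|([0-9a-fA-F]+)$%', $_COOKIE[$cookie_name], $matches)) {
        $cookie = array(
            'user_id'         => intval($matches[1]),
            'password_hash'   => $matches[2],
            'expiration_time' => intval($matches[3]),
            'cookie_hash'     => $matches[4],
        );
    }

    // Only a non-guest user (id > 1) with an unexpired cookie is worth looking up
    if (isset($cookie) && $cookie['user_id'] > 1 && $cookie['expiration_time'] > $now) {
        // If the cookie has been tampered with. hash_equals() is used instead of
        // != so the comparison is strict (no numeric-string coercion) and
        // constant-time (no timing side channel on the HMAC).
        $expected_cookie_hash = forum_hmac($cookie['user_id'] . '|' . $cookie['expiration_time'], $cookie_seed . '_cookie_hash');
        if (!hash_equals($expected_cookie_hash, $cookie['cookie_hash'])) {
            $expire = $now + 31536000; // The cookie expires after a year
            // The replacement is a guest cookie (user id 1); its hash part is never
            // used for authentication because of the user_id > 1 check above.
            luna_setcookie(1, luna_hash(uniqid(rand(), true)), $expire);
            set_default_user();
            return;
        }

        // Check if there's a user with the user ID and password hash from the cookie
        $result = $db->query('SELECT u.*, g.*, o.logged, o.idle FROM ' . $db->prefix . 'users AS u INNER JOIN ' . $db->prefix . 'groups AS g ON u.group_id=g.g_id LEFT JOIN ' . $db->prefix . 'online AS o ON o.user_id=u.id WHERE u.id=' . intval($cookie['user_id'])) or error('Unable to fetch user information', __FILE__, __LINE__, $db->error());
        $luna_user = $db->fetch_assoc($result);

        // If user authorisation failed (no such user, or the cookie's password hash
        // does not match the HMAC of the stored password). Constant-time compare again.
        if (!isset($luna_user['id']) || !hash_equals(forum_hmac($luna_user['password'], $cookie_seed . '_password_hash'), $cookie['password_hash'])) {
            $expire = $now + 31536000; // The cookie expires after a year
            luna_setcookie(1, luna_hash(uniqid(rand(), true)), $expire);
            set_default_user();
            return;
        }

        // Send a new, updated cookie with a new expiration timestamp: a "remember me"
        // cookie (expiry beyond the visit timeout) is renewed for two weeks, otherwise
        // for one visit timeout.
        $expire = $cookie['expiration_time'] > $now + $luna_config['o_timeout_visit'] ? $now + 1209600 : $now + $luna_config['o_timeout_visit'];
        luna_setcookie($luna_user['id'], $luna_user['password'], $expire);

        // Set a default language if the user selected language no longer exists
        if (!file_exists(FORUM_ROOT . 'lang/' . $luna_user['language'])) {
            $luna_user['language'] = $luna_config['o_default_lang'];
        }

        // Set a default style if the user selected style no longer exists
        if (!file_exists(FORUM_ROOT . 'themes/' . $luna_user['style'] . '/style.css')) {
            $luna_user['style'] = $luna_config['o_default_style'];
        }

        if (!$luna_user['disp_topics']) {
            $luna_user['disp_topics'] = $luna_config['o_disp_topics_default'];
        }

        if (!$luna_user['disp_posts']) {
            $luna_user['disp_posts'] = $luna_config['o_disp_posts_default'];
        }

        // Define this if you want this visit to affect the online list and the users last visit data
        if (!defined('FORUM_QUIET_VISIT')) {
            // Update the online list
            if (!$luna_user['logged']) {
                $luna_user['logged'] = $now;

                // With MySQL/MySQLi/SQLite, REPLACE INTO avoids a user having two rows in the online table
                switch ($db_type) {
                    case 'mysql':
                    case 'mysqli':
                    case 'mysql_innodb':
                    case 'mysqli_innodb':
                    case 'sqlite':
                        $db->query('REPLACE INTO ' . $db->prefix . 'online (user_id, ident, logged) VALUES(' . $luna_user['id'] . ', \'' . $db->escape($luna_user['username']) . '\', ' . $luna_user['logged'] . ')') or error('Unable to insert into online list', __FILE__, __LINE__, $db->error());
                        break;

                    default:
                        $db->query('INSERT INTO ' . $db->prefix . 'online (user_id, ident, logged) SELECT ' . $luna_user['id'] . ', \'' . $db->escape($luna_user['username']) . '\', ' . $luna_user['logged'] . ' WHERE NOT EXISTS (SELECT 1 FROM ' . $db->prefix . 'online WHERE user_id=' . $luna_user['id'] . ')') or error('Unable to insert into online list', __FILE__, __LINE__, $db->error());
                        break;
                }

                // Reset tracked topics
                set_tracked_topics(null);
            } else {
                // Special case: We've timed out, but no other user has browsed the forums since we timed out
                if ($luna_user['logged'] < $now - $luna_config['o_timeout_visit']) {
                    $db->query('UPDATE ' . $db->prefix . 'users SET last_visit=' . $luna_user['logged'] . ' WHERE id=' . $luna_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());
                    $luna_user['last_visit'] = $luna_user['logged'];
                }

                $idle_sql = $luna_user['idle'] == '1' ? ', idle=0' : '';
                $db->query('UPDATE ' . $db->prefix . 'online SET logged=' . $now . $idle_sql . ' WHERE user_id=' . $luna_user['id']) or error('Unable to update online list', __FILE__, __LINE__, $db->error());

                // Update tracked topics with the current expire time
                if (isset($_COOKIE[$cookie_name . '_track'])) {
                    forum_setcookie($cookie_name . '_track', $_COOKIE[$cookie_name . '_track'], $now + $luna_config['o_timeout_visit']);
                }
            }
        } else {
            if (!$luna_user['logged']) {
                $luna_user['logged'] = $luna_user['last_visit'];
            }
        }

        $luna_user['is_guest'] = false;
        $luna_user['is_admmod'] = $luna_user['g_id'] == FORUM_ADMIN || $luna_user['g_moderator'] == '1';
    } else {
        set_default_user();
    }
}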
$result = $db->query('SELECT * FROM ' . $db->prefix . 'users WHERE id=' . $id) or error('Unable to fetch password', __FILE__, __LINE__, $db->error()); $cur_user = $db->fetch_assoc($result); $authorized = false; if (!empty($cur_user['password'])) { $old_password_hash = luna_hash($old_password); if ($cur_user['password'] == $old_password_hash || $luna_user['is_admmod']) { $authorized = true; } } if (!$authorized) { message(__('Wrong old password.', 'luna')); } $new_password_hash = luna_hash($new_password1); $db->query('UPDATE ' . $db->prefix . 'users SET password=\'' . $new_password_hash . '\'' . (!empty($cur_user['salt']) ? ', salt=NULL' : '') . ' WHERE id=' . $id) or error('Unable to update password', __FILE__, __LINE__, $db->error()); if ($luna_user['id'] == $id) { luna_setcookie($luna_user['id'], $new_password_hash, time() + $luna_config['o_timeout_visit']); } redirect('settings.php?id=' . $id); } } elseif ($action == 'change_email') { // Make sure we are allowed to change this user's email if ($luna_user['id'] != $id) { if (!$luna_user['is_admmod']) { // A regular user trying to change another user's email? message(__('You do not have permission to access this page.', 'luna'), false, '403 Forbidden'); } elseif ($luna_user['g_moderator'] == '1') { // A moderator trying to change a user's email? $result = $db->query('SELECT u.group_id, g.g_moderator FROM ' . $db->prefix . 'users AS u INNER JOIN ' . $db->prefix . 'groups AS g ON (g.g_id=u.group_id) WHERE u.id=' . $id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error()); if (!$db->num_rows($result)) { message(__('Bad request. The link you followed is incorrect, outdated or you are simply not allowed to hang around here.', 'luna'), false, '404 Not Found'); }