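/**
 * Checks a password with a supplied username.
 *
 * Looks the user up by username, e-mail address, or either one (depending on
 * the "username_method" setting) and delegates the actual password check to
 * validate_password_from_uid().
 *
 * @param string $username The username (or e-mail, depending on settings) of the user.
 * @param string $password The plain-text password.
 * @return boolean|array False when no match, array with user info when match.
 */
function validate_password_from_username($username, $password)
{
	global $db, $mybb;

	// The value is interpolated into the WHERE clause below, so it is escaped
	// first; it is lower-cased to match the LOWER() comparison in SQL.
	$username = $db->escape_string(my_strtolower($username));
	$fields = "uid,username,password,salt,loginkey,coppauser,usergroup";

	// username_method: 0 = username, 1 = e-mail, 2 = either. Any other value
	// falls back to a username lookup (case 0 and default were identical).
	switch ($mybb->settings['username_method']) {
		case 1:
			$where = "LOWER(email)='" . $username . "'";
			break;
		case 2:
			$where = "LOWER(username)='" . $username . "' OR LOWER(email)='" . $username . "'";
			break;
		case 0:
		default:
			$where = "LOWER(username)='" . $username . "'";
			break;
	}

	$query = $db->simple_select("users", $fields, $where, array('limit' => 1));
	$user = $db->fetch_array($query);

	// empty() also covers the no-row case (fetch_array yielding false/null)
	// without raising an "array offset on bool" warning.
	if (empty($user['uid'])) {
		return false;
	}

	return validate_password_from_uid($user['uid'], $password, $user);
}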
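/**
 * Checks a password with a supplied username.
 *
 * Resolves the user through get_user_by_username() (honouring the
 * "username_method" setting) and delegates the password check to
 * validate_password_from_uid().
 *
 * @param string $username The username of the user.
 * @param string $password The plain-text password.
 * @return boolean|array False when no match, array with user info when match.
 */
function validate_password_from_username($username, $password)
{
	global $mybb;

	// Only the columns the password check needs are requested.
	$options = array(
		'fields' => array('username', 'password', 'salt', 'loginkey', 'coppauser', 'usergroup'),
		'username_method' => $mybb->settings['username_method'],
	);
	$user = get_user_by_username($username, $options);

	// empty() also handles a non-array "not found" result without a warning.
	if (empty($user['uid'])) {
		return false;
	}

	return validate_password_from_uid($user['uid'], $password, $user);
}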
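/**
 * Checks a password with a supplied username.
 *
 * @param string $username The username of the user.
 * @param string $password The plain-text password.
 * @return boolean|array False when no match, array with user info when match.
 */
function validate_password_from_username($username, $password)
{
	global $db;

	// NOTE(review): the username value in this WHERE clause appears redacted
	// ('******') in this listing and the $username parameter is not referenced
	// by the visible query; confirm against the original source.
	$query = $db->simple_select(
		"users",
		"uid,username,password,salt,loginkey,remember,coppauser,usergroup",
		"username='******'",
		array('limit' => 1)
	);
	$user = $db->fetch_array($query);

	// empty() covers the no-row case without an "array offset on bool" warning.
	if (empty($user['uid'])) {
		return false;
	}

	return validate_password_from_uid($user['uid'], $password, $user);
}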
} else { $userhandler->update_user(); $plugins->run_hooks("usercp_do_email_changed"); $result_text = $lang->redirect_emailupdated; $verify_result = true; } } } if (count($errors) > 0) { error($errors[0]); } } if ($mybb->input['action'] == "do_password" && $mybb->request_method == "post") { $errors = array(); $plugins->run_hooks("usercp_do_password_start"); if (!$verify_result && !validate_password_from_uid($mybb->user['uid'], $mybb->input['oldpassword'])) { $errors[] = $lang->error_invalidpassword; } else { // Set up user handler. require_once "inc/datahandlers/user.php"; $userhandler = new UserDataHandler("update"); $user = array("uid" => $mybb->user['uid'], "password" => $mybb->input['password'], "password2" => $mybb->input['password2']); $userhandler->set_data($user); if (!$userhandler->validate_user()) { $errors = $userhandler->get_friendly_errors(); } else { $userhandler->update_user(); my_setcookie("mybbuser", $mybb->user['uid'] . "_" . $userhandler->data['loginkey']); $plugins->run_hooks("usercp_do_password_end"); $verify_result = true; }
$errors = inline_error($errors); } } if ($mybb->input['action'] == "password") { $plugins->run_hooks("usercp_password"); eval("\$editpassword = \"" . $templates->get("usercp_password") . "\";"); output_page($editpassword); } if ($mybb->input['action'] == "do_changename" && $mybb->request_method == "post") { // Verify incoming POST request verify_post_check($mybb->get_input('my_post_key')); $plugins->run_hooks("usercp_do_changename_start"); if ($mybb->usergroup['canchangename'] != 1) { error_no_permission(); } if (validate_password_from_uid($mybb->user['uid'], $mybb->get_input('password')) == false) { $errors[] = $lang->error_invalidpassword; } else { // Set up user handler. require_once "inc/datahandlers/user.php"; $userhandler = new UserDataHandler("update"); $user = array("uid" => $mybb->user['uid'], "username" => $mybb->get_input('username')); $userhandler->set_data($user); if (!$userhandler->validate_user()) { $errors = $userhandler->get_friendly_errors(); } else { $userhandler->update_user(); $plugins->run_hooks("usercp_do_changename_end"); redirect("usercp.php?action=changename", $lang->redirect_namechanged); } }
$db->update_query("users", $lastvisit, "uid='" . $mybb->user['uid'] . "'"); $db->delete_query("sessions", "sid='" . $session->sid . "'"); } header("Location: upgrade.php"); } else { if ($mybb->input['action'] == "do_login" && $mybb->request_method == "post") { require_once MYBB_ROOT . "inc/functions_user.php"; if (!username_exists($mybb->input['username'])) { $output->print_error("Wpisany login jest niepoprawny."); } $query = $db->simple_select("users", "uid,username,password,salt,loginkey", "username='******'username']) . "'", array('limit' => 1)); $user = $db->fetch_array($query); if (!$user['uid']) { $output->print_error("Wpisany login jest niepoprawny."); } else { $user = validate_password_from_uid($user['uid'], $mybb->input['password'], $user); if (!$user['uid']) { $output->print_error("Wpisane hasło jest nieprawidłowe. Jeżeli nie pamiętasz swojego hasła, kliknij <a href=\"../member.php?action=lostpw\">tutaj</a>, aby je odzyskać i spróbuj ponownie."); } } $db->delete_query("sessions", "ip='" . $db->escape_string($session->ipaddress) . "' AND sid != '" . $session->sid . "'"); $newsession = array("uid" => $user['uid']); $db->update_query("sessions", $newsession, "sid='" . $session->sid . "'"); // Temporarily set the cookie remember option for the login cookies $mybb->user['remember'] = $user['remember']; my_setcookie("mybbuser", $user['uid'] . "_" . $user['loginkey'], null, true); my_setcookie("sid", $session->sid, -1, true); header("Location: ./upgrade.php"); } } $output->steps = array($lang->upgrade);
$lastvisit = array("lastactive" => $time - 900, "lastvisit" => $time); $db->update_query("users", $lastvisit, "uid='" . $mybb->user['uid'] . "'"); } header("Location: upgrade.php"); } else { if ($mybb->input['action'] == "do_login" && $mybb->request_method == "post") { require_once MYBB_ROOT . "inc/functions_user.php"; if (!username_exists($mybb->get_input('username'))) { $output->print_error("The username you have entered appears to be invalid."); } $options = array('fields' => array('username', 'password', 'salt', 'loginkey')); $user = get_user_by_username($mybb->get_input('username'), $options); if (!$user['uid']) { $output->print_error("The username you have entered appears to be invalid."); } else { $user = validate_password_from_uid($user['uid'], $mybb->get_input('password'), $user); if (!$user['uid']) { $output->print_error("The password you entered is incorrect. If you have forgotten your password, click <a href=\"../member.php?action=lostpw\">here</a>. Otherwise, go back and try again."); } } my_setcookie("mybbuser", $user['uid'] . "_" . $user['loginkey'], null, true); header("Location: ./upgrade.php"); } } $output->steps = array($lang->upgrade); if ($mybb->user['uid'] == 0) { $output->print_header($lang->please_login, "errormsg", 0, 1); $output->print_contents('<p>' . $lang->login_desc . '</p> <form action="upgrade.php" method="post"> <div class="border_wrapper"> <table class="general" cellspacing="0">
$errors = inline_error($errors); } } if ($mybb->input['action'] == "password") { $plugins->run_hooks("usercp_password"); eval("\$editpassword = \"" . $templates->get("usercp_password") . "\";"); output_page($editpassword); } if ($mybb->input['action'] == "do_changename" && $mybb->request_method == "post") { // Verify incoming POST request verify_post_check($mybb->input['my_post_key']); $plugins->run_hooks("usercp_do_changename_start"); if ($mybb->usergroup['canchangename'] != 1) { error_no_permission(); } if (validate_password_from_uid($mybb->user['uid'], $mybb->input['password']) == false) { $errors[] = $lang->error_invalidpassword; } else { // Set up user handler. require_once "inc/datahandlers/user.php"; $userhandler = new UserDataHandler("update"); $user = array("uid" => $mybb->user['uid'], "username" => $mybb->input['username']); $userhandler->set_data($user); if (!$userhandler->validate_user()) { $errors = $userhandler->get_friendly_errors(); } else { $userhandler->update_user(); $plugins->run_hooks("usercp_do_changename_end"); redirect("usercp.php", $lang->redirect_namechanged); } }
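/**
 * Gets the usercp Enhanced Account Switcher page and handles all actions.
 *
 * Renders the "as_edit" page for the current user and processes the POST
 * actions (attach/detach, share/unshare, secondary-account flag, privacy
 * flags, buddy sharing). Every POST action verifies the post key first and
 * finishes with redirect() or error(); the page branch ends with exit.
 *
 * Reads request data from $mybb->input / $mybb->get_input() and the current
 * user from $mybb->user; writes the "users" table through $db and refreshes
 * the plugin cache via $eas->update_accountswitcher_cache().
 *
 * @return void
 */
function accountswitcher_usercp()
{
	global $db, $mybb, $lang, $templates, $theme, $eas, $headerinclude, $header, $usercpnav, $usercpmenu, $as_usercp, $as_usercp_options, $as_usercp_privacy, $as_usercp_users, $as_usercp_userbit, $as_usercp_input, $footer, $shareuser, $attachedOneName, $attachedOneUID, $as_sec_account, $sec_check, $checkbox, $privacy_check, $as_usercp_privacy_master, $buddy_check, $as_usercp_buddyshare, $colspan, $user_sec_reason;

	if (!isset($lang->as_isshared)) {
		$lang->load("accountswitcher");
	}

	// Get the master account of the current user
	$master = get_user((int) $mybb->user['as_uid']);
	// Get the number of attached ones
	$count = $eas->get_attached($mybb->user['uid']);
	// Get limit for users group, declare variables
	$limit = (int) $mybb->usergroup['as_limit'];
	$user_sec_reason = htmlspecialchars_uni($mybb->user['as_secreason']);
	$as_usercp_input = $colspan = $shareuser = $as_sec_account = $sec_check = $privacy_check = $as_usercp_privacy = $as_usercp_privacy_master = $buddy_check = $as_usercp_buddyshare = '';

	// Check if user can use the Enhanced Account Switcher or is attached to an account. If yes grant access to the page
	if ($mybb->input['action'] == "as_edit" && ($mybb->usergroup['as_canswitch'] == 1 || $mybb->user['as_uid'] != 0 || $mybb->user['as_share'] != 0)) {
		add_breadcrumb($lang->nav_usercp, "usercp.php");
		add_breadcrumb($lang->as_name);

		// Mark secondary accounts, exclude master account
		if (isset($mybb->settings['aj_secstyle']) && $mybb->settings['aj_secstyle'] == 1 && $count == 0 && $mybb->user['as_share'] == 0) {
			if ($mybb->user['as_sec'] == 1) {
				$sec_check = 'checked="checked"';
			}
			$as_sec_account .= eval($templates->render('accountswitcher_usercp_sec_account'));
		}

		// Hide account from list
		if (isset($mybb->settings['aj_privacy']) && $mybb->settings['aj_privacy'] == 1) {
			// Master can hide all attached accounts
			if ($mybb->user['as_uid'] == 0 && $count > 0) {
				$as_usercp_privacy_master .= eval($templates->render('accountswitcher_usercp_privacy_master'));
			}
			if ($mybb->user['as_privacy'] == 1) {
				$privacy_check = 'checked="checked"';
			}
			$as_usercp_privacy .= eval($templates->render('accountswitcher_usercp_privacy'));
		}

		if ($mybb->user['as_share'] != 0) {
			// The user account is shared
			if ($mybb->user['as_buddyshare'] == 1) {
				$buddy_check = 'checked="checked"';
			}
			// Initialised so the empty() test below never reads an undefined variable
			$buddylist = array();
			if ($mybb->user['buddylist'] != '') {
				$buddylist = explode(",", $mybb->user['buddylist']);
			}
			if (!empty($buddylist)) {
				$as_usercp_buddyshare .= eval($templates->render('accountswitcher_usercp_buddyshare'));
			}
			// Build the detach button
			if ($mybb->user['as_buddyshare'] != 0) {
				$lang->as_isshared = $lang->as_isshared_buddy;
			}
			$as_usercp_input .= eval($templates->render('accountswitcher_usercp_unshare'));
			$as_usercp_options = eval($templates->render('accountswitcher_usercp_options'));
		} elseif ($mybb->user['as_uid'] != 0) {
			// The user account is attached to a master account
			$colspan = 'colspan="2"';
			$lang->as_isattached = $lang->sprintf($lang->as_isattached, htmlspecialchars_uni($master['username']));
			// Build the detach button
			$as_usercp_input .= eval($templates->render('accountswitcher_usercp_attached_detach'));
			$as_usercp_options = eval($templates->render('accountswitcher_usercp_options'));
		} else {
			// Neither shared nor attached: the user is (or may become) a master account
			// If limit is set to 0 = unlimited
			if ($limit != 0) {
				$lang->as_usercp_attached = $lang->sprintf($lang->as_usercp_attached, (int) $count, $limit);
			} else {
				$lang->as_usercp_attached = $lang->sprintf($lang->as_usercp_attached, (int) $count, $lang->as_unlimited);
			}

			// If there are no users attached grant full access
			if ($count == 0) {
				$colspan = 'colspan="2"';
				if (isset($mybb->settings['aj_shareuser']) && $mybb->settings['aj_shareuser'] == 1) {
					$shareuser = eval($templates->render('accountswitcher_usercp_shareuser'));
				}
				$as_usercp_input .= eval($templates->render('accountswitcher_usercp_free_attach'));
				$as_usercp_options = eval($templates->render('accountswitcher_usercp_options'));
			}

			// If there are users attached allow only user attachment
			if ($count != 0) {
				$as_usercp_input .= eval($templates->render('accountswitcher_usercp_master_attach'));
				$as_usercp_options = eval($templates->render('accountswitcher_usercp_options'));
				// Get attached ones from the cache
				$accounts = $eas->accountswitcher_cache;
				if (is_array($accounts)) {
					foreach ($accounts as $account) {
						$attachedOneUID = (int) $account['uid'];
						$attachedOneName = htmlspecialchars_uni($account['username']);
						// Only list accounts whose master is the current user
						if ($account['as_uid'] == $mybb->user['uid']) {
							$as_usercp_userbit .= eval($templates->render('accountswitcher_usercp_attached_userbit'));
						}
					}
					$as_usercp_users = eval($templates->render('accountswitcher_usercp_attached_users'));
				}
			}
		}

		$as_usercp = eval($templates->render('accountswitcher_usercp'));
		output_page($as_usercp);
		exit;
	}

	//########## ACTIONS ##########

	// Attach current user to another account
	if ($mybb->input['action'] == "as_attach" && $mybb->input['select'] == "attachme" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));

		// Check if current user is already attached
		if ($mybb->user['as_uid'] != 0) {
			error($lang->as_alreadyattached);
		}

		// Validate input
		// NOTE(review): core code passes get_user_by_username() an unescaped value;
		// confirm whether escaping here double-escapes usernames containing quotes.
		$username = $db->escape_string($mybb->get_input('username'));
		// The password only feeds the hash check and never reaches SQL, so it is
		// not escaped: escaping would alter passwords containing quotes or
		// backslashes and make them fail to verify.
		$password = $mybb->get_input('password');

		// Get the target; skip get_user() entirely when the name is unknown
		$targetUser = get_user_by_username($username);
		$target = !empty($targetUser['uid']) ? get_user((int) $targetUser['uid']) : false;

		// User exist? Password correct?
		if (!$target) {
			error($lang->as_invaliduser);
		}
		if (validate_password_from_uid($target['uid'], $password) == false) {
			error($lang->as_invaliduser);
		}

		// Check targets permission and limit
		$permission = user_permissions((int) $target['uid']);
		// Count number of attached accounts
		$count = $eas->get_attached($target['uid']);
		// If other user is shared or already attached return
		if ($target['as_uid'] != 0 || $target['as_share'] != 0) {
			error($lang->as_alreadyattached);
		}
		// If target has permission
		if ($permission['as_canswitch'] == 0) {
			error($lang->as_usercp_nopermission);
		}
		if ($permission['as_limit'] != 0 && $count == $permission['as_limit']) {
			error($lang->as_limitreached);
		}

		// Set uid of the new master
		$as_uid = array("as_uid" => (int) $target['uid']);
		// Update database
		$db->update_query("users", $as_uid, "uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_attach_success);
	}

	// Detach current user from master
	if ($mybb->input['action'] == "as_detach" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		// Reset master uid
		$as_uid = array("as_uid" => 0);
		// Update database
		if ($db->update_query("users", $as_uid, "uid='" . (int) $mybb->user['uid'] . "'")) {
			$eas->update_accountswitcher_cache();
			// If user can use Enhanced Account Switcher stay here
			if ($mybb->usergroup['as_canswitch'] == 1) {
				redirect("usercp.php?action=as_edit", $lang->aj_update_success);
			}
			// Else redirect to usercp
			redirect("usercp.php", $lang->aj_detach_success);
		}
	}

	// Attach an user to the current account
	if ($mybb->input['action'] == "as_attach" && $mybb->input['select'] == "attachuser" && $mybb->request_method == "post" && $mybb->user['as_uid'] == 0) {
		verify_post_check($mybb->get_input('my_post_key'));

		// Validate input
		// NOTE(review): see the note on the "attachme" branch about escaping the username.
		$username = $db->escape_string($mybb->get_input('username'));
		// Not escaped: the password is only passed to the hash check, not to SQL.
		$password = $mybb->get_input('password');

		// Get the target; skip get_user() entirely when the name is unknown
		$targetUser = get_user_by_username($username);
		$target = !empty($targetUser['uid']) ? get_user((int) $targetUser['uid']) : false;

		// User exist? Password correct?
		if (!$target) {
			error($lang->as_invaliduser);
		}
		if (validate_password_from_uid($target['uid'], $password) == false) {
			error($lang->as_invaliduser);
		}

		// Check targets permission and limit
		$permission = user_permissions((int) $target['uid']);
		// Count number of attached accounts
		$count = $eas->get_attached($mybb->user['uid']);
		$counttarget = $eas->get_attached($target['uid']);
		// If other user is shared or already attached return
		if ($target['as_uid'] != 0 || $target['as_share'] != 0 || $counttarget > 0) {
			error($lang->as_alreadyattached);
		}
		// If we have permission
		if ($mybb->usergroup['as_canswitch'] == 0) {
			error($lang->as_usercp_nopermission);
		}
		if ($mybb->usergroup['as_limit'] != 0 && $count == $mybb->usergroup['as_limit']) {
			error($lang->as_limitreached);
		}

		// Set his new masters uid
		$as_uid = array("as_uid" => (int) $mybb->user['uid']);
		// Update database
		$db->update_query("users", $as_uid, "uid='" . (int) $target['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_attach_success);
	}

	// Detach user from current account
	if ($mybb->input['action'] == "as_detachuser" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		// Validate input
		if (!is_numeric($mybb->input['uid'])) {
			die("UID must be numeric!");
		}
		// Reset master uid, but only for an account that is actually attached to
		// the current user (as_uid = own uid). Without that constraint the
		// submitted uid alone selects the row, so a request could detach accounts
		// attached to a different master.
		$as_uid = array("as_uid" => 0);
		$db->update_query("users", $as_uid, "uid='" . $mybb->get_input('uid', MyBB::INPUT_INT) . "' AND as_uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_detach_success);
	}

	// Share the current account
	if ($mybb->input['action'] == "as_attach" && $mybb->input['select'] == "shareuser" && $mybb->request_method == "post" && $mybb->user['as_uid'] == 0 && $mybb->settings['aj_shareuser'] == 1) {
		verify_post_check($mybb->get_input('my_post_key'));
		// Update database
		$as_share = array("as_share" => 1);
		$db->update_query("users", $as_share, "uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_share_success);
	}

	// Unshare the current account
	if ($mybb->input['action'] == "as_unshare" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		// Clear the share flag together with its share-target and buddy-only flags
		$as_unshare = array("as_share" => 0);
		$as_unshareuid = array("as_shareuid" => 0);
		$as_unsharebuddy = array("as_buddyshare" => 0);
		$db->update_query("users", $as_unshare, "uid='" . (int) $mybb->user['uid'] . "'");
		$db->update_query("users", $as_unshareuid, "uid='" . (int) $mybb->user['uid'] . "'");
		$db->update_query("users", $as_unsharebuddy, "uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_unshare_success);
	}

	// Mark/unmark the current account as secondary
	if ($mybb->input['action'] == "do_secaccount" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		$secacc_reason = $mybb->get_input('secacc_reason');
		// When account is unmarked delete the reason too
		if ($mybb->get_input('secacc', MyBB::INPUT_INT) != 1) {
			$secacc_reason = '';
		}
		$as_secacc = array(
			"as_sec" => $mybb->get_input('secacc', MyBB::INPUT_INT),
			"as_secreason" => $db->escape_string($secacc_reason),
		);
		$db->update_query("users", $as_secacc, "uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_seacc_success);
	}

	// Hide/show the current account on account list
	if ($mybb->input['action'] == "do_as_privacy" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		$as_privacc = array("as_privacy" => $mybb->get_input('as_privacy', MyBB::INPUT_INT));
		$db->update_query("users", $as_privacc, "uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_seacc_success);
	}

	// Hide the all attached accounts on account list
	if ($mybb->input['action'] == "do_as_privacy_master" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		$as_privacc_master = array("as_privacy" => 1);
		// Applies to the master itself and to every account attached to it
		$db->update_query("users", $as_privacc_master, "uid='" . (int) $mybb->user['uid'] . "'");
		$db->update_query("users", $as_privacc_master, "as_uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_seacc_success);
	}

	// Unhide the all attached accounts on account list
	if ($mybb->input['action'] == "undo_as_privacy_master" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		$as_privacc_master = array("as_privacy" => 0);
		// Applies to the master itself and to every account attached to it
		$db->update_query("users", $as_privacc_master, "uid='" . (int) $mybb->user['uid'] . "'");
		$db->update_query("users", $as_privacc_master, "as_uid='" . (int) $mybb->user['uid'] . "'");
		$eas->update_accountswitcher_cache();
		redirect("usercp.php?action=as_edit", $lang->aj_user_seacc_success);
	}

	// Share with buddies only
	if ($mybb->input['action'] == "do_buddyshare" && $mybb->request_method == "post") {
		verify_post_check($mybb->get_input('my_post_key'));
		// Initialised so the empty() test below never reads an undefined variable
		$buddylist = array();
		if ($mybb->user['buddylist'] != '') {
			$buddylist = explode(",", $mybb->user['buddylist']);
		}
		if (!empty($buddylist)) {
			$as_buddy_share = array("as_buddyshare" => $mybb->get_input('buddyshare', MyBB::INPUT_INT));
			$db->update_query("users", $as_buddy_share, "uid='" . (int) $mybb->user['uid'] . "'");
			$eas->update_accountswitcher_cache();
			redirect("usercp.php?action=as_edit", $lang->aj_user_seacc_success);
		} else {
			error($lang->aj_user_buddy_none);
		}
	}
}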