コード例 #1
ファイル: index.php プロジェクト: AlexJS7/church.local
// Optional Referer-based CSRF guard for the manager, switched on by the
// 'validate_referer' system setting. The Referer header is supplied by the
// client, so this stops ordinary cross-site browser requests but does not
// replace per-request anti-CSRF tokens.
if (isset($modx->config['validate_referer']) && intval($modx->config['validate_referer'])) {
    if (!isset($_SERVER['HTTP_REFERER'])) {
        // Header absent from the request environment altogether
        $modx->webAlertAndQuit("A possible CSRF attempt was detected. No referer was provided by the server.", "index.php");
    } else {
        $referer = $_SERVER['HTTP_REFERER'];
        if (empty($referer)) {
            // Header present but empty (empty() also treats the string "0" as empty)
            $modx->webAlertAndQuit("A possible CSRF attempt was detected. No referer was provided by the client.", "index.php");
        } elseif (!preg_match('/^' . preg_quote(MODX_SITE_URL, '/') . '/i', $referer)) {
            // Case-insensitive prefix match against the site URL.
            // NOTE(review): a prefix match is only a safe origin check if MODX_SITE_URL
            // ends with "/"; without it a longer host name starting with the same
            // characters would also match - confirm how the constant is defined.
            // NOTE(review): the rejected Referer is echoed back in the alert text;
            // confirm webAlertAndQuit() encodes it for its output context.
            $modx->webAlertAndQuit("A possible CSRF attempt was detected from referer: " . $referer . ".", "index.php");
        }
    }
}
// invoke OnManagerPageInit event
$modx->invokeEvent("OnManagerPageInit", array("action" => $action));
// Now we decide what to do according to the action request. This is a BIG list :)
switch ($action) {
    /********************************************************************/
    /* frame management - show the requested frame                      */
    /********************************************************************/
    case 1:
        // get the requested frame
        // The frame name comes straight from the request and is used to build an
        // include path. Stripping every character except ASCII letters and digits
        // removes '.', '/', '\' and NUL, so the path cannot leave frames/ or change
        // its extension; any alphanumeric *.php file in that directory stays includable.
        // NOTE(review): $_REQUEST['f'] is not checked for presence or type. A missing
        // value gives an empty name (include of "frames/.php"); confirm that fails
        // harmlessly. An explicit allowlist of frame names would be stricter.
        $frame = preg_replace('/[^a-z0-9]/i', '', $_REQUEST['f']);
        // $frame is a string here, so this is a string-vs-int comparison; PHP 8
        // changed how non-numeric strings compare with integers - TODO confirm the
        // frames this is meant to catch are numeric.
        if ($frame > 9) {
            $enable_debug = false;
            // this is to stop the debug thingy being attached to the framesets
        }
        include_once "frames/" . $frame . ".php";
        break;
        /********************************************************************/
コード例 #2
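 /**
  * Build the siteCache.idx.php file: a generated PHP script (it starts with
  * "<?php") holding the system settings, alias/document listings, content
  * types, chunks, snippets, plugins and the plugin event map.
  *
  * Security: every database value is written into PHP source. A value placed
  * inside a quoted literal is therefore escaped for that literal with the
  * class's own escapeSingleQuotes()/escapeDoubleQuotes() helpers (defined
  * outside this block), and a value written unquoted is cast to int. A value
  * able to terminate its literal would otherwise become code in the cache file.
  *
  * If the cache file cannot be opened or written, a message is printed and
  * the request is terminated.
  *
  * @param  DocumentParser $modx
  * @return boolean success
  */
 function buildCache($modx)
 {
     $tmpPHP = "<?php\n";
     // SETTINGS & DOCUMENT LISTINGS CACHE
     // get settings
     $sql = 'SELECT * FROM ' . $modx->getFullTableName('system_settings');
     $rs = $modx->db->query($sql);
     $config = array();
     $tmpPHP .= '$c=&$this->config;' . "\n";
     while (list($key, $value) = $modx->db->getRow($rs, 'num')) {
         // The setting name sits in a single-quoted literal and must be escaped for it.
         // NOTE(review): the value sits in a double-quoted literal, where PHP also
         // interpolates "$"; confirm escapeDoubleQuotes() neutralises "$" as well.
         $tmpPHP .= '$c[\'' . $this->escapeSingleQuotes($key) . '\']' . ' = "' . $this->escapeDoubleQuotes($value) . "\";\n";
         $config[$key] = $value;
     }
     // get aliases modx: support for alias path
     $tmpPath = '';
     $tmpPHP .= '$this->aliasListing = array();' . "\n";
     $tmpPHP .= '$a = &$this->aliasListing;' . "\n";
     $tmpPHP .= '$d = &$this->documentListing;' . "\n";
     $tmpPHP .= '$m = &$this->documentMap;' . "\n";
     $sql = 'SELECT IF(alias=\'\', id, alias) AS alias, id, contentType, parent FROM ' . $modx->getFullTableName('site_content') . ' WHERE deleted=0 ORDER BY parent, menuindex';
     $rs = $modx->db->query($sql);
     $limit_tmp = $modx->db->getRecordCount($rs);
     for ($i_tmp = 0; $i_tmp < $limit_tmp; $i_tmp++) {
         $tmp1 = $modx->db->getRow($rs);
         // id and parent are emitted as bare PHP integers, so force them to int
         $docId = (int) $tmp1['id'];
         $parentId = (int) $tmp1['parent'];
         // Aliases are escaped as PHP string literals, not with the SQL escaper:
         // SQL escaping targets a different grammar and rewrites characters such
         // as '"' and newlines that a single-quoted PHP literal keeps verbatim.
         if ($config['friendly_urls'] == 1 && $config['use_alias_path'] == 1) {
             $tmpPath = $this->getParents($tmp1['parent']);
             $alias = (strlen($tmpPath) > 0 ? "{$tmpPath}/" : '') . $tmp1['alias'];
             $tmpPHP .= '$d[\'' . $this->escapeSingleQuotes($alias) . '\']' . " = " . $docId . ";\n";
         } else {
             $tmpPHP .= '$d[\'' . $this->escapeSingleQuotes($tmp1['alias']) . '\']' . " = " . $docId . ";\n";
         }
         $tmpPHP .= '$a[' . $docId . ']' . " = array('id' => " . $docId . ", 'alias' => '" . $this->escapeSingleQuotes($tmp1['alias']) . "', 'path' => '" . $this->escapeSingleQuotes($tmpPath) . "', 'parent' => " . $parentId . ");\n";
         $tmpPHP .= '$m[]' . " = array('" . $parentId . "' => '" . $docId . "');\n";
     }
     // get content types
     $sql = 'SELECT id, contentType FROM ' . $modx->getFullTableName('site_content') . " WHERE contentType != 'text/html'";
     $rs = $modx->db->query($sql);
     $limit_tmp = $modx->db->getRecordCount($rs);
     $tmpPHP .= '$c = &$this->contentTypes;' . "\n";
     for ($i_tmp = 0; $i_tmp < $limit_tmp; $i_tmp++) {
         $tmp1 = $modx->db->getRow($rs);
         $tmpPHP .= '$c[' . (int) $tmp1['id'] . ']' . " = '" . $this->escapeSingleQuotes($tmp1['contentType']) . "';\n";
     }
     // WRITE Chunks to cache file
     $sql = 'SELECT * FROM ' . $modx->getFullTableName('site_htmlsnippets');
     $rs = $modx->db->query($sql);
     $limit_tmp = $modx->db->getRecordCount($rs);
     $tmpPHP .= '$c = &$this->chunkCache;' . "\n";
     for ($i_tmp = 0; $i_tmp < $limit_tmp; $i_tmp++) {
         $tmp1 = $modx->db->getRow($rs);
         $tmpPHP .= '$c[\'' . $this->escapeSingleQuotes($tmp1['name']) . '\']' . " = '" . $this->escapeSingleQuotes($tmp1['snippet']) . "';\n";
     }
     // WRITE snippets to cache file
     $sql = 'SELECT ss.*,sm.properties as `sharedproperties` ' . 'FROM ' . $modx->getFullTableName('site_snippets') . ' ss ' . 'LEFT JOIN ' . $modx->getFullTableName('site_modules') . ' sm on sm.guid=ss.moduleguid';
     $rs = $modx->db->query($sql);
     $limit_tmp = $modx->db->getRecordCount($rs);
     $tmpPHP .= '$s = &$this->snippetCache;' . "\n";
     for ($i_tmp = 0; $i_tmp < $limit_tmp; $i_tmp++) {
         $tmp1 = $modx->db->getRow($rs);
         $snippetName = $this->escapeSingleQuotes($tmp1['name']);
         $tmpPHP .= '$s[\'' . $snippetName . '\']' . " = '" . $this->escapeSingleQuotes($tmp1['snippet']) . "';\n";
         // Raymond: save snippet properties to cache
         if ($tmp1['properties'] != "" || $tmp1['sharedproperties'] != "") {
             // the "<name>Props" key carries the same name, so it gets the same escaping
             $tmpPHP .= '$s[\'' . $snippetName . 'Props\']' . " = '" . $this->escapeSingleQuotes($tmp1['properties'] . " " . $tmp1['sharedproperties']) . "';\n";
         }
         // End mod
     }
     // WRITE plugins to cache file
     $sql = 'SELECT sp.*,sm.properties as `sharedproperties`' . 'FROM ' . $modx->getFullTableName('site_plugins') . ' sp ' . 'LEFT JOIN ' . $modx->getFullTableName('site_modules') . ' sm on sm.guid=sp.moduleguid ' . 'WHERE sp.disabled=0';
     $rs = $modx->db->query($sql);
     $limit_tmp = $modx->db->getRecordCount($rs);
     $tmpPHP .= '$p = &$this->pluginCache;' . "\n";
     for ($i_tmp = 0; $i_tmp < $limit_tmp; $i_tmp++) {
         $tmp1 = $modx->db->getRow($rs);
         $pluginName = $this->escapeSingleQuotes($tmp1['name']);
         $tmpPHP .= '$p[\'' . $pluginName . '\']' . " = '" . $this->escapeSingleQuotes($tmp1['plugincode']) . "';\n";
         if ($tmp1['properties'] != '' || $tmp1['sharedproperties'] != '') {
             $tmpPHP .= '$p[\'' . $pluginName . 'Props\']' . " = '" . $this->escapeSingleQuotes($tmp1['properties'] . ' ' . $tmp1['sharedproperties']) . "';\n";
         }
     }
     // WRITE system event triggers
     $sql = 'SELECT sysevt.name as `evtname`, pe.pluginid, plugs.name
             FROM ' . $modx->getFullTableName('system_eventnames') . ' sysevt
             INNER JOIN ' . $modx->getFullTableName('site_plugin_events') . ' pe ON pe.evtid = sysevt.id
             INNER JOIN ' . $modx->getFullTableName('site_plugins') . ' plugs ON plugs.id = pe.pluginid
             WHERE plugs.disabled=0
             ORDER BY sysevt.name,pe.priority';
     $events = array();
     $rs = $modx->db->query($sql);
     $limit_tmp = $modx->db->getRecordCount($rs);
     $tmpPHP .= '$e = &$this->pluginEvent;' . "\n";
     for ($i = 0; $i < $limit_tmp; $i++) {
         $evt = $modx->db->getRow($rs);
         // isset() avoids reading a key that does not exist yet on an event's first row
         if (!isset($events[$evt['evtname']])) {
             $events[$evt['evtname']] = array();
         }
         $events[$evt['evtname']][] = $evt['name'];
     }
     foreach ($events as $evtname => $pluginnames) {
         // escapeSingleQuotes() is handed the whole list of plugin names here
         $tmpPHP .= '$e[\'' . $this->escapeSingleQuotes($evtname) . '\'] = array(\'' . implode("','", $this->escapeSingleQuotes($pluginnames)) . "');\n";
     }
     // close and write the file
     $tmpPHP .= "\n";
     $filename = $this->cachePath . 'siteCache.idx.php';
     $somecontent = $tmpPHP;
     // invoke OnBeforeCacheUpdate event
     if ($modx) {
         $modx->invokeEvent('OnBeforeCacheUpdate');
     }
     if (!($handle = fopen($filename, 'w'))) {
         echo 'Cannot open file (', $filename, ')';
         exit;
     }
     // Write $somecontent to our opened file.
     if (fwrite($handle, $somecontent) === false) {
         fclose($handle);
         echo 'Cannot write main MODx cache file! Make sure the assets/cache directory is writable!';
         exit;
     }
     fclose($handle);
     // invoke OnCacheUpdate event
     if ($modx) {
         $modx->invokeEvent('OnCacheUpdate');
     }
     return true;
 }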
コード例 #3
ファイル: login.processor.php プロジェクト: rthrash/evolution
// Manager login processor (excerpt): bootstraps the parser, reads the submitted
// credentials, fires OnBeforeManagerLogin and loads the matching account row.
include_once "error.class.inc.php";
$e = new errorHandler();
// initiate the content manager class
include_once "document.parser.class.inc.php";
$modx = new DocumentParser();
$modx->loadExtension("ManagerAPI");
$modx->getSettings();
// $etomite is kept as an alias of $modx for backward compatibility
$etomite =& $modx;
// for backward compatibility
// Credentials are read from $_REQUEST, so they are accepted from the query
// string as well as from the POST body.
// NOTE(review): confirm the login form only ever POSTs; credentials carried in
// a URL end up in access logs and browser history.
$username = $modx->db->escape($_REQUEST['username']);
// NOTE(review): the password is SQL-escaped although this excerpt never puts it
// into SQL. Escaping alters any password containing quotes or backslashes, so
// the value verified later (outside this excerpt) is not what the user typed -
// confirm. The escaped value is also what plugins receive in the event below.
$givenPassword = $modx->db->escape($_REQUEST['password']);
$captcha_code = $_REQUEST['captcha_code'];
$rememberme = $_REQUEST['rememberme'];
// Allowed number of failed logins, taken from the system settings
$failed_allowed = $modx->config["failed_login_attempts"];
// invoke OnBeforeManagerLogin event
// The plaintext (escaped) password is passed to every plugin bound to this event.
$modx->invokeEvent("OnBeforeManagerLogin", array("username" => $username, "userpassword" => $givenPassword, "rememberme" => $rememberme));
// Joins manager_users with user_attributes on internalKey = id and compares the
// username with BINARY, i.e. case-sensitively. $dbase and $table_prefix are
// defined outside this excerpt.
// NOTE(review): the username literal reads '******' on this page; that looks
// like masking applied by the listing rather than the project's code - TODO
// confirm against the original file before relying on this line.
$sql = "SELECT {$dbase}.`" . $table_prefix . "manager_users`.*, {$dbase}.`" . $table_prefix . "user_attributes`.* FROM {$dbase}.`" . $table_prefix . "manager_users`, {$dbase}.`" . $table_prefix . "user_attributes` WHERE BINARY {$dbase}.`" . $table_prefix . "manager_users`.username = '******' and {$dbase}.`" . $table_prefix . "user_attributes`.internalKey={$dbase}.`" . $table_prefix . "manager_users`.id;";
// The mysql_* extension was removed in PHP 7. The result is not checked for
// false before it is handed to mysql_num_rows().
$rs = mysql_query($sql);
$limit = mysql_num_rows($rs);
// Exactly one matching account is required; "no match" and "more than one
// match" report the same error (errors[900]) and end this included script.
if ($limit == 0 || $limit > 1) {
    jsAlert($e->errors[900]);
    return;
}
// Copy the account fields out of the row; they are not used within this
// excerpt, presumably the checks that follow it read them.
$row = mysql_fetch_assoc($rs);
$internalKey = $row['internalKey'];
$dbasePassword = $row['password'];
$failedlogins = $row['failedlogincount'];
$blocked = $row['blocked'];
$blockeduntildate = $row['blockeduntil'];
$blockedafterdate = $row['blockedafter'];
$registeredsessionid = $row['sessionid'];
コード例 #4
ファイル: index.php プロジェクト: GitKharytonov/Rebind
    include_once $richtextIncludeDirectory . 'assets/cache/siteManager.php';
}
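// Manager directory name: fall back to 'manager' when nothing defined it earlier.
if (!defined('MGR_DIR')) {
    define('MGR_DIR', 'manager');
}
$richtextIncludeDirectory .= MGR_DIR . '/';
//Config
// Overwrite the request-derived script path before the bootstrap files load.
// NOTE(review): presumably so the includes do not build paths or URLs from this
// widget's own location - confirm against protect.inc.php / config.inc.php.
$_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME'] = '/';
require_once $richtextIncludeDirectory . 'includes/protect.inc.php';
require_once $richtextIncludeDirectory . 'includes/config.inc.php';
startCMSSession();
// Authorization gate: the editor window is rendered only for a session flagged
// as a validated manager login; everyone else gets the static index.html.
// !empty() keeps the same truthiness test but does not read a missing key when
// the visitor has no manager session.
if (!empty($_SESSION['mgrValidated'])) {
    define('IN_MANAGER_MODE', true);
    //Setup the MODx API
    define('MODX_API_MODE', true);
    //Initiate a new document parser
    require_once $richtextIncludeDirectory . 'includes/document.parser.class.inc.php';
    $modx = new DocumentParser();
    //Provide the MODx DBAPI
    $modx->db->connect();
    //Provide the $modx->documentMap and user settings
    $modx->getSettings();
    $mmDir = 'assets/plugins/managermanager/';
    $windowDir = $mmDir . 'widgets/ddmultiplefields/richtext/';
    //Include the ddTools library
    require_once $modx->config['base_path'] . $mmDir . 'modx.ddtools.class.php';
    //Let the TinyMCE plugin produce its initialisation markup for the widget's field
    $temp = $modx->invokeEvent('OnRichTextEditorInit', array('editor' => 'TinyMCE', 'elements' => array('ddMultipleFields_richtext')));
    // Fill the [+placeholder+] slots of template.html. Every path is built from
    // fixed strings and configuration values; nothing from the request is used.
    // NOTE(review): the configuration values are inserted without HTML encoding;
    // they are site settings - confirm none of them can be set by a less
    // privileged user.
    echo ddTools::parseText(
        file_get_contents($modx->config['base_path'] . $windowDir . 'template.html'),
        array(
            'site_url' => $modx->config['site_url'],
            'mmDir' => $mmDir,
            'windowDir' => $windowDir,
            'charset' => '<meta charset="' . $modx->config['modx_charset'] . '" />',
            'style' => MODX_MANAGER_URL . 'media/style/' . $modx->config['manager_theme'] . '/style.css',
            'tinyMCE' => $temp[0],
        ),
        '[+',
        '+]',
        false
    );
} else {
    echo file_get_contents(dirname(__FILE__) . '/index.html');
}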
コード例 #5
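    /**
     * Build the siteCache.idx.php file: a generated PHP script (it starts with
     * "<?php") holding the system settings, alias/document listings, content
     * types, chunks, snippets, plugins and the plugin event map.
     *
     * Security: every database value is written into PHP source. Values placed
     * inside quoted literals go through escapeSingleQuotes()/escapeDoubleQuotes()
     * (defined outside this block); values written unquoted are cast to int so
     * that they can only ever be an integer literal.
     *
     * If the cache file cannot be opened or written, a message is printed and
     * the request is terminated.
     *
     * @param  DocumentParser $modx
     * @return boolean success
     */
    function buildCache($modx)
    {
        $tmpPHP = "<?php\n";
        // SETTINGS & DOCUMENT LISTINGS CACHE
        // get settings
        $rs = $modx->db->select('*', $modx->getFullTableName('system_settings'));
        $config = array();
        $tmpPHP .= '$c=&$this->config;' . "\n";
        while (list($key, $value) = $modx->db->getRow($rs, 'num')) {
            // NOTE(review): the value sits in a double-quoted literal, where PHP also
            // interpolates "$"; confirm escapeDoubleQuotes() neutralises "$" as well.
            $tmpPHP .= '$c[\'' . $this->escapeSingleQuotes($key) . '\']' . ' = "' . $this->escapeDoubleQuotes($value) . "\";\n";
            $config[$key] = $value;
        }
        // get aliases modx: support for alias path
        $tmpPath = '';
        $tmpPHP .= '$this->aliasListing = array();' . "\n";
        $tmpPHP .= '$a = &$this->aliasListing;' . "\n";
        $tmpPHP .= '$d = &$this->documentListing;' . "\n";
        $tmpPHP .= '$m = &$this->documentMap;' . "\n";
        $rs = $modx->db->select('IF(alias=\'\', id, alias) AS alias, id, parent, isfolder', $modx->getFullTableName('site_content'), 'deleted=0', 'parent, menuindex');
        while ($tmp1 = $modx->db->getRow($rs)) {
            // id, parent and isfolder are emitted as bare PHP integers, so force them to int
            $docId = (int) $tmp1['id'];
            $parentId = (int) $tmp1['parent'];
            $isFolder = (int) $tmp1['isfolder'];
            if ($config['friendly_urls'] == 1 && $config['use_alias_path'] == 1) {
                $tmpPath = $this->getParents($tmp1['parent']);
                $alias = (strlen($tmpPath) > 0 ? "{$tmpPath}/" : '') . $tmp1['alias'];
                $tmpPHP .= '$d[\'' . $this->escapeSingleQuotes($alias) . '\']' . " = " . $docId . ";\n";
            } else {
                $tmpPHP .= '$d[\'' . $this->escapeSingleQuotes($tmp1['alias']) . '\']' . " = " . $docId . ";\n";
            }
            $tmpPHP .= '$a[' . $docId . ']' . " = array('id' => " . $docId . ", 'alias' => '" . $this->escapeSingleQuotes($tmp1['alias']) . "', 'path' => '" . $this->escapeSingleQuotes($tmpPath) . "', 'parent' => " . $parentId . ", 'isfolder' => " . $isFolder . ");\n";
            $tmpPHP .= '$m[]' . " = array('" . $parentId . "' => '" . $docId . "');\n";
        }
        // get content types
        $rs = $modx->db->select('id, contentType', $modx->getFullTableName('site_content'), "contentType != 'text/html'");
        $tmpPHP .= '$c = &$this->contentTypes;' . "\n";
        while ($tmp1 = $modx->db->getRow($rs)) {
            $tmpPHP .= '$c[' . (int) $tmp1['id'] . ']' . " = '" . $this->escapeSingleQuotes($tmp1['contentType']) . "';\n";
        }
        // WRITE Chunks to cache file
        $rs = $modx->db->select('*', $modx->getFullTableName('site_htmlsnippets'));
        $tmpPHP .= '$c = &$this->chunkCache;' . "\n";
        while ($tmp1 = $modx->db->getRow($rs)) {
            $tmpPHP .= '$c[\'' . $this->escapeSingleQuotes($tmp1['name']) . '\']' . " = '" . $this->escapeSingleQuotes($tmp1['snippet']) . "';\n";
        }
        // WRITE snippets to cache file
        $rs = $modx->db->select('ss.*, sm.properties as sharedproperties', $modx->getFullTableName('site_snippets') . ' ss
				LEFT JOIN ' . $modx->getFullTableName('site_modules') . ' sm on sm.guid=ss.moduleguid');
        $tmpPHP .= '$s = &$this->snippetCache;' . "\n";
        while ($tmp1 = $modx->db->getRow($rs)) {
            $tmpPHP .= '$s[\'' . $this->escapeSingleQuotes($tmp1['name']) . '\']' . " = '" . $this->escapeSingleQuotes($tmp1['snippet']) . "';\n";
            if ($tmp1['properties'] != '' || $tmp1['sharedproperties'] != '') {
                $tmpPHP .= '$s[\'' . $this->escapeSingleQuotes($tmp1['name']) . 'Props\']' . " = '" . $this->escapeSingleQuotes($tmp1['properties'] . " " . $tmp1['sharedproperties']) . "';\n";
            }
        }
        // WRITE plugins to cache file
        $rs = $modx->db->select('sp.*, sm.properties as sharedproperties', $modx->getFullTableName('site_plugins') . ' sp
				LEFT JOIN ' . $modx->getFullTableName('site_modules') . ' sm on sm.guid=sp.moduleguid', 'sp.disabled=0');
        $tmpPHP .= '$p = &$this->pluginCache;' . "\n";
        while ($tmp1 = $modx->db->getRow($rs)) {
            $tmpPHP .= '$p[\'' . $this->escapeSingleQuotes($tmp1['name']) . '\']' . " = '" . $this->escapeSingleQuotes($tmp1['plugincode']) . "';\n";
            if ($tmp1['properties'] != '' || $tmp1['sharedproperties'] != '') {
                $tmpPHP .= '$p[\'' . $this->escapeSingleQuotes($tmp1['name']) . 'Props\']' . " = '" . $this->escapeSingleQuotes($tmp1['properties'] . ' ' . $tmp1['sharedproperties']) . "';\n";
            }
        }
        // WRITE system event triggers
        $events = array();
        $rs = $modx->db->select('sysevt.name as evtname, pe.pluginid, plugs.name', $modx->getFullTableName('system_eventnames') . ' sysevt
				INNER JOIN ' . $modx->getFullTableName('site_plugin_events') . ' pe ON pe.evtid = sysevt.id
				INNER JOIN ' . $modx->getFullTableName('site_plugins') . ' plugs ON plugs.id = pe.pluginid', 'plugs.disabled=0', 'sysevt.name,pe.priority');
        $tmpPHP .= '$e = &$this->pluginEvent;' . "\n";
        while ($evt = $modx->db->getRow($rs)) {
            // isset() avoids reading a key that does not exist yet on an event's first row
            if (!isset($events[$evt['evtname']])) {
                $events[$evt['evtname']] = array();
            }
            $events[$evt['evtname']][] = $evt['name'];
        }
        foreach ($events as $evtname => $pluginnames) {
            // escapeSingleQuotes() is handed the whole list of plugin names here
            $tmpPHP .= '$e[\'' . $this->escapeSingleQuotes($evtname) . '\'] = array(\'' . implode("','", $this->escapeSingleQuotes($pluginnames)) . "');\n";
        }
        // close and write the file
        $tmpPHP .= "\n";
        $filename = $this->cachePath . 'siteCache.idx.php';
        $somecontent = $tmpPHP;
        // invoke OnBeforeCacheUpdate event
        if ($modx) {
            $modx->invokeEvent('OnBeforeCacheUpdate');
        }
        if (!($handle = fopen($filename, 'w'))) {
            echo 'Cannot open file (', $filename, ')';
            exit;
        }
        // Best-effort hardening: drop an .htaccess that denies web access to the
        // cache directory when none exists. The write result is deliberately not checked.
        // NOTE(review): these are Apache 2.2-style directives; Apache 2.4 without
        // mod_access_compat expects "Require all denied", and servers that do not
        // read .htaccess ignore the file - confirm for the deployment.
        if (!is_file($this->cachePath . '/.htaccess')) {
            file_put_contents($this->cachePath . '/.htaccess', "order deny,allow\ndeny from all\n");
        }
        // Write $somecontent to our opened file.
        if (fwrite($handle, $somecontent) === false) {
            fclose($handle);
            echo 'Cannot write main MODX cache file! Make sure the assets/cache directory is writable!';
            exit;
        }
        fclose($handle);
        // invoke OnCacheUpdate event
        if ($modx) {
            $modx->invokeEvent('OnCacheUpdate');
        }
        return true;
    }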