header("Location: ${urlServer}"); exit(); } if ($uid) { require_once 'include/action.php'; $action = new action(); $action->record(MODULE_ID_VIDEO); } // ---------------------- // download video // ---------------------- $res2 = Database::get()->querySingle("SELECT * FROM video WHERE course_id = ?d AND id = ?d", $course_id, $_GET['id']); if (!$res2) { header("Location: ${urlServer}"); exit(); } $valid = ($uid || course_status($course_id) == COURSE_OPEN) ? true : token_validate($row2['path'], $_GET['token'], 30); if (!$valid) { header("Location: ${urlServer}"); exit(); } $vObj = MediaResourceFactory::initFromVideo($res2); $real_file = $webDir . "/video/" . q($_GET['course']) . q($vObj->getPath()); send_file_to_client($real_file, my_basename(q($vObj->getUrl())), $disposition, true);
} // no user application. user account has been created with pending mail verification elseif (!empty($u_id)) { $qry = "SELECT id, username, email, verified_mail FROM user WHERE id = $u_id"; $id = $u_id; } // no id given else { $user_error_msg = $langMailVerifyNoId; } $res = Database::get()->querySingle($qry); if ($res) { $username = $res->username; $email = $res->email; // success if (token_validate($username . $email . $id, $code)) { $verified_mail = intval($res->verified_mail); // update user's application if (!empty($req_id) and ($verified_mail !== 1)) { Database::get()->query("UPDATE user_request SET verified_mail = 1 WHERE id = ?d", $req_id); $department = $tree->getFullPath($res->faculty_id); $prof = isset($res->status) && intval($res->status) === 1 ? 1 : NULL; $givenname = $res->givenname; $surname = $res->surname; $am = $res->am; $usercomment = $res->comment; $usermail = $res->email; $userphone = $res->phone; $subject = $prof ? $mailsubject : $mailsubject2; $MailMessage = $mailbody1 . $mailbody2 . "$givenname $surname\n\n" .
============================================================================== @Description: Contact the admin with an e-mail message when an account has been deactivated This script allows a user the send an e-mail to the admin, requesting the re-activation of his/her account ============================================================================== */ require_once '../../include/baseTheme.php'; require_once 'include/sendMail.inc.php'; $pageName = $langContactAdmin; $userid = isset($_GET['userid']) ? intval($_GET['userid']) : 0; if ($userid and isset($_GET['h']) and token_validate("userid=$userid", $_GET['h'])) { $info = Database::get()->querySingle("SELECT * FROM user WHERE id = ?d", $userid); if ($info) { $firstname = $info->givenname; $lastname = $info->surname; $email = $info->email; } else { $firstname = $lastname = $email = ''; } if (isset($_POST['submit'])) { $body = isset($_POST['body']) ? $_POST['body'] : ''; $tool_content .= "<table width='99%'><tbody><tr><td>"; $to = get_config('email_helpdesk'); $emailsubject = $langAccountActivate; $emailbody = "$langAccountActivateMessage\n\n$firstname $lastname\ne-mail: $email\n" .
include '../../include/baseTheme.php'; require_once 'modules/auth/auth.inc.php'; require_once 'include/lib/hierarchy.class.php'; require_once 'include/lib/user.class.php'; require_once 'modules/admin/custom_profile_fields_functions.php'; $tree = new Hierarchy(); $user = new User(); $toolName = $langMyProfile; $userdata = array(); if (isset($_GET['id']) and isset($_GET['token'])) { $id = intval($_GET['id']); if (!token_validate($id, $_GET['token'], 3600)) { forbidden($_SERVER['REQUEST_URI']); } $pageName = $langUserProfile; } else { $id = $uid; } $userdata = Database::get()->querySingle("SELECT surname, givenname, username, email, status, phone, am, registered_at, has_icon, description, password, email_public, phone_public, am_public FROM user WHERE id = ?d", $id); if ($userdata) { $auth = array_search($userdata->password, $auth_ids);
* Panepistimiopolis Ilissia, 15784, Athens, Greece * e-mail: info@openeclass.org * ======================================================================== */ if (!isset($_GET['username']) || !isset($_GET['token']) || !isset($_GET['session'])) { exit; } $username = $_GET['username']; $token = $_GET['token']; $session_id = $_GET['session']; session_id($session_id); session_start(); require_once '../../include/init.php'; require_once 'modules/auth/auth.inc.php'; // validate token timestamp if (!token_validate($username . $session_id, $token, 500)) { exit; } $exists = Database::get()->querySingle("SELECT 1 AS `exists` FROM user_sso WHERE username = ?s AND token = ?s AND session_id = ?s", $username, $token, $session_id); if ($exists && intval($exists->exists) === 1) { foreach (array_keys($_SESSION) as $key) { unset($_SESSION[$key]); } $user = Database::get()->querySingle("SELECT * FROM user WHERE username COLLATE utf8_bin = ?s", $username); $is_active = check_activity($user->id); $admin_rights = get_admin_rights($user->id); if ($admin_rights == ADMIN_USER) { $is_active = 1; // admin user is always active $_SESSION['is_admin'] = 1; } elseif ($admin_rights == POWER_USER) {
$homelink = "<br><p><a href='{$urlAppend}'>{$langHome}</a></p>\n"; function password_is_editable($password) { global $auth_ids; if (in_array($password, $auth_ids)) { return false; // not editable, external auth method } else { return true; // editable } } if (isset($_REQUEST['u']) and isset($_REQUEST['h'])) { $change_ok = false; $userUID = intval($_REQUEST['u']); $valid = token_validate('password' . $userUID, $_REQUEST['h'], TOKEN_VALID_TIME); $res = Database::get()->querySingle("SELECT id FROM user WHERE id = ?d AND password NOT IN ('" . implode("', '", $auth_ids) . "')", $userUID); $error_messages = array(); if ($valid and $res) { if (isset($_POST['newpass']) and isset($_POST['newpass1']) and count($error_messages = acceptable_password($_POST['newpass'], $_POST['newpass1'])) == 0) { $hasher = new PasswordHash(8, false); $q1 = Database::get()->query("UPDATE user SET password = ?s\n WHERE id = ?d", $hasher->HashPassword($_POST['newpass']), $userUID); if ($q1->affectedRows > 0) { $tool_content = "<div class='alert alert-success'><p>{$langAccountResetSuccess1}</p></div>\n {$homelink}"; $change_ok = true; } } elseif (count($error_messages)) { $tool_content .= "<div class='alert alert-warning'><ul><li>" . implode("</li>\n<li>", $error_messages) . "</li></ul></div>"; } if (!$change_ok) { $tool_content .= "\n <div class='form-wrapper'>\n <form method='post' action='{$_SERVER['SCRIPT_NAME']}'>\n <input type='hidden' name='u' value='{$userUID}'>\n <input type='hidden' name='h' value='" . q($_REQUEST['h']) . 
"'>\n <fieldset>\n <legend>{$langPassword}</legend>\n <table class='tbl'>\n <tr>\n <th>{$langNewPass1}</th>\n <td><input type='password' size='40' name='newpass' value='' id='password' autocomplete='off'/> <span id='result'></span></td>\n </tr>\n <tr>\n <th>{$langNewPass2}</th>\n <td><input type='password' size='40' name='newpass1' value='' autocomplete='off'></td>\n </tr>\n <tr>\n <th> </th>\n <td><input class='btn btn-primary' type='submit' name='submit' value='{$langModify}'></td>\n </tr>\n </table>\n </fieldset>\n </form>\n </div>";
/**
 * @brief Check whether an RSS link token is valid for the current module and user
 *
 * Two conditions must hold: the token must validate against the current
 * module link concatenated with the user id and course code, and the user
 * must still have a non-zero status in course_user for the current course.
 * Any failure yields false.
 */
function rss_token_valid($token, $uid) {
    global $course_code, $course_id, $module_id, $modules;

    // Payload the token was generated for: module link + user id + course code
    $expected_payload = $modules[$module_id]['link'] . $uid . $course_code;
    $token_ok = token_validate($expected_payload, $token);
    if (!$token_ok) {
        return false;
    }

    // The token alone is not enough; the user must still be a course member
    $membership = Database::get()->querySingle(
        'SELECT status FROM course_user WHERE course_id = ?d AND user_id = ?d',
        $course_id, $uid);

    // Both a missing membership row and a zero status deny access
    return $membership && $membership->status;
}
// $disk_path is set if common file link $disk_path = common_doc_path($file_info->extra_path, true); if (!$disk_path) { // external file URL header("Location: {$file_info->extra_path}"); exit; } elseif (!$common_doc_visible) { forbidden(preg_replace('/^.*file\\.php/', '', $uri)); } } else { // Normal file $disk_path = $basedir . $file_info->path; } if (file_exists($disk_path)) { if (!$is_in_playmode) { $valid = $uid || course_status($course_id) == COURSE_OPEN ? true : token_validate($file_info->path, $_GET['token'], 30); if (!$valid) { not_found(preg_replace('/^.*file\\.php/', '', $uri)); exit; } send_file_to_client($disk_path, $file_info->filename); } else { require_once 'include/lib/fileDisplayLib.inc.php'; require_once 'include/lib/multimediahelper.class.php'; $mediaPath = file_url($file_info->path, $file_info->filename); $mediaURL = $urlServer . 'modules/document/index.php?course=' . $course_code . '&download=' . $file_info->path; if (defined('GROUP_DOCUMENTS')) { $mediaURL = $urlServer . 'modules/group/index.php?course=' . $course_code . '&group_id=' . $group_id . '&download=' . $file_info->path; } $token = token_generate($file_info->path, true); $mediaAccess = $mediaPath . '?token=' . $token;
exit; } elseif (!$common_doc_visible) { forbidden(preg_replace('/^.*file\.php/', '', $uri)); } } else { // Normal file $disk_path = $basedir . $file_info->path; } if (file_exists($disk_path)) { if (!$is_in_playmode) { $valid = $uid || defined('COMMON_DOCUMENTS') || defined('MY_DOCUMENTS') || course_status($course_id) == COURSE_OPEN || (isset($_GET['token']) && token_validate($file_info->path, $_GET['token'], 30)); if (!$valid) { not_found(preg_replace('/^.*file\.php/', '', $uri)); exit(); } send_file_to_client($disk_path, $file_info->filename); } else { require_once 'include/lib/fileDisplayLib.inc.php'; require_once 'include/lib/multimediahelper.class.php'; $mediaPath = file_url($file_info->path, $file_info->filename); $mediaURL = $urlServer . 'modules/document/index.php?course=' . $course_code . '&download=' . $file_info->path; if (defined('GROUP_DOCUMENTS')) $mediaURL = $urlServer . 'modules/group/index.php?course=' . $course_code . '&group_id=' . $group_id . '&download=' . $file_info->path; $token = token_generate($file_info->path, true); $mediaAccess = $mediaPath . '?token=' . $token;
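/**
 * Allows checking if a honeypot is valid
 *
 * Function will verify all honeypot fields and remove them afterwards.
 *
 * When the form does not use a honeypot ($this->form['honeypot'] falsy) the
 * check is skipped and true is returned. Otherwise the request must carry
 * the hp_empty, hp_token and hp_timestamp fields (under their hashed names)
 * and must NOT carry hp_removed; hp_empty must be an empty string, the token
 * must pass token_validate(), and the timestamp must be between 1 and 1800
 * seconds old. Request values are only accepted as strings: an array or a
 * non-numeric timestamp is treated as a failed check instead of reaching
 * the arithmetic below (which would raise a TypeError on PHP 8).
 *
 * @return bool true when no honeypot is required or all fields validate
 */
function checkHoneypot() {
    if (empty($this->form['honeypot'])) {
        return true; // Form does not require a honeypot check
    }

    $empty_key = token_hash('hp_empty');
    $token_key = token_hash('hp_token');
    $timestamp_key = token_hash('hp_timestamp');

    $all_present = isset($_REQUEST[$empty_key])
        && !isset($_REQUEST[token_hash('hp_removed')])
        && isset($_REQUEST[$token_key])
        && isset($_REQUEST[$timestamp_key]);
    if (!$all_present) {
        return false; // Fields are not all set (or not set)
    }

    $empty = $_REQUEST[$empty_key];         // Grab the empty field
    $token = $_REQUEST[$token_key];         // Grab the token field
    $timestamp = $_REQUEST[$timestamp_key]; // Grab the timestamp field

    // Timestamp freshness is computed up front (no side effects) so that the
    // evaluation order below stays: empty field, token, then age.
    $now = time();
    $fresh = false;
    if (is_string($timestamp) && is_numeric($timestamp)) {
        $age = $now - $timestamp;
        $fresh = $age > 0 && $age <= 1800; // at least 1 s and at most 30 min old
    }

    $matches = is_string($empty) && $empty === ''
        && is_string($token) && token_validate($token)
        && $fresh;
    if (!$matches) {
        return false; // Fields do not match
    }

    // Unset all honeypot fields so they do not leak into form processing...
    unset($_REQUEST[$empty_key]);
    unset($_REQUEST[$token_key]);
    unset($_REQUEST[$timestamp_key]);
    return true; // ...and report success
}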
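/**
 * Send a document to the client, addressed by its public (URL) path.
 *
 * The public path is split into components and mapped to a disk path by
 * public_path_to_disk_path(). A logged-in user ($uid truthy) may always
 * download; an anonymous request must carry a download token in
 * $_GET['token'] that validates against the resolved path within 30
 * (units as interpreted by token_validate()), otherwise the client is
 * redirected to $urlServer. The function never returns normally: it ends
 * the request with exit either way.
 *
 * @global string $basedir   document root on disk, prefixed to the resolved path
 * @global int    $uid       current user id; falsy for anonymous visitors
 * @global string $urlServer base URL of the installation, target of the redirect
 * @param string $file_path    public path of the file, '/'-separated
 * @param string $initial_path optional prefix handed to public_path_to_disk_path()
 * @return void
 */
function send_file_by_url_file_path($file_path, $initial_path = '') {
    // $urlServer must be imported as well: without it the redirect below
    // would emit an empty "Location:" header.
    global $basedir, $uid, $urlServer;

    // '//' is turned into chr(1) before splitting, presumably so the resolver
    // can tell it apart from a plain separator — kept as in the original.
    $path_components = explode('/', str_replace('//', chr(1), $file_path));
    $file_info = public_path_to_disk_path($path_components, $initial_path);

    // Only a scalar token is ever validated; a missing or array-valued
    // parameter becomes null instead of an undefined-index read.
    $token = (isset($_GET['token']) && is_string($_GET['token'])) ? $_GET['token'] : null;
    $valid = $uid ? true : token_validate($file_info->path, $token, 30);
    if (!$valid) {
        header("Location: {$urlServer}");
        exit;
    }

    if (!send_file_to_client($basedir . $file_info->path, $file_info->filename, null, false)) {
        not_found($file_path);
    }
    exit;
}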