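 /**
  * Open an HTML <form> tag, optionally with attributes and hidden fields.
  *
  * A relative $action (no scheme and not already starting with BASE) is
  * rebased onto the control panel URL (BASE . AMP . $action) and then passed
  * through ee()->uri->reformat(). When CSRF protection is enabled a
  * csrf_token hidden field is always added to $hidden.
  *
  * The action and every attribute key/value are written into the markup
  * verbatim (no escaping); callers must pass trusted or already-escaped values.
  *
  * @param string       $action     Form action URL or CP path
  * @param array|string $attributes Attribute map, or a raw attribute string
  * @param array        $hidden     name => value pairs rendered via form_hidden()
  * @return string Opening <form> tag followed by the hidden fields
  */
 function form_open($action = '', $attributes = array(), $hidden = array())
 {
     if (strpos($action, '://') === FALSE && strpos($action, BASE) !== 0) {
         $action = BASE . AMP . $action;
     }
     $action = ee()->uri->reformat($action);
     $form = '<form action="' . $action . '"';
     if (is_array($attributes)) {
         // Default to POST unless the caller chose a method explicitly
         if (!isset($attributes['method'])) {
             $form .= ' method="post"';
         }
         foreach ($attributes as $key => $val) {
             $form .= ' ' . $key . '="' . $val . '"';
         }
     } else {
         $form .= ' method="post" ' . $attributes;
     }
     $form .= ">\n";
     if (!bool_config_item('disable_csrf_protection')) {
         // A non-array $hidden cannot carry the token; normalise it first
         if (!is_array($hidden)) {
             $hidden = array();
         }
         $hidden['csrf_token'] = CSRF_TOKEN;
     }
     // count($hidden) > 0, not count($hidden > 0): the latter counted a boolean
     if (is_array($hidden) && count($hidden) > 0) {
         $form .= form_hidden($hidden) . "\n";
     }
     return $form;
 }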
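 /**
  * Publish the JavaScript globals the publish form relies on: language
  * strings, autosave interval/URL, the foreign-character conversion map,
  * smiley support and the title-focus flag.
  *
  * @param object $entry Entry being published; entry_id and channel_id are read
  * @param bool   $valid Whether the entry validated; title focus is only enabled when TRUE
  * @return void
  */
 protected function setGlobalJs($entry, $valid)
 {
     $entry_id = $entry->entry_id;
     $channel_id = $entry->channel_id;
     // Read the config item once; FALSE (unset) falls back to 60 seconds
     $autosave_interval_seconds = ee()->config->item('autosave_interval_seconds');
     if ($autosave_interval_seconds === FALSE) {
         $autosave_interval_seconds = 60;
     }
     //	Create Foreign Character Conversion JS
     // Initialised before the include so a missing config file (include only
     // warns) cannot leave $foreign_characters undefined; config/foreign_chars.php
     // is presumably what assigns it.
     $foreign_characters = array();
     include APPPATH . 'config/foreign_chars.php';
     /* -------------------------------------
     /*  'foreign_character_conversion_array' hook.
     /*  - Allows you to use your own foreign character conversion array
     /*  - Added 1.6.0
     *   - Note: in 2.0, you can edit the foreign_chars.php config file as well
     */
     if (isset(ee()->extensions->extensions['foreign_character_conversion_array'])) {
         $foreign_characters = ee()->extensions->call('foreign_character_conversion_array');
     }
     /*
     /* -------------------------------------*/
     $smileys_enabled = isset(ee()->cp->installed_modules['emoticon']);
     if ($smileys_enabled) {
         ee()->load->helper('smiley');
         ee()->cp->add_to_foot(smiley_js());
     }
     ee()->javascript->set_global(array(
         'lang.add_new_html_button' => lang('add_new_html_button'),
         'lang.close' => lang('close'),
         'lang.confirm_exit' => lang('confirm_exit'),
         'lang.loading' => lang('loading'),
         'publish.autosave.interval' => (int) $autosave_interval_seconds,
         'publish.autosave.URL' => ee('CP/URL')->make('publish/autosave/' . $channel_id . '/' . $entry_id)->compile(),
         'publish.add_category.URL' => ee('CP/URL')->make('channels/cat/createCat/###')->compile(),
         'publish.foreignChars' => $foreign_characters,
         'publish.lang.no_member_groups' => lang('no_member_groups'),
         'publish.lang.refresh_layout' => lang('refresh_layout'),
         'publish.lang.tab_count_zero' => lang('tab_count_zero'),
         'publish.lang.tab_has_req_field' => lang('tab_has_req_field'),
         'publish.markitup.foo' => FALSE,
         'publish.smileys' => $smileys_enabled,
         'publish.field.URL' => ee('CP/URL', 'publish/field/' . $channel_id . '/' . $entry_id)->compile(),
         'publish.which' => $entry_id ? 'edit' : 'new',
         'publish.word_separator' => ee()->config->item('word_separator') != "dash" ? '_' : '-',
         'user.can_edit_html_buttons' => ee()->cp->allowed_group('can_edit_html_buttons'),
         'user.foo' => FALSE,
         'user_id' => ee()->session->userdata('member_id'),
     ));
     // -------------------------------------------
     //	Publish Page Title Focus - makes the title field gain focus when the page is loaded
     //
     //	Hidden Configuration Variable - publish_page_title_focus => Set focus to the tile? (y/n)
     // Only a new (no entry_id), valid entry gets focus, and only when configured
     ee()->javascript->set_global('publish.title_focus', FALSE);
     if (!$entry_id && $valid && bool_config_item('publish_page_title_focus')) {
         ee()->javascript->set_global('publish.title_focus', TRUE);
     }
 }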
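 /**
  * Open an HTML <form> tag (CodeIgniter-style helper).
  *
  * A relative $action (no scheme) is resolved through $CI->config->site_url().
  * When CSRF protection is enabled a csrf_token hidden field is added, and any
  * hidden fields are rendered inside a display:none wrapper after the tag.
  *
  * @param string       $action     Form action URL or site path
  * @param array|string $attributes Attributes; an empty value means method="post"
  * @param array        $hidden     name => value pairs rendered via form_hidden()
  * @return string Opening <form> tag followed by the hidden fields
  */
 function form_open($action = '', $attributes = '', $hidden = array())
 {
     $CI =& get_instance();
     if ($attributes == '') {
         $attributes = 'method="post"';
     }
     $action = strpos($action, '://') === FALSE ? $CI->config->site_url($action) : $action;
     $form = '<form action="' . $action . '"';
     $form .= _attributes_to_string($attributes, TRUE);
     $form .= '>';
     // CSRF
     if (!bool_config_item('disable_csrf_protection')) {
         // A non-array $hidden (e.g. '') cannot take the token; normalise it first
         if (!is_array($hidden)) {
             $hidden = array();
         }
         $hidden['csrf_token'] = CSRF_TOKEN;
     }
     if (is_array($hidden) && count($hidden) > 0) {
         $form .= sprintf("<div style=\"display:none\">%s</div>", form_hidden($hidden));
     }
     return $form;
 }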
 /**
  * Check and Validate Form CSRF tokens
  *
  * Checks any POST and PUT data for a valid csrf token. The main
  * processing happens in the csrf library which differentiates between
  * logged in and logged out users. Always defines CSRF_TOKEN (plus the
  * legacy REQUEST_XID / XID_SECURE_HASH aliases) and, for AJAX POSTs,
  * echoes the token back in the X-CSRF-TOKEN / X-EEXID response headers.
  *
  * The check is skipped when CSRF_EXEMPT is set, when CSRF protection is
  * disabled in config, or for non-CP AJAX requests unless CSRF_STRICT is
  * set. AJAX_REQUEST is derived from ee()->input->is_ajax_request(), i.e.
  * from a request header, so that exemption rests on the header convention
  * rather than on the token.
  *
  * @access public
  * @param int $flags Bitmask of self::CSRF_* flags
  * @return boolean FALSE if there is an invalid XID, TRUE if valid or no XID
  */
 public function have_valid_xid($flags = self::CSRF_STRICT)
 {
     ee()->load->library('csrf');
     // Grouped explicitly: && binds tighter than ||, so the middle clause is one unit
     $skip_check = ($flags & self::CSRF_EXEMPT)
         || (AJAX_REQUEST && REQ != 'CP' && !($flags & self::CSRF_STRICT))
         || bool_config_item('disable_csrf_protection');
     $is_valid = $skip_check ? TRUE : ee()->csrf->check();
     // Retrieve the current token and expose it under the current and legacy names
     $token = ee()->csrf->get_user_token();
     foreach (array('CSRF_TOKEN', 'REQUEST_XID', 'XID_SECURE_HASH') as $constant) {
         define($constant, $token);
     }
     // Send the header and legacy header for ajax requests
     if (AJAX_REQUEST && ee()->input->server('REQUEST_METHOD') == 'POST') {
         header('X-CSRF-TOKEN: ' . $token);
         header('X-EEXID: ' . $token);
     }
     return $is_valid;
 }
 /**
  * Set cookie
  *
  * Accepts six parameters, or an associative array in the first parameter
  * holding any of value/expire/domain/path/prefix/name. An empty prefix or
  * domain and the default path fall back to the cookie_* config items. A
  * non-numeric expiry writes an already-expired cookie; zero or less writes
  * a session cookie. When cookie_secure is on and the request is not HTTPS
  * the cookie is not written and FALSE is returned. setcookie() is called
  * without the httponly argument here.
  *
  * @access	public
  * @param	mixed	cookie name, or an array carrying all parameters
  * @param	string	the value of the cookie
  * @param	string	the number of seconds until expiration
  * @param	string	the cookie domain.  Usually:  .yourdomain.com
  * @param	string	the cookie path
  * @param	string	the cookie prefix
  * @return	void
  */
 function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '')
 {
     if (is_array($name)) {
         // Unpack the array form; 'name' is read last so $name keeps the array until then
         $params = $name;
         if (isset($params['value'])) {
             $value = $params['value'];
         }
         if (isset($params['expire'])) {
             $expire = $params['expire'];
         }
         if (isset($params['domain'])) {
             $domain = $params['domain'];
         }
         if (isset($params['path'])) {
             $path = $params['path'];
         }
         if (isset($params['prefix'])) {
             $prefix = $params['prefix'];
         }
         if (isset($params['name'])) {
             $name = $params['name'];
         }
     }
     // Config fallbacks, applied only when the caller left the default
     if ($prefix == '' && config_item('cookie_prefix') != '') {
         $prefix = config_item('cookie_prefix');
     }
     if ($domain == '' && config_item('cookie_domain') != '') {
         $domain = config_item('cookie_domain');
     }
     if ($path == '/' && config_item('cookie_path') != '/') {
         $path = config_item('cookie_path');
     }
     if (!is_numeric($expire)) {
         // Not a number: a timestamp in the past removes the cookie
         $expire = time() - 86500;
     } elseif ($expire > 0) {
         $expire = time() + $expire;
     } else {
         $expire = 0;
     }
     $secure_cookie = (bool_config_item('cookie_secure') === TRUE) ? 1 : 0;
     if ($secure_cookie) {
         // Never send a secure-only cookie over plain HTTP
         $https = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : FALSE;
         if (!$https || $https == 'off') {
             return FALSE;
         }
     }
     setcookie($prefix . $name, $value, $expire, $path, $domain, $secure_cookie);
 }
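 /**
  * Member Logout
  *
  * Requires the current CSRF token (csrf_token, or the legacy XID query
  * parameter) unless CSRF protection is disabled. Then removes the member's
  * online_users row, destroys the session, clears the read_topics cookie,
  * issues a fresh CSRF token, fires the member_member_logout hook and shows
  * the logged-out message, linking back to the originating forum board when
  * FROM=forum was passed.
  *
  * @return void
  */
 public function member_logout()
 {
     // Check CSRF Token: current parameter name first, then the legacy one
     $token = ee()->input->get('csrf_token');
     if (!$token) {
         $token = ee()->input->get('XID');
     }
     // Constant-time comparison; a missing token (FALSE) is compared as ''
     if (!bool_config_item('disable_csrf_protection') && !hash_equals((string) CSRF_TOKEN, (string) $token)) {
         return ee()->output->show_user_error('general', array(lang('not_authorized')));
     }
     // Kill the session and cookies
     ee()->db->where('site_id', ee()->config->item('site_id'));
     ee()->db->where('ip_address', ee()->input->ip_address());
     ee()->db->where('member_id', ee()->session->userdata('member_id'));
     ee()->db->delete('online_users');
     ee()->session->destroy();
     ee()->input->delete_cookie('read_topics');
     // Issue a fresh token for the now logged-out visitor (return value unused)
     ee()->csrf->refresh_token();
     /* -------------------------------------------
     /* 'member_member_logout' hook.
     /*  - Perform additional actions after logout
     /*  - Added EE 1.6.1
     */
     ee()->extensions->call('member_member_logout');
     if (ee()->extensions->end_script === TRUE) {
         return;
     }
     /*
     /* -------------------------------------------*/
     // Is this a forum redirect?
     $url = NULL;
     $name = '';
     if (ee()->input->get_post('FROM') == 'forum') {
         $board_id = ee()->input->get_post('board_id');
         // Fall back to board 1 unless a numeric board id was supplied;
         // the value only ever reaches the query builder as a bound where() value
         if ($board_id === FALSE || !is_numeric($board_id)) {
             $board_id = 1;
         }
         $query = ee()->db->select('board_forum_url, board_label')->where('board_id', $board_id)->get('forum_boards');
         $url = $query->row('board_forum_url');
         $name = $query->row('board_label');
     }
     // Build success message. Without a forum URL fall back to the site itself;
     // previously $name was never set here because $url had already been assigned.
     if ($url === NULL) {
         $url = ee()->config->item('site_url');
         $name = stripslashes(ee()->config->item('site_name'));
     }
     $data = array(
         'title' => lang('mbr_login'),
         'heading' => lang('thank_you'),
         'content' => lang('mbr_you_are_logged_out'),
         'redirect' => $url,
         'link' => array($url, $name),
     );
     ee()->output->show_message($data);
 }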
 /**
  * Sets constants, sets paths contants to appropriate directories, loads
  * the database and generally prepares the system to run.
  *
  * Order matters: REQ and the PATH_* constants are defined before the
  * database is loaded, IS_CORE is read by APP_NAME right after it is
  * defined, and PATH_THEMES must exist before the third-party theme
  * constants. Intended to run once per request; define() warns when a
  * constant already exists.
  *
  * @return void
  */
 public function bootstrap()
 {
     // Define the request type
     // Note: admin.php defines REQ=CP
     if (!defined('REQ')) {
         define('REQ', ee()->input->get_post('ACT') !== FALSE ? 'ACTION' : 'PAGE');
     }
     // Set a liberal script execution time limit, making it shorter for front-end requests than CI's default
     // (@ hides any warning the ini_get / set_time_limit calls emit)
     if (function_exists("set_time_limit") == TRUE and @ini_get("safe_mode") == 0) {
         @set_time_limit(REQ == 'CP' ? 300 : 90);
     }
     // some path constants to simplify things
     define('PATH_MOD', APPPATH . 'modules/');
     define('PATH_PI', APPPATH . 'plugins/');
     define('PATH_EXT', APPPATH . 'extensions/');
     define('PATH_ACC', APPPATH . 'accessories/');
     define('PATH_FT', APPPATH . 'fieldtypes/');
     define('PATH_RTE', APPPATH . 'rte_tools/');
     // A configured third_party_path is canonicalised with realpath() and normalised to one trailing slash
     if (ee()->config->item('third_party_path')) {
         define('PATH_THIRD', rtrim(realpath(ee()->config->item('third_party_path')), '/') . '/');
     } else {
         define('PATH_THIRD', APPPATH . 'third_party/');
     }
     // application constants
     define('IS_CORE', FALSE);
     define('APP_NAME', 'ExpressionEngine' . (IS_CORE ? ' Core' : ''));
     define('APP_BUILD', '20140715');
     define('APP_VER', '2.9.0');
     define('SLASH', '&#47;');
     define('LD', '{');
     define('RD', '}');
     define('AMP', '&amp;');
     define('NBS', '&nbsp;');
     define('BR', '<br />');
     define('NL', "\n");
     define('PATH_DICT', APPPATH . 'config/');
     // AJAX_REQUEST is header-derived (is_ajax_request) and is consulted by the CSRF checks later
     define('AJAX_REQUEST', ee()->input->is_ajax_request());
     // Load DB and set DB preferences
     ee()->load->database();
     ee()->db->swap_pre = 'exp_';
     ee()->db->db_debug = FALSE;
     // Note enable_db_caching is a per site setting specified in EE_Config.php
     // If debug is on we enable the profiler and DB debug
     if (DEBUG == 1 or ee()->config->item('debug') == 2) {
         $this->_enable_debugging();
     }
     // Assign Site prefs now that the DB is fully loaded
     // site_name is restricted to [a-z0-9_-] (case-insensitive) before it is used as the prefs key
     if (ee()->config->item('site_name') != '') {
         ee()->config->set_item('site_name', preg_replace('/[^a-z0-9\\-\\_]/i', '', ee()->config->item('site_name')));
     }
     ee()->config->site_prefs(ee()->config->item('site_name'));
     // Load the default caching driver
     ee()->load->driver('cache');
     // this look backwards, but QUERY_MARKER is only used where we MUST
     // have a ?, and do not want to double up
     // question marks on sites who are forcing query strings
     define('QUERY_MARKER', ee()->config->item('force_query_string') == 'y' ? '' : '?');
     // Load the settings of the site you're logged into, however use the
     // cookie settings from the site that corresponds to the URL
     // e.g. site1.com/system/ viewing site2
     // $last_site_id = the site that you're viewing
     // config->item('site_id') = the site who's URL is being used
     // cp_last_site_id is a request cookie; it is only acted on below once it is non-empty and numeric
     $last_site_id = ee()->input->cookie('cp_last_site_id');
     if (REQ == 'CP' && ee()->config->item('multiple_sites_enabled') == 'y') {
         // Capture the URL site's cookie settings before site_prefs() may switch sites
         $cookie_prefix = ee()->config->item('cookie_prefix');
         $cookie_path = ee()->config->item('cookie_path');
         $cookie_domain = ee()->config->item('cookie_domain');
         $cookie_httponly = ee()->config->item('cookie_httponly');
         if ($cookie_prefix) {
             $cookie_prefix .= '_';
         }
         if (!empty($last_site_id) && is_numeric($last_site_id) && $last_site_id != ee()->config->item('site_id')) {
             ee()->config->site_prefs('', $last_site_id);
         }
         ee()->config->cp_cookie_prefix = $cookie_prefix;
         ee()->config->cp_cookie_path = $cookie_path;
         ee()->config->cp_cookie_domain = $cookie_domain;
         ee()->config->cp_cookie_httponly = $cookie_httponly;
     }
     // This allows CI compatibility
     if (ee()->config->item('base_url') == FALSE) {
         ee()->config->set_item('base_url', ee()->config->item('site_url'));
     }
     if (ee()->config->item('index_page') == FALSE) {
         ee()->config->set_item('index_page', ee()->config->item('site_index'));
     }
     if (IS_CORE) {
         ee()->config->set_item('enable_template_routes', 'n');
     }
     // Backwards compatibility for the removed secure forms setting.
     // Developers are still checking against this key, so we'll wait some
     // time before removing it.
     // secure_forms mirrors the inverse of disable_csrf_protection
     $secure_forms = bool_config_item('disable_csrf_protection') ? 'n' : 'y';
     ee()->config->set_item('secure_forms', $secure_forms);
     // Set the path to the "themes" folder
     // Either the configured folder or <system parent>/themes/, with repeated slashes collapsed
     if (ee()->config->item('theme_folder_path') !== FALSE && ee()->config->item('theme_folder_path') != '') {
         $theme_path = preg_replace("#/+#", "/", ee()->config->item('theme_folder_path') . '/');
     } else {
         $theme_path = substr(APPPATH, 0, -strlen(SYSDIR . '/expressionengine/')) . 'themes/';
         $theme_path = preg_replace("#/+#", "/", $theme_path);
     }
     // Maybe the site has been moved.
     // Let's try some basic autodiscovery if config items are set
     // But the directory does not exist.
     if (!is_dir($theme_path)) {
         if (is_dir(FCPATH . '../themes/')) {
             $theme_path = FCPATH . '../themes/';
         } elseif (is_dir(FCPATH . 'themes/')) {
             $theme_path = FCPATH . 'themes/';
         }
     }
     define('PATH_THEMES', $theme_path);
     define('PATH_MBR_THEMES', PATH_THEMES . 'profile_themes/');
     define('PATH_CP_GBL_IMG', ee()->config->slash_item('theme_folder_url') . 'cp_global_images/');
     unset($theme_path);
     // Define Third Party Theme Path and URL
     if (ee()->config->item('path_third_themes')) {
         define('PATH_THIRD_THEMES', rtrim(realpath(ee()->config->item('path_third_themes')), '/') . '/');
     } else {
         define('PATH_THIRD_THEMES', PATH_THEMES . 'third_party/');
     }
     if (ee()->config->item('url_third_themes')) {
         define('URL_THIRD_THEMES', rtrim(ee()->config->item('url_third_themes'), '/') . '/');
     } else {
         define('URL_THIRD_THEMES', ee()->config->slash_item('theme_folder_url') . 'third_party/');
     }
     // Load the very, very base classes
     ee()->load->library('functions');
     ee()->load->library('extensions');
     // Our design is a little dirty. The asset controllers need
     // path_cp_theme. Fix it without loading all the other junk!
     if (REQ == 'CP') {
         define('PATH_CP_THEME', PATH_THEMES . 'cp_themes/');
         // theme path
     }
     // New Relic instrumentation is optional: only wired up when the extension is present
     if (extension_loaded('newrelic')) {
         ee()->load->library('newrelic');
         if (ee()->config->item('use_newrelic') == 'n') {
             ee()->newrelic->disable_autorum();
         } else {
             ee()->newrelic->set_appname();
             ee()->newrelic->name_transaction();
         }
     }
 }
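 /**
  * Adds member image directories (avatars, photos, etc...) as upload
  * directories
  *
  * Each directory is created only when its feature is enabled in config
  * and no UploadDestination with that name exists yet.
  *
  * @access private
  * @return bool Always TRUE, including when the Member module is not installed
  */
 private function _update_upload_directories()
 {
     $module = ee('Model')->get('Module')->filter('module_name', 'Member')->first();
     // Bail if the member module isn't installed
     if (empty($module)) {
         return TRUE;
     }
     // Install member upload directories
     $site_id = ee()->config->item('site_id');
     $member_directories = array();
     if (bool_config_item('enable_avatars') && $this->_upload_destination_missing('Avatars')) {
         $member_directories['Avatars'] = array(
             'server_path' => ee()->config->item('avatar_path'),
             'url' => ee()->config->item('avatar_url'),
             'allowed_types' => 'img',
             'max_width' => ee()->config->item('avatar_max_width'),
             'max_height' => ee()->config->item('avatar_max_height'),
             'max_size' => ee()->config->item('avatar_max_kb'),
         );
     }
     if (bool_config_item('enable_photos') && $this->_upload_destination_missing('Member Photos')) {
         $member_directories['Member Photos'] = array(
             'server_path' => ee()->config->item('photo_path'),
             'url' => ee()->config->item('photo_url'),
             'allowed_types' => 'img',
             'max_width' => ee()->config->item('photo_max_width'),
             'max_height' => ee()->config->item('photo_max_height'),
             'max_size' => ee()->config->item('photo_max_kb'),
         );
     }
     if (bool_config_item('allow_signatures') && $this->_upload_destination_missing('Signature Attachments')) {
         $member_directories['Signature Attachments'] = array(
             'server_path' => ee()->config->item('sig_img_path'),
             'url' => ee()->config->item('sig_img_url'),
             'allowed_types' => 'img',
             'max_width' => ee()->config->item('sig_img_max_width'),
             'max_height' => ee()->config->item('sig_img_max_height'),
             'max_size' => ee()->config->item('sig_img_max_kb'),
         );
     }
     if (bool_config_item('prv_msg_enabled') && bool_config_item('prv_msg_allow_attachments') && $this->_upload_destination_missing('PM Attachments')) {
         $member_directories['PM Attachments'] = array(
             'server_path' => ee()->config->item('prv_msg_upload_path'),
             // No dedicated URL setting for PM attachments; derived from the avatar URL
             'url' => str_replace('avatars', 'pm_attachments', ee()->config->item('avatar_url')),
             'allowed_types' => 'img',
             'max_size' => ee()->config->item('prv_msg_attach_maxsize'),
         );
     }
     foreach ($member_directories as $name => $dir) {
         $directory = ee('Model')->make('UploadDestination');
         $directory->site_id = $site_id;
         $directory->name = $name;
         $directory->removeNoAccess();
         $directory->setModule($module);
         foreach ($dir as $property => $value) {
             $directory->{$property} = $value;
         }
         $directory->save();
     }
     return TRUE;
 }

 /**
  * Whether no UploadDestination with the given name exists yet.
  *
  * @param string $name Upload destination name to look up
  * @return bool TRUE when the lookup returns nothing
  */
 private function _upload_destination_missing($name)
 {
     $existing = ee('Model')->get('UploadDestination')->filter('name', $name)->first();
     return empty($existing);
 }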
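 /**
  * CP homepage setting for the current member.
  *
  * Builds the list of channels the member may publish to (per site when MSM
  * is enabled, otherwise for the current site), validates and saves the
  * POSTed cp_homepage / cp_homepage_channel / cp_homepage_custom values,
  * and renders the settings form.
  *
  * @return void
  */
 public function index()
 {
     $field['allowed_channels'] = array();
     $all_sites_have_channels = TRUE;
     // If MSM is enabled, let them choose a channel for each site, should they
     // want to redirect to the publish form on each site
     if (bool_config_item('multiple_sites_enabled')) {
         $sites = ee('Model')->get('Site')->all();
         $field['sites'] = $sites->getDictionary('site_id', 'site_label');
         $assigned_channels = $this->member->MemberGroup->AssignedChannels->pluck('channel_id');
         foreach ($sites as $site) {
             // Get only the channels they're allowed to post in. $assigned_channels has
             // to be captured with use(): without it the closure read an undefined
             // variable and only group 1 ever received a channel list.
             $field['allowed_channels'][$site->getId()] = $site->Channels->filter(function ($channel) use ($assigned_channels) {
                 return ee()->session->userdata('group_id') == 1
                     || (!empty($assigned_channels) && in_array($channel->getId(), $assigned_channels));
             })->getDictionary('channel_id', 'channel_title');
             // No channels? Let them know
             if (empty($field['allowed_channels'][$site->getId()])) {
                 $all_sites_have_channels = FALSE;
                 $field['allowed_channels'][$site->getId()][0] = lang('no_channels');
             }
         }
     } else {
         $allowed_channels = ee('Model')->get('Channel')->filter('site_id', ee()->config->item('site_id'));
         if (!empty(ee()->session->userdata['assigned_channels'])) {
             $allowed_channels->filter('channel_id', 'IN', array_keys(ee()->session->userdata['assigned_channels']));
         }
         $field['allowed_channels'] = $allowed_channels->all()->getDictionary('channel_id', 'channel_title');
         if (empty($field['allowed_channels'])) {
             $all_sites_have_channels = FALSE;
             $field['allowed_channels'][0] = lang('no_channels');
         }
         $site_id = ee()->config->item('site_id');
         $field['selected_channel'] = isset($this->member->cp_homepage_channel[$site_id]) ? $this->member->cp_homepage_channel[$site_id] : 0;
     }
     $field['member'] = $this->member;
     $field['all_sites_have_channels'] = $all_sites_have_channels;
     $vars['sections'] = array(
         array(
             array(
                 'title' => 'default_cp_homepage',
                 'desc' => 'default_cp_homepage_myaccount_desc',
                 'fields' => array(
                     'cp_homepage_custom' => array(
                         'type' => 'html',
                         'content' => ee('View')->make('account/cp_homepage_setting')->render($field),
                     ),
                 ),
             ),
         ),
     );
     $base_url = ee('CP/URL')->make($this->base_url);
     if (!empty($_POST)) {
         $validator = ee('Validation')->make();
         // Only apply the following rule when the posted cp_homepage type matches
         $validator->defineRule('whenTypeIs', function ($key, $value, $parameters, $rule) {
             $posted_type = isset($_POST['cp_homepage']) ? $_POST['cp_homepage'] : NULL;
             if ($posted_type != $parameters[0]) {
                 $rule->skip();
             }
             return TRUE;
         });
         $validator->defineRule('validateHomepageChannel', function () use ($all_sites_have_channels) {
             if (!$all_sites_have_channels) {
                 return 'must_have_channels';
             }
             return TRUE;
         });
         $validator->setRules(array(
             'cp_homepage' => 'whenTypeIs[publish_form]|validateHomepageChannel',
             'cp_homepage_custom' => 'whenTypeIs[custom]|required',
         ));
         $result = $validator->validate($_POST);
         if (AJAX_REQUEST) {
             // Per-field validation: respond with that field's error, if any
             $field_name = ee()->input->post('ee_fv_field');
             if ($result->hasErrors($field_name)) {
                 ee()->output->send_ajax_response(array('error' => $result->renderError($field_name)));
             } else {
                 ee()->output->send_ajax_response('success');
             }
         }
         if ($result->isValid()) {
             // Only set what we need to set to prevent POST fiddling; a key that was
             // not posted is stored as NULL rather than raising an undefined-index notice
             $this->member->set(array(
                 'cp_homepage' => isset($_POST['cp_homepage']) ? $_POST['cp_homepage'] : NULL,
                 'cp_homepage_channel' => isset($_POST['cp_homepage_channel']) ? $_POST['cp_homepage_channel'] : NULL,
                 'cp_homepage_custom' => isset($_POST['cp_homepage_custom']) ? $_POST['cp_homepage_custom'] : NULL,
             ))->save();
             ee('CP/Alert')->makeInline('shared-form')->asSuccess()->withTitle(lang('member_updated'))->addToBody(lang('member_updated_desc'))->defer();
             ee()->functions->redirect($base_url);
         } else {
             $vars['errors'] = $result;
             ee('CP/Alert')->makeInline('shared-form')->asIssue()->withTitle(lang('settings_save_error'))->addToBody(lang('settings_save_error_desc'))->now();
         }
     }
     ee()->javascript->output("\n\t\t\t\$(document).ready(function () {\n\n\t\t\t\t\$('input[type=\"radio\"]').click(function(){\n\t\t\t\t\t\$('label.child').toggleClass('chosen', \$(this).val() == 'publish_form');\n\t\t\t\t});\n\t\t\t});\n\t\t");
     ee()->view->base_url = $base_url;
     ee()->view->ajax_validate = TRUE;
     ee()->view->cp_page_title = lang('cp_settings');
     ee()->view->save_btn_text = 'btn_save_settings';
     ee()->view->save_btn_text_working = 'btn_saving';
     ee()->cp->render('settings/form', $vars);
 }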
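 /**
  * Authenticate
  *
  * Verifies $password against the stored hash of the single member row in
  * $member, then upgrades the stored hash when it is unsalted or was made
  * with an algorithm other than the preferred one.
  *
  * @access	private
  * @param CI_DB_result $member   Query result expected to hold exactly one member row
  * @param string       $password Plaintext password as submitted
  * @return Auth_result|false Auth_result on success; FALSE when the row count or the
  *                           password does not match. A disallowed group returns
  *                           whatever show_user_error() returns.
  */
 private function _authenticate(CI_DB_result $member, $password)
 {
     // Group 4 (pending, judging by allow_pending_login) may only log in when that setting is on
     $always_disallowed = bool_config_item('allow_pending_login') ? array() : array(4);
     if ($member->num_rows() !== 1) {
         return FALSE;
     }
     if (in_array((int) $member->row('group_id'), $always_disallowed, TRUE)) {
         return ee()->output->show_user_error('general', lang('mbr_account_not_active'));
     }
     $m_salt = $member->row('salt');
     $m_pass = $member->row('password');
     // hash using the algo used for this password (selected by the stored hash's length)
     $h_byte_size = strlen($m_pass);
     $hashed_pair = $this->hash_password($password, $m_salt, $h_byte_size);
     // Constant-time comparison so the position of a mismatch is not observable via timing
     if ($hashed_pair === FALSE || !hash_equals((string) $m_pass, (string) $hashed_pair['password'])) {
         return FALSE;
     }
     // Officially a valid user, but are they as secure as possible?
     // ----------------------------------------------------------------
     reset($this->hash_algos);
     // Not hashed or better algo available? (first key of hash_algos is the preferred length)
     if (!$m_salt || $h_byte_size != key($this->hash_algos)) {
         $m_id = $member->row('member_id');
         $this->update_password($m_id, $password);
     }
     $authed = new Auth_result($member->row());
     $member->free_result();
     return $authed;
 }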
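 /**
  * Renders the template revisions table for the Revisions tab
  *
  * @param TemplateModel $template   A Template entity
  * @param int|bool      $version_id ID of template version to mark as selected;
  *                                  FALSE selects the latest revision
  * @return string|bool Table HTML for insertion into Template edit form, or
  *                     FALSE when save_tmpl_revisions is off
  */
 protected function renderRevisionsPartial($template, $version_id = FALSE)
 {
     if (!bool_config_item('save_tmpl_revisions')) {
         return FALSE;
     }
     $table = ee('CP/Table');
     $table->setColumns(array('rev_id', 'rev_date', 'rev_author', 'manage' => array('encode' => FALSE)));
     $table->setNoResultsText(lang('no_revisions'));
     $data = array();
     // Hoisted out of the loop; the last row is the current revision
     $total = $template->Versions->count();
     $i = 1;
     foreach ($template->Versions as $version) {
         $attrs = array();
         $is_current = ($total == $i);
         // Last item should be marked as current
         if ($is_current) {
             $toolbar = '<span class="st-open">' . lang('current') . '</span>';
         } else {
             $toolbar = ee('View')->make('_shared/toolbar')->render(array(
                 'toolbar_items' => array(
                     'txt-only' => array(
                         'href' => ee('CP/URL', 'design/template/edit/' . $template->getId(), array('version' => $version->getId())),
                         'title' => lang('view'),
                         'content' => lang('view'),
                     ),
                 ),
             ));
         }
         // Mark currently-loaded version as selected: the requested one, else the current
         if ((!$version_id && $is_current) || $version_id == $version->getId()) {
             $attrs = array('class' => 'selected');
         }
         $data[] = array(
             'attrs' => $attrs,
             'columns' => array($i, ee()->localize->human_time($version->item_date), $version->Author->getMemberName(), $toolbar),
         );
         $i++;
     }
     $table->setData($data);
     return ee('View')->make('_shared/table')->render($table->viewData(''));
 }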
 /**
  * Write the session cookie
  *
  * Serialises $cookie_data (defaulting to $this->userdata) and either
  * encrypts it or appends md5(data . encryption_key) as a tamper check.
  * When cookie_secure is on but the request is not HTTPS the cookie is
  * skipped and FALSE is returned. setcookie() is called without the
  * httponly argument here.
  *
  * @access	public
  * @param	array|null	$cookie_data	data to store; NULL means $this->userdata
  * @return	void
  */
 function _set_cookie($cookie_data = NULL)
 {
     $payload = ($cookie_data === NULL) ? $this->userdata : $cookie_data;
     // Serialize the userdata for the cookie
     $payload = $this->_serialize($payload);
     if ($this->sess_encrypt_cookie == TRUE) {
         $payload = $this->CI->encrypt->encode($payload);
     } else {
         // Unencrypted: append a keyed md5 so user-side edits are detectable.
         // This is hash(data . key), not an HMAC; hash_hmac() would be the
         // stronger tag, but the reader's verification must change with it.
         $payload .= md5($payload . $this->encryption_key);
     }
     $expire = ($this->sess_expire_on_close === TRUE) ? 0 : time() + $this->sess_expiration;
     $secure_cookie = (bool_config_item('cookie_secure') === TRUE) ? 1 : 0;
     if ($secure_cookie) {
         // Refuse to send a secure-only cookie over plain HTTP
         $https = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : FALSE;
         if (!$https || $https == 'off') {
             return FALSE;
         }
     }
     // Set the cookie
     setcookie($this->sess_cookie_name, $payload, $expire, $this->cookie_path, $this->cookie_domain, $secure_cookie);
 }
 /**
  * Sets constants, sets paths contants to appropriate directories, loads
  * the database and generally prepares the system to run.
  */
 public function bootstrap()
 {
     if ($this->bootstrapped) {
         return;
     }
     $this->bootstrapped = TRUE;
     // Define the request type
     // Note: admin.php defines REQ=CP
     if (!defined('REQ')) {
         define('REQ', ee()->input->get_post('ACT') !== FALSE ? 'ACTION' : 'PAGE');
     }
     // Set a liberal script execution time limit, making it shorter for front-end requests than CI's default
     if (function_exists("set_time_limit") == TRUE and @ini_get("safe_mode") == 0) {
         @set_time_limit(REQ == 'CP' ? 300 : 90);
     }
     // If someone's trying to access the CP but EE_APPPATH is defined, it likely
     // means the installer is still active; redirect to clean path
     if (defined('EE_APPPATH') && ee()->uri->segment(1) == 'cp') {
         header('Location: ' . SELF);
     }
     // some path constants to simplify things
     define('PATH_ADDONS', SYSPATH . 'ee/EllisLab/Addons/');
     define('PATH_MOD', SYSPATH . 'ee/EllisLab/Addons/');
     define('PATH_PI', SYSPATH . 'ee/EllisLab/Addons/');
     define('PATH_EXT', SYSPATH . 'ee/EllisLab/Addons/');
     define('PATH_FT', SYSPATH . 'ee/EllisLab/Addons/');
     define('PATH_RTE', APPPATH . 'rte_tools/');
     define('PATH_THIRD', SYSPATH . 'user/addons/');
     define('PATH_CACHE', SYSPATH . 'user/cache/');
     define('PATH_TMPL', SYSPATH . 'user/templates/');
     // application constants
     define('IS_CORE', TRUE);
     define('APP_NAME', 'ExpressionEngine' . (IS_CORE ? ' Core' : ''));
     define('APP_BUILD', '20151201');
     define('APP_VER', '3.0.5');
     define('SLASH', '&#47;');
     define('LD', '{');
     define('RD', '}');
     define('AMP', '&amp;');
     define('NBS', '&nbsp;');
     define('BR', '<br />');
     define('NL', "\n");
     define('PATH_DICT', APPPATH . 'config/');
     define('AJAX_REQUEST', ee()->input->is_ajax_request());
     define('PASSWORD_MAX_LENGTH', 72);
     ee()->load->helper('language');
     ee()->load->helper('string');
     // Load the default caching driver
     ee()->load->driver('cache');
     ee()->load->database();
     ee()->db->swap_pre = 'exp_';
     ee()->db->db_debug = FALSE;
     // boot the addons
     ee('App')->setupAddons(SYSPATH . 'ee/EllisLab/Addons/');
     ee('App')->setupAddons(PATH_THIRD);
     // Set ->api on the legacy facade to the model factory
     ee()->set('api', ee()->di->make('Model'));
     // If debug is on we enable the profiler and DB debug
     if (DEBUG == 1 or ee()->config->item('debug') == 2) {
         $this->_enable_debugging();
     }
     // Assign Site prefs now that the DB is fully loaded
     if (ee()->config->item('site_name') != '') {
         ee()->config->set_item('site_name', preg_replace('/[^a-z0-9\\-\\_]/i', '', ee()->config->item('site_name')));
     }
     ee()->config->site_prefs(ee()->config->item('site_name'));
     // earliest point we can apply this, makes sure that PHPSESSID cookies
     // don't leak to JS by setting the httpOnly flag
     $secure = bool_config_item('cookie_secure');
     $httpOnly = ee()->config->item('cookie_httponly') ? bool_config_item('cookie_httponly') : TRUE;
     session_set_cookie_params(0, ee()->config->item('cookie_path'), ee()->config->item('cookie_domain'), $secure, $httpOnly);
     // this look backwards, but QUERY_MARKER is only used where we MUST
     // have a ?, and do not want to double up
     // question marks on sites who are forcing query strings
     define('QUERY_MARKER', ee()->config->item('force_query_string') == 'y' ? '' : '?');
     // Load the settings of the site you're logged into, however use the
     // cookie settings from the site that corresponds to the URL
     // e.g. site1.com/system/ viewing site2
     // $last_site_id = the site that you're viewing
     // config->item('site_id') = the site who's URL is being used
     $last_site_id = ee()->input->cookie('cp_last_site_id');
     if (REQ == 'CP' && ee()->config->item('multiple_sites_enabled') == 'y') {
         $cookie_prefix = ee()->config->item('cookie_prefix');
         $cookie_path = ee()->config->item('cookie_path');
         $cookie_domain = ee()->config->item('cookie_domain');
         $cookie_httponly = ee()->config->item('cookie_httponly');
         if ($cookie_prefix) {
             $cookie_prefix .= '_';
         }
         if (!empty($last_site_id) && is_numeric($last_site_id) && $last_site_id != ee()->config->item('site_id')) {
             ee()->config->site_prefs('', $last_site_id);
         }
         ee()->config->cp_cookie_prefix = $cookie_prefix;
         ee()->config->cp_cookie_path = $cookie_path;
         ee()->config->cp_cookie_domain = $cookie_domain;
         ee()->config->cp_cookie_httponly = $cookie_httponly;
     }
     // This allows CI compatibility
     if (ee()->config->item('base_url') == FALSE) {
         ee()->config->set_item('base_url', ee()->config->item('site_url'));
     }
     if (ee()->config->item('index_page') == FALSE) {
         ee()->config->set_item('index_page', ee()->config->item('site_index'));
     }
     if (IS_CORE) {
         ee()->config->set_item('enable_template_routes', 'n');
     }
     // Backwards compatibility for the removed secure forms setting.
     // Developers are still checking against this key, so we'll wait some
     // time before removing it.
     $secure_forms = bool_config_item('disable_csrf_protection') ? 'n' : 'y';
     ee()->config->set_item('secure_forms', $secure_forms);
     // Set the path to the "themes" folder
     if (ee()->config->item('theme_folder_path') !== FALSE && ee()->config->item('theme_folder_path') != '') {
         $theme_path = preg_replace("#/+#", "/", ee()->config->item('theme_folder_path') . '/');
     } else {
         $theme_path = substr(APPPATH, 0, -strlen(SYSDIR . '/expressionengine/')) . 'themes/';
         $theme_path = preg_replace("#/+#", "/", $theme_path);
     }
     // Maybe the site has been moved.
     // Let's try some basic autodiscovery if config items are set
     // But the directory does not exist.
     if (!is_dir($theme_path)) {
         if (is_dir(FCPATH . '../themes/')) {
             $theme_path = FCPATH . '../themes/';
         } elseif (is_dir(FCPATH . 'themes/')) {
             $theme_path = FCPATH . 'themes/';
         }
     }
     $theme_url = ee()->config->slash_item('theme_folder_url');
     define('PATH_THEMES', $theme_path . 'ee/');
     define('URL_THEMES', $theme_url . 'ee/');
     define('PATH_THEMES_GLOBAL_ASSET', PATH_THEMES . 'asset/');
     define('URL_THEMES_GLOBAL_ASSET', URL_THEMES . 'asset/');
     define('PATH_THIRD_THEMES', $theme_path . 'user/');
     define('URL_THIRD_THEMES', $theme_url . 'user/');
     define('PATH_MBR_THEMES', PATH_THEMES . 'member/');
     define('PATH_CP_GBL_IMG', URL_THEMES_GLOBAL_ASSET . 'img/');
     unset($theme_path);
     // Load the very, very base classes
     ee()->load->library('functions');
     ee()->load->library('extensions');
     if (extension_loaded('newrelic')) {
         ee()->load->library('newrelic');
         if (ee()->config->item('use_newrelic') == 'n') {
             ee()->newrelic->disable_autorum();
         } else {
             ee()->newrelic->set_appname();
             ee()->newrelic->name_transaction();
         }
     }
 }
 /**
  * Stores the current template_data as a RevisionTracker entry and trims the
  * template's revision list to the 'max_tmpl_revisions' config item.
  *
  * Does nothing when the 'save_tmpl_revisions' config item is off.
  *
  * @param	Template	$template	Template model that has already been saved
  * @return	void
  */
 protected function saveNewTemplateRevision($template)
 {
     if (!bool_config_item('save_tmpl_revisions')) {
         return;
     }
     // Snapshot the saved template_data as a fresh revision
     $revision = ee('Model')->make('RevisionTracker');
     $revision->Template = $template;
     $revision->item_table = 'exp_templates';
     $revision->item_field = 'template_data';
     $revision->item_data = $template->template_data;
     $revision->item_date = ee()->localize->now;
     $revision->Author = $template->LastAuthor;
     $revision->save();
     // Select only the newest 'max_tmpl_revisions' entries for this template.
     // NOTE(review): if that config item is unset, item() hands FALSE to
     // limit() — confirm the query builder treats that as "no limit".
     $newest = ee('Model')->get('RevisionTracker');
     $newest = $newest->filter('item_id', $template->getId());
     $newest = $newest->filter('item_field', 'template_data');
     $newest = $newest->order('item_date', 'desc');
     $newest = $newest->limit(ee()->config->item('max_tmpl_revisions'));
     // Re-assign the relationship; saving is expected to drop the leftovers
     $template->Versions = $newest->all();
     $template->save();
 }
		&mdash; <i><?php 
    echo lang('choose_channels_per_site');
    ?>
</i>
	<?php 
} else {
    ?>
		<?php 
    echo form_dropdown('cp_homepage_channel[' . ee()->config->item('site_id') . ']', $allowed_channels, $selected_channel);
    ?>
	<?php 
}
?>
</label>
<?php 
if (bool_config_item('multiple_sites_enabled')) {
    ?>
	<?php 
    foreach ($allowed_channels as $site_id => $channels) {
        ?>
		<label class="choice block child<?php 
        if ($member->cp_homepage == 'publish_form') {
            ?>
 chosen<?php 
        }
        ?>
">
			<?php 
        echo $sites[$site_id];
        ?>
 &mdash;
 /**
  * Resolve the session cookie lifetime.
  *
  * A lifetime of 0 yields a browser-session cookie, which is what the
  * 'expire_session_on_browser_close' config item asks for; otherwise the
  * configured session length is used.
  *
  * @return 	int Cookie lifetime in seconds (0 = until the browser closes)
  */
 protected function _setup_cookie_ttl()
 {
     $expire_on_close = bool_config_item('expire_session_on_browser_close');
     return $expire_on_close ? 0 : $this->session_length;
 }
 /**
  * Set a Cookie
  *
  * Protected method called from EE_Input::set_cookie() and
  * EE_Input::delete_cookie(). Resolves prefix, path, domain and the
  * HttpOnly/Secure flags from config, calls the 'set_cookie_end' hook and
  * then sets the cookie.
  *
  * Must receive name, value, and expire in the parameter array or
  * will throw an exception.
  *
  * @param	mixed[]	$data	Array with 'name', 'value' and 'expire' keys (all
  * 						required). 'prefix', 'path', 'domain', 'httponly'
  * 						and 'secure_cookie' are filled in here from config,
  * 						overwriting any caller-supplied values.
  * @return	bool|null	FALSE when a Secure cookie is requested but the
  * 						request is not HTTPS, or when output already started
  * 						before the header could be sent; TRUE otherwise.
  * 						NULL when the 'set_cookie_end' hook ends the script
  * 						(the hook is then responsible for the cookie). None
  * 						of these indicate whether the user accepts the cookie.
  * @throws	RuntimeException	when name, value or expire is missing
  */
 protected function _set_cookie(array $data)
 {
     // Always assume we'll forget and catch ourselves.  The earlier you catch this sort of screw up the better.
     if (!isset($data['name']) || !isset($data['value']) || !isset($data['expire'])) {
         throw new RuntimeException('EE_Input::_set_cookie() is missing key data.');
     }
     // Set prefix, path and domain. We'll pull em out of config.
     // In the CP with MSM enabled the cp_cookie_* values are used as-is
     // (cp_cookie_prefix is taken to already carry its trailing underscore);
     // otherwise the site-level items are used and the underscore is appended
     // here. Empty/unset values fall back to 'exp_', '/', '' and HttpOnly on.
     if (REQ == 'CP' && ee()->config->item('multiple_sites_enabled') == 'y') {
         $data['prefix'] = !ee()->config->cp_cookie_prefix ? 'exp_' : ee()->config->cp_cookie_prefix;
         $data['path'] = !ee()->config->cp_cookie_path ? '/' : ee()->config->cp_cookie_path;
         $data['domain'] = !ee()->config->cp_cookie_domain ? '' : ee()->config->cp_cookie_domain;
         $data['httponly'] = !ee()->config->cp_cookie_httponly ? 'y' : ee()->config->cp_cookie_httponly;
     } else {
         $data['prefix'] = !ee()->config->item('cookie_prefix') ? 'exp_' : ee()->config->item('cookie_prefix') . '_';
         $data['path'] = !ee()->config->item('cookie_path') ? '/' : ee()->config->item('cookie_path');
         $data['domain'] = !ee()->config->item('cookie_domain') ? '' : ee()->config->item('cookie_domain');
         $data['httponly'] = !ee()->config->item('cookie_httponly') ? 'y' : ee()->config->item('cookie_httponly');
     }
     //  Turn httponly into a true boolean.
     //  NOTE(review): the loose == also accepts a boolean TRUE from config as
     //  'y'; anything else (e.g. 'n') turns HttpOnly off — confirm intended.
     $data['httponly'] = $data['httponly'] == 'y' ? TRUE : FALSE;
     // Deal with secure cookies. When 'cookie_secure' is on, refuse to send
     // the cookie at all over a non-HTTPS request rather than silently drop
     // the Secure flag. Detection relies solely on $_SERVER['HTTPS'], which a
     // TLS-terminating proxy may not populate — TODO confirm for this deployment.
     $data['secure_cookie'] = bool_config_item('cookie_secure') === TRUE ? 1 : 0;
     if ($data['secure_cookie']) {
         $req = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : FALSE;
         if (!$req or $req == 'off') {
             return FALSE;
         }
     }
     /* -------------------------------------------
     /* 'set_cookie_end' hook.
     /*  - Take control of Cookie setting routine
     /*  - Added EE 2.5.0
     /*  - Receives the fully resolved $data; if the extension sets
     /*    end_script, this method returns NULL without calling setcookie().
     */
     ee()->extensions->call('set_cookie_end', $data);
     if (ee()->extensions->end_script === TRUE) {
         return;
     }
     /*
     /* -------------------------------------------*/
     // The positional 7-argument setcookie() form has no SameSite parameter,
     // so the cookie is sent without a SameSite attribute.
     return setcookie($data['prefix'] . $data['name'], $data['value'], $data['expire'], $data['path'], $data['domain'], $data['secure_cookie'], $data['httponly']);
 }
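 /**
  * Check the CSRF token for this request
  *
  * Requests pass without a token when CSRF protection is disabled by config,
  * or when the HTTP method is one of the RFC 2616 "safe" methods (GET, HEAD,
  * OPTIONS, TRACE), which must not change state. Every other request must
  * carry a request token identical to the session token.
  *
  * @return bool TRUE for a valid or exempt request, FALSE for an invalid one
  */
 public function check()
 {
     // If secure forms is off we don't need to check
     if (bool_config_item('disable_csrf_protection')) {
         return TRUE;
     }
     // Exempt safe html methods (@see RFC2616). The strict flag matters: a
     // loose in_array() would let a FALSE (missing REQUEST_METHOD, if the input
     // class reports it that way) match 'GET' and skip the check entirely.
     $safe = array('GET', 'HEAD', 'OPTIONS', 'TRACE');
     if (in_array(ee()->input->server('REQUEST_METHOD'), $safe, TRUE)) {
         return TRUE;
     }
     // Fetch data, these methods enforce token time limits
     $this->fetch_session_token();
     $this->fetch_request_token();
     // Only string tokens are comparable; two missing (non-string) tokens are
     // a failed check, never an accidental match.
     if (!is_string($this->request_token) || !is_string($this->session_token)) {
         return FALSE;
     }
     // Main check. Prefer a constant-time comparison so the result does not
     // leak how much of the session token matched; fall back to === where
     // hash_equals() (PHP 5.6+) is unavailable.
     if (function_exists('hash_equals')) {
         return hash_equals($this->session_token, $this->request_token);
     }
     return $this->request_token === $this->session_token;
 }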
 /**
  * Build a full site URL from a path segment
  *
  * The segment is normalised (quotes stripped, a trailing "index" path
  * element removed), a few special names are mapped to fixed destinations,
  * and the remainder is appended to the site index URL. Results are memoised
  * per input segment. The method can also serve as a preg_replace_callback()
  * callback, in which case the first capture group is taken as the segment.
  *
  * @access	public
  * @param	string|array	$segment	Path segment, or a regex match array
  * @param	bool		$sess_id	Passed through to fetch_site_index()
  * @return	string
  */
 public function create_url($segment, $sess_id = TRUE)
 {
     // Callback form: the match array's first group is the segment
     if (is_array($segment)) {
         $segment = $segment[1];
     }
     if (isset($this->cached_url[$segment])) {
         return $this->cached_url[$segment];
     }
     $cache_key = $segment;
     // Normalise: drop quotes, then strip a trailing "index" path element
     $clean = str_replace(array("'", '"'), '', $segment);
     $clean = preg_replace("/(.+?(\\/))index(\\/)(.*?)/", "\\1\\2", $clean);
     $clean = preg_replace("/(.+?(\\/))index\$/", "\\1", $clean);
     $lowered = strtolower($clean);
     // Special destinations that bypass the normal path rules
     if ($clean == '' or $lowered == 'site_index') {
         return $this->fetch_site_index();
     }
     if ($lowered == 'logout') {
         $marker = ee()->config->item('force_query_string') == 'y' ? '' : '?';
         $token = bool_config_item('disable_csrf_protection') ? '' : AMP . 'csrf_token=' . CSRF_TOKEN;
         $index = $this->fetch_site_index(0, 0);
         $logout_act = $this->fetch_action_id('Member', 'member_logout');
         return $index . $marker . 'ACT=' . $logout_act . $token;
     }
     // Normal case: site index + trimmed segment, collapsing any double slashes
     $joined = $this->fetch_site_index(0, $sess_id) . '/' . trim_slashes($clean);
     $url = reduce_double_slashes($joined);
     $this->cached_url[$cache_key] = $url;
     return $url;
 }
 /**
  * Decide whether a CAPTCHA must be shown to the current visitor
  *
  * A CAPTCHA is required only when the 'require_captcha' config item is on.
  * It is then always required for guests; logged-in members are exempt
  * unless 'captcha_require_members' is also on.
  *
  * @return	boolean
  */
 public function shouldRequireCaptcha()
 {
     if (!bool_config_item('require_captcha')) {
         return FALSE;
     }
     if (bool_config_item('captcha_require_members')) {
         return TRUE;
     }
     // Members are exempt; a member_id of 0 identifies a guest
     return ee()->session->userdata('member_id') == 0;
 }