// Work out which request string identifies the archive page being viewed.
// With SLASH_METHOD the path form is used (REQUEST_URI, falling back to
// PHP_SELF); otherwise the archive parameters travel in the query string.
// NOTE(review): every one of these values is supplied by the client and is
// not sanitised here — confirm the consumer of $archive_info validates it.
if (SLASH_METHOD)
{
	$archive_info = $_SERVER['REQUEST_URI'] ? $_SERVER['REQUEST_URI'] : $_SERVER['PHP_SELF'];
}
else
{
	$archive_info = $_SERVER['QUERY_STRING'];
}

// Suffix appended to archive links so the session hash is carried in the URL
// when the session is "visible" (not cookie-backed); empty otherwise. The
// separator depends on whether the links already carry a query string.
if ($vbulletin->session->visible)
{
	if (SLASH_METHOD)
	{
		define('ARCHIVE_SESSION_URL', '?s=' . $vbulletin->session->vars['sessionhash']);
	}
	else
	{
		define('ARCHIVE_SESSION_URL', '&s=' . $vbulletin->session->vars['sessionhash']);
	}
}
else
{
	define('ARCHIVE_SESSION_URL', '');
}

// check to see if server is too busy. this is checked at the end of session.php
// Precedence reminder: 'and' binds tighter than 'or', so this reads as
// (server overloaded AND user not in usergroup 6) OR (archive disabled).
// usergroupid 6 is a hard-coded group id here — presumably the administrator
// group; verify against the usergroup table before relying on it.
if (server_overloaded() and $vbulletin->userinfo['usergroupid'] != 6 or $vbulletin->options['archiveenabled'] == 0)
{
	exec_header_redirect(fetch_seo_url('forumhome|bburl', array()));
}

// #############################################################################
// ### CACHE PERMISSIONS AND GRAB $permissions
// get the combined permissions for the current user
// this also creates the $fpermscache containing the user's forum permissions
$permissions = cache_permissions($vbulletin->userinfo);
// Bound by reference so later changes to $permissions are seen through userinfo.
$vbulletin->userinfo['permissions'] =& $permissions;

// #############################################################################
// check that board is active - if not admin, then display error
// Reads as: (board closed AND no control-panel permission) OR (no view
// permission). Either way the visitor is sent back to the forum home rather
// than shown the archive.
if (!$vbulletin->options['bbactive'] and !($permissions['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']) or !($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview']))
{
	exec_header_redirect(fetch_seo_url('forumhome|bburl', array()));
}

// if password is expired, deny access
// (the body of this check continues beyond this excerpt)
if ($vbulletin->userinfo['userid'] and $permissions['passwordexpires'])
{
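/**
 * Checks the state of the request to make sure that it's valid and that
 * we have the necessary permissions to continue. Checks things like
 * CSRF and banning.
 *
 * Every check below either passes silently or terminates the request
 * (standard_error(), print_no_permission() or exit), so the order is
 * significant: a CSRF failure is reported before anything else and the
 * IP-ban check runs last.
 *
 * Reads the globals $vbulletin, $show and $VB_API_REQUESTS and the
 * THIS_SCRIPT, TIMENOW, COOKIE_PREFIX and DIR constants, all of which are
 * expected to be defined before this method runs. Returns nothing.
 */
public function check_state()
{
	global $vbulletin, $show, $VB_API_REQUESTS;

	// Read the request action once, without raising undefined-index notices
	// when it is absent. An absent value is null, which compares unequal to
	// every action name exactly as the direct reads did.
	$request_do = isset($_REQUEST['do']) ? $_REQUEST['do'] : null;
	$post_do = isset($_POST['do']) ? $_POST['do'] : null;

	// #############################################################################
	// CSRF token verification failed earlier (CSRF_ERROR carries the reason).
	// Report the specific failure and stop processing the request.
	if (defined('CSRF_ERROR'))
	{
		define('VB_ERROR_LITE', true);
		$ajaxerror = !empty($vbulletin->GPC['ajax']) ? '_ajax' : '';

		switch (CSRF_ERROR)
		{
			case 'missing':
				standard_error(fetch_error('security_token_missing', $vbulletin->options['contactuslink']));
				break;
			case 'guest':
				standard_error(fetch_error('security_token_guest' . $ajaxerror));
				break;
			case 'timeout':
				standard_error(fetch_error('security_token_timeout' . $ajaxerror, $vbulletin->options['contactuslink']));
				break;
			case 'invalid':
			default:
				standard_error(fetch_error('security_token_invalid', $vbulletin->options['contactuslink']));
		}
		exit;
	}
	else if (defined('VB_ERROR_LITE') and VB_ERROR_LITE === true)
	{
		standard_error(VB_ERROR_LITE_ERROR);
	}

	// #############################################################################
	// check to see if server is too busy. this is checked at the end of session.php
	// Users with control-panel access are exempt, and the login script is
	// always allowed through so an administrator can still sign in.
	if (server_overloaded() and !($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']) and THIS_SCRIPT != 'login')
	{
		$vbulletin->options['useforumjump'] = 0;
		standard_error(fetch_error('toobusy'));
	}

	// #############################################################################
	// phpinfo display for support purposes
	// Gated behind the 'allowphpinfo' option and never available in demo mode,
	// because phpinfo() discloses the server configuration.
	if (!empty($request_do) and $request_do == 'phpinfo')
	{
		if ($vbulletin->options['allowphpinfo'] and !is_demo_mode())
		{
			phpinfo();
			exit;
		}
		else
		{
			standard_error(fetch_error('admin_disabled_php_info'));
		}
	}

	// #############################################################################
	// check that board is active - if not admin, then display error
	if (!defined('BYPASS_FORUM_DISABLED') and !$vbulletin->options['bbactive'] and !in_array(THIS_SCRIPT, array('login', 'css', 'mobile')) and !($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']))
	{
		if (defined('DIE_QUIETLY'))
		{
			exit;
		}

		if (defined('VB_API') and VB_API === true)
		{
			standard_error(fetch_error('bbclosed', $vbulletin->options['bbclosedreason']));
		}
		else
		{
			// If this is a post submission from an admin whose session timed out, give them a chance to log back in and save what they were working on. See bug #34258
			if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST' and !empty($_POST) and !$vbulletin->userinfo['userid'] and !empty($_COOKIE[COOKIE_PREFIX . 'cpsession']))
			{
				define('VB_ERROR_PERMISSION', true);
			}

			unset($vbulletin->db->shutdownqueries['lastvisit']);
			require_once DIR . '/includes/functions_misc.php';

			// If CMS, just flag as closed for now.
			if (defined('CMS_SCRIPT') and CMS_SCRIPT == true)
			{
				define('BB_CLOSED', true);
			}
			else
			{
				// SECURITY NOTE: the closed-board reason is an admin-configured
				// option that is evaluated as PHP inside a double-quoted string,
				// presumably so variable interpolation in the configured text
				// works. Anyone able to edit that option can therefore run code
				// here. Retained for compatibility; flagged rather than replaced.
				eval('standard_error("' . make_string_interpolation_safe(str_replace("\\'", "'", addslashes($vbulletin->options['bbclosedreason']))) . '");');
			}
		}
	}

	// #############################################################################
	// password expiry system
	if ($vbulletin->userinfo['userid'] and $vbulletin->userinfo['permissions']['passwordexpires'])
	{
		$passworddaysold = floor((TIMENOW - $vbulletin->userinfo['passworddate']) / 86400);
		if ($passworddaysold >= $vbulletin->userinfo['permissions']['passwordexpires'])
		{
			// Block everything except the pages needed to set a new password:
			// login, the profile password editor, and the ajax actions that
			// form depends on. The parentheses spell out the and/or precedence
			// the original condition relied on.
			if (
				(THIS_SCRIPT != 'login' and THIS_SCRIPT != 'profile' and THIS_SCRIPT != 'ajax')
				or (THIS_SCRIPT == 'profile' and $request_do != 'editpassword' and $post_do != 'updatepassword')
				or (THIS_SCRIPT == 'ajax' and $request_do != 'imagereg' and $request_do != 'securitytoken' and $request_do != 'dismissnotice')
			)
			{
				standard_error(fetch_error('passwordexpired', $passworddaysold, $vbulletin->session->vars['sessionurl']));
			}
			else
			{
				$show['passwordexpired'] = true;
			}
		}
	}
	else
	{
		$show['passwordexpired'] = false;
	}

	// #############################################################################
	// password same as username?
	if (!defined('ALLOW_SAME_USERNAME_PASSWORD') and $vbulletin->userinfo['userid'])
	{
		// save the resource on md5'ing if the option is not enabled or guest
		// Strict comparison: both sides are hex digest strings, and a loose ==
		// would compare digests of the form "0e<digits>" as equal numbers.
		if ($vbulletin->userinfo['password'] === md5(md5($vbulletin->userinfo['username']) . $vbulletin->userinfo['salt']))
		{
			if ((THIS_SCRIPT != 'login' and THIS_SCRIPT != 'profile') or (THIS_SCRIPT == 'profile' and $request_do != 'editpassword' and $post_do != 'updatepassword'))
			{
				standard_error(fetch_error('username_same_as_password', $vbulletin->session->vars['sessionurl']));
			}
		}
	}

	// #############################################################################
	// check required profile fields
	if ($vbulletin->session->vars['profileupdate'] and THIS_SCRIPT != 'login' and THIS_SCRIPT != 'profile' and !VB_API)
	{
		$vbulletin->options['useforumjump'] = 0;
		standard_error(fetch_error('updateprofilefields', $vbulletin->session->vars['sessionurl']));
	}

	// #############################################################################
	// check permission to view forum
	if (!$this->has_global_view_permission())
	{
		if (defined('DIE_QUIETLY'))
		{
			exit;
		}
		else
		{
			print_no_permission();
		}
	}

	// #############################################################################
	// check for IP ban on user
	verify_ip_ban();

	// Plugin hook point; runs last so plugins see the fully checked state.
	($hook = vBulletinHook::fetch_hook('global_state_check')) ? eval($hook) : false;
}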