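/**
 * Checks the state of the request to make sure that it's valid and that
 * we have the necessary permissions to continue. Checks things like
 * CSRF and banning.
 *
 * The checks form a chain of gates, evaluated in this order: CSRF token
 * state, server overload, board closed, password expiry, outstanding
 * required profile fields, global view permission, IP ban. A gate that
 * fails hands the request to standard_error() / print_no_permission() or
 * calls exit; a request that reaches the end of the method passed every gate.
 *
 * Reads: $vbulletin (options, userinfo, GPC, db, bf_ugp_adminpermissions),
 * THIS_SCRIPT, TIMENOW, COOKIE_PREFIX, DIR and the CSRF_ERROR /
 * BYPASS_FORUM_DISABLED / DIE_QUIETLY / VB_API constants, plus
 * $_SERVER, $_REQUEST, $_POST and $_COOKIE.
 * Writes: $show['enableforumjump'], $show['passwordexpired']; may define
 * VB_ERROR_LITE and VB_ERROR_PERMISSION; may drop the queued 'lastvisit'
 * shutdown query.
 *
 * @return void
 */
public function check_state()
{
	global $vbulletin, $show, $VB_API_REQUESTS;

	// Request-scoped values read more than once below. Guarding with isset()
	// avoids undefined-index notices on requests that carry no 'do' action
	// (or no REQUEST_METHOD, e.g. CLI); every comparison below behaves the same
	// for '' as it did for an undefined index.
	$requestDo = isset($_REQUEST['do']) ? $_REQUEST['do'] : '';
	$postDo = isset($_POST['do']) ? $_POST['do'] : '';
	$requestMethod = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
	// control-panel admins are exempt from the overload and board-closed gates
	$isControlPanelAdmin = (bool) ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']);

	// #############################################################################
	// CSRF token failure. CSRF_ERROR is classified upstream (not in this block)
	// as missing / guest / timeout / invalid; report it and end the request.
	if (defined('CSRF_ERROR'))
	{
		define('VB_ERROR_LITE', true);
		// ajax requests select the '_ajax' variant of the guest/timeout phrases
		$ajaxSuffix = $vbulletin->GPC['ajax'] ? '_ajax' : '';
		switch (CSRF_ERROR)
		{
			case 'missing':
				standard_error(fetch_error('security_token_missing'));
				break;
			case 'guest':
				standard_error(fetch_error('security_token_guest' . $ajaxSuffix));
				break;
			case 'timeout':
				standard_error(fetch_error('security_token_timeout' . $ajaxSuffix));
				break;
			case 'invalid':
			default:
				standard_error(fetch_error('security_token_invalid'));
		}
		// a request with a failed token must never continue, whatever standard_error() does
		exit;
	}

	// #############################################################################
	// check to see if server is too busy. this is checked at the end of session.php
	// control-panel admins and the login script are let through.
	if ($this->server_overloaded() && !$isControlPanelAdmin && THIS_SCRIPT !== 'login')
	{
		standard_error(fetch_error('toobusy'));
	}

	// #############################################################################
	// check that board is active - if not admin, then display error
	if (!defined('BYPASS_FORUM_DISABLED')
		&& !$vbulletin->options['bbactive']
		&& !in_array(THIS_SCRIPT, array('login', 'css'), true)
		&& !$isControlPanelAdmin)
	{
		if (defined('DIE_QUIETLY'))
		{
			exit;
		}

		if (defined('VB_API') && VB_API === true)
		{
			standard_error(fetch_error('bbclosed', $vbulletin->options['bbclosedreason']));
		}
		else
		{
			// If this is a post submission from an admin whose session timed out, give them
			// a chance to log back in and save what they were working on. See bug #34258
			if (strtoupper($requestMethod) === 'POST'
				&& !empty($_POST)
				&& !$vbulletin->userinfo['userid']
				&& !empty($_COOKIE[COOKIE_PREFIX . 'cpsession']))
			{
				define('VB_ERROR_PERMISSION', true);
			}

			$show['enableforumjump'] = true;
			// drop the queued lastvisit update from both the legacy db queue and the
			// assertor (presumably so a hit on the closed board is not recorded as a visit)
			unset($vbulletin->db->shutdownqueries['lastvisit']);
			vB::getDbAssertor()->unregisterShutdownQuery('lastvisit');

			require_once DIR . '/includes/functions_misc.php';
			// SECURITY NOTE(review): eval() on the stored 'bbclosedreason' option.
			// addslashes() neutralises quotes and backslashes (the "\'" -> "'" replace
			// only undoes an escape that double quotes would otherwise keep), and
			// make_string_interpolation_safe() is relied on to neutralise "$" / "{$"
			// interpolation; its exact escaping is not visible in this file. The
			// remaining exposure is a write to the option itself (admin account or
			// database). If interpolating the reason text is not actually required,
			// a direct standard_error($vbulletin->options['bbclosedreason']) call
			// would remove the eval entirely; kept as-is here because that helper's
			// behaviour cannot be confirmed from this file.
			eval('standard_error("' . make_string_interpolation_safe(str_replace("\\'", "'", addslashes($vbulletin->options['bbclosedreason']))) . '");');
		}
	}

	// #############################################################################
	// password expiry system: once a password is older than the group's
	// 'passwordexpires' limit (in days), everything except login, the
	// change-password flow and three ajax actions is blocked.
	// Explicit default: previously the flag stayed unset when a limit was configured
	// but not yet reached, so readers saw a missing index instead of false.
	$show['passwordexpired'] = false;
	if ($vbulletin->userinfo['userid'] && $vbulletin->userinfo['permissions']['passwordexpires'])
	{
		$passwordAgeDays = floor((TIMENOW - $vbulletin->userinfo['passworddate']) / 86400);
		if ($passwordAgeDays >= $vbulletin->userinfo['permissions']['passwordexpires'])
		{
			// the user is allowed to reach the password-change form and its submit
			$isPasswordChangeRequest = THIS_SCRIPT === 'profile'
				&& ($requestDo === 'editpassword' || $postDo === 'updatepassword');
			// ajax helpers that the password-change form itself depends on
			$isExemptAjaxAction = THIS_SCRIPT === 'ajax'
				&& in_array($requestDo, array('imagereg', 'securitytoken', 'dismissnotice'), true);

			if (THIS_SCRIPT !== 'login' && !$isPasswordChangeRequest && !$isExemptAjaxAction)
			{
				standard_error(fetch_error('passwordexpired', $passwordAgeDays, vB::getCurrentSession()->get('sessionurl')));
			}
			else
			{
				$show['passwordexpired'] = true;
			}
		}
	}

	// #############################################################################
	// check required profile fields: the session's 'profileupdate' flag blocks
	// everything but login/profile; API requests and administrators are exempt.
	if (vB::getCurrentSession()->get('profileupdate')
		&& THIS_SCRIPT !== 'login'
		&& THIS_SCRIPT !== 'profile'
		&& !VB_API
		&& !vB::getUserContext()->isAdministrator())
	{
		standard_error(fetch_error('updateprofilefields', vB::getCurrentSession()->get('sessionurl')));
	}

	// #############################################################################
	// check permission to view forum
	if (!$this->has_global_view_permission())
	{
		if (defined('DIE_QUIETLY'))
		{
			exit;
		}
		else
		{
			print_no_permission();
		}
	}

	// #############################################################################
	// check for IP ban on user (last gate; verify_ip_ban() handles the rejection itself)
	verify_ip_ban();

	// Legacy Hook 'global_state_check' Removed //
}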
{ exec_header_redirect($vbulletin->options['bburl'] . '/' . $vbulletin->options['forumhome'] . '.php' . $vbulletin->session->vars['sessionurl_q']); } // if password is expired, deny access if ($vbulletin->userinfo['userid'] AND $permissions['passwordexpires']) { $passworddaysold = floor((TIMENOW - $vbulletin->userinfo['passworddate']) / 86400); if ($passworddaysold >= $permissions['passwordexpires']) { exec_header_redirect($vbulletin->options['bburl'] . '/' . $vbulletin->options['forumhome'] . '.php' . $vbulletin->session->vars['sessionurl_q']); } } verify_ip_ban(); $cache_templates = array('ad_archive_above_content1', 'ad_archive_above_content2', 'ad_archive_below_content'); ($hook = vBulletinHook::fetch_hook('archive_global')) ? eval($hook) : false; cache_templates($cache_templates, $style['templatelist']); unset($cache_templates); // ######################################################################################### // ###################### ARCHIVE FUNCTIONS ################################################ // function to list forums in their correct order and nesting function print_archive_forum_list($parentid = -1, $indent = '') { global $vbulletin;
/**
 * Checks the state of the request to make sure that it's valid and that
 * we have the necessary permissions to continue. Checks things like
 * CSRF and banning.
 *
 * Gates are evaluated in this order: CSRF token state, server overload,
 * phpinfo request, board closed, password expiry, password equal to
 * username, outstanding required profile fields, global view permission,
 * IP ban, then the 'global_state_check' plugin hook. A failing gate hands
 * the request to standard_error() / print_no_permission() or calls exit.
 *
 * Reads: $vbulletin (options, userinfo, GPC, db, session, bf_ugp_adminpermissions),
 * THIS_SCRIPT, TIMENOW, COOKIE_PREFIX, DIR and the CSRF_ERROR /
 * BYPASS_FORUM_DISABLED / DIE_QUIETLY / ALLOW_SAME_USERNAME_PASSWORD
 * constants, plus $_SERVER, $_REQUEST, $_POST and $_COOKIE.
 * Writes: $show['enableforumjump'], $show['passwordexpired'],
 * $vbulletin->options['useforumjump']; may define VB_ERROR_LITE and
 * VB_ERROR_PERMISSION; may drop the queued 'lastvisit' shutdown query.
 *
 * @return void
 */
public function check_state()
{
	global $vbulletin, $show;

	// CSRF token failure. CSRF_ERROR is classified upstream (not in this block)
	// as missing / guest / timeout / invalid; report it and end the request.
	if (defined('CSRF_ERROR'))
	{
		define('VB_ERROR_LITE', true);
		// ajax requests select the '_ajax' variant of the guest/timeout phrases
		$ajaxerror = $vbulletin->GPC['ajax'] ? '_ajax' : '';
		switch (CSRF_ERROR)
		{
			case 'missing':
				standard_error(fetch_error('security_token_missing', $vbulletin->options['contactuslink']));
				break;
			case 'guest':
				standard_error(fetch_error('security_token_guest' . $ajaxerror));
				break;
			case 'timeout':
				standard_error(fetch_error('security_token_timeout' . $ajaxerror, $vbulletin->options['contactuslink']));
				break;
			case 'invalid':
			default:
				standard_error(fetch_error('security_token_invalid', $vbulletin->options['contactuslink']));
		}
		// a request with a failed token must never continue, whatever standard_error() does
		exit;
	}

	// #############################################################################
	// check to see if server is too busy. this is checked at the end of session.php
	// control-panel admins and the login script are let through.
	if ($this->server_overloaded() AND !($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']) AND THIS_SCRIPT != 'login')
	{
		// presumably hides the forum-jump menu on the error page
		$vbulletin->options['useforumjump'] = 0;
		standard_error(fetch_error('toobusy'));
	}

	// #############################################################################
	// phpinfo display for support purposes
	// phpinfo() discloses the full server configuration (paths, extensions,
	// environment). Access is gated only on the 'allowphpinfo' option and
	// is_demo_mode(); NOTE(review): no per-user permission check is applied
	// here, so this relies on the option being left off outside support sessions.
	if (!empty($_REQUEST['do']) AND $_REQUEST['do'] == 'phpinfo')
	{
		if ($vbulletin->options['allowphpinfo'] AND !is_demo_mode())
		{
			phpinfo();
			exit;
		}
		else
		{
			standard_error(fetch_error('admin_disabled_php_info'));
		}
	}

	// #############################################################################
	// check that board is active - if not admin, then display error
	// login and css keep working on a closed board; control-panel admins are exempt.
	if (
		!defined('BYPASS_FORUM_DISABLED')
		AND !$vbulletin->options['bbactive']
		AND !in_array(THIS_SCRIPT, array('login', 'css'))
		AND !($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel'])
	)
	{
		if (defined('DIE_QUIETLY'))
		{
			exit;
		}

		// If this is a post submission from an admin whose session timed out, give them
		// a chance to log back in and save what they were working on. See bug #34258
		if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST' AND !empty($_POST) AND !$vbulletin->userinfo['userid'] AND !empty($_COOKIE[COOKIE_PREFIX . 'cpsession']))
		{
			define('VB_ERROR_PERMISSION', true);
		}

		$show['enableforumjump'] = true;
		// drop the queued lastvisit update (presumably so a hit on the closed
		// board is not recorded as a visit)
		unset($vbulletin->db->shutdownqueries['lastvisit']);
		require_once(DIR . '/includes/functions_misc.php');
		// SECURITY NOTE(review): eval() on the stored 'bbclosedreason' option.
		// addslashes() neutralises quotes and backslashes (the "\'" -> "'" replace
		// only undoes an escape that double quotes would otherwise keep), and
		// make_string_interpolation_safe() is relied on to neutralise "$" / "{$"
		// interpolation; its exact escaping is not visible in this file. The
		// remaining exposure is a write to the option itself (admin account or
		// database). If interpolating the reason text is not required, a direct
		// standard_error($vbulletin->options['bbclosedreason']) call would remove
		// the eval entirely.
		eval('standard_error("' . make_string_interpolation_safe(str_replace("\\'", "'", addslashes($vbulletin->options['bbclosedreason']))) . '");');
	}

	// #############################################################################
	// password expiry system: once a password is older than the group's
	// 'passwordexpires' limit (in days), everything except login, the
	// change-password flow and three ajax actions is blocked.
	// NOTE(review): $show['passwordexpired'] stays unset (neither true nor false)
	// when a limit is configured but not yet reached; only the branches below set it.
	if ($vbulletin->userinfo['userid'] AND $vbulletin->userinfo['permissions']['passwordexpires'])
	{
		$passworddaysold = floor((TIMENOW - $vbulletin->userinfo['passworddate']) / 86400);
		if ($passworddaysold >= $vbulletin->userinfo['permissions']['passwordexpires'])
		{
			// blocked unless: login; profile reaching/submitting the password form;
			// or one of the ajax helpers that form depends on.
			// $_REQUEST['do'] / $_POST['do'] are read unguarded and may be undefined.
			if ((THIS_SCRIPT != 'login' AND THIS_SCRIPT != 'profile' AND THIS_SCRIPT != 'ajax')
				OR (THIS_SCRIPT == 'profile' AND $_REQUEST['do'] != 'editpassword' AND $_POST['do'] != 'updatepassword')
				OR (THIS_SCRIPT == 'ajax' AND $_REQUEST['do'] != 'imagereg' AND $_REQUEST['do'] != 'securitytoken' AND $_REQUEST['do'] != 'dismissnotice')
			)
			{
				standard_error(fetch_error('passwordexpired', $passworddaysold, $vbulletin->session->vars['sessionurl'] ));
			}
			else
			{
				$show['passwordexpired'] = true;
			}
		}
	}
	else
	{
		$show['passwordexpired'] = false;
	}

	// #############################################################################
	// password same as username?
	// The comparison recomputes the hash the stored password would have if the
	// password were the username; presumably this mirrors the stored-hash scheme
	// (md5(md5(password) . salt)) — confirm against the login code.
	// NOTE(review): loose == between two hex digests; PHP compares numeric-looking
	// strings (e.g. both starting "0e") numerically, so a strict === (or
	// hash_equals()) is the safer comparison here.
	if (!defined('ALLOW_SAME_USERNAME_PASSWORD') AND $vbulletin->userinfo['userid'])
	{
		// save the resource on md5'ing if the option is not enabled or guest
		if ($vbulletin->userinfo['password'] == md5(md5($vbulletin->userinfo['username']) . $vbulletin->userinfo['salt']))
		{
			// only login and the password-change flow remain reachable
			if ((THIS_SCRIPT != 'login' AND THIS_SCRIPT != 'profile') OR (THIS_SCRIPT == 'profile' AND $_REQUEST['do'] != 'editpassword' AND $_POST['do'] != 'updatepassword'))
			{
				standard_error(fetch_error('username_same_as_password', $vbulletin->session->vars['sessionurl'] ));
			}
		}
	}

	// #############################################################################
	// check required profile fields: the session's 'profileupdate' flag blocks
	// everything but login/profile.
	if ($vbulletin->session->vars['profileupdate'] AND THIS_SCRIPT != 'login' AND THIS_SCRIPT != 'profile')
	{
		// presumably hides the forum-jump menu on the error page
		$vbulletin->options['useforumjump'] = 0;
		standard_error(fetch_error('updateprofilefields', $vbulletin->session->vars['sessionurl']));
	}

	// #############################################################################
	// check permission to view forum
	if (!$this->has_global_view_permission())
	{
		if (defined('DIE_QUIETLY'))
		{
			exit;
		}
		else
		{
			print_no_permission();
		}
	}

	// #############################################################################
	// check for IP ban on user (verify_ip_ban() handles the rejection itself)
	verify_ip_ban();

	// plugin hook: runs whatever code products have registered for
	// 'global_state_check' after every built-in gate has passed
	($hook = vBulletinHook::fetch_hook('global_state_check')) ? eval($hook) : false;
}