Пример #1
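/**
 * Gate admin-area requests on the current user's AuthMgr capabilities.
 *
 * Requires the ShowAdmin capability, shows an "Access Denied" notice when the
 * page was reached with ?access=denied, then checks the capability mapped to
 * the requested action for plugin-management requests and for AJAX requests.
 *
 * @return void
 */
function authmgr_intercept_admin()
{
    authmgr_require_capability(AuthmgrCapability::ShowAdmin);

    // we use this GET param to send up a feedback notice to user
    if (isset($_GET['access']) && $_GET['access'] === 'denied') {
        yourls_add_notice('Access Denied');
    }

    $action_capability_map = array(
        'add' => AuthmgrCapability::AddURL,
        'delete' => AuthmgrCapability::DeleteURL,
        'edit_display' => AuthmgrCapability::EditURL,
        'edit_save' => AuthmgrCapability::EditURL,
        'activate' => AuthmgrCapability::ManagePlugins,
        'deactivate' => AuthmgrCapability::ManagePlugins,
    );

    // Read the action defensively: a missing or array-valued "action" parameter
    // resolves to null instead of raising an undefined-index / illegal-offset error.
    $action_keyword = (isset($_REQUEST['action']) && is_string($_REQUEST['action']))
        ? $_REQUEST['action']
        : null;
    $cap_needed = ($action_keyword !== null && isset($action_capability_map[$action_keyword]))
        ? $action_capability_map[$action_keyword]
        : null;

    // intercept requests for plugin management
    if (isset($_REQUEST['plugin'])) {
        // NOTE(review): an action with no entry in the map is let through here
        // (no capability is checked for it) — confirm that is intended.
        if ($cap_needed !== null && authmgr_have_capability($cap_needed) !== true) {
            yourls_redirect(yourls_admin_url('?access=denied'), 302);
            // Stop here: if yourls_redirect() returns to the caller, the denied
            // request must not fall through to the plugin handler.
            die;
        }
    }

    // also intercept AJAX requests
    if (yourls_is_Ajax()) {
        // An unmapped action passes null; whether that is denied depends on
        // authmgr_have_capability(), which is not shown here.
        if (authmgr_have_capability($cap_needed) !== true) {
            $err = array(
                'status' => 'fail',
                'code' => 'error:authorization',
                'message' => 'Access Denied',
                'errorCode' => '403',
            );
            echo json_encode($err);
            die;
        }
    }
}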
Пример #2
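/**
 * Check a REQUEST password sent in plain text against stored password which can be a salted hash
 *
 * The stored value is either "md5:<salt>:<md5(salt . password)>" (42 characters)
 * or the clear-text password itself. Comparisons are strict, and constant-time
 * when hash_equals() is available, so two different numeric-looking strings
 * (e.g. "1000" and "1e3") are never treated as equal.
 *
 * NOTE(review): salted MD5 is a weak password hash; password_hash() /
 * password_verify() would be the stronger replacement for this storage format.
 *
 * @param string $stored    Password entry as stored (hash string or clear text)
 * @param string $plaintext Password submitted with the request
 * @return bool True when the submitted password matches the stored entry
 */
function yourls_check_password_hash($stored, $plaintext)
{
    // Arrays, objects and null can never be a valid password on either side
    if (!is_scalar($stored) || !is_scalar($plaintext)) {
        return false;
    }
    $stored = (string) $stored;
    $plaintext = (string) $plaintext;

    if (substr($stored, 0, 4) === 'md5:' && strlen($stored) === 42) {
        // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:<md5($r.'thepassword')>"
        $parts = explode(':', $stored);
        if (count($parts) !== 3) {
            // Right prefix and length but not "md5:<salt>:<hash>": cannot match anything
            return false;
        }
        $salt = $parts[1];
        $expected = 'md5:' . $salt . ':' . md5($salt . $plaintext);

        return function_exists('hash_equals')
            ? hash_equals($stored, $expected)
            : $stored === $expected;
    }

    // Password was sent in clear
    $message = '';
    $message .= yourls__('<strong>Notice</strong>: your password is stored as clear text in your <tt>config.php</tt>');
    $message .= yourls__('Did you know you can easily improve the security of your YOURLS install by <strong>encrypting</strong> your password?');
    $message .= yourls__('See <a href="http://yourls.org/userpassword">UsernamePassword</a> for details');
    yourls_add_notice($message, 'notice');

    return function_exists('hash_equals')
        ? hash_equals($stored, $plaintext)
        : $stored === $plaintext;
}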
Пример #3
/**
 * Include every active plugin file and record the ones that loaded.
 *
 * Resets $ydb->plugins, reads the 'active_plugins' option and includes each
 * listed file that passes yourls_validate_plugin_file(). Entries that fail
 * validation are dropped from the stored option and reported in a notice.
 *
 * NOTE(review): the included path is built from a stored option value, so
 * yourls_validate_plugin_file() (not shown here) is the only check between
 * that value and code execution.
 *
 * @return void
 */
function yourls_load_plugins()
{
    global $ydb;
    $ydb->plugins = array();
    $active_plugins = yourls_get_option('active_plugins');

    // Nothing is active: nothing to load
    if (!$active_plugins) {
        return;
    }
    // Don't load plugins when installing or updating
    if (defined('YOURLS_INSTALLING') and YOURLS_INSTALLING) {
        return;
    }
    if (yourls_upgrade_is_needed()) {
        return;
    }

    // Local names are left untouched in this loop: include_once runs the
    // plugin file inside this function's variable scope.
    foreach ((array) $active_plugins as $key => $plugin) {
        if (!yourls_validate_plugin_file(YOURLS_PLUGINDIR . '/' . $plugin)) {
            continue;
        }
        include_once YOURLS_PLUGINDIR . '/' . $plugin;
        $ydb->plugins[] = $plugin;
        unset($active_plugins[$key]);
    }

    // Whatever is still listed failed validation: remove it from the option
    $missing_total = count($active_plugins);
    if ($missing_total === 0) {
        return;
    }

    // NOTE(review): plugin names go into the notice markup without escaping
    $missing_list = '<strong>' . implode('</strong>, <strong>', $active_plugins) . '</strong>';
    yourls_update_option('active_plugins', $ydb->plugins);
    $notice = 'Could not find and deactivated ' . yourls_plural('plugin', $missing_total) . ' ' . $missing_list;
    yourls_add_notice($notice);
}
Пример #4
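/**
 * Display a notice if there is a newer version of YOURLS available
 *
 * Logs whether a version check ran, then reads the 'core_version_checks'
 * option and, when its last_result->latest is greater than YOURLS_VERSION,
 * adds an admin notice linking to the download page.
 *
 * @since 1.7
 * @return void
 */
function yourls_new_core_version_notice()
{
    yourls_debug_log('Check for new version: ' . (yourls_maybe_check_core_version() ? 'yes' : 'no'));

    $checks = yourls_get_option('core_version_checks');
    if (!isset($checks->last_result->latest) || !is_scalar($checks->last_result->latest)) {
        return;
    }
    $latest = (string) $checks->last_result->latest;

    if (version_compare($latest, YOURLS_VERSION, '>')) {
        // The version string is presumably taken from a remote version-check
        // response (confirm against yourls_maybe_check_core_version()), so it
        // is escaped before being placed into the notice markup.
        $latest_html = htmlspecialchars($latest, ENT_QUOTES, 'UTF-8');
        // NOTE(review): the download link uses plain http — consider https.
        $msg = yourls_s('<a href="%s">YOURLS version %s</a> is available. Please update!', 'http://yourls.org/download', $latest_html);
        yourls_add_notice($msg);
    }
}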
Пример #5
/**
 * Include every active plugin file and record the ones that loaded.
 *
 * Does nothing while installing or upgrading, or when the 'active_plugins'
 * option is false. Otherwise resets $ydb->plugins, includes each listed file
 * that passes yourls_validate_plugin_file(), then removes the entries that
 * failed validation from the stored option and reports them in a notice.
 *
 * NOTE(review): the included path is built from a stored option value, so
 * yourls_validate_plugin_file() (not shown here) is the only check between
 * that value and code execution.
 *
 * @return void
 */
function yourls_load_plugins()
{
    // Don't load plugins when installing or updating
    if (yourls_is_installing()) {
        return;
    }
    if (yourls_is_upgrading()) {
        return;
    }

    $active_plugins = yourls_get_option('active_plugins');
    if ($active_plugins === false) {
        return;
    }

    global $ydb;
    $ydb->plugins = array();

    // Local names are left untouched in this loop: include_once runs the
    // plugin file inside this function's variable scope.
    foreach ((array) $active_plugins as $key => $plugin) {
        if (!yourls_validate_plugin_file(YOURLS_PLUGINDIR . '/' . $plugin)) {
            continue;
        }
        include_once YOURLS_PLUGINDIR . '/' . $plugin;
        $ydb->plugins[] = $plugin;
        unset($active_plugins[$key]);
    }

    // Anything still listed could not be validated: drop it from the option
    $missing_total = count($active_plugins);
    if ($missing_total === 0) {
        return;
    }

    yourls_update_option('active_plugins', $ydb->plugins);
    $notice = yourls_n('Could not find and deactivated plugin :', 'Could not find and deactivated plugins :', $missing_total);
    // NOTE(review): plugin names go into the notice markup without escaping
    $missing_list = '<strong>' . implode('</strong>, <strong>', $active_plugins) . '</strong>';
    yourls_add_notice($notice . ' ' . $missing_list);
}
Пример #6
 /**
  * YOURLS "auth_successful" action: restrict admin pages and AJAX actions
  * to what helperGetAllowedPermissions() grants.
  *
  * Outside the admin area nothing is checked. Inside it, a page whose name is
  * not in the allowed list gets an "access denied" page and the script stops.
  * For AJAX requests, a disallowed add / delete / edit action is rewritten to
  * 'accessdenied' and the original action is kept under 'action_old'.
  *
  * NOTE(review): both checks fail open — a script path the pattern does not
  * match skips the page check, and any AJAX action other than the four listed
  * is not checked at all. in_array() is also used in its loose form.
  *
  * @return bool|null True outside the admin area; no value otherwise
  */
 public function action_auth_successful()
 {
     // Nothing to restrict outside the admin area
     if (!yourls_is_admin()) {
         return true;
     }

     // Page permissions: the page name is the script path between "/admin/" and ".php"
     $is_admin_script = preg_match('#\\/admin\\/(.*?)\\.php#', $_SERVER['SCRIPT_FILENAME'], $page_match);
     if ($is_admin_script && !in_array($page_match[1], $this->helperGetAllowedPermissions())) {
         yourls_add_notice(yourls__('Denied access to this page', self::APP_NAMESPACE));
         yourls_html_head('accessdenied', yourls__('Denied access to this page', self::APP_NAMESPACE));
         yourls_html_logo();
         yourls_html_menu();
         yourls_html_footer();
         die;
     }

     // Action permissions only apply to AJAX requests
     if (!yourls_is_Ajax()) {
         return;
     }

     $requested = $this->getRequest('action');
     $allowed = $this->helperGetAllowedPermissions();
     $denied = false;

     if ($requested == 'edit_display' || $requested == 'edit_save') {
         // Both edit steps are covered by the single 'edit' permission
         $denied = !in_array('edit', $allowed['action']);
     } elseif ($requested == 'add' || $requested == 'delete') {
         $denied = !in_array($requested, $allowed['action']);
     }

     if ($denied) {
         // Keep the original action for reference and neutralise the request
         $this->setRequest('action_old', $requested);
         $this->setRequest('action', 'accessdenied');
     }
 }
Пример #7
 * The following code is a shim that helps users store passwords securely in config.php
 * by storing a password hash and removing the plaintext.
 *
 * TODO: Remove this once real user management is implemented
 */
// Did we just fail at encrypting passwords ?
if (isset($_GET['dismiss']) && $_GET['dismiss'] == 'hasherror') {
    // The user dismissed the hashing error: store the time until which it stays hidden (now + 1 week)
    // NOTE(review): this state change is triggered by a plain GET parameter; no nonce check is visible here.
    yourls_update_option('defer_hashing_error', time() + 7 * 86400);
} elseif (!defined('YOURLS_NO_HASH_PASSWORD') && yourls_has_cleartext_passwords()) {
    // Encrypt passwords that are clear text
    $hash = yourls_hash_passwords_now(YOURLS_CONFIGFILE);
    if ($hash !== true) {
        // It failed, display message for first time or if last time was a week ago
        if (time() > yourls_get_option('defer_hashing_error') or !yourls_get_option('defer_hashing_error')) {
            // $hash carries the error text here and is placed into the notice as-is
            $message = yourls_s('Could not auto-encrypt passwords. Error was: "%s".', $hash)
                . ' '
                . yourls_s('<a href="%s">Get help</a>.', 'http://yourls.org/userpassword')
                . '</p><p>'
                . yourls_s('<a href="%s">Click here</a> to dismiss this message for one week.', '?dismiss=hasherror');
            yourls_add_notice($message);
        }
    } elseif (yourls_get_option('defer_hashing_error')) {
        // Hashing successful. Remove flag from DB if any.
        yourls_delete_option('defer_hashing_error');
    }
}
Пример #8
                    yourls_redirect(yourls_admin_url('plugins.php?success=deactivated'), 302);
                }
                break;
            default:
                $result = 'Unsupported action';
                break;
        }
    } else {
        $result = 'No plugin specified, or not a valid plugin';
    }
    yourls_add_notice($result);
}
// Handle message upon successful (de)activation
// Only the two fixed keywords below ever reach the notice, so no other
// request-supplied text is reflected into the page.
// NOTE(review): the comparison is loose; a strict in_array(..., true) would state the intent more clearly.
if (isset($_GET['success']) && in_array($_GET['success'], array('activated', 'deactivated'))) {
    yourls_add_notice('Plugin ' . $_GET['success']);
}

// Page header, logo and menu for the plugin management screen
yourls_html_head('plugins', 'Manage Plugins');
yourls_html_logo();
yourls_html_menu();
?>

	<h2>Plugins</h2>
	
	<?php 
// Result of yourls_get_plugins(), forced to an array so count() below always works
$plugins = (array) yourls_get_plugins();
// Total number of entries returned by yourls_get_plugins()
$count = count($plugins);
// Value reported by yourls_has_active_plugins() — presumably the number of
// active plugins; confirm against its definition
$count_active = yourls_has_active_plugins();
?>
	
Пример #9
/**
 * Displays an error message in case of missing required variables
 *
 * Does nothing unless the request carries a 'piwik_config' POST field. When it
 * does, each required setting that is empty adds one line to an error notice;
 * with no missing setting a success notice is shown instead.
 *
 * NOTE(review): the success text is shown whenever both fields are non-empty;
 * nothing in this function confirms that the settings were actually stored.
 *
 * TODO: Needs more testing
 *
 * @return void
 */
function itfs_piwik_admin_messages()
{
    if (!isset($_POST['piwik_config'])) {
        return;
    }

    // Required setting => message shown when it is missing
    $required_fields = array(
        'piwik_url' => '<p><label for="piwik_url" class="borderbottom">Piwik URL</label> is a required field.</p>',
        'site_id' => '<p><label for="site_id" class="borderbottom">Site ID</label> is a required field.</p>',
    );

    $error_message = '';
    foreach ($required_fields as $field => $missing_text) {
        if (empty($_POST['piwik_config'][$field])) {
            $error_message .= $missing_text;
        }
    }

    if ($error_message === '') {
        echo yourls_add_notice('Settings have been saved', 'message_success');
        return;
    }

    echo yourls_add_notice($error_message, 'message_error');
}