Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/includes/auth.php | 195 | ||||
-rw-r--r-- | phpBB/includes/constants.php | 29 | ||||
-rw-r--r-- | phpBB/includes/functions.php | 63 | ||||
-rw-r--r-- | phpBB/viewforum.php | 40 | ||||
-rw-r--r-- | phpBB/viewtopic.php | 45 |
5 files changed, 295 insertions, 77 deletions
diff --git a/phpBB/includes/auth.php b/phpBB/includes/auth.php
index 79ec6f04f2..7034c809aa 100644
--- a/phpBB/includes/auth.php
+++ b/phpBB/includes/auth.php
@@ -23,71 +23,172 @@ ***************************************************************************/ /* Notes: - * auth() is going to become a very complex function and can take in a LARGE number of arguments. - * The currently included argements should be enough to handle any situation, however, if you need access to another - * the best option would be to create a global variable and access it that way if you can. - * * auth() returns: * TRUE if the user authorized * FALSE if the user is not */ -function auth($type, $id = "", $user_ip = "") +function auth($type, $forum_id, $userdata, $f_access = -1) { - global $db, $userdata; + global $db; - switch($type) + // + // If not logged on all we + // need do is find out + // if $forum_id has ANY + // auth for $type + // + // If logged on we want to + // find out if $forum_id has + // ALL, REG, ACL, MOD or ADMIN + // for $type + // + switch($type) { - // Empty for the moment. - } -} - + case VIEW: + $a_sql = "auth_view"; + break; + case READ: + $a_sql = "auth_read"; + break; + case POST: + $a_sql = "auth_post"; + break; + case REPLY: + $a_sql = "auth_reply"; + break; + case EDIT: + $a_sql = "auth_edit"; + break; + case DELETE: + $a_sql = "auth_delete"; + break; + case VOTECREATE: + $a_sql = "auth_votecreate"; + break; + case VOTE: + $a_sql = "auth_vote"; + break; + default: + break; + } -/* - * The following functions are used for getting user information. They are not related directly to auth() - */ + if($f_access == -1 || $forum_id == LIST_ALL) + { + $forum_match_sql = ($forum_id != LIST_ALL) ? "" : "WHERE forum_id = $forum_id"; + $sql = "SELECT $a_sql AS forum_auth + FROM ".AUTH_FORUMS_TABLE." + $forum_match_sql"; + $af_result = $db->sql_query($sql); -function get_userdata_from_id($userid) -{ - global $db; + if($forum_id != LIST_ALL) + { + $f_access = $db->sql_fetchfield("forum_auth", -1, $af_result); + } + else + { + $f_access_rows = $db->sql_fetchrowset($af_result); - $sql = "SELECT * FROM ".USERS_TABLE." 
WHERE user_id = $userid"; - if(!$result = $db->sql_query($sql)) - { - $userdata = array("error" => "1"); - return ($userdata); + } } - if($db->sql_numrows($result)) + + if(!$userdata['session_logged_in']) { - $myrow = $db->sql_fetchrowset($result); - return($myrow[0]); + if($forum_id != LIST_ALL) + { + $auth_user = ($f_access == ALL) ? true : false; + } + else + { + $auth_user_list = array(); + for($i = 0; $i < count($auth_forum_rows); $i++) + { + $auth_user_list[] = ($f_access_rows['0']['forum_auth'] == ALL) ? true : false; + } + } + } - else + else { - $userdata = array("error" => "1"); - return ($userdata); - } -} + if($f_access == ALL || $f_access == REG) + { + $auth_user = true; + } + else + { + $forum_match_sql = ($forum_id != LIST_ALL) ? "AND ( aa.forum_id = $forum_id OR aa.forum_id = " . ALL . ")" : ""; + $sql = "SELECT aa.$a_sql AS user_auth, aa.auth_mod, aa.auth_admin, g.single_user + FROM ".AUTH_ACCESS_TABLE." aa, " . USER_GROUP_TABLE. " ug, " . GROUPS_TABLE. " g + WHERE ug.user_id = ".$userdata['user_id']. " + AND g.group_id = ug.group_id + AND aa.group_id = ug.group_id + $forum_match_sql"; + $au_result = $db->sql_query($sql); -function get_userdata($username) { + if(!$db->sql_numrows($au_result)) + { + // + // No entry was found + // for this forum and user + // thus they don't have + // access + // + $auth_user = false; + } + else + { + $u_access = $db->sql_fetchrowset($au_result); + } - global $db; + $single_user = false; - $sql = "SELECT * FROM ".USERS_TABLE." 
WHERE username = '$username' AND user_level != ".DELETED; - if(!$result = $db->sql_query($sql)) - { - $userdata = array("error" => "1"); - } +// echo "<br><BR>".$f_access."<BR>".ADMIN."<BR>"; + switch($f_access) + { + case ACL: +// echo "HERE1"; + for($i = 0; $i < count($u_access); $i++) + { + if(!$single_user) + { + $auth_user = $auth_user || $u_access[$i]['user_auth'] || $u_access[$i]['auth_mod'] || $u_access[$i]['auth_admin']; + $single_user = $u_access[$i]['single_user']; + } + } + break; + + case MOD: +// echo "HERE2"; + for($i = 0; $i < count($u_access); $i++) + { + if(!$single_user) + { + $auth_user = $auth_user || $u_access[$i]['auth_mod'] || $u_access[$i]['auth_admin']; + $single_user = $u_access[$i]['single_user']; + } + } + break; + + case ADMIN: +// echo "HERE3"; + for($i = 0; $i < count($u_access); $i++) + { + if(!$single_user) + { + $auth_user = $auth_user || $u_access[$i]['auth_admin']; + $single_user = $u_access[$i]['single_user']; + } + } + break; - if($db->sql_numrows($result)) - { - $myrow = $db->sql_fetchrowset($result); - return($myrow[0]); - } - else - { - $userdata = array("error" => "1"); - return ($userdata); + default: +// echo "HERE4"; + $auth_user = false; + break; + } + } } + + return ( ($forum_id != LIST_ALL) ? $auth_user : $auth_user_list ); } -?> +?>
\ No newline at end of file diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 3f0e70e4ba..315e95d072 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -28,9 +28,9 @@ define(DEBUG, 1); // Debugging on //define(DEBUG, 0); // Debugging off // User Levels -define(ADMIN, 4); -define(SUPERMOD, 3); -define(MODERATOR, 2); +//define(ADMIN, 4); +//define(SUPERMOD, 3); +//define(MODERATOR, 2); define(USER, 1); define(DELETED, -1); define(ANONYMOUS, -1); @@ -85,6 +85,25 @@ define(PAGE_VIEWMEMBERS, -7); define(PAGE_FAQ, -8); define(PAGE_POSTING, -9); +// Auth settings +define(ALL, 0); +define(REG, 1); +define(ACL, 2); +define(MOD, 3); +define(SUPERMOD, 4); +define(ADMIN, 5); + +define(VIEW, 0); +define(READ, 1); +define(POST, 2); +define(REPLY, 3); +define(EDIT, 4); +define(DELETE, 5); +define(VOTECREATE, 6); +define(VOTE, 7); +define(LIST_ALL, 10); + +// Table names define('BANLIST_TABLE', $table_prefix.'banlist'); define('CATEGORIES_TABLE', $table_prefix.'categories'); define('CONFIG_TABLE', $table_prefix.'config'); @@ -101,6 +120,10 @@ define('SESSIONS_KEY_TABLE', $table_prefix.'session_keys'); define('THEMES_TABLE', $table_prefix.'themes'); define('TOPICS_TABLE', $table_prefix.'topics'); define('USERS_TABLE', $table_prefix.'users'); +define('GROUPS_TABLE', $table_prefix.'groups'); +define('USER_GROUP_TABLE', $table_prefix.'user_group'); define('WORDS_TABLE', $table_prefix.'words'); +define('AUTH_ACCESS_TABLE', $table_prefix.'auth_access'); +define('AUTH_FORUMS_TABLE', $table_prefix.'auth_forums'); ?>
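Review bot: The forum-filter ternary at the top of the new auth() is inverted: `($forum_id != LIST_ALL) ? "" : "WHERE forum_id = $forum_id"` queries every row of AUTH_FORUMS_TABLE when a real forum id is given and adds `WHERE forum_id = 10` for LIST_ALL, so the per-forum branch reads forum_auth from whichever row sql_fetchfield happens to return first. The anonymous LIST_ALL loop then iterates over `$auth_forum_rows`, which is never assigned (the rowset went into `$f_access_rows`), and indexes row `'0'` instead of `$i`, so it yields an empty or constant list. I would write `$forum_match_sql = ($forum_id != LIST_ALL) ? "WHERE forum_id = " . intval($forum_id) : "";`, `for($i = 0; $i < count($f_access_rows); $i++)` and `$auth_user_list[] = ($f_access_rows[$i]['forum_auth'] == ALL) ? true : false;` — the intval also matters because $forum_id reaches this SQL and the `aa.forum_id = $forum_id` clause below uninterpreted, and viewforum.php appears to take it straight from the request (`isset($forum_id)`). A `$f_access` of SUPERMOD has no case in the final switch and falls to default, denying even auth_admin holders; if that is intended a comment saying so would help. The commented-out `echo "HERE…"` debug lines should go before merge.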
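Review bot: ADMIN and SUPERMOD silently change value in this file: the user-level definitions (4 and 3) are commented out in the first hunk and the second hunk re-defines the same names as auth levels (5 and 4), so any code elsewhere that still compares user_level against ADMIN or SUPERMOD would now test against the auth value; no such caller is visible in this diff, so it is worth a grep before merge. The two new constant families also overlap numerically (ALL and VIEW are both 0, REG and READ both 1), so passing a level where auth() expects a type, or vice versa, cannot be caught; a distinct prefix per family, or at least a comment above each group naming the auth() parameter it belongs to, would make such a mix-up visible.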
\ No newline at end of file diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 4b77f1ee91..931eec8d73 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -77,6 +77,54 @@ function get_db_stat($mode) } } +function get_userdata_from_id($userid) +{ + global $db; + + $sql = "SELECT * + FROM ".USERS_TABLE." + WHERE user_id = $userid"; + if(!$result = $db->sql_query($sql)) + { + $userdata = array("error" => "1"); + return ($userdata); + } + if($db->sql_numrows($result)) + { + $myrow = $db->sql_fetchrowset($result); + return($myrow[0]); + } + else + { + $userdata = array("error" => "1"); + return ($userdata); + } +} + +function get_userdata($username) { + + global $db; + + $sql = "SELECT * + FROM ".USERS_TABLE." + WHERE username = '$username' + AND user_level != ".DELETED; + if(!$result = $db->sql_query($sql)) + { + $userdata = array("error" => "1"); + } + + if($db->sql_numrows($result)) + { + $myrow = $db->sql_fetchrowset($result); + return($myrow[0]); + } + else + { + $userdata = array("error" => "1"); + return ($userdata); + } +} function make_jumpbox() { @@ -245,13 +293,16 @@ function generate_activation_key() return($act_key_md); } - function encode_ip($dotquad_ip) { $ip_sep = explode(".", $dotquad_ip); return (sprintf("%02x%02x%02x%02x", $ip_sep[0], $ip_sep[1], $ip_sep[2], $ip_sep[3])); - //return (( $ip_sep[0] * 0xFFFFFF + $ip_sep[0] ) + ( $ip_sep[1] * 0xFFFF + $ip_sep[1] ) + ( $ip_sep[2] * 0xFF + $ip_sep[2] ) + ( $ip_sep[3] ) ); +// $ip_p = (!empty($dotquad_proxy_ip)) ? explode(".", $dotquad_proxy_ip) : explode(".", "0.0.0.0"); + +// return (sprintf("%03d.%03d.%03d.%03d:%03d.%03d.%03d.%03d", $ip[0], $ip[1], $ip[2], $ip[3], $ip_p[0], $ip_p[1], $ip_p[2], $ip_p[3])); + +// return (( $ip_sep[0] * 0xFFFFFF + $ip_sep[0] ) + ( $ip_sep[1] * 0xFFFF + $ip_sep[1] ) + ( $ip_sep[2] * 0xFF + $ip_sep[2] ) + ( $ip_sep[3] ) ); } function decode_ip($int_ip) 
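Review bot: get_userdata() does not return after its failed-query branch: when `!$result = $db->sql_query($sql)` it sets `$userdata = array("error" => "1");` and then falls through to `$db->sql_numrows($result)` with `$result` false, unlike get_userdata_from_id() directly above, which returns the error array. Add `return ($userdata);` inside that if block. Both functions arrive here from auth.php with `$userid` and `$username` interpolated into the SQL unchanged; since their callers are not visible in this diff, `$username` should be escaped (addslashes() or the driver's equivalent) before it is quoted into the WHERE clause and `$userid` cast with intval().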
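Review bot: The three lines added to encode_ip() are commented-out drafts that reference `$dotquad_proxy_ip` and `$ip`, neither of which is a parameter or local of the function, and decode_ip() in the following hunk receives a matching commented-out `list($ip['remote'], $ip['forwarded'])` line. Commented-out code in a function body goes stale quickly; either implement the proxy-address format behind an explicit parameter or keep the idea outside the source.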
@@ -259,8 +310,8 @@ function decode_ip($int_ip) $hexipbang = explode(".",chunk_split($int_ip, 2, ".")); return hexdec($hexipbang[0]).".".hexdec($hexipbang[1]).".".hexdec($hexipbang[2]).".".hexdec($hexipbang[3]); - //return sprintf( "%d.%d.%d.%d", ( ( $int_ip >> 24 ) & 0xFF ), ( ( $int_ip >> 16 ) & 0xFF ), ( ( $int_ip >> 8 ) & 0xFF ), ( ( $int_ip ) & 0xFF ) ); - +// list($ip['remote'], $ip['forwarded']) = explode(":", $c_ip); +// return sprintf( "%d.%d.%d.%d", ( ( $int_ip >> 24 ) & 0xFF ), ( ( $int_ip >> 16 ) & 0xFF ), ( ( $int_ip >> 8 ) & 0xFF ), ( ( $int_ip ) & 0xFF ) ); } // @@ -345,11 +396,11 @@ function generate_pagination($base_url, $num_items, $per_page, $start_item, $add { if($on_page > 1) { - $page_string = "<a href=\"".append_sid($base_url."&start=".(($on_page-2) * $per_page))."\">Previous</a> : " . $page_string; + $page_string = " <a href=\"".append_sid($base_url."&start=".(($on_page-2) * $per_page))."\">Previous</a> " . $page_string; } if($on_page < $total_pages) { - $page_string .= " : <a href=\"".append_sid($base_url."&start=".($on_page * $per_page))."\">Next</a>"; + $page_string .= " <a href=\"".append_sid($base_url."&start=".($on_page * $per_page))."\">Next</a>"; } } diff --git a/phpBB/viewforum.php b/phpBB/viewforum.php index 2b30c6368a..76bf681f32 100644 --- a/phpBB/viewforum.php +++ b/phpBB/viewforum.php @@ -56,10 +56,11 @@ init_userprefs($userdata); // if(isset($forum_id)) { - $sql = "SELECT f.forum_type, f.forum_name, f.forum_topics, u.username, u.user_id - FROM ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u + $sql = "SELECT f.forum_type, f.forum_name, f.forum_topics, u.username, u.user_id, fa.* + FROM ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u, ".AUTH_FORUMS_TABLE." fa WHERE f.forum_id = $forum_id - AND fm.forum_id = $forum_id + AND fa.forum_id = f.forum_id + AND fm.forum_id = f.forum_id AND u.user_id = fm.user_id"; } else 
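Review bot: Joining AUTH_FORUMS_TABLE as `fa` with `AND fa.forum_id = f.forum_id` makes this query return no rows for a forum that has no auth_forums entry, which the unchanged code below reports as "The forum you selected does not exist" rather than as an auth failure; the same join is added to the topic query in viewtopic.php. If every forum is guaranteed an auth_forums row this is fine, but a comment stating that invariant (or a LEFT JOIN with a default level) would make it explicit. `fa.*` also pulls every auth column when only the READ level is consumed by the auth() call further down; viewtopic.php selects just `fa.auth_read`, so matching that here keeps the two queries consistent.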
@@ -78,21 +79,40 @@ if(!$total_rows = $db->sql_numrows($result)) error_die(GENERAL_ERROR, "The forum you selected does not exist. Please go back and try again."); } +$forum_row = $db->sql_fetchrowset($result); +if(!$forum_row) +{ + error_die(SQL_QUERY, "Couldn't obtain rowset.", __LINE__, __FILE__); +} // // Start auth check // +$is_auth = auth(READ, $forum_id, $userdata, $forum_row['0']['auth_read']); -// -// End of auth check -// +if(!$is_auth) +{ + // + // Ooopss, user is not authed + // to read this forum ... + // + include('includes/page_header.'.$phpEx); + + $msg = "I am sorry but you are not currently authorised to read this forum. You could try logging on and trying again. If you are logged on then this is a private forum for which you have not been granted access."; + $template->set_filenames(array( + "reg_header" => "error_body.tpl" + )); + $template->assign_vars(array( + "ERROR_MESSAGE" => $msg + )); + $template->pparse("reg_header"); -$forum_row = $db->sql_fetchrowset($result); -if(!$forum_row) -{ - error_die(SQL_QUERY, "Couldn't obtain rowset.", __LINE__, __FILE__); + include('includes/page_tail.'.$phpEx); } +// +// End of auth check +// $forum_name = stripslashes($forum_row[0]['forum_name']); if(empty($HTTP_POST_VARS['postdays'])) diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index b58b7d919b..d275f5f5fb 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php 
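Review bot: The not-authorised branch renders the error page but never stops the script: after `include('includes/page_tail.'.$phpEx);` the if block ends and execution continues into `$forum_name = stripslashes(...)` and the rest of viewforum.php, so the forum content is presumably still emitted after the error unless page_tail.php itself exits, which I cannot see from this diff. Adding `exit;` after the page_tail include (or ending the block with error_die(), as the forum-not-found case just above does) closes that gap; the identical block in viewtopic.php's second hunk has the same issue. The error-rendering sequence is duplicated verbatim between the two files, so a small helper in functions.php taking the message would keep them from diverging.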
@@ -138,10 +138,11 @@ else $count_sql = (!isset($post_id)) ? "" : ", COUNT(p2.post_id) AS prev_posts"; $order_sql = (!isset($post_id)) ? "" : "GROUP BY fm.user_id, p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, f.forum_type, f.forum_name, f.forum_id, u.username, u.user_id ORDER BY p.post_id ASC"; - $sql = "SELECT t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, f.forum_type, f.forum_name, f.forum_id, u.username, u.user_id".$count_sql." - FROM $join_sql_table ".TOPICS_TABLE." t, ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u + $sql = "SELECT t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, f.forum_type, f.forum_name, f.forum_id, u.username, u.user_id, fa.auth_read".$count_sql." + FROM $join_sql_table ".TOPICS_TABLE." t, ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u, ".AUTH_FORUMS_TABLE." fa WHERE $join_sql - AND f.forum_id = t.forum_id + AND f.forum_id = t.forum_id + AND fa.forum_id = f.forum_id AND fm.forum_id = t.forum_id AND u.user_id = fm.user_id $order_sql"; @@ -209,6 +210,36 @@ init_userprefs($userdata); // End session management // +// +// Start auth check +// +$is_auth = auth(READ, $forum_id, $userdata, $forum_row[0]['auth_read']); + +if(!$is_auth) +{ + // + // Ooopss, user is not authed + // to read this forum ... + // + include('includes/page_header.'.$phpEx); + + $msg = "I am sorry but you are not currently authorised to read this forum. You could try logging on and trying again. If you are logged on then this is a private forum for which you have not been granted access."; + + $template->set_filenames(array( + "reg_header" => "error_body.tpl" + )); + $template->assign_vars(array( + "ERROR_MESSAGE" => $msg + )); + $template->pparse("reg_header"); + + include('includes/page_tail.'.$phpEx); +} +// +// End auth check +// + + for($x = 0; $x < $total_rows; $x++) { $moderators[] = array("user_id" => $forum_row[$x]['user_id'], 
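Review bot: The SELECT now includes `fa.auth_read`, but the GROUP BY list built in `$order_sql` two lines above (used when `$post_id` is set) does not, so a database that enforces full GROUP BY will reject the post_id form of this query; MySQL of this era accepts it, which would hide the problem in testing. Append `, fa.auth_read` to that GROUP BY column list, or select the auth level in a separate query once the topic's forum id is known.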
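Review bot: auth() is called with `$forum_id`, but nothing in this hunk or in the query hunk above assigns it; the row already carries `f.forum_id`, so unless `$forum_id` is set earlier in the file it is either undefined or, with register_globals, a request-controlled value, meaning the ACL lookup could key off something other than the topic's actual forum while auth_read comes from the real one. I would pass the row value explicitly: `$is_auth = auth(READ, $forum_row[0]['forum_id'], $userdata, $forum_row[0]['auth_read']);`. The hunk also leaves `$forum_row` itself unchecked here, so a comment noting that the earlier "topic does not exist" path guarantees at least one row would help a reader.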
@@ -220,14 +251,6 @@ for($x = 0; $x < $total_rows; $x++) } // -// Start auth check -// - -// -// End auth check -// - -// // Get next and previous topic_id's // $sql_next_id = "SELECT topic_id |