Auth Stage-1 goes in
git-svn-id: file:///svn/phpbb/trunk@377 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
parent
7401fc7d07
commit
53c41d08d1
5 changed files with 304 additions and 86 deletions
|
@ -23,71 +23,172 @@
|
|||
***************************************************************************/
|
||||
|
||||
/* Notes:
|
||||
* auth() is going to become a very complex function and can take in a LARGE number of arguments.
|
||||
* The currently included argements should be enough to handle any situation, however, if you need access to another
|
||||
* the best option would be to create a global variable and access it that way if you can.
|
||||
*
|
||||
* auth() returns:
|
||||
* TRUE if the user authorized
|
||||
* FALSE if the user is not
|
||||
*/
|
||||
function auth($type, $id = "", $user_ip = "")
|
||||
function auth($type, $forum_id, $userdata, $f_access = -1)
|
||||
{
|
||||
global $db, $userdata;
|
||||
global $db;
|
||||
|
||||
//
|
||||
// If not logged on all we
|
||||
// need do is find out
|
||||
// if $forum_id has ANY
|
||||
// auth for $type
|
||||
//
|
||||
// If logged on we want to
|
||||
// find out if $forum_id has
|
||||
// ALL, REG, ACL, MOD or ADMIN
|
||||
// for $type
|
||||
//
|
||||
switch($type)
|
||||
{
|
||||
// Empty for the moment.
|
||||
}
|
||||
case VIEW:
|
||||
$a_sql = "auth_view";
|
||||
break;
|
||||
case READ:
|
||||
$a_sql = "auth_read";
|
||||
break;
|
||||
case POST:
|
||||
$a_sql = "auth_post";
|
||||
break;
|
||||
case REPLY:
|
||||
$a_sql = "auth_reply";
|
||||
break;
|
||||
case EDIT:
|
||||
$a_sql = "auth_edit";
|
||||
break;
|
||||
case DELETE:
|
||||
$a_sql = "auth_delete";
|
||||
break;
|
||||
case VOTECREATE:
|
||||
$a_sql = "auth_votecreate";
|
||||
break;
|
||||
case VOTE:
|
||||
$a_sql = "auth_vote";
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* The following functions are used for getting user information. They are not related directly to auth()
|
||||
*/
|
||||
|
||||
function get_userdata_from_id($userid)
|
||||
if($f_access == -1 || $forum_id == LIST_ALL)
|
||||
{
|
||||
global $db;
|
||||
$forum_match_sql = ($forum_id != LIST_ALL) ? "" : "WHERE forum_id = $forum_id";
|
||||
$sql = "SELECT $a_sql AS forum_auth
|
||||
FROM ".AUTH_FORUMS_TABLE."
|
||||
$forum_match_sql";
|
||||
$af_result = $db->sql_query($sql);
|
||||
|
||||
$sql = "SELECT * FROM ".USERS_TABLE." WHERE user_id = $userid";
|
||||
if(!$result = $db->sql_query($sql))
|
||||
if($forum_id != LIST_ALL)
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
return ($userdata);
|
||||
}
|
||||
if($db->sql_numrows($result))
|
||||
{
|
||||
$myrow = $db->sql_fetchrowset($result);
|
||||
return($myrow[0]);
|
||||
$f_access = $db->sql_fetchfield("forum_auth", -1, $af_result);
|
||||
}
|
||||
else
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
return ($userdata);
|
||||
$f_access_rows = $db->sql_fetchrowset($af_result);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function get_userdata($username) {
|
||||
|
||||
global $db;
|
||||
|
||||
$sql = "SELECT * FROM ".USERS_TABLE." WHERE username = '$username' AND user_level != ".DELETED;
|
||||
if(!$result = $db->sql_query($sql))
|
||||
if(!$userdata['session_logged_in'])
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
}
|
||||
|
||||
if($db->sql_numrows($result))
|
||||
if($forum_id != LIST_ALL)
|
||||
{
|
||||
$myrow = $db->sql_fetchrowset($result);
|
||||
return($myrow[0]);
|
||||
$auth_user = ($f_access == ALL) ? true : false;
|
||||
}
|
||||
else
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
return ($userdata);
|
||||
$auth_user_list = array();
|
||||
for($i = 0; $i < count($auth_forum_rows); $i++)
|
||||
{
|
||||
$auth_user_list[] = ($f_access_rows['0']['forum_auth'] == ALL) ? true : false;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
if($f_access == ALL || $f_access == REG)
|
||||
{
|
||||
$auth_user = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
$forum_match_sql = ($forum_id != LIST_ALL) ? "AND ( aa.forum_id = $forum_id OR aa.forum_id = " . ALL . ")" : "";
|
||||
$sql = "SELECT aa.$a_sql AS user_auth, aa.auth_mod, aa.auth_admin, g.single_user
|
||||
FROM ".AUTH_ACCESS_TABLE." aa, " . USER_GROUP_TABLE. " ug, " . GROUPS_TABLE. " g
|
||||
WHERE ug.user_id = ".$userdata['user_id']. "
|
||||
AND g.group_id = ug.group_id
|
||||
AND aa.group_id = ug.group_id
|
||||
$forum_match_sql";
|
||||
$au_result = $db->sql_query($sql);
|
||||
|
||||
if(!$db->sql_numrows($au_result))
|
||||
{
|
||||
//
|
||||
// No entry was found
|
||||
// for this forum and user
|
||||
// thus they don't have
|
||||
// access
|
||||
//
|
||||
$auth_user = false;
|
||||
}
|
||||
else
|
||||
{
|
||||
$u_access = $db->sql_fetchrowset($au_result);
|
||||
}
|
||||
|
||||
$single_user = false;
|
||||
|
||||
// echo "<br><BR>".$f_access."<BR>".ADMIN."<BR>";
|
||||
switch($f_access)
|
||||
{
|
||||
case ACL:
|
||||
// echo "HERE1";
|
||||
for($i = 0; $i < count($u_access); $i++)
|
||||
{
|
||||
if(!$single_user)
|
||||
{
|
||||
$auth_user = $auth_user || $u_access[$i]['user_auth'] || $u_access[$i]['auth_mod'] || $u_access[$i]['auth_admin'];
|
||||
$single_user = $u_access[$i]['single_user'];
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
case MOD:
|
||||
// echo "HERE2";
|
||||
for($i = 0; $i < count($u_access); $i++)
|
||||
{
|
||||
if(!$single_user)
|
||||
{
|
||||
$auth_user = $auth_user || $u_access[$i]['auth_mod'] || $u_access[$i]['auth_admin'];
|
||||
$single_user = $u_access[$i]['single_user'];
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
case ADMIN:
|
||||
// echo "HERE3";
|
||||
for($i = 0; $i < count($u_access); $i++)
|
||||
{
|
||||
if(!$single_user)
|
||||
{
|
||||
$auth_user = $auth_user || $u_access[$i]['auth_admin'];
|
||||
$single_user = $u_access[$i]['single_user'];
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
// echo "HERE4";
|
||||
$auth_user = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return ( ($forum_id != LIST_ALL) ? $auth_user : $auth_user_list );
|
||||
}
|
||||
|
||||
?>
|
|
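Review bot: The ternary `$forum_match_sql = ($forum_id != LIST_ALL) ? "" : "WHERE forum_id = $forum_id";` in the new auth() is inverted relative to the same test further down (`aa.forum_id = $forum_id` is emitted when `$forum_id != LIST_ALL`): a real forum id produces no WHERE clause, so `sql_fetchfield("forum_auth", -1, $af_result)` returns the first row of the whole auth_forums table rather than this forum's level, while a LIST_ALL call filters on forum_id = 10. It should read `$forum_match_sql = ($forum_id != LIST_ALL) ? "WHERE forum_id = $forum_id" : "";`. The anonymous LIST_ALL branch also loops over `$auth_forum_rows`, which is never assigned (the rowset was stored in `$f_access_rows`), and reads `$f_access_rows['0']` instead of `[$i]`, so `$auth_user_list` is always empty. Since `$forum_id` reaches both queries unquoted and the callers in this commit appear to take it straight from the request, casting it with intval() before interpolation would be prudent. The `default:` case of `switch($type)` leaves `$a_sql` unset, which yields a malformed `SELECT  AS forum_auth` rather than a clean denial.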
@ -28,9 +28,9 @@ define(DEBUG, 1); // Debugging on
|
|||
//define(DEBUG, 0); // Debugging off
|
||||
|
||||
// User Levels
|
||||
define(ADMIN, 4);
|
||||
define(SUPERMOD, 3);
|
||||
define(MODERATOR, 2);
|
||||
//define(ADMIN, 4);
|
||||
//define(SUPERMOD, 3);
|
||||
//define(MODERATOR, 2);
|
||||
define(USER, 1);
|
||||
define(DELETED, -1);
|
||||
define(ANONYMOUS, -1);
|
||||
|
@ -85,6 +85,25 @@ define(PAGE_VIEWMEMBERS, -7);
|
|||
define(PAGE_FAQ, -8);
|
||||
define(PAGE_POSTING, -9);
|
||||
|
||||
// Auth settings
|
||||
define(ALL, 0);
|
||||
define(REG, 1);
|
||||
define(ACL, 2);
|
||||
define(MOD, 3);
|
||||
define(SUPERMOD, 4);
|
||||
define(ADMIN, 5);
|
||||
|
||||
define(VIEW, 0);
|
||||
define(READ, 1);
|
||||
define(POST, 2);
|
||||
define(REPLY, 3);
|
||||
define(EDIT, 4);
|
||||
define(DELETE, 5);
|
||||
define(VOTECREATE, 6);
|
||||
define(VOTE, 7);
|
||||
define(LIST_ALL, 10);
|
||||
|
||||
// Table names
|
||||
define('BANLIST_TABLE', $table_prefix.'banlist');
|
||||
define('CATEGORIES_TABLE', $table_prefix.'categories');
|
||||
define('CONFIG_TABLE', $table_prefix.'config');
|
||||
|
@ -101,6 +120,10 @@ define('SESSIONS_KEY_TABLE', $table_prefix.'session_keys');
|
|||
define('THEMES_TABLE', $table_prefix.'themes');
|
||||
define('TOPICS_TABLE', $table_prefix.'topics');
|
||||
define('USERS_TABLE', $table_prefix.'users');
|
||||
define('GROUPS_TABLE', $table_prefix.'groups');
|
||||
define('USER_GROUP_TABLE', $table_prefix.'user_group');
|
||||
define('WORDS_TABLE', $table_prefix.'words');
|
||||
define('AUTH_ACCESS_TABLE', $table_prefix.'auth_access');
|
||||
define('AUTH_FORUMS_TABLE', $table_prefix.'auth_forums');
|
||||
|
||||
?>
|
|
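Review bot: `define(LIST_ALL, 10);` picks a sentinel inside the range of real forum ids, so auth(), which tests `$forum_id == LIST_ALL`, will treat a request for forum 10 as a list-all query and return an array where the callers expect a boolean. A value no forum_id can take — a negative one, as the PAGE_* constants above already use — avoids the collision. Commenting out the user-level `ADMIN`/`SUPERMOD` defines and redefining them under Auth settings with different values (5 and 4 instead of 4 and 3) silently changes any remaining `user_level == ADMIN` comparison elsewhere; if both meanings are needed, the auth levels should get their own names (e.g. an `AUTH_` prefix) rather than reusing these. The bare, unquoted names in `define(ALL, 0);` and the rest rely on PHP's undefined-constant-to-string fallback; quoting them as the table-name defines below do would be consistent and robust.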
@ -77,6 +77,54 @@ function get_db_stat($mode)
|
|||
}
|
||||
}
|
||||
|
||||
function get_userdata_from_id($userid)
|
||||
{
|
||||
global $db;
|
||||
|
||||
$sql = "SELECT *
|
||||
FROM ".USERS_TABLE."
|
||||
WHERE user_id = $userid";
|
||||
if(!$result = $db->sql_query($sql))
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
return ($userdata);
|
||||
}
|
||||
if($db->sql_numrows($result))
|
||||
{
|
||||
$myrow = $db->sql_fetchrowset($result);
|
||||
return($myrow[0]);
|
||||
}
|
||||
else
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
return ($userdata);
|
||||
}
|
||||
}
|
||||
|
||||
function get_userdata($username) {
|
||||
|
||||
global $db;
|
||||
|
||||
$sql = "SELECT *
|
||||
FROM ".USERS_TABLE."
|
||||
WHERE username = '$username'
|
||||
AND user_level != ".DELETED;
|
||||
if(!$result = $db->sql_query($sql))
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
}
|
||||
|
||||
if($db->sql_numrows($result))
|
||||
{
|
||||
$myrow = $db->sql_fetchrowset($result);
|
||||
return($myrow[0]);
|
||||
}
|
||||
else
|
||||
{
|
||||
$userdata = array("error" => "1");
|
||||
return ($userdata);
|
||||
}
|
||||
}
|
||||
|
||||
function make_jumpbox()
|
||||
{
|
||||
|
@ -245,12 +293,15 @@ function generate_activation_key()
|
|||
return($act_key_md);
|
||||
}
|
||||
|
||||
|
||||
function encode_ip($dotquad_ip)
|
||||
{
|
||||
$ip_sep = explode(".", $dotquad_ip);
|
||||
return (sprintf("%02x%02x%02x%02x", $ip_sep[0], $ip_sep[1], $ip_sep[2], $ip_sep[3]));
|
||||
|
||||
// $ip_p = (!empty($dotquad_proxy_ip)) ? explode(".", $dotquad_proxy_ip) : explode(".", "0.0.0.0");
|
||||
|
||||
// return (sprintf("%03d.%03d.%03d.%03d:%03d.%03d.%03d.%03d", $ip[0], $ip[1], $ip[2], $ip[3], $ip_p[0], $ip_p[1], $ip_p[2], $ip_p[3]));
|
||||
|
||||
// return (( $ip_sep[0] * 0xFFFFFF + $ip_sep[0] ) + ( $ip_sep[1] * 0xFFFF + $ip_sep[1] ) + ( $ip_sep[2] * 0xFF + $ip_sep[2] ) + ( $ip_sep[3] ) );
|
||||
}
|
||||
|
||||
|
@ -259,8 +310,8 @@ function decode_ip($int_ip)
|
|||
$hexipbang = explode(".",chunk_split($int_ip, 2, "."));
|
||||
return hexdec($hexipbang[0]).".".hexdec($hexipbang[1]).".".hexdec($hexipbang[2]).".".hexdec($hexipbang[3]);
|
||||
|
||||
// list($ip['remote'], $ip['forwarded']) = explode(":", $c_ip);
|
||||
// return sprintf( "%d.%d.%d.%d", ( ( $int_ip >> 24 ) & 0xFF ), ( ( $int_ip >> 16 ) & 0xFF ), ( ( $int_ip >> 8 ) & 0xFF ), ( ( $int_ip ) & 0xFF ) );
|
||||
|
||||
}
|
||||
|
||||
//
|
||||
|
@ -345,11 +396,11 @@ function generate_pagination($base_url, $num_items, $per_page, $start_item, $add
|
|||
{
|
||||
if($on_page > 1)
|
||||
{
|
||||
$page_string = "<a href=\"".append_sid($base_url."&start=".(($on_page-2) * $per_page))."\">Previous</a> : " . $page_string;
|
||||
$page_string = " <a href=\"".append_sid($base_url."&start=".(($on_page-2) * $per_page))."\">Previous</a> " . $page_string;
|
||||
}
|
||||
if($on_page < $total_pages)
|
||||
{
|
||||
$page_string .= " : <a href=\"".append_sid($base_url."&start=".($on_page * $per_page))."\">Next</a>";
|
||||
$page_string .= " <a href=\"".append_sid($base_url."&start=".($on_page * $per_page))."\">Next</a>";
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
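Review bot: In `get_userdata()` the failed-query branch only assigns `$userdata = array("error" => "1");` and falls through, so `$db->sql_numrows($result)` on the next statement is called with a false result; the sibling `get_userdata_from_id()` returns in that branch and this one should too: `return ($userdata);`. Both queries interpolate their argument directly (`WHERE user_id = $userid`, `WHERE username = '$username'`); the code was moved here unchanged, but `$userid` could at least be cast with intval() and `$username` escaped with whatever the db layer provides before interpolation, since these helpers will be fed login input. `encode_ip()` indexes `$ip_sep[0]`..`[3]` without checking that explode() produced four parts, so a malformed address yields notices and a silently padded encoding rather than an error.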
@ -56,10 +56,11 @@ init_userprefs($userdata);
|
|||
//
|
||||
if(isset($forum_id))
|
||||
{
|
||||
$sql = "SELECT f.forum_type, f.forum_name, f.forum_topics, u.username, u.user_id
|
||||
FROM ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u
|
||||
$sql = "SELECT f.forum_type, f.forum_name, f.forum_topics, u.username, u.user_id, fa.*
|
||||
FROM ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u, ".AUTH_FORUMS_TABLE." fa
|
||||
WHERE f.forum_id = $forum_id
|
||||
AND fm.forum_id = $forum_id
|
||||
AND fa.forum_id = f.forum_id
|
||||
AND fm.forum_id = f.forum_id
|
||||
AND u.user_id = fm.user_id";
|
||||
}
|
||||
else
|
||||
|
@ -78,22 +79,41 @@ if(!$total_rows = $db->sql_numrows($result))
|
|||
error_die(GENERAL_ERROR, "The forum you selected does not exist. Please go back and try again.");
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Start auth check
|
||||
//
|
||||
|
||||
//
|
||||
// End of auth check
|
||||
//
|
||||
|
||||
|
||||
$forum_row = $db->sql_fetchrowset($result);
|
||||
if(!$forum_row)
|
||||
{
|
||||
error_die(SQL_QUERY, "Couldn't obtain rowset.", __LINE__, __FILE__);
|
||||
}
|
||||
|
||||
//
|
||||
// Start auth check
|
||||
//
|
||||
$is_auth = auth(READ, $forum_id, $userdata, $forum_row['0']['auth_read']);
|
||||
|
||||
if(!$is_auth)
|
||||
{
|
||||
//
|
||||
// Ooopss, user is not authed
|
||||
// to read this forum ...
|
||||
//
|
||||
include('includes/page_header.'.$phpEx);
|
||||
|
||||
$msg = "I am sorry but you are not currently authorised to read this forum. You could try logging on and trying again. If you are logged on then this is a private forum for which you have not been granted access.";
|
||||
|
||||
$template->set_filenames(array(
|
||||
"reg_header" => "error_body.tpl"
|
||||
));
|
||||
$template->assign_vars(array(
|
||||
"ERROR_MESSAGE" => $msg
|
||||
));
|
||||
$template->pparse("reg_header");
|
||||
|
||||
include('includes/page_tail.'.$phpEx);
|
||||
}
|
||||
//
|
||||
// End of auth check
|
||||
//
|
||||
|
||||
$forum_name = stripslashes($forum_row[0]['forum_name']);
|
||||
if(empty($HTTP_POST_VARS['postdays']))
|
||||
{
|
||||
|
|
|
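Review bot: The denied branch after `$is_auth = auth(READ, $forum_id, $userdata, $forum_row['0']['auth_read']);` renders the error body and includes page_tail but never stops the script, so unless includes/page_tail.php terminates execution itself (not visible here) the code falls through to `$forum_name = stripslashes(...)` and the rest of the forum page for a user who was just refused. Add `exit;` after `include('includes/page_tail.'.$phpEx);` so the check fails closed; the identical block in the viewtopic section below has the same gap. Joining `AUTH_FORUMS_TABLE` with `fa.forum_id = f.forum_id` also means a forum with no auth_forums row now triggers the "does not exist" error instead of a denial — presumably intended, but worth a comment at the query so it is not mistaken for a bug later.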
@ -138,10 +138,11 @@ else
|
|||
$count_sql = (!isset($post_id)) ? "" : ", COUNT(p2.post_id) AS prev_posts";
|
||||
$order_sql = (!isset($post_id)) ? "" : "GROUP BY fm.user_id, p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, f.forum_type, f.forum_name, f.forum_id, u.username, u.user_id ORDER BY p.post_id ASC";
|
||||
|
||||
$sql = "SELECT t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, f.forum_type, f.forum_name, f.forum_id, u.username, u.user_id".$count_sql."
|
||||
FROM $join_sql_table ".TOPICS_TABLE." t, ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u
|
||||
$sql = "SELECT t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, f.forum_type, f.forum_name, f.forum_id, u.username, u.user_id, fa.auth_read".$count_sql."
|
||||
FROM $join_sql_table ".TOPICS_TABLE." t, ".FORUMS_TABLE." f, ".FORUM_MODS_TABLE." fm, ".USERS_TABLE." u, ".AUTH_FORUMS_TABLE." fa
|
||||
WHERE $join_sql
|
||||
AND f.forum_id = t.forum_id
|
||||
AND fa.forum_id = f.forum_id
|
||||
AND fm.forum_id = t.forum_id
|
||||
AND u.user_id = fm.user_id
|
||||
$order_sql";
|
||||
|
@ -209,6 +210,36 @@ init_userprefs($userdata);
|
|||
// End session management
|
||||
//
|
||||
|
||||
//
|
||||
// Start auth check
|
||||
//
|
||||
$is_auth = auth(READ, $forum_id, $userdata, $forum_row[0]['auth_read']);
|
||||
|
||||
if(!$is_auth)
|
||||
{
|
||||
//
|
||||
// Ooopss, user is not authed
|
||||
// to read this forum ...
|
||||
//
|
||||
include('includes/page_header.'.$phpEx);
|
||||
|
||||
$msg = "I am sorry but you are not currently authorised to read this forum. You could try logging on and trying again. If you are logged on then this is a private forum for which you have not been granted access.";
|
||||
|
||||
$template->set_filenames(array(
|
||||
"reg_header" => "error_body.tpl"
|
||||
));
|
||||
$template->assign_vars(array(
|
||||
"ERROR_MESSAGE" => $msg
|
||||
));
|
||||
$template->pparse("reg_header");
|
||||
|
||||
include('includes/page_tail.'.$phpEx);
|
||||
}
|
||||
//
|
||||
// End auth check
|
||||
//
|
||||
|
||||
|
||||
for($x = 0; $x < $total_rows; $x++)
|
||||
{
|
||||
$moderators[] = array("user_id" => $forum_row[$x]['user_id'],
|
||||
|
@ -219,14 +250,6 @@ for($x = 0; $x < $total_rows; $x++)
|
|||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Start auth check
|
||||
//
|
||||
|
||||
//
|
||||
// End auth check
|
||||
//
|
||||
|
||||
//
|
||||
// Get next and previous topic_id's
|
||||
//
|
||||
|
|
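Review bot: `fa.auth_read` is added to the SELECT list but not to the `GROUP BY` in `$order_sql`, so when `$post_id` is set the query reads a non-aggregated column outside the grouping, which strict SQL modes reject; append `, fa.auth_read` to the GROUP BY list (after `u.user_id`). `$forum_row[0]['auth_read']` is read in the auth check, so `$forum_row` must be populated from this query before that point — the fetch is outside the hunk, so confirm the ordering. The denied branch here has the same missing `exit;` noted on the viewforum section.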