diff --git a/phpBB/common.php b/phpBB/common.php index 1c2668e750..1e319901aa 100644 --- a/phpBB/common.php +++ b/phpBB/common.php @@ -72,11 +72,4 @@ else include('language/lang_'.$default_lang.'.'.$phpEx); -// -// Initialise session stuff -// See file for more details ... -// - -$userdata = session_pagestart($db, $user_ip, $session_length); - ?> diff --git a/phpBB/functions/functions.php b/phpBB/functions/functions.php index cc387ecde0..6345630813 100644 --- a/phpBB/functions/functions.php +++ b/phpBB/functions/functions.php @@ -178,6 +178,101 @@ function theme_select($default, $db) return($theme_select); } +// +// Initialise user settings on page load +// +function init_userprefs($userdata) +{ + + global $override_user_theme; + global $bgcolor, $table_bgcolor, $textcolor, $category_title, $table_header; + global $color1, $color2, $header_image, $newtopic_image; + global $reply_locked_image, $reply_image, $linkcolor, $vlinkcolor; + global $default_lang, $date_format, $sys_timezone; + + if(!$override_user_theme) + { + if($userdata['user_id'] != ANONYMOUS || $userdata['user_id'] != DELETED) + { + $theme = setuptheme($userdata["user_theme"]); + } + else + { + $theme = setuptheme($default_theme); + } + } + else + { + $theme = setuptheme($override_user_theme); + } + if($theme) + { + $bgcolor = $theme["bgcolor"]; + $table_bgcolor = $theme["table_bgcolor"]; + $textcolor = $theme["textcolor"]; + $category_title = $theme["category_title"]; + $table_header = $theme["table_header"]; + $color1 = $theme["color1"]; + $color2 = $theme["color2"]; + $header_image = $theme["header_image"]; + $newtopic_image = $theme["newtopic_image"]; + $reply_locked_image = $theme["reply_locked_image"]; + $reply_image = $theme["reply_image"]; + $linkcolor = $theme["linkcolor"]; + $vlinkcolor = $theme["vlinkcolor"]; + } + if($userdata["user_lang"] != "") + { + $default_lang = $userdata["user_lang"]; + } + if($userdata["user_dateformat"] != "") + { + $date_format = $userdata["user_dateformat"]; + } + if($userdata["user_timezone"]) + { + $sys_timezone = $userdata["user_timezone"]; + } + + // Include the appropriate language file ... if it exists. + if(!strstr($PHP_SELF, "admin")) + { + if(file_exists('language/lang_'.$default_lang.'.'.$phpEx)) + { + include('language/lang_'.$default_lang.'.'.$phpEx); + } + } + else + { + if(strstr($PHP_SELF, "topicadmin")) + { + include('language/lang_'.$default_lang.'.'.$phpEx); + } + else + { + include('../language/lang_'.$default_lang.'.'.$phpEx); + } + } + + return; + +} +function setuptheme($theme) +{ + global $db; + + $sql = "SELECT * + FROM ".THEMES_TABLE." + WHERE theme_id = '$theme'"; + if(!$result = $db->sql_query($sql)) + return(0); + + if(!$myrow = $db->sql_fetchrow($result)) + return(0); + + return($myrow); +} + function tz_select($default) { global $board_tz; diff --git a/phpBB/functions/sessions.php b/phpBB/functions/sessions.php index 934f3e725f..01b5e8b7be 100644 --- a/phpBB/functions/sessions.php +++ b/phpBB/functions/sessions.php @@ -27,9 +27,10 @@ // Adds/updates a new session to the database for the given userid. // Returns the new session ID on success. // -function session_begin($db, $user_id, $user_ip, $session_length, $login = 0, $password = "") +function session_begin($user_id, $user_ip, $page_id, $session_length, $login = 0, $password = "") { + global $db; global $cookiename, $cookiedomain, $cookiepath, $cookiesecure, $cookielife; global $HTTP_COOKIE_VARS; @@ -37,52 +38,79 @@ function session_begin($db, $user_id, $user_ip, $session_length, $login = 0, $pa $expiry_time = $current_time - $session_length; $int_ip = encode_ip($user_ip); - if($user_id == ANONYMOUS) - { - $login = 0; - } - - $sql = "UPDATE ".SESSIONS_TABLE." - SET session_user_id = $user_id, session_time = $current_time, session_logged_in = $login - WHERE (session_id = ".$HTTP_COOKIE_VARS[$cookiename]['sessionid'].") - AND (session_ip = $int_ip)"; + // + // Initial ban check against IP and userid + // + $sql = "SELECT ban_ip, ban_userid + FROM ".BANLIST_TABLE." + WHERE (ban_ip = '$int_ip' OR ban_userid = '$user_id') + AND (ban_start < $current_time AND ban_end > $current_time )"; $result = $db->sql_query($sql); - if(!$result || !$db->sql_affectedrows()) + if (!$result) { - mt_srand( (double) microtime() * 1000000); - $session_id = mt_rand(); - - $sql = "INSERT INTO ".SESSIONS_TABLE." - (session_id, session_user_id, session_time, session_ip, session_logged_in) - VALUES - ($session_id, $user_id, $current_time, $int_ip, $login)"; - $result = $db->sql_query($sql); - if(!$result) - { - if(DEBUG) - { - error_die($db, GENERAL_ERROR, "Error creating new session : session_pagestart"); - } - else - { - error_die($db, SESSION_CREATE); - } - } + error_die(QUERY_ERROR, "Couldn't obtain ban information.", __LINE__, __FILE__); + } + $ban_info = $db->sql_fetchrow($result); - setcookie($cookiename."[sessionid]", $session_id, $session_length, "", "", ""); + // + // Check for user and ip ban ... + // + if($ban_info['ban_ip'] || $ban_info['ban_userid']) + { + error_die(AUTH_BANNED); } else { - $session_id = $HTTP_COOKIE_VARS[$cookiename]['sessionid']; - } + if($user_id == ANONYMOUS) + { + $login = 0; + } + + $sql = "UPDATE ".SESSIONS_TABLE." + SET session_user_id = $user_id, session_time = $current_time, session_page = $page_id, session_logged_in = $login + WHERE (session_id = ".$HTTP_COOKIE_VARS[$cookiename]['sessionid'].") + AND (session_ip = '$int_ip')"; + + $result = $db->sql_query($sql); + + if(!$result || !$db->sql_affectedrows()) + { + mt_srand( (double) microtime() * 1000000); + $session_id = mt_rand(); + + $sql = "INSERT INTO ".SESSIONS_TABLE." + (session_id, session_user_id, session_time, session_ip, session_page, session_logged_in) + VALUES + ($session_id, $user_id, $current_time, '$int_ip', $page_id, $login)"; + $result = $db->sql_query($sql); + if(!$result) + { + if(DEBUG) + { + error_die($db, GENERAL_ERROR, "Error creating new session : session_begin"); + } + else + { + error_die($db, SESSION_CREATE); + } + } + + setcookie($cookiename."[sessionid]", $session_id, $session_length); + } + else + { + $session_id = $HTTP_COOKIE_VARS[$cookiename]['sessionid']; + } + + if(!empty($password) && AUTOLOGON) + { + setcookie($cookiename."[useridref]", $password, $cookielife); + } + setcookie($cookiename."[userid]", $user_id, $cookielife); + setcookie($cookiename."[sessionstart]", $current_time, $cookielife); + setcookie($cookiename."[sessiontime]", $current_time, $session_length); - if(!empty($password) && AUTOLOGON) - { - setcookie($cookiename."[useridref]", $password, $cookielife, "", "", ""); } - setcookie($cookiename."[userid]", $user_id, $cookielife, "", "", ""); - setcookie($cookiename."[sessionstart]", $current_time, $cookielife, "", "", ""); - setcookie($cookiename."[sessiontime]", $current_time, $session_length, "", "", ""); return $session_id; @@ -93,14 +121,13 @@ function session_begin($db, $user_id, $user_ip, $session_length, $login = 0, $pa // Checks for a given user session, tidies session // table and updates user sessions at each page refresh // -function session_pagestart($db, $user_ip, $session_length) +function session_pagestart($user_ip, $thispage_id, $session_length) { - + global $db; global $cookiename, $cookiedomain, $cookiepath, $cookiesecure, $cookielife; global $HTTP_COOKIE_VARS; unset($userdata); - $current_time = time(); $int_ip = encode_ip($user_ip); @@ -132,9 +159,9 @@ function session_pagestart($db, $user_ip, $session_length) $userid = $HTTP_COOKIE_VARS[$cookiename]['userid']; $sql = "SELECT u.*, s.session_id, s.session_time, s.session_logged_in, b.ban_ip, b.ban_userid FROM ".USERS_TABLE." u - LEFT JOIN ".BANLIST_TABLE." b ON ( (b.ban_ip = $int_ip OR b.ban_userid = u.user_id) + LEFT JOIN ".BANLIST_TABLE." b ON ( (b.ban_ip = '$int_ip' OR b.ban_userid = u.user_id) AND ( b.ban_start < $current_time AND b.ban_end > $current_time ) ) - LEFT JOIN ".SESSIONS_TABLE." s ON ( u.user_id = s.session_user_id AND s.session_ip = $int_ip ) + LEFT JOIN ".SESSIONS_TABLE." s ON ( u.user_id = s.session_user_id AND s.session_ip = '$int_ip' ) WHERE u.user_id = $userid"; $result = $db->sql_query($sql); if (!$result) @@ -180,9 +207,9 @@ function session_pagestart($db, $user_ip, $session_length) { $sql = "UPDATE ".SESSIONS_TABLE." - SET session_time = '$current_time' + SET session_time = '$current_time', session_page = '$thispage_id' WHERE (session_id = ".$userdata['session_id'].") - AND (session_ip = $int_ip) + AND (session_ip = '$int_ip') AND (session_user_id = ".$userdata['user_id'].")"; $result = $db->sql_query($sql); if(!$result) @@ -202,7 +229,7 @@ function session_pagestart($db, $user_ip, $session_length) // Update was success, send current time to cookie // and return userdata // - setcookie($cookiename."[sessiontime]", $current_time, $session_length, "", "", ""); + setcookie($cookiename."[sessiontime]", $current_time, $session_length); return $userdata; } // if (affectedrows) @@ -247,7 +274,7 @@ function session_pagestart($db, $user_ip, $session_length) $password = ""; $userdata['session_logged_in'] = 0; } - $result = session_begin($db, $userdata['user_id'], $user_ip, $session_length, $autologon, $password); + $result = session_begin($userdata['user_id'], $user_ip, $thispage_id, $session_length, $autologon, $password); if(!$result) { if(DEBUG) @@ -266,53 +293,21 @@ function session_pagestart($db, $user_ip, $session_length) // // No userid cookie exists so we'll - // check for an IP ban and set up - // a new anonymous session + // set up a new anonymous session // - $int_ip = encode_ip($user_ip); - $sql = "SELECT ban_ip - FROM ".BANLIST_TABLE." - WHERE ban_ip = $int_ip"; - $result = $db->sql_query($sql); - if (!$result) + $result = session_begin(ANONYMOUS, $user_ip, $thispage_id, $session_length, 0); + if(!$result) { if(DEBUG) { - error_die($db, GENERAL_ERROR, "Error doing DB query non-userid ban_ip row fetch : session_pagestart"); + error_die($db, GENERAL_ERROR, "Error creating anonymous session : session_pagestart"); } else { error_die($db, SESSION_CREATE); } } - $banned_ip = $db->sql_fetchrow($result); - - // - // Check for user and ip ban ... - // - if($banned_ip['ban_ip']) - { - error_die($db, BANNED); - } - else - { - - $result = session_begin($db, ANONYMOUS, $user_ip, $session_length); - if(!$result) - { - if(DEBUG) - { - error_die($db, GENERAL_ERROR, "Error creating anonymous session : session_pagestart"); - } - else - { - error_die($db, SESSION_CREATE); - } - } - $userdata['session_logged_in'] = 0; - - } - + $userdata['session_logged_in'] = 0; } return $userdata; diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 1c51163eb4..f0644b04e9 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -72,6 +72,16 @@ define(POST_USERS_URL, 'u'); // Session parameters define(AUTOLOGON, 0); +// Page numbers for session handling +define(PAGE_INDEX, 0); +define(PAGE_LOGIN, -1); +define(PAGE_SEARCH, -2); +define(PAGE_REGISTER, -3); +define(PAGE_PROFILE, -4); +define(PAGE_VIEWONLINE, -6); +define(PAGE_VIEWMEMBERS, -7); +define(PAGE_FAQ, -8); + define('BANLIST_TABLE', $table_prefix.'banlist'); define('CATEGORIES_TABLE', $table_prefix.'categories'); define('CONFIG_TABLE', $table_prefix.'config'); diff --git a/phpBB/index.php b/phpBB/index.php index 3479835749..b8cea3e80c 100644 --- a/phpBB/index.php +++ b/phpBB/index.php @@ -27,6 +27,15 @@ include('common.'.$phpEx); $pagetype = "index"; $page_title = "Forum Index"; +// +// Start session management +// +$userdata = session_pagestart($user_ip, PAGE_INDEX, $session_length); +init_userprefs($userdata); +// +// End session management +// + $total_posts = get_db_stat($db, 'postcount'); $total_users = get_db_stat($db, 'usercount'); $newest_userdata = get_db_stat($db, 'newestuser'); diff --git a/phpBB/login.php b/phpBB/login.php index 1c8d4207c6..789a9f8e04 100644 --- a/phpBB/login.php +++ b/phpBB/login.php @@ -45,7 +45,7 @@ if(isset($HTTP_POST_VARS['submit']) || isset($HTTP_GET_VARS['submit'])) { if(md5($password) == $rowresult["user_password"]) { - $session_id = session_begin($db, $rowresult["user_id"], $user_ip, $session_length, 1, $rowresult["user_password"]); + $session_id = session_begin($rowresult["user_id"], $user_ip, PAGE_INDEX, $session_length, 1, $rowresult["user_password"]); if($session_id) { header("Location: index.$phpEx"); diff --git a/phpBB/profile.php b/phpBB/profile.php index ea8fa05285..0fea4b54a2 100644 --- a/phpBB/profile.php +++ b/phpBB/profile.php @@ -25,6 +25,15 @@ include('extension.inc'); include('common.'.$phpEx); +// +// Start session management +// +$userdata = session_pagestart($user_ip, PAGE_PROFILE, $session_length); +init_userprefs($userdata); +// +// End session management +// + switch($mode) { case 'viewprofile': diff --git a/phpBB/viewforum.php b/phpBB/viewforum.php index b631cc8d55..9f8043c561 100644 --- a/phpBB/viewforum.php +++ b/phpBB/viewforum.php @@ -23,9 +23,31 @@ include('extension.inc'); include('common.'.$phpEx); +// +// Obtain which forum id is required +// +if(!isset($HTTP_GET_VARS['forum']) && !isset($HTTP_POST_VARS['forum'])) // For backward compatibility +{ + $forum_id = ($HTTP_GET_VARS[POST_FORUM_URL]) ? $HTTP_GET_VARS[POST_FORUM_URL] : $HTTP_POST_VARS[POST_FORUM_URL]; +} +else +{ + $forum_id = ($HTTP_GET_VARS['forum']) ? $HTTP_GET_VARS['forum'] : $HTTP_POST_VARS['forum']; +} + $pagetype = "viewforum"; $page_title = "View Forum - $forum_name"; +// +// Start session management +// +$userdata = session_pagestart($user_ip, $forum_id, $session_length); +init_userprefs($userdata); +// +// End session management +// + + // Check if the user has acutally sent a forum ID with his/her request // If not give them a nice error page. if(isset($forum_id)) diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index a88bb6b215..36b85407d9 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php @@ -60,6 +60,16 @@ $forum_row = $db->sql_fetchrowset($result); $topic_title = $forum_row[0]["topic_title"]; $forum_id = $forum_row[0]["forum_id"]; $forum_name = stripslashes($forum_row[0]["forum_name"]); + +// +// Start session management +// +$userdata = session_pagestart($user_ip, $forum_id, $session_length); +init_userprefs($userdata); +// +// End session management +// + for($x = 0; $x < $total_rows; $x++) { $moderators[] = array("user_id" => $forum_row[$x]["user_id"],