ammended mod authentication system (no more $_SESSION)
This commit is contained in:
parent
313012f034
commit
c1be29ce35
111
inc/mod.php
111
inc/mod.php
@ -5,13 +5,24 @@
|
|||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Creates a small random string for validating moderators' cookies
|
// create a hash/salt pair for validate logins
|
||||||
function mkhash($length=12) {
|
function mkhash($username, $password, $salt = false) {
|
||||||
// The method here isn't really important,
|
global $config;
|
||||||
// but I think this generates a relatively
|
|
||||||
// unique string that looks cool.
|
if(!$salt) {
|
||||||
// If you choose to change this, make sure it cannot include a ':' character.
|
// create some sort of salt for the hash
|
||||||
return substr(base64_encode(sha1(rand() . time(), true)), 0, $length);
|
$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
|
||||||
|
|
||||||
|
$generated_salt = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// generate hash (method is not important as long as it's strong)
|
||||||
|
$hash = substr(base64_encode(md5($username . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20);
|
||||||
|
|
||||||
|
if(isset($generated_salt))
|
||||||
|
return Array($hash, $salt);
|
||||||
|
else
|
||||||
|
return $hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
function hasPermission($action = null, $board = null, $_mod = null) {
|
function hasPermission($action = null, $board = null, $_mod = null) {
|
||||||
@ -52,8 +63,7 @@
|
|||||||
'id' => $user['id'],
|
'id' => $user['id'],
|
||||||
'type' => $user['type'],
|
'type' => $user['type'],
|
||||||
'username' => $username,
|
'username' => $username,
|
||||||
'password' => $password,
|
'hash' => mkhash($username, $password),
|
||||||
'hash' => isset($_SESSION['mod']['hash']) ? $_SESSION['mod']['hash'] : mkhash(),
|
|
||||||
'boards' => explode(',', $user['boards'])
|
'boards' => explode(',', $user['boards'])
|
||||||
);
|
);
|
||||||
} else return false;
|
} else return false;
|
||||||
@ -61,26 +71,22 @@
|
|||||||
|
|
||||||
function setCookies() {
|
function setCookies() {
|
||||||
global $mod, $config;
|
global $mod, $config;
|
||||||
if(!$mod) error('setCookies() was called for a non-moderator!');
|
if(!$mod)
|
||||||
|
error('setCookies() was called for a non-moderator!');
|
||||||
|
|
||||||
// $config['cookies']['mod'] contains username:hash
|
setcookie($config['cookies']['mod'],
|
||||||
setcookie($config['cookies']['mod'], $mod['username'] . ':' . $mod['hash'], time()+$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true);
|
$mod['username'] . // username
|
||||||
|
':' .
|
||||||
// Put $mod in the session
|
$mod['hash'][0] . // password
|
||||||
$_SESSION['mod'] = $mod;
|
':' .
|
||||||
|
$mod['hash'][1], // salt
|
||||||
// Lock sessions to IP addresses
|
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
|
||||||
if($config['mod']['lock_ip'])
|
|
||||||
$_SESSION['mod']['ip'] = $_SERVER['REMOTE_ADDR'];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function destroyCookies() {
|
function destroyCookies() {
|
||||||
global $config;
|
global $config;
|
||||||
// Delete the cookies
|
// Delete the cookies
|
||||||
setcookie($config['cookies']['mod'], 'deleted', time()-$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true);
|
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, false, true);
|
||||||
|
|
||||||
// Unset the session
|
|
||||||
unset($_SESSION['mod']);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function create_pm_header() {
|
function create_pm_header() {
|
||||||
@ -112,33 +118,6 @@
|
|||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
}
|
}
|
||||||
|
|
||||||
if(isset($_COOKIE[$config['cookies']['mod']]) && isset($_SESSION['mod']) && is_array($_SESSION['mod'])) {
|
|
||||||
// Should be username:session hash
|
|
||||||
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
|
|
||||||
if(count($cookie) != 2) {
|
|
||||||
destroyCookies();
|
|
||||||
error($config['error']['malformed']);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Validate session
|
|
||||||
if( $cookie[0] != $_SESSION['mod']['username'] ||
|
|
||||||
$cookie[1] != $_SESSION['mod']['hash']) {
|
|
||||||
// Malformed cookies
|
|
||||||
destroyCookies();
|
|
||||||
error($config['error']['malformed']);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Open connection
|
|
||||||
sql_open();
|
|
||||||
|
|
||||||
// Check username/password
|
|
||||||
if(!login($_SESSION['mod']['username'], $_SESSION['mod']['password'], false)) {
|
|
||||||
destroyCookies();
|
|
||||||
error($config['error']['invalidafter']);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
// Generates a <ul> element with a list of linked
|
// Generates a <ul> element with a list of linked
|
||||||
// boards and their subtitles. (without the <ul> opening and ending tags)
|
// boards and their subtitles. (without the <ul> opening and ending tags)
|
||||||
function ulBoards() {
|
function ulBoards() {
|
||||||
@ -288,4 +267,34 @@
|
|||||||
//}
|
//}
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
|
||||||
|
// Validate session
|
||||||
|
|
||||||
|
if(isset($_COOKIE[$config['cookies']['mod']])) {
|
||||||
|
// Should be username:hash:salt
|
||||||
|
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
|
||||||
|
if(count($cookie) != 3) {
|
||||||
|
destroyCookies();
|
||||||
|
error($config['error']['malformed']);
|
||||||
|
}
|
||||||
|
|
||||||
|
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1");
|
||||||
|
$query->bindValue(':username', $cookie[0]);
|
||||||
|
$query->execute() or error(db_error($query));
|
||||||
|
$user = $query->fetch();
|
||||||
|
|
||||||
|
// validate password hash
|
||||||
|
if($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) {
|
||||||
|
// Malformed cookies
|
||||||
|
destroyCookies();
|
||||||
|
error($config['error']['malformed']);
|
||||||
|
}
|
||||||
|
|
||||||
|
$mod = Array(
|
||||||
|
'id' => $user['id'],
|
||||||
|
'type' => $user['type'],
|
||||||
|
'username' => $cookie[0],
|
||||||
|
'boards' => explode(',', $user['boards'])
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
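Review bot: In the new cookie-validation block at the end of inc/mod.php, `$user = $query->fetch();` is used without checking for a miss, so a cookie naming an unknown username runs `mkhash($cookie[0], $user['password'], $cookie[2])` against a null password instead of being rejected; add `if(!$user) { destroyCookies(); error($config['error']['malformed']); }` before the hash comparison. The comparison itself should be strict and constant-time, `if(!hash_equals(mkhash($cookie[0], $user['password'], $cookie[2]), $cookie[1]))`, since `!=` is a loose comparison and an early-exit string compare. The salt generated in mkhash comes from `rand() . time()`, which is predictable rather than a cryptographic source; `random_bytes()` (or `openssl_random_pseudo_bytes()` on older PHP) is the appropriate input there. Note also that with the `$_SESSION` copy gone, `destroyCookies()` only clears the browser's copy, so a cookie that has been captured stays valid after logout until that moderator's password changes.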
16
mod.php
16
mod.php
@ -171,8 +171,8 @@
|
|||||||
if($mod['type'] >= ADMIN && $config['check_updates']) {
|
if($mod['type'] >= ADMIN && $config['check_updates']) {
|
||||||
if(!$config['version'])
|
if(!$config['version'])
|
||||||
error('Could not find current version! (Check .installed)');
|
error('Could not find current version! (Check .installed)');
|
||||||
if(isset($_SESSION['update']) && time() - $_SESSION['update']['time'] < $config['check_updates_time']) {
|
if(isset($_COOKIE['update'])) {
|
||||||
$latest = unserialize($_SESSION['update']['latest']);
|
$latest = unserialize($_COOKIE['update']);
|
||||||
} else {
|
} else {
|
||||||
$ctx = stream_context_create(array(
|
$ctx = stream_context_create(array(
|
||||||
'http' => array(
|
'http' => array(
|
||||||
@ -208,7 +208,9 @@
|
|||||||
// TODO: Display some sort of warning message
|
// TODO: Display some sort of warning message
|
||||||
$latest = false;
|
$latest = false;
|
||||||
}
|
}
|
||||||
$_SESSION['update'] = Array('time' => time(), 'latest' => serialize($latest));
|
|
||||||
|
|
||||||
|
setcookie('update', serialize($latest), time() + $config['check_updates_time'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
if($latest) {
|
if($latest) {
|
||||||
@ -236,8 +238,7 @@
|
|||||||
'title'=>_('Dashboard'),
|
'title'=>_('Dashboard'),
|
||||||
'body'=>$body,
|
'body'=>$body,
|
||||||
'__mod'=>true
|
'__mod'=>true
|
||||||
)
|
));
|
||||||
);
|
|
||||||
} elseif(preg_match('/^\/logout$/', $query)) {
|
} elseif(preg_match('/^\/logout$/', $query)) {
|
||||||
destroyCookies();
|
destroyCookies();
|
||||||
|
|
||||||
@ -1221,6 +1222,9 @@
|
|||||||
|
|
||||||
if($_mod['id'] == $mod['id']) {
|
if($_mod['id'] == $mod['id']) {
|
||||||
// Changed own password. Update cookies
|
// Changed own password. Update cookies
|
||||||
|
|
||||||
|
login($mod['username'], $_POST['password']);
|
||||||
|
|
||||||
setCookies();
|
setCookies();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2248,7 +2252,7 @@
|
|||||||
|
|
||||||
openBoard($targetBoard);
|
openBoard($targetBoard);
|
||||||
foreach($replies as &$post) {
|
foreach($replies as &$post) {
|
||||||
var_dump(post($post, false));
|
post($post, false);
|
||||||
if($post['has_file']) {
|
if($post['has_file']) {
|
||||||
$clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']);
|
$clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']);
|
||||||
$clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']);
|
$clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']);
|
||||||
|
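Review bot: The replacement for the session-based update cache deserialises client-controlled data: `$latest = unserialize($_COOKIE['update']);` accepts any serialized payload the browser sends, which can instantiate arbitrary classes (object injection), whereas the removed `$_SESSION['update']` version only ever unserialised a server-side value. Store the cache in a format that cannot carry objects, e.g. `setcookie('update', json_encode($latest), ...)` and `$latest = json_decode($_COOKIE['update'], true);`, or keep it server-side. The `time() - $_SESSION['update']['time'] < $config['check_updates_time']` freshness check has also been dropped, so staleness is now enforced only by the cookie expiry as far as the client honours it. The enclosing `if($mod['type'] >= ADMIN ...)` block continues past the hunk.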
12
post.php
12
post.php
@ -164,17 +164,6 @@
|
|||||||
if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER']))
|
if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER']))
|
||||||
error($config['error']['referer']);
|
error($config['error']['referer']);
|
||||||
|
|
||||||
// TODO: Since we're now using static HTML files, we can't give them cookies on their first page view
|
|
||||||
// Find another anti-spam method.
|
|
||||||
|
|
||||||
/*
|
|
||||||
// Check if he has a valid cookie.
|
|
||||||
if(!$user['valid']) error($config['error']['bot']);
|
|
||||||
|
|
||||||
// Check how long he has been here.
|
|
||||||
if(time()-$user['appeared']<LURKTIME) error(ERROR_LURK);
|
|
||||||
*/
|
|
||||||
|
|
||||||
checkDNSBL();
|
checkDNSBL();
|
||||||
|
|
||||||
// Check if board exists
|
// Check if board exists
|
||||||
@ -597,6 +586,7 @@
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
rebuildThemes('post');
|
rebuildThemes('post');
|
||||||
header('Location: ' . $redirect, true, $config['redirect_http']);
|
header('Location: ' . $redirect, true, $config['redirect_http']);
|
||||||
|
|
||||||
|