# HG changeset patch # User Dan # Date 1184266835 14400 # Node ID c0c445d4a13ee1b68f63400d8a59853f557c8cb0 # Parent a8a21e1c7afa71495f9c202365a4568b92794b65 Got some basic security in there, admin panel works now, and most admin panel forms work (used regex mass search + replace) diff -r a8a21e1c7afa -r c0c445d4a13e plugins/PunBB.php --- a/plugins/PunBB.php Thu Jul 12 01:04:01 2007 -0400 +++ b/plugins/PunBB.php Thu Jul 12 15:00:35 2007 -0400 @@ -50,6 +50,7 @@ function page_Special_Forum() { + global $db, $session, $paths, $template, $plugins; // Common objects if ( getConfig('punbb_installed') != 'yes' ) { punano_installer(); @@ -58,6 +59,10 @@ { punano_upgrade(); } + else if ( preg_match('/^admin_/i', $paths->getParam(0)) ) + { + punano_admin_console(); + } else { punano_main(); @@ -226,4 +231,42 @@ } +function punano_admin_console() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + $valid = array('categories', 'censoring', 'forums', 'groups', 'index', 'loader', 'maintenance', 'options', 'permissions', 'prune', 'ranks', 'reports', 'users'); + $mod = array('bans', 'censoring', 'index', 'loader', 'reports', 'users'); + + $file = 'index'; + + if ( $x = $paths->getParam(0) ) + { + $x = preg_replace('/\.php$/', '', $x); + $x = preg_replace('/^admin_/i', '', $x); + if ( in_array(strtolower($x), $valid) ) + { + $file = strtolower($x); + } + } + + if ( in_array($file, $mod) ) + { + $need_level = USER_LEVEL_MOD; + } + else + { + $need_level = USER_LEVEL_ADMIN; + } + + if ( $session->auth_level < $need_level ) + { + redirect( makeUrlNS('Special', 'Login/' . $paths->fullpage, 'level=' . $need_level, false), 'Permission denied', 'You need to have permission level ' . $session->userlevel_to_string($need_level) . ' to use the PunBB administration console.', 2); + } + + // Don't worry. This is sanitized. + require PUN_ROOT . 'admin_' . $file . '.php'; + +} + ?> diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_bans.php 
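Review bot: In punano_admin_console(), `'bans'` is listed in `$mod` but not in `$valid`, so a request for `admin_bans` never passes the whitelist and silently falls through to `admin_index.php` — the ban page this changeset also edits is unreachable from the console; adding `'bans'` to the `$valid` array fixes that and it is then gated at moderator level as intended. The permission gate on `$session->auth_level < $need_level` relies on `redirect()` never returning, and nothing visible shows that it exits, so a `return;` on the line after the redirect keeps the `require` from running if it ever does. `in_array(strtolower($x), $valid, true)` would also make the whitelist comparison strict. The `// Don't worry. This is sanitized.` comment would tell the next maintainer more as `// $file only ever holds an entry of the $valid whitelist, never the raw URL parameter`.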
--- a/punbb/admin_bans.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_bans.php Thu Jul 12 15:00:35 2007 -0400 @@ -288,7 +288,7 @@

New ban

-
+
Add ban diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_categories.php --- a/punbb/admin_categories.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_categories.php Thu Jul 12 15:00:35 2007 -0400 @@ -115,7 +115,7 @@

Category delete

- +
@@ -187,7 +187,7 @@

Add/remove/edit categories

- +
Add/delete categories @@ -197,7 +197,7 @@ Add a new category
- The name of the new category you want to add. You can edit the name of the category later (see below).Go to Forums to add forums to your new category. + The name of the new category you want to add. You can edit the name of the category later (see below). Go to Forums to add forums to your new category. diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_censoring.php --- a/punbb/admin_censoring.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_censoring.php Thu Jul 12 15:00:35 2007 -0400 @@ -97,7 +97,7 @@

Censoring

- +
Add word diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_forums.php --- a/punbb/admin_forums.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_forums.php Thu Jul 12 15:00:35 2007 -0400 @@ -110,7 +110,7 @@

Confirm delete forum

- +
Important! Read before deleting @@ -247,7 +247,7 @@

Edit forum

- +

@@ -375,7 +375,7 @@

Add forum

- +
Create a new forum @@ -405,7 +405,7 @@

Edit forums

- +

- Edit - Delete + Edit - Delete Position      diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_groups.php --- a/punbb/admin_groups.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_groups.php Thu Jul 12 15:00:35 2007 -0400 @@ -329,7 +329,7 @@

Remove group

- +
Move users currently in group @@ -376,7 +376,7 @@

Add/setup groups

- +
Add new group diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_options.php --- a/punbb/admin_options.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_options.php Thu Jul 12 15:00:35 2007 -0400 @@ -41,8 +41,9 @@ if (isset($_POST['form_sent'])) { // Custom referrer check (so we can output a custom error message) - if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/admin_options.php', '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '')))) - message('Bad HTTP_REFERER. If you have moved these forums from one location to another or switched domains, you need to update the Base URL manually in the database (look for o_base_url in the config table) and then clear the cache by deleting all .php files in the /cache directory.'); + // if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/admin_options.php', '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '')))) + // message('Bad HTTP_REFERER. If you have moved these forums from one location to another or switched domains, you need to update the Base URL manually in the database (look for o_base_url in the config table) and then clear the cache by deleting all .php files in the /cache directory.'); + confirm_referrer('admin_options.php'); $form = array_map('trim', $_POST['form']); @@ -155,7 +156,7 @@
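Review bot: The old referrer check is kept as two commented-out lines directly above the new `confirm_referrer('admin_options.php');` call; delete them rather than carry dead code, the changeset history preserves them. Worth confirming that `confirm_referrer` still matches when the page is reached through the `Special:Forum/admin_options` route added in plugins/PunBB.php — if it compares against `o_base_url` plus the script name the way the removed lines did, the referrer of the new URL may no longer match and every options submit would be rejected. A referrer check is also only a weak CSRF control, since the header is optional and user-agent dependent; a per-session form token verified on submit would be the robust gate for the admin forms this changeset touches.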

Options

- +

diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_prune.php --- a/punbb/admin_prune.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_prune.php Thu Jul 12 15:00:35 2007 -0400 @@ -127,7 +127,7 @@

Prune

- +
@@ -165,7 +165,7 @@

Prune

- +
diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_ranks.php --- a/punbb/admin_ranks.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_ranks.php Thu Jul 12 15:00:35 2007 -0400 @@ -125,7 +125,7 @@

Ranks

- +
Add rank diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_reports.php --- a/punbb/admin_reports.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_reports.php Thu Jul 12 15:00:35 2007 -0400 @@ -64,10 +64,10 @@

New reports

- + query('SELECT r.id, r.post_id, r.topic_id, r.forum_id, r.reported_by, r.created, r.message, t.subject, f.forum_name, u.username AS reporter FROM '.$pun_db->prefix.'reports AS r LEFT JOIN '.$pun_db->prefix.'topics AS t ON r.topic_id=t.id LEFT JOIN '.$pun_db->prefix.'forums AS f ON r.forum_id=f.id LEFT JOIN '.$pun_db->prefix.'users AS u ON r.reported_by=u.id WHERE r.zapped IS NULL ORDER BY created DESC') or error('Unable to fetch report list', __FILE__, __LINE__, $pun_db->error()); +$result = $pun_db->query('SELECT r.id, r.post_id, r.topic_id, r.forum_id, r.reported_by, r.created, r.message, t.subject, f.forum_name, u.username AS reporter FROM '.$pun_db->prefix.'reports AS r LEFT JOIN '.$pun_db->prefix.'topics AS t ON r.topic_id=t.id LEFT JOIN '.$pun_db->prefix.'forums AS f ON r.forum_id=f.id LEFT JOIN '.table_prefix.'users AS u ON r.reported_by=u.user_id WHERE r.zapped IS NULL ORDER BY created DESC') or error('Unable to fetch report list', __FILE__, __LINE__, $pun_db->error()); if ($pun_db->num_rows($result)) { @@ -115,7 +115,7 @@
query('SELECT r.id, r.post_id, r.topic_id, r.forum_id, r.reported_by, r.message, r.zapped, r.zapped_by AS zapped_by_id, t.subject, f.forum_name, u.username AS reporter, u2.username AS zapped_by FROM '.$pun_db->prefix.'reports AS r LEFT JOIN '.$pun_db->prefix.'topics AS t ON r.topic_id=t.id LEFT JOIN '.$pun_db->prefix.'forums AS f ON r.forum_id=f.id LEFT JOIN '.$pun_db->prefix.'users AS u ON r.reported_by=u.id LEFT JOIN '.$pun_db->prefix.'users AS u2 ON r.zapped_by=u2.id WHERE r.zapped IS NOT NULL ORDER BY zapped DESC LIMIT 10') or error('Unable to fetch report list', __FILE__, __LINE__, $pun_db->error()); +$result = $pun_db->query('SELECT r.id, r.post_id, r.topic_id, r.forum_id, r.reported_by, r.message, r.zapped, r.zapped_by AS zapped_by_id, t.subject, f.forum_name, u.username AS reporter, u2.username AS zapped_by FROM '.$pun_db->prefix.'reports AS r LEFT JOIN '.$pun_db->prefix.'topics AS t ON r.topic_id=t.id LEFT JOIN '.$pun_db->prefix.'forums AS f ON r.forum_id=f.id LEFT JOIN '.table_prefix.'users AS u ON r.reported_by=u.user_id LEFT JOIN '.table_prefix.'users AS u2 ON r.zapped_by=u2.user_id WHERE r.zapped IS NOT NULL ORDER BY zapped DESC LIMIT 10') or error('Unable to fetch report list', __FILE__, __LINE__, $pun_db->error()); if ($pun_db->num_rows($result)) { diff -r a8a21e1c7afa -r c0c445d4a13e punbb/admin_users.php --- a/punbb/admin_users.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/admin_users.php Thu Jul 12 15:00:35 2007 -0400 @@ -363,7 +363,7 @@

User search

- +

diff -r a8a21e1c7afa -r c0c445d4a13e punbb/header.php --- a/punbb/header.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/header.php Thu Jul 12 15:00:35 2007 -0400 @@ -58,7 +58,30 @@ // Load the template if (defined('PUN_ADMIN_CONSOLE')) { - $tpl_main = file_get_contents(PUN_ROOT.'include/template/admin.tpl'); + $inner = '
+
+ +
+
+
+ + +
+ + +
+
+ + + + + + + +
+
'; + + $tpl_main = $template->getHeader() . $inner . $template->getFooter(); } else if (defined('PUN_HELP')) { diff -r a8a21e1c7afa -r c0c445d4a13e punbb/help.php --- a/punbb/help.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/help.php Thu Jul 12 15:00:35 2007 -0400 @@ -148,7 +148,7 @@ } } - echo ' '.$lang_help['produces'].' '.$cur_text.'
'."\n"; + echo ' '.$lang_help['produces'].' '.$cur_text.'
'."\n"; } ?> diff -r a8a21e1c7afa -r c0c445d4a13e punbb/include/common.php --- a/punbb/include/common.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/include/common.php Thu Jul 12 15:00:35 2007 -0400 @@ -23,11 +23,11 @@ ************************************************************************/ // Enable DEBUG mode by removing // from the following line -//define('PUN_DEBUG', 1); +define('PUN_DEBUG', 1); // This displays all executed queries in the page footer. // DO NOT enable this in a production environment! -//define('PUN_SHOW_QUERIES', 1); +define('PUN_SHOW_QUERIES', 1); if (!defined('PUN_ROOT')) exit('The constant PUN_ROOT must be defined and point to a valid PunBB installation root directory.'); diff -r a8a21e1c7afa -r c0c445d4a13e punbb/include/common_admin.php --- a/punbb/include/common_admin.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/include/common_admin.php Thu Jul 12 15:00:35 2007 -0400 @@ -43,19 +43,19 @@ diff -r a8a21e1c7afa -r c0c445d4a13e punbb/include/enano_dbal.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/punbb/include/enano_dbal.php Thu Jul 12 15:00:35 2007 -0400 
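Review bot: `define('PUN_DEBUG', 1);` and `define('PUN_SHOW_QUERIES', 1);` are now enabled unconditionally, directly under the file's own warning `DO NOT enable this in a production environment!`. With `PUN_SHOW_QUERIES` defined, the new enano_dbal.php `query()` records every executed statement into `saved_queries`, and per the comment above the define those are printed in the page footer, so any visitor sees the SQL text, table prefix and column names of each page. Keep both lines commented out as they were (`//define('PUN_DEBUG', 1);` / `//define('PUN_SHOW_QUERIES', 1);`) and enable them only in a local development copy, or gate them on an existing site-wide debug setting if Enano provides one.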
@@ -0,0 +1,170 @@ +prefix = table_prefix . 'pun_'; + } + + function start_transaction() + { + return; + } + + function end_transaction() + { + return; + } + + function query($sql, $unbuffered = false) + { + global $db; + if (defined('PUN_SHOW_QUERIES')) + $q_start = get_microtime(); + + if ($unbuffered) + $this->query_result = $db->sql_unbuffered_query($sql); + else + $this->query_result = $db->sql_query($sql); + + if ($this->query_result) + { + if (defined('PUN_SHOW_QUERIES')) + $this->saved_queries[] = array($sql, sprintf('%.5f', get_microtime() - $q_start)); + + ++$this->num_queries; + + return $this->query_result; + } + else + { + if (defined('PUN_SHOW_QUERIES')) + $this->saved_queries[] = array($sql, 0); + + return false; + } + } + + function result($query_id = 0, $row = 0) + { + return ($query_id) ? @mysql_result($query_id, $row) : false; + } + + function fetch_assoc($query_id = 0) + { + global $db; + return ($query_id) ? $db->fetchrow($query_id) : false; + } + + function fetch_row($query_id = 0) + { + global $db; + return ($query_id) ? $db->fetchrow_num($query_id) : false; + } + + + function num_rows($query_id = 0) + { + global $db; + return ($query_id) ? @mysql_num_rows($query_id) : false; + } + + function affected_rows() + { + global $db; + return ($db->_conn) ? @mysql_affected_rows($db->_conn) : false; + } + + function insert_id() + { + global $db; + $ret = ($db->_conn) ? @mysql_insert_id($db->_conn) : false; + return $ret; + } + + function get_num_queries() + { + return $this->num_queries; + } + + function get_saved_queries() + { + return $this->saved_queries; + } + + function free_result($query_id = false) + { + global $db; + return ($query_id) ? 
$db->free_result($query_id) : false; + } + + function escape($str) + { + global $db; + if (is_array($str)) + return ''; + else if (function_exists('mysql_real_escape_string')) + return $db->escape($str); + else + return mysql_escape_string($str); + } + + + function error() + { + $result['error_sql'] = @current(@end($this->saved_queries)); + $result['error_no'] = @mysql_errno($this->link_id); + $result['error_msg'] = @mysql_error($this->link_id); + + return $result; + } + + + function close() + { + return false; + } + +} + diff -r a8a21e1c7afa -r c0c445d4a13e punbb/include/functions.php --- a/punbb/include/functions.php Thu Jul 12 01:04:01 2007 -0400 +++ b/punbb/include/functions.php Thu Jul 12 15:00:35 2007 -0400 @@ -41,7 +41,7 @@ if($session->user_logged_in) { $result = $pun_db->query( - 'SELECT eu.*, u.*, eu.real_name AS realname, eu.user_level AS g_id, g.*, o.logged, o.idle + 'SELECT eu.*, u.*, eu.real_name AS realname, g.*, eu.user_level AS g_id, o.logged, o.idle FROM '.$pun_db->prefix.'users AS u LEFT JOIN '.table_prefix.'users AS eu ON eu.user_id=u.id @@ -238,6 +238,7 @@ function generate_navlinks() { global $pun_config, $lang_common, $pun_user; + global $db, $session, $paths, $template, $plugins; // Common objects // Index and Userlist should always be displayed $links[] = '
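Review bot: `error()` reads `$this->link_id`, but nothing in the visible part of this new file assigns it (the file header through the constructor's first `$this->` is stripped in this view, so it may be set there — worth confirming), and the `@` on `@mysql_errno`/`@mysql_error` would hide the notice if it is unset; the rest of the class (`affected_rows()`, `insert_id()`) already goes through `$db->_conn`, so `error()` should do the same: `global $db;`, `$result['error_no'] = @mysql_errno($db->_conn);`, `$result['error_msg'] = @mysql_error($db->_conn);`. The class also mixes the Enano wrapper (`$db->sql_query`, `$db->fetchrow`) with raw `mysql_*` calls in `result()` and `num_rows()` and silences all of them with `@`, so a broken connection surfaces only as `false` with no diagnostics; dropping the `@` (or routing those two through the wrapper as well) would make failures visible. The `mysql_escape_string` fallback in `escape()` is charset-unaware, and since `$db->escape` is taken whenever the mysql extension is loaded, that branch is effectively dead and could be removed.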