#1517 Tracing of the 'unauthorized access' issue.

e107_handlers/session_handler.php

@@ -729,9 +729,14 @@ class e_session
 	 */
 	public function getFormToken($in_form = true)
 	{
-		if(!$this->has('__form_token'))
+		if(!$this->has('__form_token') && !defined('e_TOKEN_DISABLE'))  // TODO FIXME: SEF URL of Error page causes e-token refresh.
 		{
 			$this->set('__form_token', uniqid(md5(rand()), true));
+			if(deftrue('e_DEBUG_SESSION')) // XXX enable to troubleshoot "Unauthorized Access!" issues.
+			{
+				$message = date('r')."\t\t".e_REQUEST_URI."\n";
+				file_put_contents(__DIR__.'/session.log', $message, FILE_APPEND);
+			}
 		}
 		return ($in_form ? md5($this->get('__form_token')) : $this->get('__form_token'));
 	}
@@ -869,7 +874,52 @@ class e_core_session extends e_session
 		$this->end();
 	}
 
+	private function log($status, $type=E_LOG_FATAL)
+	{
+	//	$details = "USER: ".USERNAME."\n";
+		$details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
+		$details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
 
+		$details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
+		$details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
+		$details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
+/*
+		$utoken = $this->getFormToken(false);
+		$details .= "raw token: ".$utoken."\n";
+		$details .= "checkFormToken (e-token should match this): ".md5($utoken)."\n";
+		$details .= "md5(e-token): ".md5($_POST['e-token'])."\n";*/
+/*
+		$regenerate = $this->get('__form_token_regenerate');
+		$details .= "Regenerate after: ".date('r', $regenerate)." (".$regenerate.")\n";
+*/
+
+		$details .= "has __form_token: ";
+		$details .= empty($this->has('__form_token')) ? 'false' : 'true';
+		$details .= "\n";
+
+		$details .= "_SESSION:\n";
+		$details .= print_r($_SESSION,true);
+
+		/*	if($pref['plug_installed'])
+			{
+				$details .= "\nPlugins:\n";
+				$details .= print_r($pref['plug_installed'],true);
+			}*/
+
+		$details .= $status."\n\n---------------------------------\n\n";
+
+		$log = e107::getAdminLog();
+		$log->addDebug($details);
+
+		if(deftrue('e_DEBUG'))
+		{
+			$log->toFile('Unauthorized_access','Unauthorized access Log', true);
+		}
+
+		$log->add($status, $details, $type);
+
+
+	}
 	/**
 	 * Core CSF protection, see class2.php
 	 * Could be adopted by plugins for their own (different) protection logic
@@ -886,40 +936,12 @@ class e_core_session extends e_session
 		
 		if($this->getSessionId())
 		{
+
 			if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token']))
 			|| (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token']))
 			|| (isset($_POST['e_token']) && !$this->checkFormToken($_POST['e_token']))) // '-' is not allowed in jquery. b
 			{
-			//	if(defsettrue('e_DEBUG'))
-				{
-					$details = "USER: ".USERNAME."\n";		
-					$details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
-					$details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
-					$details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
-					$details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";	
-					$details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
-				
-					$details .= "_SESSION:\n";
-					$details .= print_r($_SESSION,true);
-				//	$details .= "\n_POST:\n";
-				//	$details .= print_r($_POST,true);
-				//	$details .= "\n_GET:\n";
-				//	$details .= print_r($_GET,true);
-				/*	if($pref['plug_installed'])
-					{
-						$details .= "\nPlugins:\n";
-						$details .= print_r($pref['plug_installed'],true);
-					}*/
-					
-					$details .= "die = ".($die == true ? 'true' : 'false')."\n\n---------------------------------\n\n";
-				
-					$log = e107::getAdminLog();		
-					$log->addDebug($details);			
-					$log->toFile('Unauthorized_access','Unauthorized access Log', true);
-					$log->add('Unauthorized access!', $details, E_LOG_FATAL);	
-					// e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);				
-				}	
-
+				$this->log('Unauthorized access!');
 				// do not redirect, prevent dead loop, save server resources
 				if($die == true)
 				{
@@ -928,6 +950,11 @@ class e_core_session extends e_session
 				
 				return false;
 			}
+
+			if(deftrue('e_DEBUG'))
+			{
+				$this->log('Session Token Okay!', E_LOG_NOTICE);
+			}
 		}
 		
 		if(!defined('e_TOKEN'))

error.php

@@ -18,7 +18,7 @@ $_E107 = array(
 	'no_online',
 	'no_prunetmp',
 );
-
+define('e_TOKEN_DISABLE', true);
 require_once("class2.php");
 
 

index.php

@@ -52,7 +52,9 @@
 	
 	define('ROOT', dirname(__FILE__));
 	set_include_path(ROOT.PATH_SEPARATOR.get_include_path());
-	
+
+
+//	define('e_TOKEN_DISABLE', true);  // TODO FIXME cause of "Unauthorized Access!" message. SEF URL of Error pages causes e-token refresh.
 	require_once("class2.php");
 
 // ----------------------------

signup.php

@@ -127,11 +127,16 @@ class signup
 {
 
 	private $testMode = false;
+	private $pref = array();
 
 	function __construct()
 	{
 		$pref = e107::pref('core');
 
+		$this->pref = $pref;
+
+		$this->pref['user_reg_veri'] = intval($this->pref['user_reg_veri']);
+
 		if(getperms('0'))
 		{
 			$this->testMode = true;
@@ -143,7 +148,7 @@ class signup
 			$this->processActivationLink();
 		}
 
-		if((e_QUERY == 'resend') && (!USER || $this->testMode) && ($pref['user_reg_veri'] == 1))
+		if((e_QUERY == 'resend') && (!USER || $this->testMode) && ($this->pref['user_reg_veri'] === 1))
 		{
 			if(empty($_POST['submit_resend']))
 			{
@@ -553,7 +558,7 @@ class signup
 		}
 		else
 		{
-			$text .= ($pref['user_reg_veri'] == 2) ?  LAN_SIGNUP_37 : str_replace($srch,$repl, LAN_SIGNUP_72);
+			$text .= (intval($pref['user_reg_veri']) === 2) ?  LAN_SIGNUP_37 : str_replace($srch,$repl, LAN_SIGNUP_72);
 			$text .= "<br /><br />".$adviseLoginName;
 		}
 
@@ -564,7 +569,9 @@ class signup
 		$caption_arr[1] = LAN_SIGNUP_98; // Confirm Email (Email Confirmation)
 		$caption_arr[2] = LAN_SIGNUP_100; // Approval Pending (Admin Approval)
 
-		$caption = $caption_arr[$pref['user_reg_veri']];
+		$mode = (int) $pref['user_reg_veri'];
+
+		$caption = $caption_arr[$mode];
 
 		$ret['text']    = $text;
 		$ret['caption'] = $caption;
@@ -638,7 +645,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1)
 
 		// generate password if passwords are disabled and email validation is enabled.
 		$noPasswordInput = e107::getPref('signup_option_password', 2); //0 = generate it.
-		if(empty($noPasswordInput) && !isset($_POST['password1']) && intval($pref['user_reg_veri'])===1)
+		if(empty($noPasswordInput) && !isset($_POST['password1']) && $this->pref['user_reg_veri'] === 1)
 		{
 			$_POST['password1'] = $userMethods->generateRandomString("#*******#");
 			$_POST['password2'] = $_POST['password1'];
@@ -892,7 +899,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1)
 		if ($pref['user_reg_veri'])
 		{	
 			// ========== Send Email =========>
-			if (($pref['user_reg_veri'] != 2) && $allData['data']['user_email'])		// Don't send if email address blank - means that its not compulsory
+			if (((int) $pref['user_reg_veri'] !== 2) && $allData['data']['user_email'])		// Don't send if email address blank - means that its not compulsory
 			{
 				$allData['data']['user_id'] = $nid;					// User ID
 				// FIXME build while rendering - user::renderEmail()
@@ -1051,6 +1058,7 @@ $rs = new form;
 
 $text = $tp->parseTemplate($SIGNUP_BEGIN.$SIGNUP_BODY.$SIGNUP_END, TRUE, $signup_shortcodes);
 $ns->tablerender(LAN_SIGNUP_79, e107::getMessage()->render('default', true).$text, 'signup' );
+
 require_once(FOOTERF);
 exit;
 
@@ -1086,4 +1094,4 @@ function headerjs()
 }
 
 
-?>
+?>