Add whitelist as well as banlist - flooding can still ban ATM

e107_admin/banlist.php

@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_admin/banlist.php,v $
-|     $Revision: 1.4 $
+|     $Revision: 1.5 $
-|     $Date: 2007-12-11 22:48:36 $
+|     $Date: 2007-12-16 11:14:47 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -20,9 +20,12 @@
 define('BAN_TIME_FORMAT',"%d-%m-%Y %H:%M");
 define('BAN_REASON_COUNT',7);				// Update as more ban reasons added (max 10 supported)
 
+define('BAN_TYPE_MANUAL',1);				// Manually entered bans
 define('BAN_TYPE_IMPORTED',5);				// Imported bans
 define('BAN_TYPE_TEMPORARY',9);				// Used during CSV import
 
+define('BAN_TYPE_WHITELIST',100);			// Entry for whitelist
+
 require_once("../class2.php");
 if (!getperms("4")) 
 {
@@ -72,7 +75,7 @@ if (isset($_POST['update_ban_prefs']))
 if (isset($_POST['ban_ip']))
 {
   $_POST['ban_ip'] = trim($_POST['ban_ip']);
-  $new_ban_ip = preg_replace("/[^\w@\.]*/",'',urldecode($_POST['ban_ip']));
+  $new_ban_ip = preg_replace("/[^\w@\.\*]*/",'',urldecode($_POST['ban_ip']));
   if ($new_ban_ip != $_POST['ban_ip'])
   {
     $message = BANLAN_27.$new_ban_ip;
@@ -80,18 +83,25 @@ if (isset($_POST['ban_ip']))
 	$_POST['ban_ip'] = $new_ban_ip;
   }
 
-  if ((isset($_POST['add_ban']) || isset($_POST['update_ban'])) && $_POST['ban_ip'] != "" && strpos($_POST['ban_ip'], ' ') === false)
+  if (isset($_POST['entry_intent']) && (isset($_POST['add_ban']) || isset($_POST['update_ban'])) && $_POST['ban_ip'] != "" && strpos($_POST['ban_ip'], ' ') === false)
   {
+/*	$_POST['entry_intent'] says why we're here:
+		'edit' 	- Editing blacklist
+		'add'	- Adding to blacklist
+		'whedit' - Editing whitelist
+		'whadd'	- Adding to whitelist
+*/
     $new_vals = array('banlist_ip' => $_POST['ban_ip']);
 	if (isset($_POST['add_ban']))
 	{
 	  $new_vals['banlist_datestamp'] = time();
-	  $new_vals['banlist_bantype'] = 1;				// Manual ban
+	  if ($_POST['entry_intent'] == 'add') $new_vals['banlist_bantype'] = BAN_TYPE_MANUAL;				// Manual ban
+	  if ($_POST['entry_intent'] == 'whadd') $new_vals['banlist_bantype'] = BAN_TYPE_WHITELIST;
 	}
 	$new_vals['banlist_admin'] = ADMINID;
 	if (varsettrue($_POST['ban_reason'])) $new_vals['banlist_reason'] =$tp->toDB($_POST['ban_reason']);
 	$new_vals['banlist_notes'] = $tp->toDB($_POST['ban_notes']);
-	if (isset($_POST['ban_time']) && is_numeric($_POST['ban_time']))
+	if (isset($_POST['ban_time']) && is_numeric($_POST['ban_time']) && ($_POST['entry_intent']== 'edit' || $_POST['entry_intent'] == 'add'))
 	{
 	  $bt = intval($_POST['ban_time']);
 	  $new_vals['banlist_banexpires'] = $bt ? time() + ($bt*60*60) : 0;
@@ -116,15 +126,16 @@ if (isset($_POST['ban_ip']))
 }
 
 // Remove a ban
-if ($action == "remove" && isset($_POST['ban_secure'])) 
+if (($action == "remove" || $action == "whremove") && isset($_POST['ban_secure'])) 
 //if ($action == "remove") 
 {
   $sql -> db_Delete("generic", "gen_type='failed_login' AND gen_ip='{$sub_action}'");
   admin_update($sql -> db_Delete("banlist", "banlist_ip='{$sub_action}'"), 'delete');
+  if ($action == "remove") $action = 'list'; else $action = 'white';
 }
 
 
-// Update the ban expiry time/date - timed from now
+// Update the ban expiry time/date - timed from now (only done on banlist)
 if ($action == 'newtime')
 {
   $end_time = $id ? time() + ($id*60*60) : 0;
@@ -133,7 +144,7 @@ if ($action == 'newtime')
 }
 
 
-if ($action == "edit") 
+if ($action == "edit" || $action == "whedit") 
 {
   $sql->db_Select("banlist", "*", "banlist_ip='{$sub_action}'");
   $row = $sql->db_Fetch();
@@ -142,7 +153,7 @@ if ($action == "edit")
 else 
 {
   unset($banlist_ip, $banlist_reason);
-  if (e_QUERY && ($action == 'add') && strpos($_SERVER["HTTP_REFERER"], "userinfo")) 
+  if (e_QUERY && ($action == 'add' || $action == 'whadd') && strpos($_SERVER["HTTP_REFERER"], "userinfo")) 
   {
 	$banlist_ip = $sub_action;
   }
@@ -246,10 +257,15 @@ switch ($action)
 
   case 'edit' :
   case 'add' :
+  case 'whedit' :
+  case 'whadd' :
+    $page_title = array('edit' => BANLAN_60, 'add' => BANLAN_9, 'whedit' => BANLAN_59, 'whadd' => BANLAN_58);
 	$rdns_warn = varsettrue($pref['enable_rdns']) ? '' : '<br />'.BANLAN_12;
+	$next = ($action == 'whedit' || $action == 'whadd') ? '?white' : '?list';
 	// Edit/add form first
 	$text .= "<div style='text-align:center'>
-		<form method='post' action='".e_SELF."'>
+		<form method='post' action='".e_SELF.$next."'>
+		<input type='hidden' name='entry_intent' value='{$action}' />
 		<table style='".ADMIN_WIDTH."' class='fborder'>
 		<tr>
 		  <td style='width:30%' class='forumheader3'>".BANLAN_5.": </td>
@@ -258,7 +274,7 @@ switch ($action)
 		  </td>
 		</tr>";
 
-	if (($action == 'add') || ($banlist_bantype <= 1))
+	if (($action == 'add') || ($action == 'whadd') || ($banlist_bantype <= 1) || ($banlist_bantype >= BAN_TYPE_WHITELIST))
 	{	// Its a manual or unknown entry - only allow edit of reason on those
 	  $text .= "
 		<tr>
@@ -268,7 +284,7 @@ switch ($action)
 		</td>
 		</tr>";
 	}
-	else
+	elseif ($action == 'edit')
 	{
 	  $text .= "
 		<tr>
@@ -292,20 +308,30 @@ switch ($action)
 		<td style='width:80%' class='forumheader3'>
 		<textarea class='tbox' name='ban_notes' cols='50' rows='4'>{$banlist_notes}</textarea>
 		</td>
-		</tr>
+		</tr>";
 
-		<tr>
+	if ($action == 'edit' || $action == 'add')
+	{
+	  $text .= "<tr>
 		<td style='width:20%' class='forumheader3'>".BANLAN_18.": </td>
 		<td style='width:80%' class='forumheader3'>".ban_time_dropdown().
 		(($action == 'edit') ? '&nbsp;&nbsp;&nbsp;('.BANLAN_26.($banlist_banexpires ? strftime(BAN_TIME_FORMAT,$banlist_banexpires) : BANLAN_21).')' : '').
 		"</td>
-		</tr>
+		</tr>";
+	}
 
+	$text .= "
 		<tr style='vertical-align:top'>
-		<td colspan='2' style='text-align:center' class='forumheader'>".
+		<td colspan='2' style='text-align:center' class='forumheader'>";
-	($action == "edit" ? "<input type='hidden' name='old_ip' value='{$banlist_ip}' /><input class='button' type='submit' name='update_ban' value='".LAN_UPDATE."' />" : "<input class='button' type='submit' name='add_ban' value='".BANLAN_8."' />")."
+	if ($action == "edit" || $action == "whedit")
-
+	{
-	</td>
+	  $text .= "<input type='hidden' name='old_ip' value='{$banlist_ip}' /><input class='button' type='submit' name='update_ban' value='".LAN_UPDATE."' />";
+	}
+	else
+	{
+	  $text .= "<input class='button' type='submit' name='add_ban' value='".($action == 'add' ? BANLAN_8 : BANLAN_53)."' />";
+	}
+	$text .= "</td>
 	</tr>
 	</table>
 	</form>
@@ -316,7 +342,7 @@ switch ($action)
 	{
 	  $text .= "<div style='text-align:center'><br />".BANLAN_12."</div>";
 	}
-	$ns->tablerender(BANLAN_9, $text);
+	$ns->tablerender($page_title[$action], $text);
     break;			// End of 'Add' and 'Edit'
 
 
@@ -387,56 +413,72 @@ switch ($action)
 	$ns->tablerender(BANLAN_41, $text);
     break;
 
+
   case 'list' :
+  case 'white' :
   default :
-	  $text = $rs->form_open("post", e_SELF, "ban_form")."<div style='text-align:center'>".$rs->form_hidden("ban_secure", "1");
+	  if (($action != 'list') && ($action != 'white')) $action = 'list';
-	  if (!$ban_total = $sql->db_Select("banlist","*","ORDER BY banlist_ip","nowhere")) 
+	  $edit_action = ($action == 'list' ? 'edit' : 'whedit');
+	  $del_action = ($action == 'list' ? 'remove' : 'whremove');
+	  $col_widths = array('list' => array(10,5,35,30,10,10), 'white' => array(15,40,35,10));
+	  $col_titles = array('list' => array(BANLAN_17,BANLAN_20,BANLAN_10,BANLAN_19,BANLAN_18,LAN_OPTIONS),
+							'white' => array(BANLAN_55,BANLAN_56,BANLAN_19,LAN_OPTIONS));
+	  $no_values = array('list' => BANLAN_2, 'white' => BANLAN_54);
+	  $col_defs = array('list' => array('banlist_datestamp'=>0,'banlist_bantype'=>0,'ip_reason'=>BANLAN_7,'banlist_notes'=>0,'banlist_banexpires'=>0,'ban_options'=>0),
+						'white' => array('banlist_datestamp'=>0,'ip_reason'=>BANLAN_57,'banlist_notes'=>0,'ban_options'=>0));
+							
+	  $text = $rs->form_open("post", e_SELF.'?'.$action, "ban_form")."<div style='text-align:center'>".$rs->form_hidden("ban_secure", "1");
+	  $filter = ($action == 'white') ? 'banlist_bantype='.BAN_TYPE_WHITELIST : 'banlist_bantype!='.BAN_TYPE_WHITELIST ;
+	  if (!$ban_total = $sql->db_Select("banlist","*",$filter." ORDER BY banlist_ip")) 
 	  {
-		$text .= "<div style='text-align:center'>".BANLAN_2."</div>";
+		$text .= "<div style='text-align:center'>".$no_values[$action]."</div>";
 	  } 
 	  else 
 	  {
-		$text .= "<table class='fborder' style='".ADMIN_WIDTH."'>
+		$text .= "<table class='fborder' style='".ADMIN_WIDTH."'><colgroup>";
-			<colgroup>
+		foreach($col_widths[$action] as $fw) $text .= "<col style='width:{$fw}%' />\n";
-			<col style='width:10%' />
+		$text .= "</colgroup>\n<tr>";
-			<col style='width:5%' />
+		foreach ($col_titles[$action] as $ct) $text .= "<td class='fcaption'>{$ct}</td>";
-			<col style='width:35%' />
+		$text .= "</tr>";
-			<col style='width:30%' />
-			<col style='width:10%' />
-			<col style='width:10%' />
-			</colgroup>
-			<tr>
-			<td class='fcaption'>".BANLAN_17."</td>
-			<td class='fcaption'>".BANLAN_20."</td>
-			<td class='fcaption'>".BANLAN_10."</td>
-			<td class='fcaption'>".BANLAN_19."</td>
-			<td class='fcaption'>".BANLAN_18."</td>
-			<td class='fcaption'>".LAN_OPTIONS."</td>
-			</tr>";
-		$count = 0;
 		while ($row = $sql->db_Fetch()) 
 		{
 		  extract($row);
 		  $banlist_reason = str_replace("LAN_LOGIN_18", BANLAN_11, $banlist_reason);
-		  $text .= "<tr>
+		  $text .= "<tr>";
-		    <td class='forumheader3'>".($banlist_datestamp ? strftime(BAN_TIME_FORMAT,$banlist_datestamp) : BANLAN_22 )."</td>
+		  foreach ($col_defs[$action] as $cd => $fv)
-		    <td class='forumheader3'><a title='".constant('BANLAN_11'.$banlist_bantype)."'>".constant('BANLAN_10'.$banlist_bantype)."</a></td>
+		  {
-		    <td class='forumheader3'>{$banlist_ip}<br />".BANLAN_7.": {$banlist_reason}</td>
+		    switch ($cd)
-		    <td class='forumheader3'>{$banlist_notes}</td>
+			{
-		    <td class='forumheader3'>".($banlist_banexpires ? strftime(BAN_TIME_FORMAT,$banlist_banexpires).(($banlist_banexpires < time()) ? ' ('.BANLAN_34.')' : '') 
+			  case 'banlist_datestamp' :
-			: BANLAN_21)."<br />
+			    $val = ($banlist_datestamp ? strftime(BAN_TIME_FORMAT,$banlist_datestamp) : BANLAN_22 );
-			".ban_time_dropdown("onchange=\"urljump('".e_SELF."?newtime-{$banlist_ip}-'+this.value)\"")."</td>
+			    break;
-			<td style='width:30%; text-align:center' class='forumheader3'>
+			  case 'banlist_bantype' :
-			<a href='".e_SELF."?edit-{$banlist_ip}'><img src='".$images_path."edit_16.png' alt='".LAN_EDIT."' title='".LAN_EDIT."' style='border:0px' /></a>
+				$val = "<a title='".constant('BANLAN_11'.$banlist_bantype)."'>".constant('BANLAN_10'.$banlist_bantype)."</a>";
-			<input name='delete_ban_entry' type='image' src='".$images_path."delete_16.png' alt='".LAN_DELETE."' title='".LAN_DELETE."' style='border:0px' 
+				break;
-			onclick=\" var r = jsconfirm('".$tp->toJS(LAN_CONFIRMDEL." [".$banlist_ip."]")."');
+			  case 'ip_reason' :
-			if (r) { document.getElementById('ban_form').action='".e_SELF."?remove-{$banlist_ip}'; } return r; \" /></td>";
+			    $val = $banlist_ip."<br />".$fv.": ".$banlist_reason;
-			$count++;
+			    break;
+			  case 'banlist_banexpires' :
+			    $val = ($banlist_banexpires ? strftime(BAN_TIME_FORMAT,$banlist_banexpires).(($banlist_banexpires < time()) ? ' ('.BANLAN_34.')' : '') 
+					: BANLAN_21)."<br />".ban_time_dropdown("onchange=\"urljump('".e_SELF."?newtime-{$banlist_ip}-'+this.value)\"");
+			    break;
+			  case 'ban_options' :
+			    $val = "<a href='".e_SELF."?{$edit_action}-{$banlist_ip}'><img src='".$images_path."edit_16.png' alt='".LAN_EDIT."' title='".LAN_EDIT."' style='border:0px' /></a>
+					<input name='delete_ban_entry' type='image' src='".$images_path."delete_16.png' alt='".LAN_DELETE."' title='".LAN_DELETE."' style='border:0px' 
+					onclick=\" var r = jsconfirm('".$tp->toJS(LAN_CONFIRMDEL." [".$banlist_ip."]")."');
+					if (r) { document.getElementById('ban_form').action='".e_SELF."?{$del_action}-{$banlist_ip}'; } return r; \" />";
+				break;
+			  case 'banlist_notes' :
+			  default : 
+			    $val = $row[$cd];
+			}
+			$text .= "<td class='forumheader3'>{$val}</td>";
+		  }
 		}
 		$text .= "</table>\n";
 	  }
 	  $text .= "</div>".$rs->form_close();
-	  $ns->tablerender(BANLAN_3, $text);
+	  $ns->tablerender(($action == 'list' ? BANLAN_3 : BANLAN_61), $text);
 	  // End of case 'list' and the default case
 }		// End switch ($action)
 
@@ -456,6 +498,14 @@ function banlist_adminmenu()
 	$var['add']['link'] = e_SELF."?add";
 	$var['add']['perm'] = "4";
 
+    $var['white']['text'] = BANLAN_52;			// List existing whitelist entries
+	$var['white']['link'] = e_SELF."?white";
+	$var['white']['perm'] = "4";
+
+    $var['whadd']['text'] = BANLAN_53;			// Add a new whitelist entry
+	$var['whadd']['link'] = e_SELF."?whadd";
+	$var['whadd']['perm'] = "4";
+
 	$var['transfer']['text'] = BANLAN_35;
 	$var['transfer']['link'] = e_SELF."?transfer";
    	$var['transfer']['perm'] = "4";

e107_handlers/e107_class.php

@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_handlers/e107_class.php,v $
-|     $Revision: 1.10 $
+|     $Revision: 1.11 $
-|     $Date: 2007-12-09 16:42:23 $
+|     $Date: 2007-12-16 11:14:47 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -206,8 +206,16 @@ class e107{
 	{
 	  global $sql, $tp, $pref, $admin_log;
 //	  $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Check for Ban",$query,FALSE,LOG_TO_ROLLING);
-	  if ($sql->db_Select('banlist','*',$query))
+	  if ($sql->db_Select('banlist','*',$query.' ORDER BY `banlist_bantype` DESC'))
 	  {
+		// Any whitelist entries will be first - so we can answer based on the first DB record read
+		define('BAN_TYPE_WHITELIST',100);			// Entry for whitelist
+		$row = $sql->db_Fetch();
+		if ($row['banlist_bantype'] >= BAN_TYPE_WHITELIST)
+		{
+//	    $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Whitelist hit",$query,FALSE,LOG_TO_ROLLING);
+		  return TRUE;
+		}
 //	    $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Active Ban",$query,FALSE,LOG_TO_ROLLING);
 		if ($show_error) header("HTTP/1.1 403 Forbidden", true);
 		if (isset($pref['ban_messages']))

e107_languages/English/admin/help/banlist.php

@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/help/banlist.php,v $
-|     $Revision: 1.4 $
+|     $Revision: 1.5 $
-|     $Date: 2007-12-11 22:48:42 $
+|     $Date: 2007-12-16 11:14:53 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -55,6 +55,17 @@ Entering the email address *@bar.com will stop anyone using that email domain fr
 <b>Banning by user name</b><br />
 This is done from the user administration page.<br /><br />";
   break;
+case 'whadd' :
+case 'whedit' :
+  $text = "You can specify IP addresses which you know to be 'friendly' here - generally those for the main site admins, to guarantee that they can
+  always gain access to the site.<br />
+  You are advised to keep the number of addresses in this list to an absolute minimum; both for security, and to minimise the impact on site performance.";
+  break;
+case 'white' :
+  $text = "This page shows a list of all IP addresses and email addresses which are explicitly permitted.<br />
+    This list takes priority over the ban list - it should not be possible for an address from this list to be banned.<br />
+	All addresses must be manually entered.";
+  break;
 case 'list' :
 default :
 $text = "This page shows a list of all IP addresses, hostnames and email addresses which are banned. 

e107_languages/English/admin/lan_banlist.php

@@ -4,13 +4,13 @@
 |     e107 website system - Language File.
 |
 |     $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_banlist.php,v $
-|     $Revision: 1.4 $
+|     $Revision: 1.5 $
-|     $Date: 2007-12-11 22:48:42 $
+|     $Date: 2007-12-16 11:14:53 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
 define("BANLAN_1", "Ban removed.");
-define("BANLAN_2", "No bans.");
+define("BANLAN_2", 'No bans in list.');
 define("BANLAN_3", "Existing Bans");
 define("BANLAN_4", "Remove ban");
 define("BANLAN_5", "Enter IP, email address, or host");
@@ -32,7 +32,7 @@ define('BANLAN_21','Never');
 define('BANLAN_22','Unknown');
 define('BANLAN_23','day(s)');
 define('BANLAN_24','hours');
-define('BANLAN_25','Add an entry');
+define('BANLAN_25','Add to Banlist');
 define('BANLAN_26','Currently ');
 define('BANLAN_27','Invalid characters in IP address stripped - now:');
 define('BANLAN_28','Ban type');
@@ -59,15 +59,17 @@ define('BANLAN_48','Error importing file');
 define('BANLAN_49','CSV import: Unbalanced quotes in line ');
 define('BANLAN_50','CSV import: Error writing banlist record at line ');
 define('BANLAN_51','CSV import: Success, --NUM-- lines imported from file ');
-define('BANLAN_52','');
+define('BANLAN_52','Whitelist');
-define('BANLAN_53','');
+define('BANLAN_53','Add to Whitelist');
-define('BANLAN_54','');
+define('BANLAN_54','No entries in whitelist');
-define('BANLAN_55','');
+define('BANLAN_55','Entry Date');
-define('BANLAN_56','');
+define('BANLAN_56','IP/Email, User');
-define('BANLAN_57','');
+define('BANLAN_57','User');
-define('BANLAN_58','');
+define('BANLAN_58','Add users to the whitelist');
-define('BANLAN_59','');
+define('BANLAN_59','Edit existing whitelist entry');
-define('BANLAN_60','');
+define('BANLAN_60','Edit existing banlist entry');
+define('BANLAN_61','Existing Whitelist entries');
+define('BANLAN_62','');
 
 // Ban types - block reserved 100-109 
 define('BANLAN_100', 'Unknown');