From 298202106c690a2f54aa0e885988b5908dd1fdfa Mon Sep 17 00:00:00 2001 From: e107steved Date: Sun, 9 Dec 2007 16:42:23 +0000 Subject: [PATCH] Update banlist handling --- class2.php | 28 +- e107_admin/banlist.php | 392 ++++++++++++++---- e107_admin/fla.php | 29 +- e107_admin/userinfo.php | 8 +- e107_admin/users.php | 185 +++++---- e107_handlers/admin_log_class.php | 242 ++++++++--- e107_handlers/e107_class.php | 58 ++- e107_handlers/login.php | 41 +- e107_languages/English/admin/help/banlist.php | 30 +- e107_languages/English/admin/lan_banlist.php | 59 ++- e107_languages/English/admin/lan_users.php | 46 +- signup.php | 118 +++--- 12 files changed, 891 insertions(+), 345 deletions(-) diff --git a/class2.php b/class2.php index 0bbdcc3c8..a76b2426c 100644 --- a/class2.php +++ b/class2.php @@ -11,9 +11,9 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/class2.php,v $ -| $Revision: 1.31 $ -| $Date: 2007-11-13 07:25:54 $ -| $Author: e107coders $ +| $Revision: 1.32 $ +| $Date: 2007-12-09 16:42:21 $ +| $Author: e107steved $ +----------------------------------------------------------------------------+ */ // 
@@ -1059,13 +1059,13 @@ function save_prefs($table = 'core', $uid = USERID, $row_val = '') { if ($row_val == '') { // Save old version as a backup first - $sql->db_Select_gen("REPLACE INTO #core (e107_name,e107_value) values ('SitePrefs_Backup', '".addslashes($PrefCache)."') "); + $sql->db_Select_gen("REPLACE INTO `#core` (e107_name,e107_value) values ('SitePrefs_Backup', '".addslashes($PrefCache)."') "); // Now save the updated values // traverse the pref array, with toDB on everything $_pref = $tp -> toDB($pref, true, true); // Create the data to be stored - $sql->db_Select_gen("REPLACE INTO #core (e107_name,e107_value) values ('SitePrefs', '".$eArrayStorage->WriteArray($_pref)."') "); + $sql->db_Select_gen("REPLACE INTO `#core` (e107_name,e107_value) values ('SitePrefs', '".$eArrayStorage->WriteArray($_pref)."') "); ecache::clear('SitePrefs'); } } @@ -1168,12 +1168,15 @@ class e_online { $row['online_pagecount'] = 1; } - if ($row['online_pagecount'] > $online_bancount && ($row['online_ip'] != "127.0.0.1")) { - $sql->db_Insert("banlist", "'{$ip}', '0', 'Hit count exceeded ({$row['online_pagecount']} requests within allotted time)' "); + if ($row['online_pagecount'] > $online_bancount && ($row['online_ip'] != "127.0.0.1")) + { +// $sql->db_Insert("banlist", "'{$ip}', '0', 'Hit count exceeded ({$row['online_pagecount']} requests within allotted time)' "); + $e107->add_ban(2,"Hit count exceeded ({$row['online_pagecount']} requests within allotted time)",$ip,0); $e_event->trigger("flood", $ip); exit; } - if ($row['online_pagecount'] >= $online_warncount && $row['online_ip'] != "127.0.0.1") { + if ($row['online_pagecount'] >= $online_warncount && $row['online_ip'] != "127.0.0.1") + { echo "
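Review bot: The second `REPLACE INTO` on the new side still concatenates `$eArrayStorage->WriteArray($_pref)` straight into the statement, while the backup line one statement earlier wraps its value in `addslashes()`; adding backticks around `#core` does not change that asymmetry. Whether WriteArray's output can contain a single quote, and whether `$tp->toDB($pref, true, true)` has already escaped the values it serialises, is not visible in this hunk — if it can, the statement breaks or becomes injectable, and the value should be escaped the same way as the backup: `'".addslashes($eArrayStorage->WriteArray($_pref))."'`. If the difference is deliberate, a one-line comment saying why the two REPLACE lines are escaped differently would stop the next reader from "fixing" it. save_prefs is named in the hunk header but its body continues outside the hunk.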
".LAN_WARNING."

".CORE_LAN6."
"; exit; } @@ -1310,7 +1313,14 @@ function init_session() { $currentUser['user_realname'] = $result['user_login']; // Used by force_userupdate define("USERLV", $result['user_lastvisit']); - if ($result['user_ban'] == 1) { exit; } + if ($result['user_ban'] == 1) + { + if (isset($pref['ban_messages'])) + { + echo $tp->toHTML(varsettrue($pref['ban_messages'][6])); // Show message if one set + } + exit; + } $user_pref = ($result['user_prefs']) ? unserialize($result['user_prefs']) : ''; diff --git a/e107_admin/banlist.php b/e107_admin/banlist.php index 93950141d..07c5a2ccf 100644 --- a/e107_admin/banlist.php +++ b/e107_admin/banlist.php 
@@ -11,84 +11,278 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_admin/banlist.php,v $ -| $Revision: 1.2 $ -| $Date: 2007-02-11 10:33:28 $ +| $Revision: 1.3 $ +| $Date: 2007-12-09 16:42:22 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ + +define('BAN_TIME_FORMAT',"%d-%m-%Y %H:%M"); +define('BAN_REASON_COUNT',7); // Update as more ban reasons added (max 10 supported) + require_once("../class2.php"); -if (!getperms("4")) { - header("location:".e_BASE."index.php"); - exit; +if (!getperms("4")) +{ + header("location:".e_BASE."index.php"); + exit; } $e_sub_cat = 'banlist'; require_once("auth.php"); require_once(e_HANDLER."form_handler.php"); $rs = new form; -if (e_QUERY) { - $tmp = explode("-", e_QUERY); - $action = $tmp[0]; - $sub_action = $tmp[1]; - $id = $tmp[2]; - unset($tmp); +$action = 'list'; +if (e_QUERY) +{ + $tmp = explode("-", e_QUERY); // Use '-' instead of '.' to avoid confusion with IP addresses + $action = $tmp[0]; + $sub_action = varset($tmp[1],''); + if ($sub_action) $sub_action = preg_replace("/[^\w@\.]*/",'',urldecode($sub_action)); + $id = intval(varset($tmp[2],0)); + unset($tmp); } -$_POST['ban_ip'] = trim($_POST['ban_ip']); -if (isset($_POST['add_ban']) && $_POST['ban_ip'] != "" && strpos($_POST['ban_ip'], ' ') === false) { - $_POST['ban_reason'] = $tp->toDB($_POST['ban_reason']); - admin_update($sql -> db_Insert("banlist", "'".$_POST['ban_ip']."', '".ADMINID."', '".$_POST['ban_reason']."'"), 'insert'); - unset($ban_ip); +if (varsettrue($imode)) +{ + $images_path = e_IMAGE.'packs/'.$imode.'/admin_images/'; +} +else +{ + $images_path = e_IMAGE.'admin_images/'; } -if (isset($_POST['update_ban']) && $_POST['ban_ip'] != "" && strpos($_POST['ban_ip'], ' ') === false) { - $_POST['ban_reason'] = $tp->toDB($_POST['ban_reason']); - admin_update($sql -> db_Update("banlist", "banlist_ip='".$_POST['ban_ip']."', banlist_admin=".ADMINID.", 
banlist_reason='".$_POST['ban_reason']."' WHERE banlist_ip='".$_POST['old_ip']."'")); - unset($ban_ip); + +if (isset($_POST['update_ban_prefs'])) +{ + for ($i = 0; $i < BAN_REASON_COUNT; $i++) + { + $pref['ban_messages'][$i] = $tp->toDB(varset($_POST['ban_text'][$i],'')); + $pref['ban_durations'][$i] = intval(varset($_POST['ban_time'][$i],0)); + } + save_prefs(); + $ns->tablerender(BANLAN_9, "
".BANLAN_33.'
'); } -if ($action == "remove" && isset($_POST['ban_secure'])) { - $sql -> db_Delete("generic", "gen_type='failed_login' AND gen_ip='$sub_action'"); - admin_update($sql -> db_Delete("banlist", "banlist_ip='$sub_action'"), 'delete'); -} -if ($action == "edit") { - $sql->db_Select("banlist", "*", "banlist_ip='$sub_action'"); - $row = $sql->db_Fetch(); - extract($row); -} else { - unset($banlist_ip, $banlist_reason); - if (e_QUERY && strpos($_SERVER["HTTP_REFERER"], "userinfo")) { - $banlist_ip = $action; + +if (isset($_POST['ban_ip'])) +{ + $_POST['ban_ip'] = trim($_POST['ban_ip']); + $new_ban_ip = preg_replace("/[^\w@\.]*/",'',urldecode($_POST['ban_ip'])); + if ($new_ban_ip != $_POST['ban_ip']) + { + $message = BANLAN_27.$new_ban_ip; + $ns->tablerender(BANLAN_9, $message); + $_POST['ban_ip'] = $new_ban_ip; + } + + if ((isset($_POST['add_ban']) || isset($_POST['update_ban'])) && $_POST['ban_ip'] != "" && strpos($_POST['ban_ip'], ' ') === false) + { + $new_vals = array('banlist_ip' => $_POST['ban_ip']); + if (isset($_POST['add_ban'])) + { + $new_vals['banlist_datestamp'] = time(); + $new_vals['banlist_bantype'] = 1; // Manual ban } + $new_vals['banlist_admin'] = ADMINID; + if (varsettrue($_POST['ban_reason'])) $new_vals['banlist_reason'] =$tp->toDB($_POST['ban_reason']); + $new_vals['banlist_notes'] = $tp->toDB($_POST['ban_notes']); + if (isset($_POST['ban_time']) && is_numeric($_POST['ban_time'])) + { + $bt = intval($_POST['ban_time']); + $new_vals['banlist_banexpires'] = $bt ? time() + ($bt*60*60) : 0; + } + if (isset($_POST['add_ban'])) + { // Insert new value - can just pass an array + admin_update($sql -> db_Insert("banlist",$new_vals), 'insert'); + } + else + { // Update existing value + $qry = ''; + $spacer = ''; + foreach ($new_vals as $k => $v) + { + $qry .= $spacer."`{$k}`='$v'"; + $spacer = ', '; + } + admin_update($sql -> db_Update("banlist", $qry." 
WHERE banlist_ip='".$_POST['old_ip']."'")); + } + unset($ban_ip); + } } +// Remove a ban +if ($action == "remove" && isset($_POST['ban_secure'])) +//if ($action == "remove") +{ + $sql -> db_Delete("generic", "gen_type='failed_login' AND gen_ip='{$sub_action}'"); + admin_update($sql -> db_Delete("banlist", "banlist_ip='{$sub_action}'"), 'delete'); +} + + +// Update the ban expiry time/date - timed from now +if ($action == 'newtime') +{ + $end_time = $id ? time() + ($id*60*60) : 0; + admin_update($sql -> db_Update("banlist", "banlist_banexpires='".intval($end_time)."' WHERE banlist_ip='".$sub_action."'")); + $action = 'list'; +} + + +if ($action == "edit") +{ + $sql->db_Select("banlist", "*", "banlist_ip='{$sub_action}'"); + $row = $sql->db_Fetch(); + extract($row); +} +else +{ + unset($banlist_ip, $banlist_reason); + if (e_QUERY && ($action == 'add') && strpos($_SERVER["HTTP_REFERER"], "userinfo")) + { + $banlist_ip = $sub_action; + } +} + + +function ban_time_dropdown($click_js = '', $zero_text=BANLAN_21, $curval=-1,$drop_name='ban_time') +{ + $intervals = array(0,1,2,3,6,8,12,24,36,48,72,96,120,168,336,672); + $ret = "'; + return $ret; +} + + $text = ""; +switch ($action) +{ -$text .= "
-
- + case 'options' : + if ((!isset($pref['ban_messages'])) || !is_array($pref['ban_messages'])) + { + $pref['ban_messages'] = array_fill(0,BAN_REASON_COUNT-1,''); + } + if ((!isset($pref['ban_durations'])) || !is_array($pref['ban_durations'])) + { + $pref['ban_durations'] = array_fill(0,BAN_REASON_COUNT-1,0); + } + $text = $rs->form_open("post", e_SELF.'?'.e_QUERY, "ban_options")."
"; + if (!$ban_total = $sql->db_Select("banlist","*","ORDER BY banlist_ip","nowhere")) + { + $text .= "
".BANLAN_2."
"; + } + else + { + $text .= "
+ + + + + + + + + + "; + for ($i = 0; $i < BAN_REASON_COUNT; $i++) + { + $text .= " + + + + "; + } + $text .= " +
".BANLAN_28."".BANLAN_29."
".BANLAN_31."
".BANLAN_30."
".constant('BANLAN_10'.$i)." + + ".ban_time_dropdown('',BANLAN_32,$pref['ban_durations'][$i],'ban_time[]')."
\n"; + } + $text .= "
".$rs->form_close(); + $ns->tablerender(BANLAN_3, $text); + break; - - ".BANLAN_5.": {$rdns_warn} - - - - + case 'edit' : + case 'add' : + $rdns_warn = varsettrue($pref['enable_rdns']) ? '' : '
'.BANLAN_12; + // Edit/add form first + $text .= "
+ + + + + + "; - - - - + if (($action == 'add') || ($banlist_bantype <= 1)) + { // Its a manual or unknown entry - only allow edit of reason on those + $text .= " + + + + "; + } + else + { + $text .= " + + + + "; + } - - + + + "; + } + + $text .= " + + + + + + + + + + + + @@ -96,37 +290,91 @@ $text .= "
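Review bot: `$_POST['old_ip']` is interpolated into the UPDATE's WHERE clause unfiltered, while the new `ban_ip` value a few lines above is cleaned with `preg_replace("/[^\w@\.]*/",'',...)` — apply the same filter (or `$tp->toDB()`) before building the query, e.g. `$old_ip = preg_replace("/[^\w@\.]*/",'',$_POST['old_ip']);` and `WHERE banlist_ip='{$old_ip}'`. In the 'options' case, `array_fill(0, BAN_REASON_COUNT-1, ...)` creates entries 0..5 only, but the loop that follows runs `$i < BAN_REASON_COUNT` and reads `$pref['ban_durations'][$i]`, so index 6 is undefined on first use; it should be `array_fill(0, BAN_REASON_COUNT, ...)`. The `newtime` action rewrites a ban's expiry from a bare GET (`?newtime-<ip>-<hours>`) with no `ban_secure` token, unlike `remove`, which requires `isset($_POST['ban_secure'])`; gate it the same way. `$tp->toDB($_POST['ban_notes'])` raises a notice when the field is absent; `varset($_POST['ban_notes'],'')` matches the surrounding style.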
"; -$text .= "

".BANLAN_13."
"; -if(!varsettrue($pref['enable_rdns'])) -{ - $text .= "

".BANLAN_12."
"; -} + $text .= "

".BANLAN_13."
"; + if(!varsettrue($pref['enable_rdns'])) + { + $text .= "

".BANLAN_12."
"; + } + $ns->tablerender(BANLAN_9, $text); + break; // End of 'Add' and 'Edit' -$ns->tablerender(BANLAN_9, $text); - -if ($action != "edit") { - $text = $rs->form_open("post", e_SELF, "ban_form")."
".$rs->form_hidden("ban_secure", "1"); - if (!$ban_total = $sql->db_Select("banlist","*","ORDER BY banlist_ip","nowhere")) { + case 'list' : + default : + $text = $rs->form_open("post", e_SELF, "ban_form")."
".$rs->form_hidden("ban_secure", "1"); + if (!$ban_total = $sql->db_Select("banlist","*","ORDER BY banlist_ip","nowhere")) + { $text .= "
".BANLAN_2."
"; - } else { + } + else + { $text .= "
".BANLAN_5.": + {$rdns_warn} +
".BANLAN_7.": - -
".BANLAN_7.": + +
".BANLAN_7.": {$banlist_reason}
". -($action == "edit" ? "" : "")." + if ($action == 'edit') + { + $text .= " +
".BANLAN_28.": ".constant('BANLAN_10'.$banlist_bantype)." - ".constant('BANLAN_11'.$banlist_bantype)."
".BANLAN_19.": + +
".BANLAN_18.": ".ban_time_dropdown(). + (($action == 'edit') ? '   ('.BANLAN_26.($banlist_banexpires ? strftime(BAN_TIME_FORMAT,$banlist_banexpires) : BANLAN_21).')' : ''). + "
". + ($action == "edit" ? "" : "")."
+ + + + + + + + - - + + + + + + "; $count = 0; - while ($row = $sql->db_Fetch()) { - extract($row); - $banlist_reason = str_replace("LAN_LOGIN_18", BANLAN_11, $banlist_reason); - $text .= " - \n"; + while ($row = $sql->db_Fetch()) + { + extract($row); + $banlist_reason = str_replace("LAN_LOGIN_18", BANLAN_11, $banlist_reason); + $text .= " + + + + + + "; $count++; } $text .= "
".BANLAN_10."".LAN_OPTIONS."".BANLAN_17."".BANLAN_20."".BANLAN_10."".BANLAN_19."".BANLAN_18."".LAN_OPTIONS."
$banlist_ip
".BANLAN_7.": $banlist_reason
".$rs->form_button("submit", "main_edit_$count", LAN_EDIT, "onclick=\"document.getElementById('ban_form').action='".e_SELF."?edit-$banlist_ip'\"").$rs->form_button("submit", "main_delete_$count", BANLAN_4, "onclick=\"document.getElementById('ban_form').action='".e_SELF."?remove-$banlist_ip'\"")."
".($banlist_datestamp ? strftime(BAN_TIME_FORMAT,$banlist_datestamp) : BANLAN_22 )."".constant('BANLAN_10'.$banlist_bantype)."{$banlist_ip}
".BANLAN_7.": {$banlist_reason}
{$banlist_notes}".($banlist_banexpires ? strftime(BAN_TIME_FORMAT,$banlist_banexpires).(($banlist_banexpires < time()) ? ' ('.BANLAN_34.')' : '') + : BANLAN_21)."
+ ".ban_time_dropdown("onchange=\"urljump('".e_SELF."?newtime-{$banlist_ip}-'+this.value)\"")."
+ ".LAN_EDIT." + toJS(LAN_CONFIRMDEL." [".$banlist_ip."]")."'); + if (r) { document.getElementById('ban_form').action='".e_SELF."?remove-{$banlist_ip}'; } return r; \" />
\n"; - } - $text .= "
".$rs->form_close(); - $ns->tablerender(BANLAN_3, $text); -} + } + $text .= "".$rs->form_close(); + $ns->tablerender(BANLAN_3, $text); + // End of case 'list' and the default case +} // End switch ($action) + require_once("footer.php"); + + +function banlist_adminmenu() +{ + $action = (e_QUERY) ? e_QUERY : "list"; + + $var['list']['text'] = BANLAN_14; // List existing bans + $var['list']['link'] = e_SELF."?list"; + $var['list']['perm'] = "W"; + + $var['add']['text'] = BANLAN_25; // Add a new ban + $var['add']['link'] = e_SELF."?add"; + $var['add']['perm'] = "W"; + + if(getperms("0")) + { + $var['options']['text'] = BANLAN_15; + $var['options']['link'] = e_SELF."?options"; + $var['options']['perm'] = "0"; + } + show_admin_menu(BANLAN_16, $action, $var); +} + + ?> diff --git a/e107_admin/fla.php b/e107_admin/fla.php index 6989e8131..6bda4977b 100644 --- a/e107_admin/fla.php +++ b/e107_admin/fla.php @@ -11,9 +11,9 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_admin/fla.php,v $ -| $Revision: 1.1.1.1 $ -| $Date: 2006-12-02 04:33:22 $ -| $Author: mcfly_e107 $ +| $Revision: 1.2 $ +| $Date: 2007-12-09 16:42:22 $ +| $Author: e107steved $ +----------------------------------------------------------------------------+ */ require_once("../class2.php"); 
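Review bot: In the list rows, `$banlist_ip`, `$banlist_reason` and `$banlist_notes` come straight from `extract($row)` and are written into HTML, into the `urljump('...?newtime-{$banlist_ip}-'...)` URL and into the delete button's `onclick` (`?remove-{$banlist_ip}`) without `$tp->toHTML()` or JS escaping — only the confirm text goes through `toJS()`. Admin-entered IPs are filtered at submission, but rows created by `$e107->add_ban()` from class2.php, fla.php and users.php store whatever IP string the caller passed, so the output side should escape rather than trust the value; confirm what `getip()` can return. `banlist_adminmenu()` sets `$action = e_QUERY`, so `?edit-<ip>` or `?remove-<ip>` never matches the 'list'/'add'/'options' keys; splitting on '-' as the top of the file does (`$tmp = explode('-', e_QUERY); $action = $tmp[0];`) keeps the menu highlight consistent.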
@@ -44,14 +44,15 @@ if(isset($_POST['delbanSubmit'])) $bancount = 0; foreach($_POST['flaban'] as $ban) { - if($sql -> db_Select("generic", "*", "gen_id=$ban")) - { - $at = $sql -> db_Fetch(); - $banlist_ip = $at['gen_ip']; - $sql->db_Insert("banlist", "'$banlist_ip', '".ADMINID."', '".FLALAN_4."' "); - $sql -> db_Delete("generic", "gen_id='$ban' "); - $bancount ++; - } + if($sql -> db_Select("generic", "*", "gen_id={$ban}")) + { + $at = $sql -> db_Fetch(); + $e107->add_ban(4,FLALAN_4,$at['gen_ip'],ADMINID); +// $banlist_ip = $at['gen_ip']; +// $sql->db_Insert("banlist", "'$banlist_ip', '".ADMINID."', '".FLALAN_4."' "); + $sql -> db_Delete("generic", "gen_id='$ban' "); + $bancount ++; + } } $message .= ", ".FLALAN_5.": ".$bancount; } @@ -83,7 +84,7 @@ if (isset($message)) { $gen = new convert; $fla_total = $sql->db_Count("generic", "(*)", "WHERE gen_type='failed_login'"); -if(!$sql -> db_Select("generic", "*", "gen_type='failed_login' ORDER BY gen_datestamp DESC LIMIT $from,$amount")) +if(!$sql -> db_Select("generic", "*", "gen_type='failed_login' ORDER BY gen_datestamp DESC LIMIT {$from},{$amount}")) { $text = "
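Review bot: `$ban` is taken from `$_POST['flaban']` and interpolated into `gen_id={$ban}` (and into `gen_id='$ban'` in the delete) with no cast, so the rewritten select still accepts arbitrary SQL from the form; cast at the top of the foreach, `$ban = intval($ban);`, before either query. The two commented-out lines that the `add_ban()` call replaces should be deleted, not kept. The same remark applies to `LIMIT {$from},{$amount}` in the next hunk if `$from`/`$amount` are request-derived — their origin is outside this chunk.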
".FLALAN_2."
"; } @@ -113,8 +114,8 @@ else ".str_replace(":::", "
", htmlentities($gen_chardata, ENT_QUOTES, CHARSET))." ".$fa['gen_ip']."
{$host} - ".LAN_DELETE."
- ".LAN_BAN." + ".LAN_DELETE."
+ ".LAN_BAN." "; diff --git a/e107_admin/userinfo.php b/e107_admin/userinfo.php index bd40bcf57..00989713e 100644 --- a/e107_admin/userinfo.php +++ b/e107_admin/userinfo.php @@ -11,9 +11,9 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_admin/userinfo.php,v $ -| $Revision: 1.1.1.1 $ -| $Date: 2006-12-02 04:33:30 $ -| $Author: mcfly_e107 $ +| $Revision: 1.2 $ +| $Date: 2007-12-09 16:42:22 $ +| $Author: e107steved $ +----------------------------------------------------------------------------+ */ require_once("../class2.php"); @@ -40,7 +40,7 @@ if (isset($ipd)) { $sql->db_Select("chatbox", "*", "cb_ip='$ipd' LIMIT 0,20"); $host = $e107->get_host_name($ipd); $text = USFLAN_3." ".$ipd." [ ".USFLAN_4.": $host ]
- ".USFLAN_5." + ".USFLAN_5."

"; while (list($cb_id, $cb_nick, $cb_message, $cb_datestamp, $cb_blocked, $cb_ip ) = $sql->db_Fetch()) { diff --git a/e107_admin/users.php b/e107_admin/users.php index 97df8d6e4..f49f3f84c 100644 --- a/e107_admin/users.php +++ b/e107_admin/users.php @@ -11,8 +11,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_admin/users.php,v $ -| $Revision: 1.7 $ -| $Date: 2007-11-01 22:01:38 $ +| $Revision: 1.8 $ +| $Date: 2007-12-09 16:42:22 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -153,7 +153,8 @@ if (isset($_POST['update_options'])) // ------- Prune Users. -------------- -if (isset($_POST['prune'])) { +if (isset($_POST['prune'])) +{ $e107cache->clear("online_menu_member_total"); $e107cache->clear("online_menu_member_newest"); $text = USRLAN_56." "; @@ -211,11 +212,11 @@ if (isset($_POST['adduser'])) { if ($sql->db_Count("user", "(*)", "WHERE user_email='".$_POST['email']."' AND user_ban='1' ")) { message_handler("P_ALERT", USRLAN_147); $error = TRUE; - } + } if ($sql->db_Count("banlist", "(*)", "WHERE banlist_ip='".$_POST['email']."'")) { message_handler("P_ALERT", USRLAN_148); $error = TRUE; - } + } if (!$error) { @@ -270,8 +271,9 @@ if (isset($_POST['useraction']) && $_POST['useraction'] == "ban") } else { - $sql -> db_Insert("banlist", "'".$row['user_ip']."', '".USERID."', '".$row['user_name']."' "); - $user->show_message(str_replace("{IP}", $row['user_ip'], USRLAN_137)); + $e107->add_ban(6,USRLAN_149.$row['user_name'].'/'.$row['user_loginname'],$row['user_ip'],USERID); +// $sql -> db_Insert("banlist", "'".$row['user_ip']."', '".USERID."', '".$row['user_name']."' "); + $user->show_message(str_replace("{IP}", $row['user_ip'], USRLAN_137)); } } } 
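Review bot: The reason passed to `$e107->add_ban(6, ...)` is built from `$row['user_name']` and `$row['user_loginname']`, i.e. user-chosen strings; whether add_ban applies `toDB()` or equivalent escaping before writing `banlist_reason` is not visible here, so either confirm that it does or pass `$tp->toDB(USRLAN_149.$row['user_name'].'/'.$row['user_loginname'])`. The replaced `db_Insert` line is kept as a comment and should be removed. The ban-type literals in this commit (`2` in class2.php, `4` in fla.php, `6` here) would read better as named constants shared by all callers.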
@@ -389,8 +391,25 @@ if (isset($_POST['useraction']) && $_POST['useraction'] == "unadmin" && getperms if (isset($_POST['useraction']) && $_POST['useraction'] == "verify") { $uid = intval($_POST['userid']); - if ($sql->db_Update("user", "user_ban='0' WHERE user_id='{$uid}' ")) + + if ($sql->db_Select("user", "*", "user_id='".$uid."' ")) { + if ($row = $sql->db_Fetch()) + { + // Add in the initial classes, if this is the time + $init_classes = ''; + if ($pref['init_class_stage'] == '2') + { + $init_classes = explode(',',varset($pref['initial_user_classes'],'')); + if ($init_classes) + { // Update the user classes + $row['user_class'] = $tp->toDB(implode(',',array_unique(array_merge($init_classes, explode(',',$row['user_class']))))); + $init_classes = ", user_class='".$row['user_class']."' "; + } + } + $sql->db_Update("user", "user_ban='0'{$init_classes} WHERE user_id='".$uid."' "); +// $e_event->trigger("userveri", $row); // We do this from signup.php - should we do it here? + $user->show_message(USRLAN_86); if(!$action){ $action = "main"; } if(!$sub_action){ $sub_action = "user_id"; } @@ -416,6 +435,7 @@ if (isset($_POST['useraction']) && $_POST['useraction'] == "verify") } } } + } } } 
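Review bot: `explode(',', '')` returns `array('')`, not an empty array, so `if ($init_classes)` in the verify branch is always true and the merge writes an empty element into `user_class` (e.g. `',3'`, or a bare `''`) whenever `initial_user_classes` is unset; filter both sides before merging, `$init_classes = array_filter(explode(',', varset($pref['initial_user_classes'],'')));` and likewise `array_filter(explode(',',$row['user_class']))`. `$init_classes` is then reused to hold the SQL fragment, which makes the earlier truthiness test read as a string check — a second name such as `$class_sql` would be clearer. `$pref['init_class_stage'] == '2'` is a loose comparison and the stored type is not visible here; `===` against a documented set of stage values would be safer. The enclosing `if (isset($_POST['useraction']) ...)` block continues past the hunk.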
@@ -463,21 +483,29 @@ if (isset($action) && $action == "create") { require_once("footer.php"); -class users{ - function show_existing_users($action, $sub_action, $id, $from, $amount) { - // ##### Display scrolling list of existing news items --------------------------------------------------------------------------------------------------------- + + +class users +{ + + function show_existing_users($action, $sub_action, $id, $from, $amount) + { global $sql, $rs, $ns, $tp, $mySQLdefaultdb,$pref,$unverified; // save the display choices. - if(isset($_POST['searchdisp'])){ + if(isset($_POST['searchdisp'])) + { $pref['admin_user_disp'] = implode("|",$_POST['searchdisp']); save_prefs(); } - if(!$pref['admin_user_disp']){ + if(!$pref['admin_user_disp']) + { $search_display = array("user_name","user_class"); - }else{ + } + else + { $search_display = explode("|",$pref['admin_user_disp']); } @@ -969,7 +997,7 @@ class users{ ".$rs->form_text("email", 60, "", 100)." - "; + \n"; if (!is_object($sql)) $sql = new db; @@ -978,7 +1006,7 @@ class users{ ".USRLAN_120." - "; + \n"; $c = 0; while ($row = $sql->db_Fetch()) { $class[$c][0] = $row['userclass_id']; @@ -986,10 +1014,13 @@ class users{ $class[$c][2] = $row['userclass_description']; $c++; } - for($a = 0; $a <= (count($class)-1); $a++) { + $init_classes = explode(',',varset($pref['initial_user_classes'],'')); + for($a = 0; $a <= (count($class)-1); $a++) + { + $selected = in_array($class[$a][0],$init_classes) ? " checked='checked'" : ""; $text .= " - ".$class[$a][1]." - ".$class[$a][2].""; + ".$class[$a][1]." + ".$class[$a][2]."\n"; } } $text .= " @@ -1042,7 +1073,7 @@ class users{ } else { - $this->show_message(USRLAN_141.": ".$name); + $this->show_message(USRLAN_141.": ".$name); } } 
@@ -1091,21 +1122,21 @@ class users{ function check_bounces($bounce_act='first_check', $bounce_arr = '') { - global $sql,$pref; - include(e_HANDLER."pop3_class.php"); + global $sql,$pref; + include(e_HANDLER."pop3_class.php"); if (!trim($bounce_act)) $bounce_act='first_check'; // echo "Check bounces. Action: {$bounce_act}; Entries: {$bounce_arr}
"; - $obj= new receiveMail($pref['mail_bounce_user'],$pref['mail_bounce_pass'],$pref['mail_bounce_email'],$pref['mail_bounce_pop3'],'pop3','110'); + $obj= new receiveMail($pref['mail_bounce_user'],$pref['mail_bounce_pass'],$pref['mail_bounce_email'],$pref['mail_bounce_pop3'],'pop3','110'); $del_count = 0; - if ($bounce_act !='first_check') - { // Must do some deleting - $obj->connect(); - $tot=$obj->getTotalMails(); - $del_array = explode(',',$bounce_arr); - for($i=1;$i<=$tot;$i++) + if ($bounce_act !='first_check') + { // Must do some deleting + $obj->connect(); + $tot=$obj->getTotalMails(); + $del_array = explode(',',$bounce_arr); + for($i=1;$i<=$tot;$i++) { // Scan all emails; delete current one if meets the criteria $dodel = FALSE; switch ($bounce_act) @@ -1145,75 +1176,75 @@ class users{ $del_count++; // Keep track of number of emails deleted } } // End - Delete one email - $obj->close_mailbox(); // This actually deletes the emails + $obj->close_mailbox(); // This actually deletes the emails } // End of email deletion // Now list the emails that are left - $obj->connect(); - $tot=$obj->getTotalMails(); - $found = FALSE; - $DEL = ($pref['mail_bounce_delete']) ? TRUE : FALSE; + $obj->connect(); + $tot=$obj->getTotalMails(); + $found = FALSE; + $DEL = ($pref['mail_bounce_delete']) ? TRUE : FALSE; - $text = "
+ $text = "
\n"; - for($i=1;$i<=$tot;$i++) - { - $head=$obj->getHeaders($i); - if($head['bounce']) + for($i=1;$i<=$tot;$i++) + { + $head=$obj->getHeaders($i); + if($head['bounce']) { // Its a 'bounce' email - if (ereg('.*X-e107-id:(.*)MIME', $obj->getBody($i), $result)) - { - if($result[1]) - { + if (ereg('.*X-e107-id:(.*)MIME', $obj->getBody($i), $result)) + { + if($result[1]) + { $id[$i] = intval($result[1]); // This should be a user ID - but not on special mailers! // Try and pull out an email address from body - should be the one that failed - if (preg_match("/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i", $obj->getBody($i), $result)) - { - $emails[$i] = "'".$result[0]."'"; - } - $found = TRUE; - } - } - elseif (preg_match("/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i", $obj->getBody($i), $result)) - { - if($result[0] && $result[0] != $pref['mail_bounce_email']) - { - $emails[$i] = "'".$result[0]."'"; - $found = TRUE; - } - elseif($result[1] && $result[1] != $pref['mail_bounce_email']) - { - $emails[$i] = "'".$result[1]."'"; - $found = TRUE; - } - } + if (preg_match("/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i", $obj->getBody($i), $result)) + { + $emails[$i] = "'".$result[0]."'"; + } + $found = TRUE; + } + } + elseif (preg_match("/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i", $obj->getBody($i), $result)) + { + if($result[0] && $result[0] != $pref['mail_bounce_email']) + { + $emails[$i] = "'".$result[0]."'"; + $found = TRUE; + } + elseif($result[1] && $result[1] != $pref['mail_bounce_email']) + { + $emails[$i] = "'".$result[1]."'"; + $found = TRUE; + } + } if ($DEL && $found) { // Auto-delete bounced emails once noticed (if option set) $obj->deleteMails($i); $del_count++; } - } - else - { // Its a warning message or similar + } + else + { // Its a warning message or similar // $id[$i] = ''; // Don't worry about an ID for now // Try and pull out an email address from body - should be the one that failed - if (preg_match("/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i", $obj->getBody($i), $result)) - { - $wmails[$i] 
= "'".$result[0]."'"; - } - } + if (preg_match("/[\._a-zA-Z0-9-]+@[\._a-zA-Z0-9-]+/i", $obj->getBody($i), $result)) + { + $wmails[$i] = "'".$result[0]."'"; + } + } - $text .= "\n"; - } + $text .= "\n"; + } - if ($tot) + if ($tot) { // Option to delete emails - only if there are some in the list $text .= "
#e107-idemailSubjectBounce
".$i."".$id[$i]."".(isset($emails[$i]) ? $emails[$i] : $wmails[$i])."".$head['subject']."".($head['bounce'] ? ADMIN_TRUE_ICON : ADMIN_FALSE_ICON); - $text .= "
".$i."".$id[$i]."".(isset($emails[$i]) ? $emails[$i] : $wmails[$i])."".$head['subject']."".($head['bounce'] ? ADMIN_TRUE_ICON : ADMIN_FALSE_ICON); + $text .= "
\n @@ -1221,8 +1252,8 @@ class users{ \n \n "; - } - $text .= "
"; + } + $text .= ""; array_unique($id); array_unique($emails); diff --git a/e107_handlers/admin_log_class.php b/e107_handlers/admin_log_class.php index 7be1a717a..3b2399892 100644 --- a/e107_handlers/admin_log_class.php +++ b/e107_handlers/admin_log_class.php @@ -4,7 +4,7 @@ + ----------------------------------------------------------------------------+ | e107 website system | -| �Steve Dunstan 2001-2002 +| ?Steve Dunstan 2001-2002 | http://e107.org | jalist@e107.org | @@ -12,9 +12,15 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/admin_log_class.php,v $ -| $Revision: 1.3 $ -| $Date: 2007-11-04 09:10:54 $ +| $Revision: 1.4 $ +| $Date: 2007-12-09 16:42:23 $ | $Author: e107steved $ + +To do: +1. Do we need to check for presence of elements of debug_backtrace() to avoid notices? +2. Reflect possible DB structure changes once finalised +3. Ad user audit trail + +----------------------------------------------------------------------------+ */ @@ -35,6 +41,7 @@ class e_admin_log { 'log_level' => 2, 'backtrace' => false, ); + var $rldb = NULL; // Database used by logging routine /** * Constructor. Sets up constants and overwrites default options where set. 
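Review bot: The header hunk replaces the non-ASCII character before `Steve Dunstan 2001-2002` (presumably the copyright symbol) with a literal `?`, which looks like an encoding round-trip in the editor rather than an intended change; restore the original character or spell it `(c)`, and check the file was saved in the same encoding as the rest of the tree.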
@@ -42,41 +49,23 @@ class e_admin_log { * @param array $options * @return e_admin_log */ - function e_admin_log ($options = array()){ - foreach ($options as $key => $val) { - $this->_options[$key] = $val; - } + function e_admin_log ($options = array()) + { + foreach ($options as $key => $val) + { + $this->_options[$key] = $val; + } - /** - * Minmal Log Level, including really minor stuff - * - */ - - define("E_LOG_INFORMATIVE", 0); - - /** - * More important than informative, but less important than notice - * - */ - define("E_LOG_NOTICE", 1); - - /** - * Not anything serious, but important information - * - */ - define("E_LOG_WARNING", 2); - - /** - * An event so bad your site ceased execution. - * - */ - define("E_LOG_FATAL", 3); - - /* - * Plugin Information. - */ - - define("E_LOG_PLUGIN", 4); + define("E_LOG_INFORMATIVE", 0); // Minimal Log Level, including really minor stuff + define("E_LOG_NOTICE", 1); // More important than informative, but less important than notice + define("E_LOG_WARNING", 2); // Not anything serious, but important information + define("E_LOG_FATAL", 3); // An event so bad your site ceased execution. + define("E_LOG_PLUGIN", 4); // Plugin information + + // Logging actions + define("LOG_TO_ADMIN", 1); + define("LOG_TO_AUDIT", 2); + define("LOG_TO_ROLLING", 4); } /** 
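Review bot: The constructor now adds `define("LOG_TO_ADMIN", 1)`, `LOG_TO_AUDIT` and `LOG_TO_ROLLING` next to the existing `E_LOG_*` defines, so constructing a second `e_admin_log` (or loading the class when the constants already exist) raises 'Constant already defined' notices and silently keeps the first values; guard them, `if (!defined('LOG_TO_ADMIN')) { ... }`, or move all eight `define()` calls out of the constructor to file scope. The values 1, 2, 4 look like bit flags — if they are meant to be combined with `|`, say so in the comment, e.g. `// Logging destinations - may be OR-ed together`; if not, that is worth stating too.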
@@ -86,43 +75,170 @@ class e_admin_log { * @param string $event_detail * @param int $event_type Log level */ - function log_event ($event_title, $event_detail, $event_type = E_LOG_INFORMATIVE) { - global $e107, $sql, $tp; - if($event_type >= $this->_options['log_level']) { - $event_title = $tp -> toDB($event_title, true,false,'no_html'); - $event_detail = $tp -> toDB($event_detail, true,false,'no_html'); - $event_type = $tp -> toDB($event_type, true,false,'no_html'); - $time_stamp = time(); - $uid = (USERID !== FALSE) ? USERID : '0'; - $ip = $e107->getip(); - if($this->_options['backtrace'] == true) { - $event_detail .= "\n\n".debug_backtrace(); - } - $sql->db_Insert('dblog', "'', '{$event_type}', {$time_stamp}, {$uid}, '{$ip}', '{$event_title}', '{$event_detail}' "); + // Legacy entry point (not used by much) - retained for completeness. + // (Should really only be used for admin events anyway - not debugging) + function log_event($event_title, $event_detail, $event_type = E_LOG_INFORMATIVE) + { + global $e107, $tp; + if($event_type >= $this->_options['log_level']) + { + if($this->_options['backtrace'] == true) + { + $event_detail .= "\n\n".debug_backtrace(); } + $this->e_log_event($event_type,-1,"ADMIN",$event_title,$event_detail,FALSE,LOG_TO_ADMIN); + } } - function get_log_events($count = 15, $offset) { - global $sql; - $count = intval($count); +// ***************************** START OF ADDITIONS ************************** +/* + Example call: (Deliberately pick separators that shouldn't be in file names) + e_log_event(E_LOG_NOTICE,__FILE__."|".__FUNCTION__."@".__LINE__,"ECODE","Event Title","explanatory message",FALSE,LOG_TO_ADMIN); + or: + e_log_event(E_LOG_NOTICE,debug_backtrace(),"ECODE","Event Title","explanatory message",TRUE,LOG_TO_ROLLING); + + Parameters: + $importance - importance of event - 0..4 or so + $source_call - either: string identifying calling file/routine + or: a number 0..9 identifying info to log from debug_backtrace() + or: empty string, 
in which case first entry from debug_backtrace() logged + or: an array, assumed to be from passing debug_backtrace() as a parameter, in which case relevant + information is extracted and the argument list from the first entry logged + or: -1, in which case no information logged + $eventcode - abbreviation listing event type + $event_title - title of event - pass standard 'LAN_ERROR_nn' defines to allow language translation + $explain - detail of event + $finished - if TRUE, aborts execution + $target_logs - flags indicating which logs to update - if entry to be posted in several logs, add (or 'OR') their defines: + LOG_TO_ADMIN - admin log + LOG_TO_AUDIT - audit log + LOG_TO_ROLLING - rolling log +*/ + function e_log_event($importance, $source_call, $eventcode = "GEN", $event_title="Untitled", $explain = "", $finished = FALSE, $target_logs = LOG_TO_AUDIT) + { + global $pref, $e107, $tp; + + list($time_usec, $time_sec) = explode(" ", microtime()); // Log event time immediately to minimise uncertainty + + if ($this->rldb == NULL) $this->rldb = new db; // Better use our own db - don't know what else is going on + + if (is_bool($target_logs)) + { // Handle the legacy stuff for now - some old code used a boolean to select admin or rolling logs + $target_logs = $target_logs ? LOG_TO_ADMIN : LOG_TO_ROLLING; } +//--------------------------------------- +// Calculations common to all logs +//--------------------------------------- + $userid = (USER === TRUE) ? USERID : 0; + $userstring = ( USER === true ? 
USERNAME : "LAN_ANONYMOUS"); + $userIP = $e107->getip(); + + $importance = $tp->toDB($importance,true,false,'no_html'); + $eventcode = $tp->toDB($eventcode,true,false,'no_html'); + $explain = $tp->toDB($explain,true,false,'no_html'); + $event_title = $tp->toDB($event_title,true,false,'no_html'); + $source_call = $tp->toDB($source_call,true,false,'no_html'); + + +//--------------------------------------- +// Admin Log +//--------------------------------------- + if ($target_logs & LOG_TO_ADMIN) + { // Admin log - assume all fields valid + $this->rldb->db_Insert("dblog", " 0, ".intval($time_usec).','.intval($time_sec).", '{$importance}', '{$eventcode}', {$userid}, '{$userIP}', '{$event_title}', '{$explain}' "); + } + + +//--------------------------------------- +// Audit Log +//--------------------------------------- + // Add in audit log here + + +//--------------------------------------- +// Rolling Log +//--------------------------------------- + if (($target_logs & LOG_TO_ROLLING) && varsettrue($pref['roll_log_active'])) + { // Rolling log + + // Process source_call info + //--------------------------------------- + if (is_numeric($source_call) && ($source_call >= 0)) + { + $back_count = 1; + $i = 0; + if (is_numeric($source_call) || ($source_call == '')) + { + $back_count = $source_call + 1; + $source_call = debug_backtrace(); + $i = 1; // Don't want to print the entry parameters to this function - we know all that! + } + } + + + if (is_array($source_call)) + { // Print the debug_backtrace() array + while ($i < $back_count) + { + $source_call[$i]['file'] = $e107->fix_windows_paths($source_call[$i]['file']); // Needed for Windoze hosts. + $source_call[$i]['file'] = str_replace($e107->file_path,"",$source_call[$i]['file']); // We really just want a e107 root-relative path. 
Strip out the root bit + $tmp = $source_call[$i]['file']."|".$source_call[$i]['class'].$source_call[$i]['type'].$source_call[$i]['function']."@".$source_call[$i]['line']; + foreach ($source_call[$i]['args'] as $k => $v) + { // Add in the arguments + $explain .= "
".$k."=".$v; + } + $i++; + if ($i < $back_count) $explain .= "
-------------------"; + if (!isset($tmp1)) $tmp1 = $tmp; // Pick off the immediate caller as the source + } + if (isset($tmp1)) $source_call = $tmp1; else $source_call = 'Root level'; + } + else + { + $source_call = $e107->fix_windows_paths($source_call); // Needed for Windoze hosts. + $source_call = str_replace($e107->file_path,"",$source_call); // We really just want a e107 root-relative path. Strip out the root bit + } + // else $source_call is a string + + // Save new rolling log record + $this->rldb->db_Insert("rl_history","0, ".intval($time_sec).', '.intval($time_usec).", '{$importance}', '{$eventcode}', {$userid}, '{$userstring}', '{$userIP}', '{$source_call}', '{$event_title}', '{$explain}' "); + + // Now delete any old stuff + $this->rldb->db_Delete("rl_history", "dblog_datestamp < '".intval(time() - (varset($pref['roll_log_days'],7)*86400))."' "); + } + + if ($finished) exit; // Optional abort for all logs + } + + + + function get_log_events($count = 15, $offset) + { + global $sql; + $count = intval($count); + return "Not implemented yet"; + } + + /** * Removes all events older than $days, or truncates the table if $days == false * * @param int $days */ - function purge_log_events($days) { + function purge_log_events($days) + { global $sql; - if($days == false) { - // $days is false, so truncate the log table - $sql->db_Select_gen("TRUNCATE TABLE #dblog "); - } else { - // $days is set, so remove all entries older than that. - $days = intval($days); - $mintime = $days * 24 * 60 * 60; - $time = time() - $mintime; - $sql->db_Delete("dblog", "WHERE `dblog_datestamp` < {$time}", true); + if($days == false) + { // $days is false, so truncate the log table + $sql->db_Select_gen("TRUNCATE TABLE #dblog "); + } + else + { // $days is set, so remove all entries older than that. + $days = intval($days); + $mintime = $days * 24 * 60 * 60; + $time = time() - $mintime; + $sql->db_Delete("dblog", "WHERE `dblog_datestamp` < {$time}", true); } } } 
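Review bot: In the rolling-log branch the backtrace arguments are appended to `$explain` (the `$k."=".$v` line) after `$explain` has already been passed through `$tp->toDB()`, so whatever the calling function received — request values included, e.g. a submitted password if this is ever invoked from a login routine — reaches the `rl_history` insert unescaped, which is both an SQL-injection path and a leak of secrets into the log; escape as you append, e.g. `$explain .= $tp->toDB($k."=".(is_scalar($v) ? $v : gettype($v)), true, false, 'no_html');` with the line separator kept. When an array is passed directly as `$source_call`, neither `$i` nor `$back_count` is initialised (both are only set inside the is_numeric branch), so the while loop never runs and the source is logged as 'Root level', contrary to the header comment; initialise `$i = 0; $back_count = 1;` before that branch. The inner `($source_call == '')` test is unreachable because the enclosing condition already requires `is_numeric($source_call)`, so the documented empty-string case falls through to the string path and logs an empty source. The purge `db_Delete("rl_history", "dblog_datestamp < ...")` filters on a column name that looks copied from `dblog` — worth confirming against the rl_history schema, which this diff does not show.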
diff --git a/e107_handlers/e107_class.php b/e107_handlers/e107_class.php
index ad7cb1abc..1fb9d66c2 100644
--- a/e107_handlers/e107_class.php
+++ b/e107_handlers/e107_class.php
@@ -11,8 +11,8 @@
 | GNU General Public License (http://gnu.org).
 |
 | $Source: /cvs_backup/e107_0.8/e107_handlers/e107_class.php,v $
-| $Revision: 1.9 $
-| $Date: 2007-08-13 19:56:35 $
+| $Revision: 1.10 $
+| $Date: 2007-12-09 16:42:23 $
 | $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -192,16 +192,58 @@ class e107{ if ($ip != '127.0.0.1') { - if ($sql->db_Select("banlist", "*", "banlist_ip='".$tp -> toDB($_SERVER['REMOTE_ADDR'], true)."' OR banlist_ip='".USEREMAIL."' OR banlist_ip='{$ip}' OR banlist_ip='{$wildcard}' OR banlist_ip='{$wildcard2}' {$bhost}")) - { - header("HTTP/1.1 403 Forbidden", true); - // enter a message here if you want some text displayed to banned users ... - exit(); - } + check_ban("banlist_ip='".$tp -> toDB($_SERVER['REMOTE_ADDR'], true)."' OR banlist_ip='".USEREMAIL."' OR banlist_ip='{$ip}' OR banlist_ip='{$wildcard}' OR banlist_ip='{$wildcard2}' {$bhost}"); } } } + + // Check the banlist table. $query is used to determine the match. + // If $show_error, displays "HTTP/1.1 403 Forbidden" + // If $do_return, will always return with ban status - TRUE for OK, FALSE for banned. + // If return permitted, will never display a message for a banned user; otherwise will display any message then exit + function check_ban($query,$show_error=TRUE, $do_return = FALSE) + { + global $sql, $tp, $pref, $admin_log; +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Check for Ban",$query,FALSE,LOG_TO_ROLLING); + if ($sql->db_Select('banlist','*',$query)) + { +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","Active Ban",$query,FALSE,LOG_TO_ROLLING); + if ($show_error) header("HTTP/1.1 403 Forbidden", true); + if (isset($pref['ban_messages'])) + { // May want to display a message + $row = $sql->db_Fetch(); // Get the type of the ban + if (($row['banlist_banexpires'] > 0) && ($row['banlist_banexpires'] < time())) + { // Ban has expired - delete from DB + $sql->db_Delete('banlist', $query); + return TRUE; + } + // Ban still current here + if ($do_return) return FALSE; + echo $tp->toHTML(varsettrue($pref['ban_messages'][$row['banlist_bantype']])); // Show message if one set + } + exit(); + } +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","No ban 
found",$query,FALSE,LOG_TO_ROLLING); + return TRUE; // Email address OK + } + + + // Add an entry to the banlist. $bantype = 1 for manual, 2 for flooding, 4 for multiple logins + function add_ban($bantype,$ban_message='',$ban_ip='',$ban_user = 0,$ban_notes='') + { + global $sql, $pref; + if (!$ban_message) $ban_message = 'No explanation given'; + if (!$ban_ip) $ban_ip = $this->getip(); + $ban_ip = preg_replace("/[^\w@\.]*/",'',urldecode($ban_ip)); // Make sure no special characters + if (!$ban_ip) return; + // Add using an array - handles DB changes better + $sql->db_Insert('banlist',array('banlist_ip' => $ban_ip, 'banlist_bantype' => $bantype, 'banlist_datestamp' => time(), + 'banlist_banexpires' => (varsettrue($pref['ban_durations'][$bantype]) ? time() + ($pref['ban_durations'][$bantype]*60*60) : 0), + 'banlist_admin' => $ban_user, 'banlist_reason' => $ban_message, 'banlist_notes' => $ban_notes)); + } + + /** * Get the current user's IP address * diff --git a/e107_handlers/login.php b/e107_handlers/login.php index 2504c689b..f9eb2fe70 100644 --- a/e107_handlers/login.php +++ b/e107_handlers/login.php @@ -12,8 +12,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_handlers/login.php,v $ -| $Revision: 1.7 $ -| $Date: 2007-10-28 19:20:48 $ +| $Revision: 1.8 $ +| $Date: 2007-12-09 16:42:23 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -48,9 +48,9 @@ class userlogin { } $fip = $e107->getip(); - if($sql -> db_Select("banlist", "*", "banlist_ip='{$fip}' ")) { - exit; - } +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'IP: '.$fip,FALSE,LOG_TO_ROLLING); + $e107->check_ban("banlist_ip='{$fip}' ",FALSE); +// if($sql -> db_Select("banlist", "*", "banlist_ip='{$fip}' ")) { exit;} $autologin = intval($autologin); 
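Review bot: Inside the class, the replacement line calls `check_ban(...)` as a bare function while this hunk defines it as a method, so unless a global wrapper exists outside the diff every request from a non-loopback address fails with an undefined-function fatal; it should be `$this->check_ban(...)`. In check_ban the expiry handling looks only at the first fetched row and then runs `$sql->db_Delete('banlist', $query)`, which removes every row the OR-chain in `$query` matches — one expired entry can silently take an unexpired exact-IP ban with it and the caller is told TRUE — and when `$pref['ban_messages']` is unset the function reaches `exit()` even with `$do_return` TRUE, which the signup caller depends on. The rewrite below deletes only entries that have actually expired (parenthesising `$query` so the AND binds over the whole OR-chain), re-queries, and honours `$do_return` before any output. In add_ban the filter `preg_replace("/[^\w@\.]*/",'',...)` strips `*`, so a wildcard such as `*@bar.com` cannot be stored through this path — worth confirming against the admin screen the help text describes.
```php
    function check_ban($query,$show_error=TRUE, $do_return = FALSE)
    {
        global $sql, $tp, $pref, $admin_log;
        if ($sql->db_Select('banlist','*',$query))
        {
            // Clear only the entries that have actually expired, then look again
            $sql->db_Delete('banlist', "(".$query.") AND banlist_banexpires > 0 AND banlist_banexpires < ".time());
            if (!$sql->db_Select('banlist','*',$query)) return TRUE;   // Only expired entries matched
            if ($do_return) return FALSE;                               // Caller handles the message
            $row = $sql->db_Fetch();                                    // Get the type of the ban
            if ($show_error) header("HTTP/1.1 403 Forbidden", true);
            if (isset($pref['ban_messages'])) echo $tp->toHTML(varsettrue($pref['ban_messages'][$row['banlist_bantype']]));
            exit();
        }
        return TRUE;
    }
```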
@@ -81,6 +81,7 @@ class userlogin { $userpass = md5(utf8_decode($ouserpass)); } +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'Doing final checks',FALSE,LOG_TO_ROLLING); if (!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."'")) { // Invalid user define("LOGINMESSAGE", LAN_300."

"); @@ -95,13 +96,15 @@ class userlogin { } else if(!$sql->db_Select("user", "*", "user_loginname = '".$tp -> toDB($username)."' AND user_password = '{$userpass}' AND user_ban!=2 ")) { // Banned user - define("LOGINMESSAGE", LAN_302."

"); - $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_15." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'"); - $this -> checkibr($fip); - return FALSE; + define("LOGINMESSAGE", LAN_302."

"); +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'User is banned: '.$tp -> toDB($username),FALSE,LOG_TO_ROLLING); + $sql -> db_Insert("generic", "0, 'failed_login', '".time()."', 0, '{$fip}', 0, '".LAN_LOGIN_15." ::: ".LAN_LOGIN_1.": ".$tp -> toDB($username)."'"); + $this -> checkibr($fip); + return FALSE; } else { // User is OK as far as core is concerned +// $admin_log->e_log_event(4,__FILE__."|".__FUNCTION__."@".__LINE__,"DBG","User login",'User passed basics',FALSE,LOG_TO_ROLLING); $ret = $e_event->trigger("preuserlogin", $username); if ($ret!='') { @@ -189,15 +192,19 @@ class userlogin { } } - function checkibr($fip) { - global $sql, $pref, $tp; - if($pref['autoban'] == 1 || $pref['autoban'] == 3){ // Flood + Login or Login Only. - $fails = $sql -> db_Count("generic", "(*)", "WHERE gen_ip='$fip' AND gen_type='failed_login' "); - if($fails > 10) { - $sql -> db_Insert("banlist", "'$fip', '1', '".LAN_LOGIN_18."' "); - $sql -> db_Insert("generic", "0, 'auto_banned', '".time()."', 0, '$fip', '$user_id', '".LAN_LOGIN_20.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' "); - } + function checkibr($fip) + { + global $sql, $pref, $tp, $e107; + if($pref['autoban'] == 1 || $pref['autoban'] == 3) + { // Flood + Login or Login Only. + $fails = $sql -> db_Count("generic", "(*)", "WHERE gen_ip='{$fip}' AND gen_type='failed_login' "); + if($fails > 10) + { + $e107->add_ban(4,LAN_LOGIN_18,$fip,1); +// $sql -> db_Insert("banlist", "'$fip', '1', '".LAN_LOGIN_18."' "); + $sql -> db_Insert("generic", "0, 'auto_banned', '".time()."', 0, '$fip', '$user_id', '".LAN_LOGIN_20.": ".$tp -> toDB($username).", ".LAN_LOGIN_17.": ".md5($ouserpass)."' "); } + } } function update_xup($user_id, $user_xup = "") { diff --git a/e107_languages/English/admin/help/banlist.php b/e107_languages/English/admin/help/banlist.php index ac3486a72..e68ac4f84 100644 --- a/e107_languages/English/admin/help/banlist.php 
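Review bot: The rewritten checkibr passes `1` as add_ban's `$ban_user`, which add_ban stores as `banlist_admin`, so an automatic login-failure ban is recorded as if admin #1 imposed it; `0` is the honest value for a ban no admin placed. The generic-table insert kept on the following line still references `$user_id`, `$username` and `$ouserpass`, none of which are parameters or globals of checkibr, so it records empty values and `md5('')` — and even when wired up, a hash derived from the submitted password should not be written to a log table; pass the user id and login name in and drop the password-derived field. The `$fails > 10` count has no time window, so failed logins for an address accumulate indefinitely before tripping the ban — pre-existing, but now it feeds add_ban with a configurable expiry, so bounding the count to a recent period would fit; the generic table's schema is not in this diff, so that is an inference.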
+++ b/e107_languages/English/admin/help/banlist.php @@ -11,8 +11,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/help/banlist.php,v $ -| $Revision: 1.2 $ -| $Date: 2007-02-11 10:33:36 $ +| $Revision: 1.3 $ +| $Date: 2007-12-09 16:42:23 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ @@ -20,6 +20,17 @@ if (!defined('e107_INIT')) { exit; } $caption = "Banning users from your site"; +if (e_QUERY) list($action,$junk) = explode('.',e_QUERY); else $action = 'list'; + +switch ($action) +{ +case 'options' : + $text = "This page sets the default behaviour for various types of ban.
+ If a message is specified, this will be shown to the user (where appropriate); otherwise they will most likely get a blank screen
+ The ban will persist for the time specified; after which it will be cleared next time they access the site."; + break; +case 'edit' : +case 'add' : $text = "You can ban users from your site at this screen.
Either enter their full IP address or use a wildcard to ban a range of IP addresses. You can also enter an email address to stop a user registering as a member on your site.

Banning by IP address:
@@ -29,6 +40,19 @@ Entering the IP address 123.123.123.* will stop anyone in that IP range from vis Entering the email address foo@bar.com will stop anyone using that email address from registering as a member on your site.
Entering the email address *@bar.com will stop anyone using that email domain from registering as a member on your site.

Banning by user name
-This is done from the user administration page."; +This is done from the user administration page.

"; + break; +case 'list' : +default : +$text = "This page shows a list of all IP addresses, hostnames and email addresses which are banned. +(Banned users are shown on the user administration page)

+Automatic Bans
+E107 automatically bans individual IP addresses if they attempt to flood the site, as well as addresses with failed logins.
+These bans also appear in this list. You can select (on the options page) what to do for each type of ban.

+Removing a ban
+You can set an expiry period for each type of ban, in which case the entry is removed once the ban period expires. Otherwise the +ban remains until you remove it.
+You can modify the ban period from this page - times are calculated from now."; +} $ns -> tablerender($caption, $text); ?> \ No newline at end of file diff --git a/e107_languages/English/admin/lan_banlist.php b/e107_languages/English/admin/lan_banlist.php index 6c82a29b4..38f5d2010 100644 --- a/e107_languages/English/admin/lan_banlist.php +++ b/e107_languages/English/admin/lan_banlist.php @@ -4,8 +4,8 @@ | e107 website system - Language File. | | $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_banlist.php,v $ -| $Revision: 1.2 $ -| $Date: 2007-02-11 10:33:36 $ +| $Revision: 1.3 $ +| $Date: 2007-12-09 16:42:23 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ 
@@ -19,7 +19,60 @@ define("BANLAN_8", "Ban Address"); define("BANLAN_9", "Ban users from site by email, IP or host address"); define("BANLAN_10", "IP / Email / Reason"); define("BANLAN_11", "Auto-ban: More than 10 failed login attempts"); -define("BANLAN_12", "Note: Reverse DNS is currently disabled, it must be enabled to allow banning by host. Banning by IP and email will still function normally."); +define("BANLAN_12", "Note: Reverse DNS is currently disabled; it must be enabled to allow banning by host. Banning by IP and email address will still function normally."); define("BANLAN_13", "Note: To ban a user by user name, go to the users admin page: "); +define('BANLAN_14','Ban List'); +define('BANLAN_15','Options'); +define('BANLAN_16','Banning'); +define('BANLAN_17','Ban Date'); +define('BANLAN_18','Ban expires'); +define('BANLAN_19','Notes'); +define('BANLAN_20','Type'); +define('BANLAN_21','Never'); +define('BANLAN_22','Unknown'); +define('BANLAN_23','day(s)'); +define('BANLAN_24','hours'); +define('BANLAN_25','Add an entry'); +define('BANLAN_26','Currently '); +define('BANLAN_27','Invalid characters in IP address stripped - now:'); +define('BANLAN_28','Ban type'); +define('BANLAN_29','Message to show'); +define('BANLAN_30','Ban duration'); +define('BANLAN_31','(Use an empty message if you wish the user to get a blank screen)'); +define('BANLAN_32','Indefinite'); +define('BANLAN_33','Settings Updated'); +define('BANLAN_34','Expired'); +define('BANLAN_35',''); +define('BANLAN_36',''); +define('BANLAN_37',''); +define('BANLAN_38',''); +define('BANLAN_39',''); +define('BANLAN_40',''); + +// Ban types - block reserved 100-109 +define('BANLAN_100', 'Unknown'); +define('BANLAN_101','Manual'); +define('BANLAN_102','Flood'); +define('BANLAN_103','Hit count'); +define('BANLAN_104', 'Login failure'); +define('BANLAN_105', 'Imported'); +define('BANLAN_106', 'User'); +define('BANLAN_107', 'Unknown'); +define('BANLAN_108', 'Unknown'); +define('BANLAN_109', 'Unknown'); + 
+// Detailed explanations for ban types - block reserved 110-119 +define('BANLAN_110', 'Most likely a ban that was imposed before E107 was upgraded to 0.8'); +define('BANLAN_111', 'Entered by an admin'); +define('BANLAN_112', 'Attempts to update the site too fast'); +define('BANLAN_113', 'Attempts to access the site too frequently from the same address'); +define('BANLAN_114', 'Multiple failed login attempts from the same user'); +define('BANLAN_115', 'Added from an external list'); +define('BANLAN_116', 'IP address banned on account of user ban'); +define('BANLAN_117', 'Spare reason'); +define('BANLAN_118', 'Spare reason'); +define('BANLAN_119', 'Spare reason'); + +define('BANLAN_120', 'Unknown'); ?> \ No newline at end of file diff --git a/e107_languages/English/admin/lan_users.php b/e107_languages/English/admin/lan_users.php index 776165469..215479a40 100644 --- a/e107_languages/English/admin/lan_users.php +++ b/e107_languages/English/admin/lan_users.php @@ -4,8 +4,8 @@ | e107 website system - Language File. | | $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_users.php,v $ -| $Revision: 1.6 $ -| $Date: 2007-09-28 20:50:21 $ +| $Revision: 1.7 $ +| $Date: 2007-12-09 16:42:23 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ 
@@ -133,35 +133,10 @@ define("USRLAN_135", "No IP address found in user's info; IP not banned"); define("USRLAN_136", "Multiple users found with IP address of {IP}; IP not banned."); define("USRLAN_137", "Users IP address of {IP} banned."); - -define("USRLAN_138", "Unverified users"); -define("USRLAN_139", "Your account has been activated.\n\nYou can visit {SITEURL} and log into the site using the login information you provided."); - -define("USRLAN_140", "Email Re-sent to"); -define("USRLAN_141", "Failed to Re-send email to"); -define("USRLAN_142", "with the following activation link"); - -define("USRLAN_143", "Check For Bounces"); -define("USRLAN_144", "Resend Confirmation Email to All"); -define("USRLAN_145", "Bounced users"); -define("USRLAN_146", "Member information is available to"); - -define("USRLAN_147", "Email address is already used by a banned user"); -define("USRLAN_148", "Email address is banned"); - -define("USRLAN_149", "Delete checked emails"); -define("USRLAN_150", "Delete all emails"); -define("USRLAN_151", "Clear bounce, require Activation"); -define("USRLAN_152", "Clear bounce and Activate"); -define("USRLAN_153", "Delete non-bounce emails"); -define("USRLAN_154", "Clear email for checked"); -define("USRLAN_155", "Total {TOTAL} emails found. {DELCOUNT} deleted through options.
{DELUSER} users marked as 'bounced' (out of {FOUND} emails)"); - define("LAN_MAINADMIN","Main Admin"); define("LAN_ADMIN","Admin"); define("LAN_NOTVERIFIED","Not Verified"); define("LAN_BANNED","Banned"); -define("LAN_BOUNCED","Bounced"); define("DUSRLAN_1", "ID"); define("DUSRLAN_2", "Display Name"); @@ -201,4 +176,21 @@ define("DUSRLAN_35", "Picture"); define("DUSRLAN_36", "Password Change"); define("DUSRLAN_37", "XUP"); +define("USRLAN_138", "Unverified users"); +define("USRLAN_139", "Your account has been activated.\n\nYou can visit {SITEURL} and log into the site using the login information you provided."); + +define("USRLAN_140", "Email Re-sent to"); +define("USRLAN_141", "Failed to Re-send email to"); +define("USRLAN_142", "with the following activation link"); + +define("LAN_BOUNCED","Bounced"); +define("USRLAN_143", "Check For Bounces"); +define("USRLAN_144", "Resend Confirmation Email to All"); +define("USRLAN_145", "Bounced users"); +define("USRLAN_146", "Member information is available to"); + +define("USRLAN_147", "Email address is already used by a banned user"); +define("USRLAN_148", "Email address is banned"); +define('USRLAN_149', "User banned: "); + ?> \ No newline at end of file diff --git a/signup.php b/signup.php index edbbb7a54..37ee4a9a8 100644 --- a/signup.php +++ b/signup.php @@ -11,8 +11,8 @@ | GNU General Public License (http://gnu.org). | | $Source: /cvs_backup/e107_0.8/signup.php,v $ -| $Revision: 1.11 $ -| $Date: 2007-10-11 19:46:29 $ +| $Revision: 1.12 $ +| $Date: 2007-12-09 16:42:22 $ | $Author: e107steved $ +----------------------------------------------------------------------------+ */ 
@@ -40,7 +40,9 @@ include_once(e_FILE."shortcode/batch/signup_shortcodes.php"); $signup_imagecode = ($pref['signcode'] && extension_loaded("gd")); -// Resend Activation Email -------------------------------------------> +//------------------------------- +// Resend Activation Email +//------------------------------- if(e_QUERY == "resend" && !USER && ($pref['user_reg_veri'] == 1)) { e107_include_once(e_LANGUAGEDIR.e_LANGUAGE."/lan_".e_PAGE); @@ -273,7 +275,9 @@ if(USER) exit; } -// After clicking the activation link ------------------------- +//---------------------------------------- +// After clicking the activation link +//---------------------------------------- if (e_QUERY) { $qs = explode(".", e_QUERY); @@ -303,19 +307,30 @@ if (e_QUERY) $e107cache->clear("online_menu_totals"); if ($sql->db_Select("user", "*", "user_sess='".$tp -> toDB($qs[2], true)."' ")) { - if ($row = $sql->db_Fetch()) + if ($row = $sql->db_Fetch()) + { + // Set initial classes, and any which the user can opt to join + $init_classes = ''; + if ($pref['init_class_stage'] == '2') { - $sql->db_Update("user", "user_ban='0', user_sess='' WHERE user_sess='".$tp -> toDB($qs[2], true)."' "); - $e_event->trigger("userveri", $row); - require_once(HEADERF); - $text = LAN_401." ".LAN_SIGNUP_22." ".LAN_SIGNUP_23."
".LAN_SIGNUP_24." ".SITENAME; - $ns->tablerender(LAN_402, $text); - require_once(FOOTERF); - exit; + $init_classes = explode(',',varset($pref['initial_user_classes'],'')); + if ($init_classes) + { // Update the user classes + $row['user_class'] = $tp->toDB(implode(',',array_unique(array_merge($init_classes, explode(',',$row['user_class']))))); + $init_classes = ", user_class='".$row['user_class']."' "; + } } + $sql->db_Update("user", "user_ban='0', user_sess=''{$init_classes} WHERE user_sess='".$tp -> toDB($qs[2], true)."' "); + $e_event->trigger("userveri", $row); + require_once(HEADERF); + $text = LAN_401." ".LAN_SIGNUP_22." ".LAN_SIGNUP_23."
".LAN_SIGNUP_24." ".SITENAME; + $ns->tablerender(LAN_402, $text); + require_once(FOOTERF); + exit; + } } else - { + { // Invalid activation code header("location: ".e_BASE."index.php"); exit; } @@ -323,6 +338,9 @@ if (e_QUERY) } +//---------------------------------------- +// Initial signup (registration) +//---------------------------------------- if (isset($_POST['register'])) { $_POST['xupexist'] = trim(varset($_POST['xupexist'],'')); @@ -485,7 +503,7 @@ global $db_debug; $email_confirm = ""; $email_address_OK = FALSE; } - + // Always validate an email address if entered. If its blank, that's OK if checking disabled $_POST['email'] = $tp->toDB(trim(varset($_POST['email'],''))); $do_email_validate = !varset($pref['disable_emailcheck'],FALSE) || ($_POST['email'] !=''); @@ -535,12 +553,15 @@ global $db_debug; // Check Email against banlist. $wc = $tp -> toDB("*".trim(substr($_POST['email'], strpos($_POST['email'], "@")))); - if ($do_email_validate && $sql->db_Select("banlist", "*", "banlist_ip='".$_POST['email']."' OR banlist_ip='{$wc}'")) +// if ($do_email_validate && $sql->db_Select("banlist", "*", "banlist_ip='".$_POST['email']."' OR banlist_ip='{$wc}'")) + if ($do_email_validate && !$e107->check_ban("banlist_ip='".$_POST['email']."' OR banlist_ip='{$wc}'",FALSE,TRUE)) { $email_address_OK = FALSE; $brow = $sql -> db_Fetch(); $error = TRUE; - if($brow['banlist_reason']) + $error_message = varsettrue($pref['ban_messages'][$row['banlist_bantype']]); + if (!$error_message) exit; +/* if($brow['banlist_reason']) { $repl = array("\n","\r","
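Review bot: With `init_class_stage == '2'`, `explode(',', varset($pref['initial_user_classes'],''))` returns `array('')` when the pref is empty, so `if ($init_classes)` is always true and the merge writes a stray empty element, giving values such as `user_class=',3'`; filter before merging, `$init_classes = array_filter(explode(',', varset($pref['initial_user_classes'],'')), 'strlen');` and test `count($init_classes)` instead. The same unfiltered explode feeds the class merge in the `@@ -674,16 +697,16 @@` and `@@ -746,18 +769,17 @@` hunks of this file. The enclosing activation block starts outside the hunk.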
"); $error_message = str_replace($repl,"\\n",$tp->toHTML($brow['banlist_reason'],"","nobreak, defs"))."\\n"; @@ -550,7 +571,7 @@ global $db_debug; { exit; } - } +*/ } // Check email address on remote server (if enabled) - but only if previous checks passed. if ($do_email_validate && $email_address_OK && varsettrue($pref['signup_remote_emailcheck']) && $error != TRUE) @@ -576,19 +597,19 @@ global $db_debug; // Check for Duplicate Email address - but only if previous checks passed. if ($do_email_validate && $email_address_OK && $sql->db_Select("user", "user_email, user_ban, user_sess", "user_email='".$_POST['email']."' ")) { - $chk = $sql -> db_Fetch(); + $chk = $sql -> db_Fetch(); if($chk['user_ban']== 2 && $chk['user_sess']) { // duplicate because unactivated - $error = TRUE; - header("Location: ".e_BASE."signup.php?resend"); - exit; + $error = TRUE; + header("Location: ".e_BASE."signup.php?resend"); + exit; } else { $email_address_OK = FALSE; - $error_message .= LAN_408."\\n"; - $error = TRUE; - } + $error_message .= LAN_408."\\n"; + $error = TRUE; + } } // Extended Field validation @@ -630,10 +651,11 @@ global $db_debug; if($error_message) { - message_handler("P_ALERT", $error_message); + message_handler("P_ALERT", $error_message); } - // ========== End of verification.. ==================================================== + // ========== End of verification.. ============== + // If no errors, we can enter the new member in the DB if (!$error) { @@ -646,7 +668,7 @@ global $db_debug; if ($_POST['email'] && $sql->db_Select("user", "*", "user_email='".$_POST['email']."' AND user_ban='1'")) { - exit; + exit; } $username = $tp -> toDB(strip_tags($_POST['name'])); 
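Review bot: The ban-message lookup reads `$row['banlist_bantype']`, but the row fetched on the line above is `$brow`; `$row` is not assigned anywhere in this hunk (unless earlier in the page, which the diff does not show), so the lookup yields nothing and the following `if (!$error_message) exit;` turns every banned signup into a blank page — `$error_message = varsettrue($pref['ban_messages'][$brow['banlist_bantype']]);`. Even then `$brow` is unreliable: check_ban already fetched the first matching row on the shared `$sql`, so this `db_Fetch()` returns the second match or FALSE; re-run the select here or have check_ban hand the row back. The old message-building code is left behind inside `/* ... */` (closed in the next hunk) — delete it rather than comment it out.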
@@ -664,7 +686,8 @@ global $db_debug; } $u_key = md5(uniqid(rand(), 1)); - $nid = $sql->db_Insert("user", "0, '{$username}', '{$loginname}', '', '".md5($_POST['password1'])."', '{$u_key}', '".$_POST['email']."', '".$tp -> toDB($_POST['signature'])."', '".$tp -> toDB($_POST['image'])."', '".$tp -> toDB($_POST['timezone'])."', '".$tp -> toDB($_POST['hideemail'])."', '".$time."', '0', '".$time."', '0', '0', '0', '0', '".$ip."', '2', '0', '', '', '0', '0', '".$tp -> toDB($_POST['realname'])."', '', '', '', '0', '".$tp -> toDB($_POST['xupexist'])."' "); + // ************* Possible class insert + $nid = $sql->db_Insert("user", "0, '{$username}', '{$loginname}', '', '".md5($_POST['password1'])."', '{$u_key}', '".$tp -> toDB($_POST['email'])."', '".$tp -> toDB($_POST['signature'])."', '".$tp -> toDB($_POST['image'])."', '".$tp -> toDB($_POST['timezone'])."', '".$tp -> toDB($_POST['hideemail'])."', '".$time."', '0', '".$time."', '0', '0', '0', '0', '".$ip."', '2', '0', '', '', '0', '0', '".$tp -> toDB($_POST['realname'])."', '', '', '', '0', '".$tp -> toDB($_POST['xupexist'])."' "); if(!$nid) { require_once(HEADERF); 
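Review bot: The rewritten insert now wraps `$_POST['email']` in `$tp->toDB()`, but the `@@ -485,7 +503,7 @@` hunk above shows `$_POST['email']` already assigned the toDB'd value earlier in this request, so the address is escaped twice before storage unless toDB is idempotent; drop the inner call here, or stop escaping in place and keep the raw value in a separate variable. The enclosing registration block starts and ends outside this hunk.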
@@ -674,16 +697,16 @@ global $db_debug; if ($pref['user_reg_veri']) - { - // ==== Update Userclass =======> + { // Verification required (may be by email or by admin) - if ($_POST['class']) - { - unset($insert_class); - sort($_POST['class']); - $insert_class = implode(",",$_POST['class']); - $sql->db_Update("user", "user_class='".$tp -> toDB($insert_class)."' WHERE user_id='".$nid."' "); - } + // Set initial classes, and any which the user can opt to join + $init_classes = array(); + if ($pref['init_class_stage'] == '1') $init_classes = explode(',',varset($pref['initial_user_classes'],'')); + if (isset($_POST['class'])) $init_classes = array_unique(array_merge($init_classes, $_POST['class'])); + if (count($init_classes)) + { + $sql->db_Update("user", "user_class='".$tp -> toDB(implode(',',$init_classes))."' WHERE user_id='".$nid."' "); + } // ========= save extended fields into db table. ===== @@ -737,7 +760,7 @@ global $db_debug; exit; } else - { + { // User can be signed up immediately require_once(HEADERF); if(!$sql -> db_Select("user", "user_id", "user_name='{$username}' AND user_password='".md5($_POST['password1'])."'")) 
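Review bot: `$_POST['class']` is merged straight into `user_class` with no check that each id is a class a new member may join; the form presumably offers only joinable classes, but the POST body is under the client's control, so any class id can be written here (the immediate-signup hunk that follows has the same merge). Validate before merging — cast each entry to int and keep only ids present in the set the form was built from — and guard the type, `if (isset($_POST['class']) && is_array($_POST['class']))`, since array_merge on a non-array value fails. The registration block this sits in starts outside the hunk.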
@@ -746,18 +769,17 @@ global $db_debug; require_once(FOOTERF); exit; } - $sql->db_Update("user", "user_ban = '0' WHERE user_id = '{$nid}'"); - // ==== Update Userclass ======= - if ($_POST['class']) - { - unset($insert_class); - sort($_POST['class']); - $insert_class = implode(",",$_POST['class']); - $sql->db_Update("user", "user_class='".$tp -> toDB($insert_class)."' WHERE user_id='".$nid."' "); - } + + // Set initial classes, and any which the user can opt to join + $init_classes = explode(',',varset($pref['initial_user_classes'],'')); + if (isset($_POST['class'])) $init_classes = array_unique(array_merge($init_classes, $_POST['class'])); + + // Set member as registered, update classes + $sql->db_Update("user", "user_ban = '0', user_class='".$tp -> toDB(implode(',',$init_classes))."' WHERE user_id = '{$nid}'"); + + // ======== save extended fields to DB table. - if($ue_fields) { $sql->db_Select_gen("INSERT INTO #user_extended (user_extended_id) values ('{$nid}')");