mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-05-14 19:45:21 +02:00
Code Issues Releases Wiki Activity

Advanced user auth working, use it, abuse it

Browse Source 
git-svn-id: file:///svn/phpbb/trunk@701 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Paul S. Owen 2001-07-19 20:07:21 +00:00
parent a43e27711d
commit b69afe920c
2 changed files with 376 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

218
phpBB/admin/admin_userauth.php
View File

@ -135,6 +135,7 @@ $adv = (isset($HTTP_GET_VARS['adv'])) ? $HTTP_GET_VARS['adv'] : -1;
if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
{
$user_id = $HTTP_POST_VARS[POST_USERS_URL];
$adv = (isset($HTTP_POST_VARS['adv'])) ? TRUE : FALSE;
//
// This is where things become fun ...
@ -230,15 +231,6 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
}
else
{
$change_mod_ary = (isset($HTTP_POST_VARS['moderator'])) ? $HTTP_POST_VARS['moderator'] : array();
$change_prv_ary = (isset($HTTP_POST_VARS['private'])) ? $HTTP_POST_VARS['private'] : array();
if( !isset($change_prv_ary) )
{
}
//
// Pull all the auth/group
// for this user
@ -263,6 +255,38 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
$forum_access = $db->sql_fetchrowset($fa_result);
$change_prv_list = array();
$change_mod_ary = (isset($HTTP_POST_VARS['moderator'])) ? $HTTP_POST_VARS['moderator'] : array();
for($i = 0; $i < count($forum_access); $i++)
{
$forum_id = $forum_access[$i]['forum_id'];
for($j = 0; $j < count($forum_auth_fields); $j++)
{
$field = $forum_auth_fields[$j];
if( isset($HTTP_POST_VARS['private']) )
{
if( $forum_access[$i][$field] == AUTH_ACL )
{
if( isset($HTTP_POST_VARS['private'][$forum_id]) )
{
$change_prv_list[$forum_id][$field] = $HTTP_POST_VARS['private'][$forum_id];
}
}
}
else
{
if( isset($HTTP_POST_VARS[$field][$forum_id]) )
{
$change_prv_list[$forum_id][$field] = $HTTP_POST_VARS[$field][$forum_id];
}
}
}
}
//
// The data above lists access and moderator permissions
// for this user given by all the groups they belong to.
@ -284,14 +308,11 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
$warning_mod_grpname = array();
$warning_mod_frmname = array();
$valid_auth_mod_sql = array();
$valid_auth_mod_sql_val = "";
$warning_prv_grpid = array();
$warning_prv_grpname = array();
$warning_prv_frmname = array();
$valid_auth_prv_sql = array();
$valid_auth_prv_sql_fld = "";
$valid_auth_prv_sql_val = "";
for($i = 0; $i < count($forum_access); $i++)
{
@ -300,8 +321,12 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
$update_mod = FALSE;
$update_acl = FALSE;
$valid_auth_mod_sql_val = "";
$valid_auth_prv_sql_fld = "";
$valid_auth_prv_sql_val = "";
@reset($change_mod_ary);
@reset($change_mod_prv);
@reset($change_prv_list);
//
// Moderator control
@ -367,7 +392,7 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
//
// Private/ACL control
//
while(list($prv_forum_id, $new_prv_status) = @each($change_prv_ary))
while(list($prv_forum_id, $new_prv_ary) = @each($change_prv_list))
{
if($prv_forum_id == $this_forum_id && empty($valid_auth_mod_sql[$this_forum_id]) )
{
@ -388,15 +413,12 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
//
// Step through all auth fields
//
for($k = 0; $k < count($forum_auth_fields); $k++)
@reset($new_prv_ary);
while( list($this_prv_field, $new_prv_status) = each($new_prv_ary) )
{
$this_prv_field = $forum_auth_fields[$k];
//
// Is this field set to ACL?
//
if($forum_access[$i][$this_prv_field] == AUTH_ACL)
{
$cur_prv_status = $u_access[$j][$this_prv_field];
if($cur_prv_status == $new_prv_status && $is_single_user)
@ -419,7 +441,7 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
}
else if($cur_prv_status != $new_prv_status && $is_single_user)
{
if(!empty($valid_auth_prv_sql_val))
if( $valid_auth_prv_sql_val != "")
{
$valid_auth_prv_sql_val .= ", ";
}
@ -433,7 +455,6 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
}
}
}
}
if($is_single_user)
{
@ -452,37 +473,41 @@ if(isset($HTTP_POST_VARS['submit']) && !empty($HTTP_POST_VARS[POST_USERS_URL]))
}
}
if(!$update_acl && $new_prv_status)
if(!$update_acl)
{
$valid_auth_prv_sql[$this_forum_id] = "INSERT INTO " . AUTH_ACCESS_TABLE . " (forum_id, group_id, ";
//
// Step through all auth fields
//
for($k = 0; $k < count($forum_auth_fields); $k++)
{
$this_prv_field = $forum_auth_fields[$k];
$all_zeroed = TRUE;
@reset($new_prv_ary);
while( list($this_prv_field, $new_prv_status) = each($new_prv_ary) )
{
//
// Is this field set to ACL?
//
if($forum_access[$i][$this_prv_field] == AUTH_ACL)
{
if( !empty($valid_auth_prv_sql_fld) )
if( $valid_auth_prv_sql_fld != "" )
{
$valid_auth_prv_sql_fld .= ", ";
}
if( !empty($valid_auth_prv_sql_val) )
if( $valid_auth_prv_sql_val != "" )
{
$valid_auth_prv_sql_val .= ", ";
}
$valid_auth_prv_sql_fld .= "$this_prv_field";
$valid_auth_prv_sql_val .= "$new_prv_status";
if($new_prv_status)
{
$all_zeroed = FALSE;
}
}
$valid_auth_prv_sql[$this_forum_id] .= $valid_auth_prv_sql_fld . ") VALUES ($this_forum_id, " . $ug_info['group_id'] . ", " . $valid_auth_prv_sql_val . ")";
if(!$all_zeroed)
{
$valid_auth_prv_sql[$this_forum_id] = "INSERT INTO " . AUTH_ACCESS_TABLE . " (forum_id, group_id, $valid_auth_prv_sql_fld) VALUES ($this_forum_id, " . $ug_info['group_id'] . ", $valid_auth_prv_sql_val)";
}
$update_acl = TRUE;
}
@ -605,6 +630,14 @@ else
// Front end
//
$user_id = $HTTP_GET_VARS[POST_USERS_URL];
if( isset($HTTP_GET_VARS['adv']) )
{
$adv = $HTTP_GET_VARS['adv'];
}
else
{
$adv = FALSE;
}
$template_header = "admin/page_header.tpl";
include('page_header_admin.'.$phpEx);
@ -614,7 +647,7 @@ else
);
$sql = "SELECT f.forum_id, f.forum_name, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_announce, f.auth_sticky
$sql = "SELECT f.*
FROM " . FORUMS_TABLE . " f, " . CATEGORIES_TABLE . " c
WHERE c.cat_id = f.cat_id
ORDER BY c.cat_order ASC, f.forum_order ASC";
@ -622,7 +655,7 @@ else
$forum_access = $db->sql_fetchrowset($fa_result);
if($adv == -1)
if( empty($adv) )
{
for($i = 0; $i < count($forum_access); $i++)
{
@ -655,6 +688,7 @@ else
}
}
}
}
$sql = "SELECT u.user_id, u.username, u.user_level, g.group_id, g.group_name, g.group_single_user
FROM " . USERS_TABLE . " u, " . GROUPS_TABLE . " g, " . USER_GROUP_TABLE . " ug
@ -664,7 +698,7 @@ else
$u_result = $db->sql_query($sql);
$userinf = $db->sql_fetchrowset($u_result);
$sql = "SELECT aa.forum_id, aa.auth_view, aa.auth_read, aa.auth_post, aa.auth_reply, aa.auth_edit, aa.auth_delete, aa.auth_mod
$sql = "SELECT aa.*
FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug, " . GROUPS_TABLE. " g
WHERE ug.user_id = $user_id
AND g.group_id = ug.group_id
@ -710,6 +744,7 @@ else
{
$result = a_auth_check_user(AUTH_ACL, $key, $u_access[$f_forum_id], $is_admin);
$auth_user[$f_forum_id][$key] = $result['auth'];
$auth_field_acl[$f_forum_id][$key] = $result['auth'];
}
else
{
@ -738,6 +773,7 @@ else
break;
}
}
//
// Is user a moderator?
//
@ -752,24 +788,15 @@ else
}
}
while(list($forumkey, $user_ary) = each($auth_user))
{
$simple_auth[$forumkey] = 1;
while(list($fieldkey, $value) = each($user_ary))
{
$simple_auth[$forumkey] = $simple_auth[$forumkey] && $value;
}
}
reset($auth_user);
$i = 0;
if($adv == -1)
{
while(list($forumkey, $user_ary) = each($auth_user))
{
if( empty($adv) )
{
if($basic_auth_level[$forumkey] == "private")
{
$allowed = 1;
for($j = 0; $j < count($basic_auth_level_fields[$forumkey]); $j++)
{
if(!$auth_user[$forumkey][$basic_auth_level_fields[$forumkey][$j]])
@ -796,15 +823,60 @@ else
{
$optionlist_acl = "&nbsp;";
}
}
else
{
@reset($forum_access);
while(list($key, $forum_row) = each($forum_access))
{
$forum_id = $forum_row['forum_id'];
for($j = 0; $j < count($forum_auth_fields); $j++)
{
$field_name = $forum_auth_fields[$j];
if( $forum_row[$field_name] == AUTH_ACL )
{
$optionlist_acl_adv[$forum_id][$j] = "<select name=\"" . $field_name . "[$forum_id]\">";
if( isset($auth_field_acl[$forum_id][$field_name]) && !($is_admin || $user_ary['auth_mod']) )
{
if(!$auth_field_acl[$forum_id][$field_name])
{
$optionlist_acl_adv[$forum_id][$j] .= "<option value=\"1\">On</option><option value=\"0\" selected>Off</option>";
}
else
{
$optionlist_acl_adv[$forum_id][$j] .= "<option value=\"1\" selected>On</option><option value=\"0\">Off</option>";
}
}
else
{
if($is_admin || $user_ary['auth_mod'])
{
$optionlist_acl_adv[$forum_id][$j] .= "<option value=\"1\">On</option>";
}
else
{
$optionlist_acl_adv[$forum_id][$j] .= "<option value=\"1\">On</option><option value=\"0\" selected>Off</option>";
}
}
$optionlist_acl_adv[$forum_id][$j] .= "</select>";
}
}
}
}
$optionlist_mod = "<select name=\"moderator[$forumkey]\">";
if($user_ary['auth_mod'])
{
$optionlist_mod .= "<option value=\"1\" selected>Is a Moderator</option><option value=\"0\">Is not a Moderator</option>";
$optionlist_mod .= "<option value=\"1\" selected>Moderator</option><option value=\"0\">Not Moderator</option>";
}
else
{
$optionlist_mod .= "<option value=\"1\">Is a Moderator</option><option value=\"0\" selected>Is not a Moderator</option>";
$optionlist_mod .= "<option value=\"1\">Moderator</option><option value=\"0\" selected>Not Moderator</option>";
}
$optionlist_mod .= "</select>";
@ -816,11 +888,26 @@ else
"U_FORUM_AUTH" => append_sid("admin_forumauth.$phpEx?f=" . $forum_access[$i]['forum_id']),
"S_ACL_SELECT" => $optionlist_acl,
"S_MOD_SELECT" => $optionlist_mod)
);
$i++;
if(!$adv)
{
$template->assign_block_vars("forums.aclvalues", array(
"S_ACL_SELECT" => $optionlist_acl)
);
}
else
{
for($j = 0; $j < count($forum_auth_fields); $j++)
{
$template->assign_block_vars("forums.aclvalues", array(
"S_ACL_SELECT" => $optionlist_acl_adv[$forumkey][$j])
);
}
}
$i++;
}
reset($auth_user);
@ -856,6 +943,30 @@ else
$s_hidden_fields = "<input type=\"hidden\" name=\"" . POST_USERS_URL . "\" value=\"$user_id\">";
$s_hidden_fields .= "<input type=\"hidden\" name=\"curadmin\" value=\"" . $is_admin ."\">";
$s_column_span = 2; // Two columns always present
if(!$adv)
{
$template->assign_block_vars("acltype", array(
"L_UG_ACL_TYPE" => "Simple Auth Setting")
);
$s_column_span++;
}
else
{
for($i = 0; $i < count($forum_auth_fields); $i++)
{
$template->assign_block_vars("acltype", array(
"L_UG_ACL_TYPE" => ucfirst(preg_replace("/auth_/", "", $forum_auth_fields[$i])))
);
$s_column_span++;
}
}
$switch_mode = "admin_userauth.$phpEx?" . POST_USERS_URL . "=" . $user_id . "&adv=";
$switch_mode .= ( !$adv ) ? "1" : "0";
$switch_mode_text = ( !$adv ) ? "Advanced Mode" : "Simple Mode";
$u_switch_mode = '<a href="' . $switch_mode . '">' . $switch_mode_text . '</a>';
$template->assign_vars(array(
"USERNAME" => $t_username,
"USER_GROUP_MEMBERSHIPS" => "This user is a $s_user_type and belongs to the following groups: $t_usergroup_list",
@ -864,14 +975,13 @@ else
"L_USER_OR_GROUP" => "User",
"U_USER_OR_GROUP" => append_sid("admin_userauth.$phpEx"),
"U_FORUMAUTH" => append_sid("admin_forumauth.$phpEx"),
"U_SWITCH_MODE" => $u_switch_mode,
"S_COLUMN_SPAN" => $s_column_span,
"S_USER_AUTH_ACTION" => append_sid("admin_userauth.$phpEx"),
"S_HIDDEN_FIELDS" => $s_hidden_fields)
);
} // if adv == -1
}
$template->pparse("body");

22
phpBB/templates/PSO/admin/ug_auth_body.tpl
View File

@ -11,23 +11,33 @@
<p>Remember that there are two possible places for controlling access to forums, user and group auth control. Removing access rights from a user will not affect any rights granted via group membership. You will be warned if you remove access rights from a user (or group) but access is still granted via membership of a group (or via individual user rights)</p>
<div align="center"><table cellspacing="1" cellpadding="4" border="0">
<table cellspacing="1" cellpadding="4" border="0" align="center">
<tr>
<th width="30%">Forum Name</th>
<th>Simple Access Control</th>
<!-- BEGIN acltype -->
<th>{acltype.L_UG_ACL_TYPE}</th>
<!-- END acltype -->
<th>Moderator</th>
</tr>
<!-- BEGIN forums -->
<tr>
<td class="{forums.ROW_CLASS}" align="center"><a href="{forums.U_FORUM_AUTH}" onClick="open_new_window('{forums.U_FORUM_AUTH}');return false" target="_new">{forums.FORUM_NAME}</a></td>
<td class="{forums.ROW_CLASS}" align="center">{forums.S_ACL_SELECT}</td>
<!-- BEGIN aclvalues -->
<td class="{forums.ROW_CLASS}" align="center">{forums.aclvalues.S_ACL_SELECT}</td>
<!-- END aclvalues -->
<td class="{forums.ROW_CLASS}" align="center">{forums.S_MOD_SELECT}</td>
</tr>
<!-- END forums -->
<tr>
<td colspan="4" align="center"><br clear="all">
{S_HIDDEN_FIELDS}<input type="submit" name="submit" value="Request Update">&nbsp;&nbsp;&nbsp;<input type="reset" value="Reset Changes"></td>
<td colspan="{S_COLUMN_SPAN}"><table width="100%" cellspacing="0" cellpadding="4" border="0">
<tr>
<td align="center">{U_SWITCH_MODE}</td>
</tr>
</table></div>
<tr>
<td align="center">{S_HIDDEN_FIELDS}<input type="submit" name="submit" value="Request Update">&nbsp;&nbsp;&nbsp;<input type="reset" value="Reset Changes"></td>
</tr>
</table></td>
</tr>
</table>
</form>