Move login check in inc/mod/auth.php to a function

This allows pages like create.php to not include inc/mod/pages.php while still being able to use the mod auth functions (like generating salts and passwords)
9 years ago · 3eb755ee7e
3 changed files with 49 additions and 33 deletions
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@ -146,39 +146,6 @@ function modLog($action, $_board=null) {
 		_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);
 }

-// Validate session
-
-if (isset($_COOKIE[$config['cookies']['mod']])) {
-	// Should be username:hash:salt
-	$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
-	if (count($cookie) != 3) {
-		// Malformed cookies
-		destroyCookies();
-		mod_login();
-		exit;
-	}
-	
-	$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
-	$query->bindValue(':username', $cookie[0]);
-	$query->execute() or error(db_error($query));
-	$user = $query->fetch(PDO::FETCH_ASSOC);
-	
-	// validate password hash
-	if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
-		// Malformed cookies
-		destroyCookies();
-		mod_login();
-		exit;
-	}
-	
-	$mod = array(
-		'id' => $user['id'],
-		'type' => $user['type'],
-		'username' => $cookie[0],
-		'boards' => explode(',', $user['boards'])
-	);
-}
-
 function create_pm_header() {
 	global $mod, $config;
 	
@ -212,4 +179,50 @@ function make_secure_link_token($uri) {
 	return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
 }

+function check_login($prompt = false) {
+	global $config, $mod;
+	// Validate session
+	if (isset($_COOKIE[$config['cookies']['mod']])) {
+		// Should be username:hash:salt
+		$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
+		if (count($cookie) != 3) {
+			// Malformed cookies
+			destroyCookies();
+			if ($prompt) mod_login();
+			exit;
+		}
+		
+		$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
+		$query->bindValue(':username', $cookie[0]);
+		$query->execute() or error(db_error($query));
+		$user = $query->fetch(PDO::FETCH_ASSOC);
+		
+		// validate password hash
+		if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
+			// Malformed cookies
+			destroyCookies();
+			if ($prompt) mod_login();
+			exit;
+		}
+		
+		$mod = array(
+			'id' => $user['id'],
+			'type' => $user['type'],
+			'username' => $cookie[0],
+			'boards' => explode(',', $user['boards'])
+		);
+	}
+
+	if ($config['debug'])
+		$parse_start_time = microtime(true);

+	// Fix for magic quotes
+	if (get_magic_quotes_gpc()) {
+		function strip_array($var) {
+			return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
+		}
+		
+		$_GET = strip_array($_GET);
+		$_POST = strip_array($_POST);
+	}
+}
--- a/mod.php
+++ b/mod.php
@ -12,6 +12,8 @@ require_once 'inc/mod/auth.php';
 if ($config['debug'])
 	$parse_start_time = microtime(true);

+check_login(true);
+
 $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';

 $pages = array(
--- a/post.php
+++ b/post.php
@ -216,6 +216,7 @@ if (isset($_POST['delete'])) {

 	if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) {
 		require 'inc/mod/auth.php';
+		check_login(false);
 		if (!$mod) {
 			// Liar. You're not a mod.
 			error($config['error']['notamod']);