diff --git a/inc/mod/auth.php b/inc/mod/auth.php
index 7f98e8a9..8bfaea8f 100644
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@@ -146,39 +146,6 @@ function modLog($action, $_board=null) {
 	_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);
 }
-// Validate session
-
-if (isset($_COOKIE[$config['cookies']['mod']])) {
-	// Should be username:hash:salt
-	$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
-	if (count($cookie) != 3) {
-		// Malformed cookies
-		destroyCookies();
-		mod_login();
-		exit;
-	}
-
-	$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
-	$query->bindValue(':username', $cookie[0]);
-	$query->execute() or error(db_error($query));
-	$user = $query->fetch(PDO::FETCH_ASSOC);
-
-	// validate password hash
-	if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
-		// Malformed cookies
-		destroyCookies();
-		mod_login();
-		exit;
-	}
-
-	$mod = array(
-		'id' => $user['id'],
-		'type' => $user['type'],
-		'username' => $cookie[0],
-		'boards' => explode(',', $user['boards'])
-	);
-}
-
 function create_pm_header() {
 	global $mod, $config;
@@ -212,4 +179,50 @@ function make_secure_link_token($uri) {
 	return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
 }
+function check_login($prompt = false) {
+	global $config, $mod;
+	// Validate session
+	if (isset($_COOKIE[$config['cookies']['mod']])) {
+		// Should be username:hash:salt
+		$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
+		if (count($cookie) != 3) {
+			// Malformed cookies
+			destroyCookies();
+			if ($prompt) mod_login();
+			exit;
+		}
+
+		$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
+		$query->bindValue(':username', $cookie[0]);
+		$query->execute() or error(db_error($query));
+		$user = $query->fetch(PDO::FETCH_ASSOC);
+
+		// validate password hash
+		if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
+			// Malformed cookies
+			destroyCookies();
+			if ($prompt) mod_login();
+			exit;
+		}
+
+		$mod = array(
+			'id' => $user['id'],
+			'type' => $user['type'],
+			'username' => $cookie[0],
+			'boards' => explode(',', $user['boards'])
+		);
+	}
+
+	if ($config['debug'])
+		$parse_start_time = microtime(true);
+	// Fix for magic quotes
+	if (get_magic_quotes_gpc()) {
+		function strip_array($var) {
+			return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
+		}
+
+		$_GET = strip_array($_GET);
+		$_POST = strip_array($_POST);
+	}
+}
diff --git a/mod.php b/mod.php
index c005dcb5..022f5408 100644
--- a/mod.php
+++ b/mod.php
@@ -12,6 +12,8 @@ require_once 'inc/mod/auth.php';
 if ($config['debug'])
 	$parse_start_time = microtime(true);
+check_login(true);
+
 $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
 $pages = array(
diff --git a/post.php b/post.php
index 6e893747..1c511f9c 100644
--- a/post.php
+++ b/post.php
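Review bot: In check_login the row returned by `$query->fetch(PDO::FETCH_ASSOC)` is never checked, so a cookie naming a moderator that does not exist leaves `$user === false`, the hash is then computed over a null `$user['password']`, and on a match `$mod` is built from a false row with a null id; the commit relocates this code but keeps that gap. Whether a null-password hash is forgeable depends on mkhash(), which is outside the hunk, but rejecting a missing row before calling it costs one condition, and if the minimum PHP is 5.6 or later `hash_equals()` removes the timing-dependent `!==` on the session hash. Separately, `strip_array` is now declared inside a function, so a second check_login() call in one request is a fatal "cannot redeclare" error; guard it with `function_exists()` or use a closure. The `$parse_start_time` assignment inside the function is a dead local (mod.php already sets it at top level, as its hunk shows) and can be dropped.
```php
function check_login($prompt = false) {
	// … unchanged: cookie shape check, mods query …
		$user = $query->fetch(PDO::FETCH_ASSOC);

		// Unknown moderator or hash mismatch: reject before reading any $user field.
		if ($user === false || !hash_equals(mkhash($cookie[0], $user['password'], $cookie[2]), $cookie[1])) {
			destroyCookies();
			if ($prompt) mod_login();
			exit;
		}
	// … unchanged: $mod array …

	// Fix for magic quotes
	if (get_magic_quotes_gpc()) {
		// Declared inside a function: a second call in the same request must not redeclare it.
		if (!function_exists('strip_array')) {
			function strip_array($var) {
				return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
			}
		}
		// … unchanged: $_GET / $_POST stripping …
	}
}
```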
@@ -216,6 +216,7 @@ if (isset($_POST['delete'])) {
 	if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) {
 		require 'inc/mod/auth.php';
+		check_login(false);
 		if (!$mod) {
 			// Liar. You're not a mod.
 			error($config['error']['notamod']);
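Review bot: `check_login(false)` calls `exit` with no output when a mod cookie is present but malformed or fails the hash check (both non-prompt branches in auth.php end in `exit;`), so a poster with a stale cookie who ticks the mod box gets an empty response, and the `error($config['error']['notamod'])` two lines below now only fires when no mod cookie is set at all. Since destroyCookies() leaves `$mod` unset, having check_login return instead of exiting when `$prompt` is false, `if (!$prompt) return; exit;` in each branch, would let this caller's existing `if (!$mod)` report both cases with the proper error page. The enclosing `if ($post['mod'] …)` block continues past the end of the hunk.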