Move login check in inc/mod/auth.php to a function

This allows pages like create.php to not include inc/mod/pages.php while still being able to use the mod auth functions (like generating salts and passwords)
9 years ago · 3eb755ee7e
3 changed files with 49 additions and 33 deletions
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@ -146,15 +146,49 @@ function modLog($action, $_board=null) {
 		_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);
 }

-// Validate session
+function create_pm_header() {
+	global $mod, $config;
+	
+	if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) {
+		if ($header === true)
+			return false;
+	
+		return $header;
+	}
+	
+	$query = prepare("SELECT `id` FROM ``pms`` WHERE `to` = :id AND `unread` = 1");
+	$query->bindValue(':id', $mod['id'], PDO::PARAM_INT);
+	$query->execute() or error(db_error($query));
+	
+	if ($pm = $query->fetch(PDO::FETCH_ASSOC))
+		$header = array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1);
+	else
+		$header = true;
+	
+	if ($config['cache']['enabled'])
+		cache::set('pm_unread_' . $mod['id'], $header);
+	
+	if ($header === true)
+		return false;
+	
+	return $header;
+}

+function make_secure_link_token($uri) {
+	global $mod, $config;
+	return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
+}
+
+function check_login($prompt = false) {
+	global $config, $mod;
+	// Validate session
 	if (isset($_COOKIE[$config['cookies']['mod']])) {
 		// Should be username:hash:salt
 		$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
 		if (count($cookie) != 3) {
 			// Malformed cookies
 			destroyCookies();
-		mod_login();
+			if ($prompt) mod_login();
 			exit;
 		}
 		
@ -167,7 +201,7 @@ if (isset($_COOKIE[$config['cookies']['mod']])) {
 		if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
 			// Malformed cookies
 			destroyCookies();
-		mod_login();
+			if ($prompt) mod_login();
 			exit;
 		}
 		
@ -179,37 +213,16 @@ if (isset($_COOKIE[$config['cookies']['mod']])) {
 		);
 	}

-function create_pm_header() {
-	global $mod, $config;
-	
-	if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) {
-		if ($header === true)
-			return false;
+	if ($config['debug'])
+		$parse_start_time = microtime(true);

-		return $header;
+	// Fix for magic quotes
+	if (get_magic_quotes_gpc()) {
+		function strip_array($var) {
+			return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
 		}
 		
-	$query = prepare("SELECT `id` FROM ``pms`` WHERE `to` = :id AND `unread` = 1");
-	$query->bindValue(':id', $mod['id'], PDO::PARAM_INT);
-	$query->execute() or error(db_error($query));
-	
-	if ($pm = $query->fetch(PDO::FETCH_ASSOC))
-		$header = array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1);
-	else
-		$header = true;
-	
-	if ($config['cache']['enabled'])
-		cache::set('pm_unread_' . $mod['id'], $header);
-	
-	if ($header === true)
-		return false;
-	
-	return $header;
+		$_GET = strip_array($_GET);
+		$_POST = strip_array($_POST);
 	}
-
-function make_secure_link_token($uri) {
-	global $mod, $config;
-	return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
 }
-
-
--- a/mod.php
+++ b/mod.php
@ -12,6 +12,8 @@ require_once 'inc/mod/auth.php';
 if ($config['debug'])
 	$parse_start_time = microtime(true);

+check_login(true);
+
 $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';

 $pages = array(
--- a/post.php
+++ b/post.php
@ -216,6 +216,7 @@ if (isset($_POST['delete'])) {

 	if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) {
 		require 'inc/mod/auth.php';
+		check_login(false);
 		if (!$mod) {
 			// Liar. You're not a mod.
 			error($config['error']['notamod']);