Move login check in inc/mod/auth.php to a function

This allows pages like create.php to not include inc/mod/pages.php while still being able to use the mod auth functions (like generating salts and passwords)
This commit is contained in:
8chan 2014-12-31 22:35:21 -08:00 committed by czaks
parent 93f748e6a8
commit 3eb755ee7e
3 changed files with 49 additions and 33 deletions

View File

@ -146,39 +146,6 @@ function modLog($action, $_board=null) {
_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action); _syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);
} }
// Validate session
if (isset($_COOKIE[$config['cookies']['mod']])) {
// Should be username:hash:salt
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
if (count($cookie) != 3) {
// Malformed cookies
destroyCookies();
mod_login();
exit;
}
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
$query->bindValue(':username', $cookie[0]);
$query->execute() or error(db_error($query));
$user = $query->fetch(PDO::FETCH_ASSOC);
// validate password hash
if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
// Malformed cookies
destroyCookies();
mod_login();
exit;
}
$mod = array(
'id' => $user['id'],
'type' => $user['type'],
'username' => $cookie[0],
'boards' => explode(',', $user['boards'])
);
}
function create_pm_header() { function create_pm_header() {
global $mod, $config; global $mod, $config;
@ -212,4 +179,50 @@ function make_secure_link_token($uri) {
return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8); return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);
} }
function check_login($prompt = false) {
global $config, $mod;
// Validate session
if (isset($_COOKIE[$config['cookies']['mod']])) {
// Should be username:hash:salt
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
if (count($cookie) != 3) {
// Malformed cookies
destroyCookies();
if ($prompt) mod_login();
exit;
}
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");
$query->bindValue(':username', $cookie[0]);
$query->execute() or error(db_error($query));
$user = $query->fetch(PDO::FETCH_ASSOC);
// validate password hash
if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
// Malformed cookies
destroyCookies();
if ($prompt) mod_login();
exit;
}
$mod = array(
'id' => $user['id'],
'type' => $user['type'],
'username' => $cookie[0],
'boards' => explode(',', $user['boards'])
);
}
if ($config['debug'])
$parse_start_time = microtime(true);
// Fix for magic quotes
if (get_magic_quotes_gpc()) {
function strip_array($var) {
return is_array($var) ? array_map('strip_array', $var) : stripslashes($var);
}
$_GET = strip_array($_GET);
$_POST = strip_array($_POST);
}
}

View File

@ -12,6 +12,8 @@ require_once 'inc/mod/auth.php';
if ($config['debug']) if ($config['debug'])
$parse_start_time = microtime(true); $parse_start_time = microtime(true);
check_login(true);
$query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : ''; $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
$pages = array( $pages = array(

View File

@ -216,6 +216,7 @@ if (isset($_POST['delete'])) {
if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) { if ($post['mod'] = isset($_POST['mod']) && $_POST['mod']) {
require 'inc/mod/auth.php'; require 'inc/mod/auth.php';
check_login(false);
if (!$mod) { if (!$mod) {
// Liar. You're not a mod. // Liar. You're not a mod.
error($config['error']['notamod']); error($config['error']['notamod']);