[⚠️SECURITY] Staff rights changes
* Stored-XSS exposure reduced (raw HTML and unescaped ban text allowed for administrators only) * Board owners allowed to modpost
This commit is contained in:
parent
512175bc0d
commit
7bc56a9e08
14
board.php
14
board.php
|
@ -197,7 +197,7 @@ if (isset($_POST['makepost'])) { // A more evident way to identify post action,
|
||||||
$dice = ($board_class->board['dice']) ? true : false;
|
$dice = ($board_class->board['dice']) ? true : false;
|
||||||
$ipmd5 = md5($_SERVER['REMOTE_ADDR']);
|
$ipmd5 = md5($_SERVER['REMOTE_ADDR']);
|
||||||
// If they are just a normal user, or vip...
|
// If they are just a normal user, or vip...
|
||||||
if (isNormalUser($user_authority)) {
|
if ($user_authority <= 0) {
|
||||||
// If the thread is locked
|
// If the thread is locked
|
||||||
if ($thread_locked == 1) {
|
if ($thread_locked == 1) {
|
||||||
// Don't let the user post
|
// Don't let the user post
|
||||||
|
@ -206,17 +206,19 @@ if (isset($_POST['makepost'])) { // A more evident way to identify post action,
|
||||||
|
|
||||||
$post_message = $parse_class->ParsePost($_POST['message'], $board_class->board['name'], $thread_replyto, $board_class->board['id'], false, $ua, $dice, $ipmd5);
|
$post_message = $parse_class->ParsePost($_POST['message'], $board_class->board['name'], $thread_replyto, $board_class->board['id'], false, $ua, $dice, $ipmd5);
|
||||||
// Or, if they are a moderator/administrator...
|
// Or, if they are a moderator/administrator...
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
// If they checked the D checkbox, set the variable to tell the script to display their staff status (Admin/Mod) on the post during insertion
|
// If they checked the D checkbox, set the variable to tell the script to display their staff status (Admin/Mod) on the post during insertion
|
||||||
if (isset($_POST['displaystaffstatus'])) {
|
if (isset($_POST['displaystaffstatus'])) {
|
||||||
$post_displaystaffstatus = true;
|
$post_displaystaffstatus = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If they checked the RH checkbox, set the variable to tell the script to insert the post as-is...
|
// If they checked the RH checkbox, set the variable to tell the script to insert the post as-is... (admin only)
|
||||||
if (isset($_POST['rawhtml'])) {
|
if (isset($_POST['rawhtml']) && $user_authority==1) {
|
||||||
$post_message = $_POST['message'];
|
$post_message = $_POST['message'];
|
||||||
// Otherwise, parse it as usual...
|
// Otherwise, parse it as usual...
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
$post_message = $parse_class->ParsePost($_POST['message'], $board_class->board['name'], $thread_replyto, $board_class->board['id'], false, $ua, $dice, $ipmd5);
|
$post_message = $parse_class->ParsePost($_POST['message'], $board_class->board['name'], $thread_replyto, $board_class->board['id'], false, $ua, $dice, $ipmd5);
|
||||||
// (Moved) check against blacklist and detect flood
|
// (Moved) check against blacklist and detect flood
|
||||||
}
|
}
|
||||||
|
@ -291,7 +293,7 @@ if (isset($_POST['makepost'])) { // A more evident way to identify post action,
|
||||||
$lock = 0;
|
$lock = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$post_displaystaffstatus && $user_authority > 0 && $user_authority != 3) {
|
if (!$post_displaystaffstatus && $user_authority > 0) {
|
||||||
$user_authority_display = 0;
|
$user_authority_display = 0;
|
||||||
} elseif ($user_authority > 0) {
|
} elseif ($user_authority > 0) {
|
||||||
$user_authority_display = $user_authority;
|
$user_authority_display = $user_authority;
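Review bot: The admin-only gate `isset($_POST['rawhtml']) && $user_authority==1` is the right fix, but the comment closing the else branch ("(Moved) check against blacklist and detect flood") shows those checks run only on the parsed path, so an administrator's raw post skips them along with `ParsePost()`; if that is intended, say so on the rawhtml branch with `// raw HTML: no parsing, blacklist or flood checks (admin only)`, otherwise move the checks after the if/else. Replacing `isNormalUser()` (which exempted only 1 and 2) with `$user_authority <= 0` sends every positive authority into the staff branch, including the board-owner value 3 that the Posting hunk now assigns, and since the locked-thread check stays in the normal-user branch, board owners can now post into locked threads; a comment such as `// any positive authority (admin, mod, board owner) bypasses the lock` would make that explicit. Prefer `$user_authority === 1` if `$user_authority` is always an int, which this hunk does not show. The enclosing `if (isset($_POST['makepost']))` block starts and ends outside the hunk.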
|
||||||
|
|
|
@ -61,10 +61,10 @@
|
||||||
{/strip}
|
{/strip}
|
||||||
{if $post.posterauthority eq 1}
|
{if $post.posterauthority eq 1}
|
||||||
<span class="admin">## {t}Admin{/t} ##</span>
|
<span class="admin">## {t}Admin{/t} ##</span>
|
||||||
{elseif $post.posterauthority eq 4}
|
|
||||||
<span class="mod">## {t}Super Mod{/t} ##</span>
|
|
||||||
{elseif $post.posterauthority eq 2}
|
{elseif $post.posterauthority eq 2}
|
||||||
<span class="mod">## {t}Mod{/t} ##</span>
|
<span class="mod">## {t}Mod{/t} ##</span>
|
||||||
|
{elseif $post.posterauthority eq 3}
|
||||||
|
<span class="admin">## {t}Board owner{/t} ##</span>
|
||||||
{/if}
|
{/if}
|
||||||
{$post.timestamp_formatted}
|
{$post.timestamp_formatted}
|
||||||
</label>
|
</label>
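Review bot: The new `{elseif $post.posterauthority eq 4}` branch labels authority 4 as "Super Mod", but nothing else in this commit produces that value: the Posting hunk assigns only 1, 2 and 3, and the staff-type selectors in the Manage hunks offer only 0-3. If 4 is assigned somewhere outside this commit, a template comment `{* 4 = super mod, assigned outside the staff form *}` would help the next reader; otherwise the branch is dead. Rendering the board-owner tag with `class="admin"` also makes it visually indistinguishable from a real administrator's tag, so consider a dedicated class such as `owner`.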
|
||||||
|
|
|
@ -905,7 +905,7 @@ class Manage {
|
||||||
$log .= _gettext('Moderator');
|
$log .= _gettext('Moderator');
|
||||||
break;
|
break;
|
||||||
case 3:
|
case 3:
|
||||||
$log .= _gettext('Board Owner');
|
$log .= _gettext('Userboards Owner');
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
$log .= ' '. $_POST['username'];
|
$log .= ' '. $_POST['username'];
|
||||||
|
@ -963,7 +963,7 @@ class Manage {
|
||||||
} elseif ($_POST['type'] == '0') {
|
} elseif ($_POST['type'] == '0') {
|
||||||
$logentry .= _gettext('Janitor');
|
$logentry .= _gettext('Janitor');
|
||||||
} elseif ($_POST['type'] == '3') {
|
} elseif ($_POST['type'] == '3') {
|
||||||
$logentry .= _gettext('Board Owner');
|
$logentry .= _gettext('Userboards Owner');
|
||||||
} else {
|
} else {
|
||||||
exitWithErrorPage('Something went wrong.');
|
exitWithErrorPage('Something went wrong.');
|
||||||
}
|
}
|
||||||
|
@ -994,7 +994,7 @@ class Manage {
|
||||||
$tpl_page .= ($type==1) ? '<option value="1" selected="selected">' ._gettext('Administrator'). '</option>' : '<option value="1">' ._gettext('Administrator'). '</option>';
|
$tpl_page .= ($type==1) ? '<option value="1" selected="selected">' ._gettext('Administrator'). '</option>' : '<option value="1">' ._gettext('Administrator'). '</option>';
|
||||||
$tpl_page .= ($type==2) ? '<option value="2" selected="selected">' ._gettext('Moderator'). '</option>' : '<option value="2">' ._gettext('Moderator'). '</option>';
|
$tpl_page .= ($type==2) ? '<option value="2" selected="selected">' ._gettext('Moderator'). '</option>' : '<option value="2">' ._gettext('Moderator'). '</option>';
|
||||||
$tpl_page .= ($type==0) ? '<option value="0" selected="selected">' ._gettext('Janitor'). '</option>' : '<option value="0">' ._gettext('Janitor'). '</option>';
|
$tpl_page .= ($type==0) ? '<option value="0" selected="selected">' ._gettext('Janitor'). '</option>' : '<option value="0">' ._gettext('Janitor'). '</option>';
|
||||||
$tpl_page .= ($type==3) ? '<option value="3" selected="selected">' ._gettext('Board Owner'). '</option>' : '<option value="3">' ._gettext('Board Owner'). '</option>';
|
$tpl_page .= ($type==3) ? '<option value="3" selected="selected">' ._gettext('Userboards Owner'). '</option>' : '<option value="3">' ._gettext('Userboards Owner'). '</option>';
|
||||||
$tpl_page .= '</select><br /><br />';
|
$tpl_page .= '</select><br /><br />';
|
||||||
|
|
||||||
$tpl_page .= _gettext('Moderates') . '<br />
|
$tpl_page .= _gettext('Moderates') . '<br />
|
||||||
|
@ -1025,7 +1025,7 @@ class Manage {
|
||||||
<option value="1">' ._gettext('Administrator'). '</option>
|
<option value="1">' ._gettext('Administrator'). '</option>
|
||||||
<option value="2">' ._gettext('Moderator'). '</option>
|
<option value="2">' ._gettext('Moderator'). '</option>
|
||||||
<option value="0">' ._gettext('Janitor'). '</option>
|
<option value="0">' ._gettext('Janitor'). '</option>
|
||||||
<option value="3">' ._gettext('Board Owner'). '</option>
|
<option value="3">' ._gettext('Userboards Owner'). '</option>
|
||||||
</select><br />
|
</select><br />
|
||||||
|
|
||||||
<input type="submit" value="' ._gettext('Add staff member'). '" />
|
<input type="submit" value="' ._gettext('Add staff member'). '" />
|
||||||
|
@ -1045,7 +1045,7 @@ class Manage {
|
||||||
$stafftype = 'Janitor';
|
$stafftype = 'Janitor';
|
||||||
$numtype = 0;
|
$numtype = 0;
|
||||||
} elseif ($i == 4) {
|
} elseif ($i == 4) {
|
||||||
$stafftype = 'Board Owner';
|
$stafftype = 'Userboards Owner';
|
||||||
$numtype = 3;
|
$numtype = 3;
|
||||||
}
|
}
|
||||||
$tpl_page .= '<tr><td align="center" colspan="5"><font size="+1"><strong>'. _gettext($stafftype) . '</strong></font></td></tr>'. "\n";
|
$tpl_page .= '<tr><td align="center" colspan="5"><font size="+1"><strong>'. _gettext($stafftype) . '</strong></font></td></tr>'. "\n";
|
||||||
|
@ -4500,13 +4500,14 @@ class Manage {
|
||||||
}
|
}
|
||||||
$instantban = false;
|
$instantban = false;
|
||||||
if ((isset($_GET['instant']) || isset($_GET['cp'])) && $ban_ip) {
|
if ((isset($_GET['instant']) || isset($_GET['cp'])) && $ban_ip) {
|
||||||
|
// TODO:
|
||||||
if (isset($_GET['cp'])) {
|
if (isset($_GET['cp'])) {
|
||||||
$ban_reason = "You have been banned for posting Child Pornography. Your IP has been logged, and the proper authorities will be notified.";
|
$ban_reason = "You have been banned for posting Child Pornography. Your IP has been logged, and the proper authorities will be notified.";
|
||||||
} else {
|
} else {
|
||||||
if($_GET['reason']) {
|
if($_GET['reason']) {
|
||||||
$ban_reason = urldecode($_GET['reason']);
|
$ban_reason = urldecode($_GET['reason']);
|
||||||
} else {
|
} else {
|
||||||
$ban_Reason = KU_BANREASON;
|
$ban_reason = KU_BANREASON;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$instantban = true;
|
$instantban = true;
|
||||||
|
@ -4565,6 +4566,10 @@ class Manage {
|
||||||
|
|
||||||
$ban_reason = ($instantban) ? $ban_reason : $_POST['reason'];
|
$ban_reason = ($instantban) ? $ban_reason : $_POST['reason'];
|
||||||
$ban_note = ($instantban) ? '' : $_POST['staffnote'];
|
$ban_note = ($instantban) ? '' : $_POST['staffnote'];
|
||||||
|
if (! $this->CurrentUserIsAdministrator()) {
|
||||||
|
$ban_reason = htmlspecialchars($ban_reason);
|
||||||
|
$ban_note = htmlspecialchars($ban_note);
|
||||||
|
}
|
||||||
$ban_appealat = 0;
|
$ban_appealat = 0;
|
||||||
if (KU_APPEAL != '' && !$instantban) {
|
if (KU_APPEAL != '' && !$instantban) {
|
||||||
$ban_appealat = intval($_POST['appealdays'] * 86400);
|
$ban_appealat = intval($_POST['appealdays'] * 86400);
|
||||||
|
@ -4583,8 +4588,31 @@ class Manage {
|
||||||
}
|
}
|
||||||
if ($bans_class->BanUser($ban_ip, $_SESSION['manageusername'], $ban_globalban, $ban_duration, $ban_boards, $ban_reason, $ban_note, $ban_appealat, $ban_type, $ban_allowread)) {
|
if ($bans_class->BanUser($ban_ip, $_SESSION['manageusername'], $ban_globalban, $ban_duration, $ban_boards, $ban_reason, $ban_note, $ban_appealat, $ban_type, $ban_allowread)) {
|
||||||
$regenerated = array();
|
$regenerated = array();
|
||||||
if (((KU_BANMSG != '' || $_POST['banmsg'] != '') && isset($_POST['addbanmsg']) && (isset($_POST['quickbanpostid']) || isset($_POST['quickmultibanpostid']))) || $instantban ) {
|
if (
|
||||||
$ban_msg = ((KU_BANMSG == $_POST['banmsg']) || empty($_POST['banmsg'])) ? KU_BANMSG : $_POST['banmsg'];
|
(
|
||||||
|
(
|
||||||
|
KU_BANMSG != ''
|
||||||
|
||
|
||||||
|
$_POST['banmsg'] != ''
|
||||||
|
)
|
||||||
|
&&
|
||||||
|
isset($_POST['addbanmsg'])
|
||||||
|
&&
|
||||||
|
(
|
||||||
|
isset($_POST['quickbanpostid'])
|
||||||
|
||
|
||||||
|
isset($_POST['quickmultibanpostid'])
|
||||||
|
)
|
||||||
|
)
|
||||||
|
||
|
||||||
|
$instantban
|
||||||
|
) {
|
||||||
|
$ban_msg = (KU_BANMSG == $_POST['banmsg'] || empty($_POST['banmsg']))
|
||||||
|
? KU_BANMSG
|
||||||
|
: $_POST['banmsg'];
|
||||||
|
if (! $this->CurrentUserIsAdministrator()) {
|
||||||
|
$ban_msg = '<br /><font color="#FF0000"><b>'.htmlspecialchars($ban_msg).'</b></font>';
|
||||||
|
}
|
||||||
if (isset($ban_post_id))
|
if (isset($ban_post_id))
|
||||||
$postids = Array($ban_post_id);
|
$postids = Array($ban_post_id);
|
||||||
else
|
else
|
||||||
|
@ -4606,7 +4634,8 @@ class Manage {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$tpl_page .= _gettext('Ban successfully placed.')."<br />";
|
$tpl_page .= _gettext('Ban successfully placed.')."<br />";
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
exitWithErrorPage(_gettext('Sorry, a generic error has occurred.'));
|
exitWithErrorPage(_gettext('Sorry, a generic error has occurred.'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -4713,6 +4742,7 @@ class Manage {
|
||||||
<input type="checkbox" name="deleteposts" id="deleteposts" />';
|
<input type="checkbox" name="deleteposts" id="deleteposts" />';
|
||||||
}
|
}
|
||||||
if($this->CurrentUserIsAdministrator()) {
|
if($this->CurrentUserIsAdministrator()) {
|
||||||
|
$banmsg = '<br /><font color="#FF0000"><b>'.KU_BANMSG.'</b></font>';
|
||||||
$tpl_page .= '<br />
|
$tpl_page .= '<br />
|
||||||
<label for="allowread">'. _gettext('Allow read') . ':</label>
|
<label for="allowread">'. _gettext('Allow read') . ':</label>
|
||||||
<select name="allowread" id="allowread"><option value="1">'._gettext('Yes').'</option><option value="0">'._gettext('No').'</option></select>
|
<select name="allowread" id="allowread"><option value="1">'._gettext('Yes').'</option><option value="0">'._gettext('No').'</option></select>
|
||||||
|
@ -4720,15 +4750,18 @@ class Manage {
|
||||||
|
|
||||||
<label for="type">'. _gettext('Type') . ':</label>
|
<label for="type">'. _gettext('Type') . ':</label>
|
||||||
<select name="type" id="type"><option value="0">'. _gettext('Single IP') . '</option><option value="1">'. _gettext('IP Range') . '</option><option value="2">'. _gettext('Whitelist') . '</option></select>
|
<select name="type" id="type"><option value="0">'. _gettext('Single IP') . '</option><option value="1">'. _gettext('IP Range') . '</option><option value="2">'. _gettext('Whitelist') . '</option></select>
|
||||||
<div class="desc">'. _gettext('The type of ban. A single IP can be banned by providing the full address. A whitelist ban prevents that IP from being banned. An IP range can be banned by providing the IP range you would like to ban, in this format: 123.123.12') . '</div><br />';
|
<div class="desc">'. _gettext('The type of ban. A single IP can be banned by providing the full address. A whitelist ban prevents that IP from being banned. An IP range can be banned by providing the IP range you would like to ban, in this format: 123.123.12') . '</div>';
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$banmsg = KU_BANMSG;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($isquickban && KU_BANMSG != '') {
|
if ($isquickban && KU_BANMSG != '') {
|
||||||
$tpl_page .= '<label for="addbanmsg">'. _gettext('Add ban message') . ':</label>
|
$tpl_page .= '<br /><label for="addbanmsg">'. _gettext('Add ban message') . ':</label>
|
||||||
<input type="checkbox" name="addbanmsg" id="addbanmsg" checked="checked" />
|
<input type="checkbox" name="addbanmsg" id="addbanmsg" checked="checked" />
|
||||||
<div class="desc">'. _gettext('If checked, the configured ban message will be added to the end of the post.') . '</div><br />
|
<div class="desc">'. _gettext('If checked, the configured ban message will be added to the end of the post.') . '</div><br />
|
||||||
<label for="banmsg">'. _gettext('Ban message') . ':</label>
|
<label for="banmsg">'. _gettext('Ban message') . ':</label>
|
||||||
<input type="text" name="banmsg" id="banmsg" value="'. htmlspecialchars(KU_BANMSG) . '" size='. strlen(KU_BANMSG) . '" />';
|
<input type="text" name="banmsg" id="banmsg" value="'. htmlspecialchars($banmsg) . '" size='. strlen($banmsg) . '" />';
|
||||||
}
|
}
|
||||||
|
|
||||||
$tpl_page .='</fieldset>
|
$tpl_page .='</fieldset>
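Review bot: The escaping added for non-administrators around `$ban_reason`/`$ban_note` and `$ban_msg` calls `htmlspecialchars()` with default flags, which on PHP below 8.1 leaves single quotes unescaped; since these strings are stored and emitted later inside markup this commit does not show, use `htmlspecialchars($ban_reason, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (and likewise for `$ban_note` and `$ban_msg`). The `CurrentUserIsAdministrator()` exemption also covers the instant-ban path, where the reason comes from `$_GET['reason']` and is run through `urldecode()` a second time even though PHP has already decoded it, so an administrator following a crafted link would store that text unescaped unless the instant-ban request is CSRF-protected elsewhere, which these hunks do not show. Escaping at storage time also means any later output path must not escape again, or reasons will double-encode. The rewritten input line still emits `size='. strlen($banmsg) . '"` without the attribute's opening quote, a pre-existing defect worth fixing while the line is being touched.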
|
||||||
|
|
|
@ -220,18 +220,29 @@ class Posting {
|
||||||
if (isset($_POST['modpassword'])) {
|
if (isset($_POST['modpassword'])) {
|
||||||
|
|
||||||
$results = $tc_db->GetAll("SELECT `type`, `boards` FROM `" . KU_DBPREFIX . "staff` WHERE `username` = '" . md5_decrypt($_POST['modpassword'], KU_RANDOMSEED) . "' LIMIT 1");
|
$results = $tc_db->GetAll("SELECT `type`, `boards` FROM `" . KU_DBPREFIX . "staff` WHERE `username` = '" . md5_decrypt($_POST['modpassword'], KU_RANDOMSEED) . "' LIMIT 1");
|
||||||
|
|
||||||
if (count($results) > 0) {
|
if (count($results) > 0) {
|
||||||
$entry = $results[0];
|
$entry = $results[0];
|
||||||
if ($entry['type'] == 1) {
|
if ($entry['type'] == 1) {
|
||||||
$user_authority = 1; // admin
|
$user_authority = 1; // admin
|
||||||
} elseif ($entry['type'] == 2 && in_array($board_class->board['name'], explode('|', $entry['boards']) ) ) {
|
}
|
||||||
|
elseif (
|
||||||
|
$entry['type'] == 2
|
||||||
|
&&
|
||||||
|
(
|
||||||
|
in_array($board_class->board['name'], explode('|', $entry['boards']))
|
||||||
|
||
|
||||||
|
$entry['boards'] == 'allboards'
|
||||||
|
)
|
||||||
|
) {
|
||||||
$user_authority = 2; // mod
|
$user_authority = 2; // mod
|
||||||
} elseif ($entry['type'] == 2 && $entry['boards'] == 'allboards') {
|
}
|
||||||
$user_authority = 2;
|
elseif (
|
||||||
}/* elseif ($results[0][0] == 3) {
|
$entry['type'] == 3
|
||||||
$user_authority = 3; // VIP
|
&&
|
||||||
}*/
|
in_array($board_class->board['name'], explode('|', $entry['boards']))
|
||||||
|
) {
|
||||||
|
$user_authority = 3; // 2.0 board owner
|
||||||
|
}
|
||||||
if ($user_authority < 3) { /* set posting flags for mods and admins */
|
if ($user_authority < 3) { /* set posting flags for mods and admins */
|
||||||
if (isset($_POST['displaystaffstatus'])) $flags .= 'D';
|
if (isset($_POST['displaystaffstatus'])) $flags .= 'D';
|
||||||
if (isset($_POST['lockonpost'])) $flags .= 'L';
|
if (isset($_POST['lockonpost'])) $flags .= 'L';
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
<?php
|
|
||||||
/**
|
|
||||||
* Run a greater than zero check on each ID in the array
|
|
||||||
*
|
|
||||||
* @param array $ids Array of thread IDs
|
|
||||||
*/
|
|
||||||
|
|
||||||
function isNormalUser($authority) {
|
|
||||||
if ($authority == 1 || $authority == 2) {
|
|
||||||
return false;
|
|
||||||
} else {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
?>
|
|
|
@ -1786,9 +1786,12 @@ msgstr "Мамка в комнате"
|
||||||
msgid "Expand images to full size"
|
msgid "Expand images to full size"
|
||||||
msgstr "Разворачивать картинки до исходного размера"
|
msgstr "Разворачивать картинки до исходного размера"
|
||||||
|
|
||||||
msgid "Board Owner"
|
msgid "Userboards Owner"
|
||||||
msgstr "Владелец 2.0 досок"
|
msgstr "Владелец 2.0 досок"
|
||||||
|
|
||||||
|
msgid "Board Owner"
|
||||||
|
msgstr "Владелец доски"
|
||||||
|
|
||||||
msgid "Board limit exceeded. Delete the unused boards."
|
msgid "Board limit exceeded. Delete the unused boards."
|
||||||
msgstr "Превышен лимит 2.0 досок. Удалите неиспользуемые доски."
|
msgstr "Превышен лимит 2.0 досок. Удалите неиспользуемые доски."
|
||||||
|
|
||||||
|
|
|
@ -54,7 +54,7 @@ if (!$manage_class->ValidateSession(true)) {
|
||||||
} elseif ($manage_class->CurrentUserIsModerator()) {
|
} elseif ($manage_class->CurrentUserIsModerator()) {
|
||||||
$tpl_links .= _gettext('Moderator');
|
$tpl_links .= _gettext('Moderator');
|
||||||
} elseif ($manage_class->CurrentUserIsBoardOwner()) {
|
} elseif ($manage_class->CurrentUserIsBoardOwner()) {
|
||||||
$tpl_links .= _gettext('Board Owner');
|
$tpl_links .= _gettext('Userboards Owner');
|
||||||
$includelogo20 = '1';
|
$includelogo20 = '1';
|
||||||
} else {
|
} else {
|
||||||
$tpl_links .= _gettext('Janitor');
|
$tpl_links .= _gettext('Janitor');
|
||||||
|
|