If you want a live version of this to test and such
Index of /
Name Last modified Size Description
If you want a live version of this to test and such
Index of /
Name Last modified Size Description
Sorry, I was doing maintenance. It is working now. bonelifer wrote: ↑Mon Dec 10, 2018 12:10 am I've moved it to custom coding as that seems to me to be more appropriate. You state in your first post that people can visit a link to test it live, but there is no content at that link other than a blank directory listing. The link is fine as long as the URL it points to lets the user test a live version, as you state: If you want a live version of this to test and such
Index of /
Name Last modified Size Description
<?php
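include('./phpbb.php');
// Requested user fields. 'db' pulls the forum's DB account (including the password)
// out of config.php into $user, so only request it on a trusted development host.
$fields = ['username_clean', 'db', 'group_ids'];
// Add session_id to enable non-registered users
// $fields []= 'session_id';
// Set 1 to automatically redirect non-registered users to phpbb login page and back
$redirect = 0;
// Escapes a value for an HTML body/attribute context. Everything printed below comes
// from the forum database or the request and must not be written into the page raw.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
$user = get_phpbb_user($fields);
if (!$user) {
    // Not authorized
    $url = get_phpbb_login_url();
    if ($redirect) {
        header("Location: $url");
        exit;
    }
    // $url embeds the current request URI, so it is escaped before going into the href.
    $login_href = $esc($url);
    print <<<EOT
<html>
<head>
</head>
<body>
<h2 align=center>Some Information</h2>
<hr>
<h2 align=center><a href="$login_href">Login or signup please</a></h2>
</body>
</html>
EOT;
    exit;
}
printf("User: %s %s %d<br>\n", $esc($user['username_clean']), $esc($user['username']), $user['user_id']);
printf("Groups: %s<br>\n", $esc(join(",", $user['group_ids'])));
// The session id shown here is the visitor's own; it is also embedded in the logout link.
printf("Session: %s<br>\n", $esc($user['session_id']));
// Mask the DB password before dumping the account details; the other entries stay visible.
$db_acc = $user['db'];
if (is_array($db_acc) && array_key_exists('passwd', $db_acc)) {
    $db_acc['passwd'] = '********';
}
printf("DB: %s<br>\n", $esc(print_r($db_acc, TRUE)));
// Strict comparison instead of @-suppressed loose compare; a missing key counts as "not anonymous".
$username_clean = isset($user['username_clean']) ? $user['username_clean'] : '';
if ($username_clean !== 'anonymous') {
    printf("<a href=\"%s\">Logout</a><br>\n", $esc(get_phpbb_logout_url()));
}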
?>
<?php
// Based on https://www.phpbb.com/support/docs/en/3.3/kb/article/phpbb3-sessions-integration
// Absolute filesystem path of the phpBB installation. The trailing slash is required:
// 'common.php' and 'config.php' are appended to it directly further down.
$phpbb_root_path = '/home/webmaster/forum/';
/**
 * Bootstraps phpBB (once per request) and returns a snapshot of the visitor's session.
 *
 * @param array $fields  names of $user->data fields to copy. Two pseudo-fields are handled
 *                       separately: 'db' (DB account read from config.php, password included)
 *                       and 'group_ids' (every group the user belongs to). Listing
 *                       'session_id' also makes non-registered visitors acceptable.
 * @return array|false   the collected info (always containing the base fields plus 'phpbb_url'),
 *                       or FALSE when common.php is missing or the visitor is neither
 *                       registered nor explicitly allowed as anonymous
 */
function get_phpbb_user($fields = []) {
global $phpbb_user_info, $phpbb_root_path;
// phpBB is only bootstrapped on the first call; later calls reuse the cached snapshot.
// NOTE(review): the early FALSE return below leaves $phpbb_user_info unset, so a second
// call after a missing common.php would run define('IN_PHPBB') again — confirm if relevant.
if (!isset($phpbb_user_info)) {
// Remember already created globals
$old_names = get_current_global_names();
// These vars will be used for getting info
global $user, $auth, $config, $request, $db;
// Globalisation of these vars enable phpbb to work in local scope
global $phpbb_container, $phpbb_dispatcher, $table_prefix;
// Get session info using phpBB
define('IN_PHPBB', true);
$phpEx = 'php';
$common = $phpbb_root_path . 'common.' . $phpEx;
if (!file_exists($common))
return FALSE;
include_once($common);
// Standard phpBB session bootstrap (see the KB article referenced at the top of the file)
$user->session_begin();
$auth->acl($user->data);
$user->setup();
// Enable superglobals like $_SERVER for non-phpBB usage
$request->enable_super_globals();
$phpbb_url = get_phpbb_root_url($config);
// Anonymous visitors are only returned when the caller explicitly asked for 'session_id'
$allow_anon = in_array('session_id', $fields);
$phpbb_user_info = array();
// Always collected, whatever the caller asked for (non-strict in_array; field names are strings)
$base_fields = array('user_id', 'group_id', 'username', 'session_id', 'is_registered');
foreach ($base_fields as $f)
if (!in_array($f, $fields))
$fields []= $f;
// Set original root phpBB URL as phpbb_url user field
$phpbb_user_info['phpbb_url'] = $phpbb_url;
// 'db' copies the DB account — including the clear-text password — out of config.php
// into the returned array; callers must treat that entry as a secret.
if (in_array('db', $fields)) {
$phpbb_user_info['db'] = get_phpbb_db_acc_imp($phpbb_root_path . 'config.' . $phpEx);
$fields = array_diff($fields, array('db'));
}
if (is_array($user->data)) {
// Default user fields
// @ hides the notice for a field name $user->data does not have; that entry becomes NULL.
foreach ($fields as $field) {
$phpbb_user_info[$field] = @$user->data[$field];
}
}
// Group memberships need a query of their own; user_id was copied above as a base field.
if (in_array('group_ids', $fields)) {
$phpbb_user_info['group_ids'] = get_all_group_ids($db, intval($phpbb_user_info['user_id']));
$fields = array_diff($fields, array('group_ids'));
}
// Get and unset newly created globals
// Typical newly created globals:
// SID, _ENV, _EXTRA_URL, _REQUEST, _SERVER, _SID, __composer_autoload_files,
// auth, cache, config, db, language, msg_long_text, msg_title, phpEx, phpbb_container,
// phpbb_dispatcher, phpbb_extension_manager, phpbb_filesystem, phpbb_hook, phpbb_log,
// phpbb_path_helper, phpbb_root_path, request, symfony_request, table_prefix, template, user
$new_names = get_current_global_names(array_merge($old_names));
// Drops everything phpBB (and the global declarations above) added to $GLOBALS, so the
// host script is left with $phpbb_user_info only; later calls never touch $user/$db again.
foreach ($new_names as $new_name)
unset($GLOBALS[$new_name]);
// phpBB handler use global objects like $phpbb_container and $phpbb_log
restore_error_handler();
}
// Allow registered users or explicit anonymous user request
// @ covers a missing key. $allow_anon is only assigned on the bootstrap path above, so on
// the cached path it is undefined and anonymous info is no longer returned —
// NOTE(review): probably unintended, verify.
return (@$phpbb_user_info['is_registered'] || @$allow_anon) ? $phpbb_user_info : FALSE;
}
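/**
 * Tells whether a group id is one of the two privileged default groups (ids 4 and 5,
 * presumably GLOBAL_MODERATORS / ADMINISTRATORS in a default phpBB install — verify
 * against the board's group table if ids were customised).
 *
 * @param int|string $group_id  int from get_all_group_ids() or numeric string from $user->data
 * @return bool
 */
function is_forum_admin($group_id) {
    // Only a genuinely numeric id can match: the former loose in_array() let any truthy
    // non-numeric value (e.g. true) compare equal to "4" and count as admin.
    if (!is_numeric($group_id)) {
        return FALSE;
    }
    return in_array((int) $group_id, [4, 5], true);
}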
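/**
 * Returns the ids of every group the user belongs to.
 *
 * @param object     $db       phpBB database driver (sql_query / sql_fetchrow / sql_freeresult)
 * @param int|string $user_id  user id; anything non-integer is truncated to an int
 * @return int[]               group ids in query order; empty when the user has none
 */
function get_all_group_ids($db, $user_id) {
    // The id is interpolated into SQL, so it is forced to an integer here instead of
    // relying on every caller to do it.
    $user_id = (int) $user_id;
    $result = [];
    // Table name presumably assumes the default 'phpbb_' prefix — a custom $table_prefix
    // would need this adjusted.
    $r = $db->sql_query("SELECT group_id FROM phpbb_user_group WHERE user_id = $user_id");
    // Use the driver's own fetch/free so this does not depend on the mysqli backend.
    while ($row = $db->sql_fetchrow($r)) {
        $result[] = intval($row['group_id']);
    }
    $db->sql_freeresult($r);
    return $result;
}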
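/**
 * Reads the database account out of a phpBB config.php.
 *
 * "Dirty hack": the config file is include()d into this function's scope and the
 * variables it defines ($dbhost, $dbport, $dbname, $dbuser, $dbpasswd) are collected.
 *
 * @param string $config_file  path to config.php
 * @return array  keys host, port, name, user, passwd; NULL for any variable the file does
 *                not define (or when the file is unreadable). 'passwd' is the clear-text
 *                DB password — callers must keep it out of any output.
 */
function get_phpbb_db_acc_imp($config_file) {
    // Include only when readable so a missing file yields NULL entries instead of warnings.
    if (is_readable($config_file)) {
        include($config_file);
    }
    $acc = [];
    $acc['host'] = isset($dbhost) ? $dbhost : NULL;
    $acc['port'] = isset($dbport) ? $dbport : NULL;
    $acc['name'] = isset($dbname) ? $dbname : NULL;
    $acc['user'] = isset($dbuser) ? $dbuser : NULL;
    $acc['passwd'] = isset($dbpasswd) ? $dbpasswd : NULL;
    return $acc;
}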
/**
 * Convenience wrapper: reads the DB account from config.php under $phpbb_root_path.
 *
 * @return array|null  see get_phpbb_db_acc_imp(); NULL when config.php does not exist
 */
function get_phpbb_db_acc() {
    global $phpbb_root_path;
    $path = $phpbb_root_path . 'config.php';
    return file_exists($path) ? get_phpbb_db_acc_imp($path) : NULL;
}
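/**
 * Rebuilds the URL of the current request from $_SERVER.
 *
 * Scheme and host come straight from the request (HTTPS flag, Host header), so the result
 * is request-controlled data: usable as a self-redirect target that the receiver validates,
 * not something to trust on its own.
 *
 * @return string  "<scheme>://<host><request-uri>"; host and uri fall back to '' when unset
 *                 instead of raising undefined-index notices
 */
function get_current_url() {
    // Any HTTPS marker other than empty/'off' counts (some servers set '1' rather than 'on').
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    return ($https ? 'https' : 'http') . "://$host$uri";
}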
/**
 * Builds the board's base URL from its configuration: protocol, host, the port when it is
 * not the protocol's default, and the script path without its trailing slash.
 *
 * @param array|ArrayAccess $config  phpBB config exposing server_protocol, server_name,
 *                                   server_port and script_path
 * @return string
 */
function get_phpbb_root_url($config) {
    $protocol = $config['server_protocol'];
    $port = $config['server_port'];
    $url = $protocol . $config['server_name'];
    // Only the two known protocols have an implied default port; the port is compared
    // loosely because the config may store it as a string.
    $default_ports = ['https://' => 443, 'http://' => 80];
    if (isset($default_ports[$protocol]) && $port != $default_ports[$protocol]) {
        $url .= ':' . $port;
    }
    $url .= $config['script_path'];
    if (substr($url, -1) == '/') {
        $url = substr($url, 0, -1);
    }
    return $url;
}
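/**
 * URL of phpBB's login page that sends the visitor back to the current page afterwards.
 *
 * @return string|null  NULL until get_phpbb_user() has populated $phpbb_user_info
 */
function get_phpbb_login_url() {
    global $phpbb_user_info;
    // empty() covers both "never set" and an empty array without the former @ suppression.
    if (empty($phpbb_user_info)) {
        return NULL;
    }
    // The redirect target is the current URL, which is request-derived; phpBB is
    // expected to validate the redirect parameter on its side before following it.
    return sprintf("%s/ucp.php?mode=login&redirect=%s", $phpbb_user_info['phpbb_url'], urlencode(get_current_url()));
}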
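/**
 * URL that logs the current visitor out of phpBB.
 *
 * The link carries the visitor's own session id (sid), presumably so phpBB can tie the
 * logout request to that session — verify against ucp.php if relying on it.
 *
 * @return string|null  NULL until get_phpbb_user() has populated $phpbb_user_info
 */
function get_phpbb_logout_url() {
    global $phpbb_user_info;
    // empty() covers both "never set" and an empty array without the former @ suppression.
    if (empty($phpbb_user_info)) {
        return NULL;
    }
    return sprintf("%s/ucp.php?mode=logout&sid=%s", $phpbb_user_info['phpbb_url'], $phpbb_user_info['session_id']);
}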
/**
 * Sorted list of the variable names currently present in $GLOBALS.
 *
 * @param string[]|null $exclude  names to leave out, e.g. an earlier snapshot so that only
 *                                the globals created since are returned
 * @return string[]
 */
function get_current_global_names($exclude = NULL) {
    $names = array_keys($GLOBALS);
    if ($exclude !== NULL) {
        $names = array_diff($names, $exclude);
    }
    sort($names);
    return $names;
}
?>
--- includes/functions.php 2020-06-25 06:54:52.171427629 +0300
+++ includes/functions.php 2020-06-25 23:45:50.777356214 +0300
@@ -1737,8 +1737,8 @@
}
else if (!empty($url_parts['scheme']) && !empty($url_parts['host']))
{
- // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
- if (!$disable_cd_check && $url_parts['host'] !== $user->host)
+ // Attention: only able to redirect within the same domain or domain -> subdomain if $disable_cd_check is false
+ if (!$disable_cd_check && !($url_parts['host'] === $user->host || (substr($url_parts['host'], -strlen($user->host) - 1) === '.'.$user->host)))
{
trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
}
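Review bot: The new condition on the `if` line accepts every host that ends in `.` followed by `$user->host`, so any subdomain at any depth becomes a permitted redirect target rather than only the domain-to-www case the old comment describes, and the second hunk (which ends outside this chunk) additionally removes the board-directory prefix test, so together they narrow what INSECURE_REDIRECT still rejects. If `$user->host` is derived from the request's Host header rather than the configured server name, the baseline of this comparison is itself request-influenced, which is worth confirming before relaxing the rule. A fixed allow-list is narrower and easier to audit than a wildcard suffix, e.g. `$allowed_hosts = [$user->host, 'www.' . $user->host];` and `if (!$disable_cd_check && !in_array($url_parts['host'], $allowed_hosts, true))`. The comparison is also case-sensitive although hostnames are not, which only produces a spurious warning for a differently-cased host. The enclosing function starts before this hunk.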
@@ -1778,11 +1778,6 @@
// Clean URL and check if we go outside the forum directory
$url = $phpbb_path_helper->clean_url($url);
- if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
- {
- trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
- }
-
// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
{