submit_post - spoof auth?

Discussion forum for MOD Writers regarding MOD Development.
Omen
Registered User
Posts: 124
Joined: Thu Dec 26, 2002 5:50 am

Post by Omen » Fri Feb 15, 2008 9:30 pm

http://www.phpbb.com/mods/documentation ... nsert-post

That page does not explain how to spoof the auth level of the user that is submitting the post.

Can someone tell me how to spoof the auth level so it looks as though that person was an administrator when they posted it? Or any level for that matter.

I know how to spoof the username and ID but just not the auth.

Code:

	$backup_ip = $user->ip;
	$user->ip = '0.0.0.0';

	$backup_username = $user->data['username'];
	$user->data['username'] = "Some Username";

	$backup_user_id = $user->data['user_id'];
	$user->data['user_id'] = 96;

	// auth?


Thanks

Brf
Support Team Member
Posts: 51870
Joined: Tue May 10, 2005 7:47 pm

Post by Brf » Sat Feb 16, 2008 1:29 pm

Why would you need to spoof an auth level?
Auth levels are not stored with posts, only the author's user_id.

Post by Omen » Sat Feb 16, 2008 5:33 pm

I have areas of my site that let users fill out a form, and that information uses the submit_post API to place the info into a post in a specified forum as a "bot user" on our site. When the post is submitted, the bot takes on the auth level of whoever filled out that form. So if an admin filled out that form, the bot's name is highlighted red (admin colors), but when a normal user submits the form, the bot's name is not highlighted. And the bot account on my site IS an admin account.

Post by Brf » Sun Feb 17, 2008 1:01 am

All you need to do is fill in the user_id of the user you are trying to spoof. That user_id is what is used to determine what color their name is shown.

Post by Omen » Sun Feb 17, 2008 1:35 am

Negative, my friend. If I am logged in as a global mod and submit the form, the information is posted to the forums as a bot and its name is highlighted in green and is bold. If I am logged in as a normal user, it's neither, and as an admin it's red and bold. All of this is in the forum view.

I would think it was based on ID or username only, but that's not the case.

It works fine with submit_pm, but not submit_post.

Post by Brf » Sun Feb 17, 2008 1:42 am

Ah... I see...
For speed, the topic author's colour is also saved. You would have to replace that too.

Post by Omen » Sun Feb 17, 2008 2:14 am

Ah, I see. Thanks for your help.

igorw
Former Team Member
Posts: 8024
Joined: Fri Dec 16, 2005 12:23 pm
Name: Igor Wiedler

Post by igorw » Sun Feb 17, 2008 4:59 pm

One problem that arises though is if you want to submit a post that the current user has no posting permission for. It will then submit the post, but mark it as unapproved.

For this reason, you have to backup $auth and run a new $auth->acl($user->data); ;)
Igor Wiedler | area51 | GitHub | trashbin | Formerly known as evil less than three

Post by Omen » Sun Feb 17, 2008 5:11 pm

eviL<3 wrote:One problem that arises though is if you want to submit a post that the current user has no posting permission for. It will then submit the post, but mark it as unapproved.

For this reason, you have to backup $auth and run a new $auth->acl($user->data); ;)
Can you explain how I would spoof his auth to act like he has admin privs?

Post by igorw » Sun Feb 17, 2008 5:26 pm

What you have to do is give the bot user posting permissions for that forum and then do that $auth->acl() trick I mentioned above. It has to do with posting permissions, not admin permissions. ;)

freejoe76
Registered User
Posts: 34
Joined: Sat Feb 08, 2003 3:41 am
Location: Denver

Post by freejoe76 » Wed Feb 20, 2008 5:04 pm

I was up against this same problem in phpbb3 -- all I wanted to do was spoof a post from the admin at the beginning of a thread.

This is the php I used to make that happen (note: on the board I'm building, the topic_id value is determined elsewhere -- I doubt that use-case is in use many other places, so you ought to adjust this to your needs).

Also, this is an adjustment of the same php I had doing this in phpbb2, so there are still a bunch of legacy commands in it.

This code should be used, if at all, as a guide, not a cut-and-paste. It deals with outside input, which is validated in another script.

Code:

define('IN_PHPBB', true);
$phpbb3_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb3_root_path . 'common.'.$phpEx);
include($phpbb3_root_path . 'includes/bbcode.'.$phpEx);
include($phpbb3_root_path . 'includes/functions_posting.'.$phpEx);

//Lookup our section to pull a forum_id if the link was clicked on from a section
$section = str_replace('&section=', '', $section);
$forum_id = section_to_forumid($section);
// Always define $section_str so the URL below never uses an unset variable
$section_str = ( $forum_id != 16 ) ? $section . '/' : '';

$username = 'admin';
$subject = utf8_normalize_nfc('Article Discussion: ' . $article_title);
$message = utf8_normalize_nfc('[quote][i]' . trim($c_blurb) . '[/i][/quote]

Post your comments on the Denver Post article, [url=http://www.denverpost.com/' . $section_str . 'ci_' . $topic_id . '?source=bb]' . $article_title . '[/url].');
$topic_type = 0;
$current_time = time();

// variables to hold the parameters for submit_post
$poll = $uid = $bitfield = $options = ''; 

generate_text_for_storage($subject, $uid, $bitfield, $options, false, false, false);
generate_text_for_storage($message, $uid, $bitfield, $options, true, true, true);


/*
===
Automatically inserting a post into the phpbb database
===

1. Add the new post and post content
2. Get the new post's id for use later
3. Create the topic that contains the post
4. Update the appropriate forum table with the new post information
5. Load the post's page
*/

/* We make sure we're not doing this again, in case folk are hitting the back button */
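// Cast the id to an integer and read the result through phpBB's DBAL, not mysql_* directly
$sql = 'SELECT * FROM phpbb3_posts WHERE topic_id = ' . (int) $topic_id;
$return = $db->sql_query($sql);
$existing_post = $db->sql_fetchrow($return);
$db->sql_freeresult($return);
if ( !$existing_post )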
{
	//Write the new posts 
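	// Integers are cast and strings escaped: $subject and $message are built from outside input
	$sql = "INSERT INTO phpbb3_posts (
		topic_id, forum_id,
		poster_id, post_username,
		post_subject, post_text, post_time, poster_ip,
		bbcode_bitfield, bbcode_uid,
		enable_bbcode, enable_smilies, enable_sig)
		VALUES (
		" . (int) $topic_id . ", " . (int) $forum_id . ",
		2, 'admin',
		'" . $db->sql_escape($subject) . "', '" . $db->sql_escape($message) . "', " . (int) $current_time . ", '72.165.229.187',
		'" . $db->sql_escape($bitfield) . "', '" . $db->sql_escape($uid) . "',
		1, 1, 1)";
	$db->sql_query($sql);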
	
	//Get the insert id -- this is added to other tables that are related to the posts table
	$post_id = $db->sql_nextid();
	
	//Create the topic
	// Same treatment as above: cast the ids, escape the subject
	$sql = "INSERT INTO phpbb3_topics (
		topic_id, topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type,
		topic_first_post_id, topic_first_poster_name, topic_first_poster_colour,
		topic_last_post_id, topic_last_poster_id, topic_last_poster_name, topic_last_poster_colour,
		topic_last_post_subject, topic_last_post_time, topic_last_view_time )

		VALUES (
		" . (int) $topic_id . ", '" . $db->sql_escape($subject) . "', 2, " . (int) $current_time . ", " . (int) $forum_id . ", 0, 0,
		" . (int) $post_id . ", 'admin', '',
		" . (int) $post_id . ", 2, 'admin', '',
		'" . $db->sql_escape($subject) . "', " . (int) $current_time . ", " . (int) $current_time . ")";
	$db->sql_query($sql);
	
	
	//Update the appropriate forum table with the new post information
	$sql = "UPDATE phpbb3_forums
		SET
			forum_posts = forum_posts + 1,
			forum_topics = forum_topics + 1,
			forum_topics_real = forum_topics_real + 1,
			forum_last_post_id = " . (int) $post_id . ",
			forum_last_poster_id = 2,
			forum_last_post_subject = '" . $db->sql_escape($subject) . "',
			forum_last_post_time = " . (int) $current_time . ",
			forum_last_poster_name = 'admin',
			forum_last_poster_colour = ''
		WHERE forum_id = " . (int) $forum_id;
	$db->sql_query($sql);
	
}
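// Cast the ids and URL-encode the comment before placing them in the redirect URL
$location = "http://" . $_SERVER['SERVER_NAME'] . "/phpbb3/phpBB3original/posting.php?mode=reply&f=" . (int) $forum_id . "&t=" . (int) $topic_id . "&c_comment=" . urlencode($i_comment);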



//Load the posting page and include the variables passed (if necessary)
header("Location: $location");
exit;

KFCSpike
Registered User
Posts: 26
Joined: Wed May 18, 2005 11:27 am

Post by KFCSpike » Fri Feb 29, 2008 7:52 pm

eviL<3 wrote:One problem that arises though is if you want to submit a post that the current user has no posting permission for. It will then submit the post, but mark it as unapproved.

For this reason, you have to backup $auth and run a new $auth->acl($user->data); ;)
I'm trying that in my script but posts still show as unapproved (unless an admin triggers it).
The post shows as my 'bot' posting, correct name, correct ip, correct colour etc but always unapproved.
And yes, the 'bot' does have full access to the forum as I can log him in manually and post with no probs.

This part of my code is used inside a function (hence the Global declarations)...

Code:

global $user, $auth;

//Save all the old values
$old_user_id=$user->data['user_id'];
$old_username=$user->data['username'];
$old_user_colour=$user->data['user_colour'];
$old_user_ip=$user->ip;
$old_auth = $auth;

$user->data['username']='MyBotName';
$user->data['user_id']= 1317;
$user->data['user_colour']= 'FF0000';
$user->ip= '0.0.0.0';
$auth->acl($user->data);

//All the usual posting stuff here, sets up data and calls submit_post() etc.
//Haven't included this as it works fine when admin logged in and calls the script

//Set all the old stuff back
$user->data['user_id'] = $old_user_id;
$user->data['username'] = $old_username;
$user->data['user_colour'] = $old_user_colour;
$user->ip = $old_user_ip;
$auth = $old_auth;

Hopefully I'm missing something obvious - I'm at the tearing hair out stage so any help will be appreciated :lol:

Post by Omen » Sun Mar 02, 2008 2:32 am

Yeah, I still haven't fully grasped the whole auth spoofing thing, so if anyone can give an example that would be great.

Post by KFCSpike » Fri Mar 07, 2008 7:17 pm

I finally managed to get this working - it looks like you have to set $user->data['user_permissions'] as well as the other details before calling $auth->acl($user->data)

The only way I could see to achieve this was to include an sql query to grab those permissions for the 'bot'.
My updated code is shown here (I use this within a function so need the globals)...

Code:

	global $user, $auth, $db;
	
	// Back up by value. In PHP 5+ "$old_user = $user" copies only the object
	// handle, so it would not preserve the original user.
	$old_user_data = $user->data;
	$old_user_ip = $user->ip;
	
	$user->data['username'] = 'My_bots_name';
	$user->data['user_id'] = 1317;
	$user->data['user_colour'] = 'FF0000';
	$user->ip = '0.0.0.0';
	
	//We need to grab the bot's user_permissions from the table
	$sql = 'SELECT user_permissions
	FROM ' . USERS_TABLE . '
	WHERE user_id = ' . (int) $user->data['user_id'];
	$dbresult = $db->sql_query($sql);
	$row = $db->sql_fetchrow($dbresult);
	$db->sql_freeresult($dbresult);
	$user->data['user_permissions'] = $row['user_permissions'];
	
	//Now set up the permissions properly for phpBB3
	$auth->acl($user->data);

	//The rest of the posting stuff follows....
	// note that multibyte support is enabled here

	//After posting stuff: restore the real user and rebuild their permissions
	$user->data = $old_user_data;
	$user->ip = $old_user_ip;
	$auth->acl($user->data);
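
Added example, not part of the thread and not phpBB's own code: the backup, switch and restore steps discussed above, wrapped so the real user's identity and permissions come back even if the posting code throws. DemoUser, DemoAuth and run_as_bot are hypothetical names standing in for phpBB's $user and $auth, and the sample rows are constructed.

```php
<?php
// Stand-ins for phpBB's global $user and $auth objects (constructed for this
// example; they only model the properties this thread touches).
class DemoUser { public $data = array(); public $ip = ''; }
class DemoAuth {
    public $acl_for = null;
    // Models the one behaviour relied on here: acl() rebuilds state from $userdata.
    public function acl(&$userdata) { $this->acl_for = $userdata['user_id']; }
}

/**
 * Run $callback as the bot account, then always restore the real user.
 * $bot_row is the bot's row from the users table (must include user_permissions).
 */
function run_as_bot($user, $auth, array $bot_row, $bot_ip, callable $callback)
{
    // Arrays and strings are copied by value, so these are real backups.
    // "$old_user = $user" would only copy the object handle in PHP 5+.
    $saved_data = $user->data;
    $saved_ip = $user->ip;
    try {
        $user->data = array_merge($user->data, $bot_row);
        $user->ip = $bot_ip;
        $auth->acl($user->data);
        return $callback();          // e.g. a closure that calls submit_post()
    } finally {
        // Runs on return and on exception, so nothing after this call
        // executes with the bot's identity or permissions.
        $user->data = $saved_data;
        $user->ip = $saved_ip;
        $auth->acl($user->data);
    }
}

// Constructed sample data.
$user = new DemoUser();
$user->data = array('user_id' => 54, 'username' => 'visitor', 'user_colour' => '', 'user_permissions' => '');
$user->ip = '192.0.2.10';
$auth = new DemoAuth();
$auth->acl($user->data);
$bot = array('user_id' => 1317, 'username' => 'My_bots_name', 'user_colour' => 'FF0000', 'user_permissions' => 'constructed');

$alias = $user;                       // the pitfall: same object, not a copy
$seen = run_as_bot($user, $auth, $bot, '0.0.0.0', function () use ($user) {
    return $user->data['user_id'];    // identity visible to the posting code
});
var_dump($alias === $user);           // whether the "backup" is the live object
var_dump($seen, $user->data['user_id'], $auth->acl_for);
```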
