From b3065423df4c10df57ba40e239d4f6fe38e7b828 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Sun, 9 Feb 2014 19:42:26 -0500 Subject: [PATCH] Add unique checks for minecraft and rsc names, hashing for minecraft passwords, and tweak other permission checks in profiles --- Sources/Profile-Modify.php | 91 +++++++++++++++++++++++++++++++++++--- Sources/Register.php | 64 +++++++++++++++++++++++++++ 2 files changed, 150 insertions(+), 5 deletions(-) diff --git a/Sources/Profile-Modify.php b/Sources/Profile-Modify.php index 7eeea3b..565d230 100644 --- a/Sources/Profile-Modify.php +++ b/Sources/Profile-Modify.php @@ -253,7 +253,9 @@ function loadProfileFields($force_reload = false) 'value' => empty($cur_profile['date_registered']) ? $txt['not_applicable'] : strftime('%Y-%m-%d', $cur_profile['date_registered'] + ($user_info['time_offset'] + $modSettings['time_offset']) * 3600), 'label' => $txt['date_registered'], 'log_change' => true, - 'permission' => 'moderate_forum', + // xxx moderators should not be allowed to change this + //orig: 'permission' => 'moderate_forum', + 'permission' => 'admin_forum', 'input_validate' => create_function('&$value', ' global $txt, $user_info, $modSettings, $cur_profile, $context; @@ -565,20 +567,23 @@ function loadProfileFields($force_reload = false) 'label' => $txt['profile_posts'], 'log_change' => true, 'size' => 7, - 'permission' => 'moderate_forum', + //xxx orig: 'permission' => 'moderate_forum', + 'permission' => 'admin_forum', 'input_validate' => create_function('&$value', ' $value = $value != \'\' ? strtr($value, array(\',\' => \'\', \'.\' => \'\', \' \' => \'\')) : 0; return true; '), ), 'real_name' => array( - 'type' => !empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum') ? 'text' : 'label', + //xxx orig: 'type' => !empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum') ? 'text' : 'label', + 'type' => !empty($modSettings['allow_editDisplayName']) || allowedTo('admin_forum') ? 'text' : 'label', 'label' => $txt['name'], 'subtext' => $txt['display_name_desc'], 'log_change' => true, 'input_attr' => array('maxlength="60"'), 'permission' => 'profile_identity', - 'enabled' => !empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'), + //xxx orig: 'enabled' => !empty($modSettings['allow_editDisplayName']) || allowedTo('moderate_forum'), + 'enabled' => !empty($modSettings['allow_editDisplayName']) || allowedTo('admin_forum'), 'input_validate' => create_function('&$value', ' global $context, $smcFunc, $sourcedir, $cur_profile; @@ -1294,8 +1299,81 @@ function makeCustomFieldChanges($memID, $area, $sanitize = true) $value = (int) $value; } elseif (substr($row['mask'], 0, 5) == 'regex' && trim($value) != '' && preg_match(substr($row['mask'], 5), $value) === 0) - $value = ''; + $value = isset($user_profile[$memID]['options'][$row['col_name']]) ? $user_profile[$memID]['options'][$row['col_name']] : ''; + // xxx changed this to above: $value = ''; } + + // xxx if we are editing our minecraft name, make sure there are no duplicates + if($area != 'register' && ($row['col_name'] == "cust_minecra" || $row['col_name'] == "cust_rscnam") && $value != '' && (!isset($user_profile[$memID]['options'][$row['col_name']]) || $user_profile[$memID]['options'][$row['col_name']] != $value)){ + $what_name = $row['col_name'] == "cust_minecra" ? 'Minecraft' : 'RSC'; + + $forum_group_banned = 86; + foreach (explode(',', $user_profile[$memID]['additional_groups']) as $group) + if($group == $forum_group_banned) + die("This $what_name account has been banned, contact staff for clarification."); + + $already_taken_memID = -1; + $already_taken_memName = 'This user'; + // first check the custom names + $mc_request = $smcFunc['db_query']('', ' + SELECT `id_member` + FROM `{db_prefix}themes` + WHERE `variable` = {string:col_name} + AND `value` = {string:value} + AND id_member != {int:id_member}', + array( + 'col_name' => $row['col_name'], + 'value' => strtolower($value), + 'id_member' => $memID, + ) + ); + if($mc_row = $smcFunc['db_fetch_assoc']($mc_request)) + $already_taken_memID = $mc_row['id_member']; + $smcFunc['db_free_result']($mc_request); + + // if custom name is not taken, compare it to account names, or just grab name + $mc_request = $smcFunc['db_query']('', ' + SELECT `id_member`, `real_name` + FROM `{db_prefix}members` + WHERE id_member = {int:already_taken_memID} OR + ( + ( + `real_name` = {string:value} + OR `member_name` = {string:value} + ) + AND id_member != {int:id_member} + )', + array( + 'already_taken_memID' => $already_taken_memID, + 'value' => strtolower($value), + 'id_member' => $memID, + ) + ); + + if($mc_row = $smcFunc['db_fetch_assoc']($mc_request)){ + $already_taken_memID = $mc_row['id_member']; + $already_taken_memName = $mc_row['real_name']; + } + $smcFunc['db_free_result']($mc_request); + + if($already_taken_memID != -1){ + // then someone already is using this name + global $boardurl; + die('Error: $already_taken_memName has already registered this $what_name name!"); + } + + //echo "success!"; exit; + } + if($area != 'register' && ($row['col_name'] == "cust_moparcr") && $value != '' && strlen($value) != 40 && (!isset($user_profile[$memID]['options'][$row['col_name']]) || $user_profile[$memID]['options'][$row['col_name']] != $value)){ + //print_r($user_info);echo("--------------------------------------------------------------\n");print_r($user_profile);exit; + //die(strlen($value)."bob"); + if(strlen($value) > 30) + die("Error: Maximum length for MoparCraft server password is 30 characters."); + $value = sha1(strtolower($user_profile[$memID]['member_name']) . htmlspecialchars_decode($value)); + if($user_info['id'] == $memID && $value == $user_info['passwd']) + die("Error: You can't set your MoparCraft server password to be the same as your forum password, if you want to use your forum password, leave this blank."); + } + //xxx end } // Did it change? @@ -2363,6 +2441,9 @@ function profileLoadSignatureData() 'max_font_size' => isset($sig_limits[7]) ? $sig_limits[7] : 0, 'bbc' => !empty($sig_bbc) ? explode(',', $sig_bbc) : array(), ); + //xxx if it is moparisthebest, increase sig max length + if($context['id_member'] == 1) + $context['signature_limits']['max_length'] *= 2; // Kept this line in for backwards compatibility! $context['max_signature_length'] = $context['signature_limits']['max_length']; // Warning message for signature image limits? diff --git a/Sources/Register.php b/Sources/Register.php index b59273c..5b04cdb 100644 --- a/Sources/Register.php +++ b/Sources/Register.php @@ -453,6 +453,66 @@ function Register2($verifiedOpenID = false) } } + // xxx if we are editing our minecraft name, make sure there are no duplicates + if(($row['col_name'] == "cust_minecra" || $row['col_name'] == "cust_rscnam") && $value != ''){ + + $already_taken_memID = -1; + $already_taken_memName = 'This user'; + // first check the custom names + $mc_request = $smcFunc['db_query']('', ' + SELECT `id_member` + FROM `{db_prefix}themes` + WHERE `variable` = {string:col_name} + AND `value` = {string:value}', + array( + 'col_name' => $row['col_name'], + 'value' => strtolower($value), + ) + ); + if($mc_row = $smcFunc['db_fetch_assoc']($mc_request)) + $already_taken_memID = $mc_row['id_member']; + $smcFunc['db_free_result']($mc_request); + + // if custom name is not taken, compare it to account names, or just grab name + $mc_request = $smcFunc['db_query']('', ' + SELECT `id_member`, `real_name` + FROM `{db_prefix}members` + WHERE id_member = {int:already_taken_memID} OR + ( + ( + `real_name` = {string:value} + OR `member_name` = {string:value} + ) + )', + array( + 'already_taken_memID' => $already_taken_memID, + 'value' => strtolower($value), + ) + ); + if($mc_row = $smcFunc['db_fetch_assoc']($mc_request)){ + $already_taken_memID = $mc_row['id_member']; + $already_taken_memName = $mc_row['real_name']; + } + $smcFunc['db_free_result']($mc_request); + + if($already_taken_memID != -1){ + // then someone already is using this name + global $boardurl; + $what_name = $row['col_name'] == "cust_minecra" ? 'Minecraft' : 'RSC'; + die('Error: $already_taken_memName has already registered this $what_name name!"); + } + } + + if(($row['col_name'] == "cust_moparcr") && $value != '' && strlen($value) != 40){ + if(strlen($value) > 30) + die("Error: Maximum length for MoparCraft server password is 30 characters."); + if($value == $regOptions['password']) + die("Error: You can't set your MoparCraft server password to be the same as your forum password, if you want to use your forum password, leave this blank."); + $value = sha1(strtolower($regOptions['username']) . htmlspecialchars_decode($value)); + $_POST['customfield'][$row['col_name']] = $value; + } + // xxx end if we are editing our minecraft name, make sure there are no duplicates + // Is this required but not there? if (trim($value) == '' && $row['show_reg'] > 1) $custom_field_errors[] = array('custom_field_empty', array($row['field_name'])); @@ -854,6 +914,10 @@ function RegisterCheckUsername() if ($smcFunc['strlen']($context['checked_username']) > 25) $context['checked_username'] = $smcFunc['htmltrim']($smcFunc['substr']($context['checked_username'], 0, 25)); + //xxx only allow these characters + if(!RegisterUserIsAllowed($context['checked_username'], "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ /-:.%0123456789_")) + $context['valid_username'] = false; + // Only these characters are permitted. if (preg_match('~[<>&"\'=\\\]~', preg_replace('~&#(?:\\d{1,7}|x[0-9a-fA-F]{1,6});~', '', $context['checked_username'])) != 0 || $context['checked_username'] == '_' || $context['checked_username'] == '|' || strpos($context['checked_username'], '[code') !== false || strpos($context['checked_username'], '[/code') !== false) $context['valid_username'] = false;