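<?php

////////////////////////////////////////////////////////////////////////////////
//                                                                            //
//   Copyright (C) 2011  Phorum Development Team                              //
//   http://www.phorum.org                                                    //
//                                                                            //
//   This program is free software. You can redistribute it and/or modify     //
//   it under the terms of either the current Phorum License (viewable at     //
//   phorum.org) or the Phorum License that was distributed with this file    //
//                                                                            //
//   This program is distributed in the hope that it will be useful,          //
//   but WITHOUT ANY WARRANTY, without even the implied warranty of           //
//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     //
//                                                                            //
//   You should have received a copy of the Phorum License                    //
//   along with this program.                                                 //
////////////////////////////////////////////////////////////////////////////////

// Admin "token missing" page.
//
// This page is reached when an admin request arrives without a valid,
// unexpired admin token (the CSRF protection of the admin interface).
// It does three things, in order:
//
//   1. If the confirmation form below was submitted with a valid token,
//      either drop the token and go back to the forum ("cancel") or replay
//      the originally requested admin URL ("continue").
//   2. Otherwise, issue a fresh token and store it in the admin's settings.
//   3. If the request carried no parameters besides "module" and
//      "phorum_admin_token", silently redirect to the requested module;
//      else show the confirmation form so the admin can inspect the
//      requested URL before it is replayed.

// don't allow this page to be loaded directly
if(!defined("PHORUM_ADMIN")) exit();

// The token currently stored for this admin (if any). Reading through
// isset() avoids notices for users that never had a token issued.
$settings = isset($PHORUM["user"]['settings_data'])
          ? $PHORUM["user"]['settings_data']
          : array();
$stored_token      = isset($settings['admin_token'])
                   ? (string) $settings['admin_token'] : '';
$stored_token_time = isset($settings['admin_token_time'])
                   ? (int) $settings['admin_token_time'] : 0;

if(count($_POST)) {

    $posted_token = (!empty($_POST['phorum_admin_token']) &&
                     is_string($_POST['phorum_admin_token']))
                  ? $_POST['phorum_admin_token'] : '';

    // Compare the token strictly and in constant time. A loose "==" would
    // treat numeric-looking strings (e.g. two "0e..." hashes) as equal and
    // lets an attacker measure how many leading bytes matched.
    // hash_equals() requires PHP >= 5.6.
    $token_ok = $posted_token !== '' && $stored_token !== '' &&
                hash_equals($stored_token, $posted_token);

    // The token is only valid for PHORUM_ADMIN_TOKEN_TIMEOUT seconds.
    $token_fresh = time() - PHORUM_ADMIN_TOKEN_TIMEOUT < $stored_token_time;

    if($token_ok && $token_fresh) {

        if(!empty($_POST['cancel'])) {

            // Invalidate the token and send the admin to the forum homepage.
            $PHORUM["user"]['settings_data']['admin_token'] = "";

            $tmp_user = array(
                'user_id'       => $PHORUM["user"]['user_id'],
                'settings_data' => $PHORUM["user"]['settings_data']
            );
            phorum_api_user_save($tmp_user);

            phorum_api_redirect($PHORUM['http_path']);

        } elseif(!empty($_POST['continue'])) {

            // Replay the originally requested admin URL. "target" holds
            // only the query string; it is always appended to the admin's
            // own base URL by phorum_admin_build_url().
            if(!empty($_POST['target']) && is_string($_POST['target'])) {
                $url = phorum_admin_build_url($_POST['target']);
            } else {
                $url = phorum_admin_build_url();
            }

            phorum_api_redirect($url);
        }
        exit();
    }
}

// We have no token or our token expired.
// Generate a fresh token and persist it together with its issue time.
$admin_token_time = time();
$admin_token = phorum_api_sign(
    $PHORUM['user']['user_id'] .
    microtime() .
    $PHORUM['user']['username'] .
    $PHORUM['user']['sessid_st']
);
phorum_api_user_save_settings(array(
    'admin_token_time' => $admin_token_time,
    'admin_token'      => $admin_token
));
$PHORUM['admin_token'] = $admin_token;

// If there are no POST or GET variables in the request, besides
// "module" and/or "phorum_admin_token", then we can safely load
// the requested admin page, without bugging the admin about the
// token timeout.
$post = $_POST; unset($post['module']); unset($post['phorum_admin_token']);
$get  = $_GET;  unset($get['module']);  unset($get['phorum_admin_token']);
if (empty($post) && empty($get)) {
    $module = '';
    // basename() strips any path components, so the value can only
    // name a module, never a file outside the module directory.
    if (isset($_POST['module']) && is_string($_POST['module'])) {
        $module = basename($_POST['module']);
    } elseif (isset($_GET['module']) && is_string($_GET['module'])) {
        $module = basename($_GET['module']);
    }
    $url = phorum_admin_build_url('module=' . urlencode($module));
    phorum_api_redirect($url);
}

// Data for the confirmation form. Everything that ends up in HTML is
// escaped here, so the template below only echoes pre-escaped values.
$targetargs  = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
$target_html = htmlspecialchars(phorum_admin_build_url($targetargs), ENT_QUOTES);
$targs_html  = htmlspecialchars($targetargs, ENT_QUOTES);
$post_url    = htmlspecialchars(phorum_admin_build_url(), ENT_QUOTES);
$token_html  = htmlspecialchars(
    isset($PHORUM["user"]['settings_data']['admin_token'])
    ? (string) $PHORUM["user"]['settings_data']['admin_token'] : '',
    ENT_QUOTES
);
?>
You are accessing the admin after a security timeout.<br /><br />
The requested URL was:
<pre><?php echo $target_html;?></pre><br />
<strong>Please make sure that you really want to access this URL and weren't tricked to go to the admin.</strong><br />
Please click on <strong>continue</strong> to go to this URL or on <strong>cancel</strong> to go to the forum homepage.
<br /><br />
<form action="<?php echo $post_url;?>" method="POST">
<input type="hidden" name="module" value="tokenmissing" />
<input type="hidden" name="phorum_admin_token" value="<?php echo $token_html;?>" />
<input type="hidden" name="target" value="<?php echo $targs_html;?>" />
<input type="submit" name="cancel" value="cancel" />
<input type="submit" name="continue" value="continue" />
</form>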