Enano CMS (1.1.x): comparison includes/sessions.php

equal deleted inserted replaced

-:aead4e1ce5df
+:30d8bb88572d
 $db->_die('The error seems to have occurred somewhere in the session management code.');
 }
 return $result;
 }
+/**
+* Returns true if we're currently on a page that shouldn't be blocked even if we have an inactive or banned account
+* @param bool strict - if true, whitelist of pages is even stricter (Login, Logout and CSS only). if false (default), admin access is allowed, assuming other factors allow it
+* @return bool
+*/
+function on_critical_page($strict = false)
+{
+global $title;
+list($page_id, $namespace) = RenderMan::strToPageID($title);
+list($page_id) = explode('/', $page_id);
+if ( $strict )
+{
+return $namespace == 'Special' && in_array($page_id, array('CSS', 'Login', 'Logout'));
+}
+else
+{
+return $namespace == 'Admin' || ($namespace == 'Special' && in_array($page_id, array('CSS', 'Login', 'Logout', 'Administration')));
+}
+}
 # Session restoration and permissions
 /**
 * Initializes the basic state of things, including most user prefs, login data, cookie stuff
 */
 {
 $userdata = $this->validate_session($_COOKIE['sid']);
 }
 if ( is_array($userdata) )
 {
-$data = RenderMan::strToPageID($paths->get_pageid_from_url());
-if(!$this->compat && $userdata['account_active'] != 1 && $data[1] != 'Special' && $data[1] != 'Admin')
-{
-$this->show_inactive_error($userdata);
-}
 $this->sid = $_COOKIE['sid'];
 $this->user_logged_in = true;
 $this->user_id =       intval($userdata['user_id']);
 $this->username =      $userdata['username'];
 $this->user_level =    intval($userdata['user_level']);
 }
 // make sure we aren't banned
 $this->check_banlist();
+// make sure the account is active
+if ( !$this->compat && $this->user_logged_in && $userdata['account_active'] != 1 && !$this->on_critical_page() )
+{
+$this->show_inactive_error($userdata);
+}
 // Printable page view? Probably the wrong place to control
 // it but $template is pretty dumb, it will just about always
 // do what you ask it to do, which isn't always what we want
 if ( isset ( $_GET['printable'] ) )
 {
 function show_inactive_error($userdata)
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 global $lang;
+global $title;
+$paths->init($title);
 $language = intval(getConfig('default_language'));
 $lang = new Language($language);
 @setlocale(LC_ALL, $lang->lang_code);
 $a = getConfig('account_activation');
 <p><input type="submit" name="logout" value="' . $lang->get('user_login_noact_btn_log_out') . '" /></p>
 </form>';
 }
 }
-die_semicritical($lang->get('user_login_noact_title'), '<p>' . $lang->get('user_login_noact_msg_intro') . ' '.$solution.'</p>' . $form);
+global $output;
+$output = new Output_HTML();
+$output->set_title($lang->get('user_login_noact_title'));
+die_friendly($lang->get('user_login_noact_title'), '<p>' . $lang->get('user_login_noact_msg_intro') . ' '.$solution.'</p>' . $form);
 }
 /**
 * Appends the high-privilege session key to the URL if we are authorized to do high-privilege stuff
 * @param string $url The URL to add session data to
 function check_banlist()
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 global $lang;
-$col_reason = ( $this->compat ) ? '"No reason entered (session manager is in compatibility mode)" AS reason' : 'reason';
+$col_reason = ( $this->compat ) ? '\'No reason available (session manager is in compatibility mode)\' AS reason' : 'reason';
+$remote_addr = ( strstr($_SERVER['REMOTE_ADDR'], ':') ) ? expand_ipv6_address($_SERVER['REMOTE_ADDR']) : $_SERVER['REMOTE_ADDR'];
 $banned = false;
 if ( $this->user_logged_in )
 {
 // check by IP, email, and username
 if ( ENANO_DBLAYER == 'MYSQL' )
 $regexp = parse_ip_range_regex($ban_value);
 if ( !$regexp )
 {
 continue;
 }
-if ( preg_match("/$regexp/", $_SERVER['REMOTE_ADDR']) )
+if ( preg_match("/$regexp/", $remote_addr) )
 {
 $reason = $reason_temp;
 $banned = true;
 }
 }
 if ( $ban_type == BAN_IP && $is_regex != 1 )
 {
 // check range
 $regexp = parse_ip_range_regex($ban_value);
 if ( !$regexp )
+{
+die("bad regexp for $ban_value");
 continue;
-if ( preg_match("/$regexp/", $_SERVER['REMOTE_ADDR']) )
+}
+if ( preg_match("/$regexp/", $remote_addr) )
 {
 $reason = $reason_temp;
 $banned = true;
 }
 }
 }
 }
 }
 $db->free_result();
 }
-if ( $banned && $paths->get_pageid_from_url() != $paths->nslist['Special'].'CSS' )
+if ( $banned && !$this->on_critical_page(true) )
 {
 // This guy is banned - kill the session, kill the database connection, bail out, and be pretty about it
 die_semicritical($lang->get('user_ban_msg_title'), '<p>' . $lang->get('user_ban_msg_body') . '</p><div class="error-box"><b>' . $lang->get('user_ban_lbl_reason') . '</b><br />' . $reason . '</div>');
 exit;
 }

changeset 1101	30d8bb88572d
parent 1089	16a1e8626dd9
child 1132	05fe0039d952