// Here you can change how much of an Admin CP IP address must match in a previous session for the user is validated (e.g. 3 means a.b.c need to match) define("ADMIN_IP_SEGMENTS", 0); define("ADMIN_IPV6_SEGMENTS", 0);
// Set cookie path to our admin dir temporarily, i.e. so that it affects the ACP only $loc = get_current_location('', '', true); $mybb->settings['cookiepath'] = substr($loc, 0, strrpos($loc, "/{$config['admin_dir']}/"))."/{$config['admin_dir']}/";
// Do we have the token? If so let's process it if($mybb->input['token'] && $user['uid']) { $query = $db->simple_select("awaitingactivation", "COUNT(aid) AS num", "uid='".(int)$user['uid']."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'");
$plugins->run_hooks("admin_unlock_end");
// If we're good to go if($db->fetch_field($query, "num") > 0) { $db->delete_query("awaitingactivation", "uid='".(int)$user['uid']."' AND code='".$db->escape_string($mybb->input['token'])."' AND type='l'"); $db->update_query("adminoptions", array('loginlockoutexpiry' => 0, 'loginattempts' => 0), "uid='".(int)$user['uid']."'");
// Have we attempted too many times? if($loginattempts !== false && $loginattempts['loginattempts'] > 0) { // Have we set an expiry yet? if($loginattempts['loginlockoutexpiry'] == 0) { $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='".(int)$login_user['uid']."'"); }
// Did we hit lockout for the first time? Send the unlock email to the administrator if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts']) { $db->delete_query("awaitingactivation", "uid='".(int)$login_user['uid']."' AND type='l'"); $lockout_array = array( "uid" => $login_user['uid'], "dateline" => TIME_NOW, "code" => random_str(), "type" => "l" ); $db->insert_query("awaitingactivation", $lockout_array);
// Create a new admin session for this user $admin_session = array( "sid" => $sid, "uid" => $mybb->user['uid'], "loginkey" => $mybb->user['loginkey'], "ip" => $db->escape_binary(my_inet_pton(get_ip())), "dateline" => TIME_NOW, "lastactive" => TIME_NOW, "data" => my_serialize(array()), "useragent" => $db->escape_string($useragent), "authenticated" => 0, ); $db->insert_query("adminsessions", $admin_session); $admin_session['data'] = array();
// Only reset the loginattempts when we're really logged in and the user doesn't need to enter a 2fa code $query = $db->simple_select("adminoptions", "authsecret", "uid='{$mybb->user['uid']}'"); $admin_options = $db->fetch_array($query); if(empty($admin_options['authsecret'])) { $db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='{$mybb->user['uid']}'"); }
// Have we attempted too many times? if($loginattempts !== false && $loginattempts['loginattempts'] > 0) { // Have we set an expiry yet? if($loginattempts['loginlockoutexpiry'] == 0) { $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='".(int)$login_user['uid']."'"); }
$plugins->run_hooks("admin_login_lockout");
// Did we hit lockout for the first time? Send the unlock email to the administrator if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts']) { $db->delete_query("awaitingactivation", "uid='".(int)$login_user['uid']."' AND type='l'"); $lockout_array = array( "uid" => $login_user['uid'], "dateline" => TIME_NOW, "code" => random_str(), "type" => "l" ); $db->insert_query("awaitingactivation", $lockout_array);
// Update the session information in the DB if($admin_session['sid']) { $db->update_query("adminsessions", array('lastactive' => TIME_NOW, 'ip' => $db->escape_binary(my_inet_pton(get_ip()))), "sid='".$db->escape_string($admin_session['sid'])."'"); }
// Include the layout generation class overrides for this style if(file_exists(MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php")) { require_once MYBB_ADMIN_DIR."/styles/{$cp_style}/style.php"; }
// Check if any of the layout generation classes we can override exist in the style file $classes = array( "Page" => "DefaultPage", "SidebarItem" => "DefaultSidebarItem", "PopupMenu" => "DefaultPopupMenu", "Table" => "DefaultTable", "Form" => "DefaultForm", "FormContainer" => "DefaultFormContainer" ); foreach($classes as $style_name => $default_name) { // Style does not have this layout generation class, create it if(!class_exists($style_name)) { eval("class {$style_name} extends {$default_name} { }"); } }
$page = new Page; $page->style = $cp_style;
// Do not have a valid Admin user, throw back to login page. if(!isset($mybb->user['uid']) || $logged_out == true) { if($logged_out == true) { $page->show_login($lang->success_logged_out); } elseif($fail_check == 1) { $page->show_login($login_lang_string, "error"); } else { // If we have this error while retreiving it from an AJAX request, then send back a nice error if(isset($mybb->input['ajax']) && $mybb->input['ajax'] == 1) { echo json_encode(array("errors" => array("login"))); exit; } $page->show_login($login_message, "error"); } }
// Time to check for Two-Factor Authentication // First: are we trying to verify a code? if($mybb->input['do'] == "do_2fa" && $mybb->request_method == "post") { // Test whether it's a recovery code $recovery = false; $codes = my_unserialize($admin_options['recovery_codes']); if(!empty($codes) && in_array($mybb->get_input('code'), $codes)) { $recovery = true; $ncodes = array_diff($codes, array($mybb->input['code'])); // Removes our current code from the codes array $db->update_query("adminoptions", array("recovery_codes" => $db->escape_string(my_serialize($ncodes))), "uid='{$mybb->user['uid']}'");
// Either the code was okay or it was a recovery code if($test === true || $recovery === true) { // Correct code -> session authenticated $db->update_query("adminsessions", array("authenticated" => 1), "sid='".$db->escape_string($mybb->cookies['adminsid'])."'"); $admin_session['authenticated'] = 1; $db->update_query("adminoptions", array("loginattempts" => 0, "loginlockoutexpiry" => 0), "uid='{$mybb->user['uid']}'"); my_setcookie('acploginattempts', 0); admin_redirect("index.php"); } else { // Wrong code -> close session (aka logout) $db->delete_query("adminsessions", "sid='".$db->escape_string($mybb->cookies['adminsid'])."'"); my_unsetcookie('adminsid');
// Now test whether we need to lock this guy completly $db->update_query("adminoptions", array("loginattempts" => "loginattempts+1"), "uid='{$mybb->user['uid']}'", '', true);
// Have we attempted too many times? if($loginattempts !== false && $loginattempts['loginattempts'] > 0) { // Have we set an expiry yet? if($loginattempts['loginlockoutexpiry'] == 0) { $db->update_query("adminoptions", array("loginlockoutexpiry" => TIME_NOW+((int)$mybb->settings['loginattemptstimeout']*60)), "uid='{$mybb->user['uid']}'"); }
// Did we hit lockout for the first time? Send the unlock email to the administrator if($loginattempts['loginattempts'] == $mybb->settings['maxloginattempts']) { $db->delete_query("awaitingactivation", "uid='{$mybb->user['uid']}' AND type='l'"); $lockout_array = array( "uid" => $mybb->user['uid'], "dateline" => TIME_NOW, "code" => random_str(), "type" => "l" ); $db->insert_query("awaitingactivation", $lockout_array);
// Only POST actions with a valid post code can modify information. Here we check if the incoming request is a POST and if that key is valid. $post_check_ignores = array( "example/page" => array("action") ); // An array of modules/actions to ignore POST checks for.
if($post_verify == true) { // If the post key does not match we switch the action to GET and set a message to show the user if(!verify_post_check($mybb->get_input('my_post_key'), true)) { $mybb->request_method = "get"; $page->show_post_verify_error = true; } } }