Support setting management panel key to improve security
Resolves #144.
This commit is contained in:
parent
963c946eda
commit
c50c797234
12
imgboard.php
12
imgboard.php
|
|
@ -585,6 +585,13 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
|
|||
$isadmin = false;
|
||||
$returnlink = basename($_SERVER['PHP_SELF']);
|
||||
|
||||
if (isset($_GET["logout"])) {
|
||||
$_SESSION['tinyib'] = '';
|
||||
$_SESSION['tinyib_key'] = '';
|
||||
session_destroy();
|
||||
die('--> --> --><meta http-equiv="refresh" content="0;url=imgboard.php">');
|
||||
}
|
||||
|
||||
list($loggedin, $isadmin) = manageCheckLogIn();
|
||||
|
||||
if ($loggedin) {
|
||||
|
|
@ -805,11 +812,8 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
|
|||
} elseif (isset($_GET["rawpost"])) {
|
||||
$onload = manageOnLoad("rawpost");
|
||||
$text .= buildPostForm(0, true);
|
||||
} elseif (isset($_GET["logout"])) {
|
||||
$_SESSION['tinyib'] = '';
|
||||
session_destroy();
|
||||
die('--> --> --><meta http-equiv="refresh" content="0;url=' . $returnlink . '?manage">');
|
||||
}
|
||||
|
||||
if ($text == '') {
|
||||
$text = manageStatus();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,6 +13,9 @@ define('TINYIB_WORDBREAK_IDENTIFIER', '@!@TINYIB_WORDBREAK@!@');
|
|||
if (!defined('TINYIB_LOCALE')) {
|
||||
define('TINYIB_LOCALE', '');
|
||||
}
|
||||
if (!defined('TINYIB_MANAGEKEY')) {
|
||||
define('TINYIB_MANAGEKEY', '');
|
||||
}
|
||||
if (!defined('TINYIB_INDEX')) {
|
||||
define('TINYIB_INDEX', 'index.html');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -336,6 +336,17 @@ function checkMessageSize() {
|
|||
}
|
||||
|
||||
function manageCheckLogIn() {
|
||||
$key = (isset($_GET['manage']) && $_GET['manage'] != '') ? hashData($_GET['manage']) : '';
|
||||
if ($key == '' && isset($_SESSION['tinyib_key'])) {
|
||||
$key = $_SESSION['tinyib_key'];
|
||||
}
|
||||
if (TINYIB_MANAGEKEY != '' && $key !== hashData(TINYIB_MANAGEKEY)) {
|
||||
$_SESSION['tinyib'] = '';
|
||||
$_SESSION['tinyib_key'] = '';
|
||||
session_destroy();
|
||||
fancyDie(__('Invalid key.'));
|
||||
}
|
||||
|
||||
$loggedin = false;
|
||||
$isadmin = false;
|
||||
if (isset($_POST['managepassword'])) {
|
||||
|
|
@ -343,8 +354,10 @@ function manageCheckLogIn() {
|
|||
|
||||
if ($_POST['managepassword'] === TINYIB_ADMINPASS) {
|
||||
$_SESSION['tinyib'] = hashData(TINYIB_ADMINPASS);
|
||||
$_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);
|
||||
} elseif (TINYIB_MODPASS != '' && $_POST['managepassword'] === TINYIB_MODPASS) {
|
||||
$_SESSION['tinyib'] = hashData(TINYIB_MODPASS);
|
||||
$_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);
|
||||
} else {
|
||||
fancyDie(__('Invalid password.'));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -542,7 +542,7 @@ EOF;
|
|||
|
||||
function buildPage($htmlposts, $parent, $pages = 0, $thispage = 0, $lastpostid = 0) {
|
||||
$cataloglink = TINYIB_CATALOG ? ('[<a href="catalog.html" style="text-decoration: underline;">' . __('Catalog') . '</a>]') : '';
|
||||
$managelink = basename($_SERVER['PHP_SELF']) . "?manage";
|
||||
$managelink = (TINYIB_MANAGEKEY == '') ? ('[<a href="' . basename($_SERVER['PHP_SELF']) . '?manage"" style="text-decoration: underline;">' . __('Manage') . '</a>]') : '';
|
||||
|
||||
$postingmode = "";
|
||||
$pagenavigator = "";
|
||||
|
|
@ -603,7 +603,6 @@ EOF;
|
|||
$js_autorefresh = '<script type="text/javascript">var autoRefreshDelay = ' . TINYIB_AUTOREFRESH . ';var autoRefreshThreadID = ' . $parent . ';var autoRefreshPostID = ' . $lastpostid . ';</script>';
|
||||
}
|
||||
|
||||
$txt_manage = __('Manage');
|
||||
$txt_style = __('Style');
|
||||
$txt_password = __('Password');
|
||||
$txt_delete = __('Delete');
|
||||
|
|
@ -612,7 +611,7 @@ EOF;
|
|||
<body>
|
||||
<div class="adminbar">
|
||||
$cataloglink
|
||||
[<a href="$managelink" style="text-decoration: underline;">$txt_manage</a>]
|
||||
$managelink
|
||||
<select id="switchStylesheet"><option value="">$txt_style</option><option value="futaba">Futaba</option><option value="burichan">Burichan</option></select>
|
||||
</div>
|
||||
<div class="logo">
|
||||
|
|
@ -848,8 +847,9 @@ function manageLogInForm() {
|
|||
<input type="text" name="captcha" id="captcha" size="6" accesskey="c" autocomplete="off"> ' . __('(enter the text below)') . '<br>
|
||||
<img id="captchaimage" src="inc/captcha.php" width="175" height="55" alt="CAPTCHA" onclick="javascript:reloadCAPTCHA()" style="margin-top: 5px;cursor: pointer;"><br><br>';
|
||||
}
|
||||
$managekey = htmlentities($_GET['manage'], ENT_QUOTES);
|
||||
return <<<EOF
|
||||
<form id="tinyib" name="tinyib" method="post" action="?manage">
|
||||
<form id="tinyib" name="tinyib" method="post" action="?manage=$managekey">
|
||||
<fieldset>
|
||||
<legend align="center">$txt_login_prompt</legend>
|
||||
<div class="login">
|
||||
|
|
|
|||
|
|
@ -18,6 +18,9 @@ click Rebuild All in the management panel.
|
|||
// Internationalization
|
||||
define('TINYIB_LOCALE', ''); // Locale (see README for instructions)
|
||||
|
||||
// Management panel
|
||||
define('TINYIB_MANAGEKEY', ''); // When set, the [Manage] link is hidden and the management panel may only be accessed via imgboard.php?manage=TINYIB_MANAGEKEY ['' to disable]
|
||||
|
||||
// Administrator/moderator credentials
|
||||
define('TINYIB_ADMINPASS', ''); // Administrators have full access to the board
|
||||
define('TINYIB_MODPASS', ''); // Moderators only have access to delete (and moderate if TINYIB_REQMOD is set) posts ['' to disable]
|
||||
|
|
|
|||
Loading…
Reference in New Issue