Enano CMS (1.1.x): comparison plugins/admin/UserManager.php

equal deleted inserted replaced

-:b25d34fbc7ab
+:e0787bb6285b
 'job' => $occupation,
 'hobbies' => $hobbies
 );
 $form->email_public = ( isset($_POST['email_public']) );
 $form->account_active = ( isset($_POST['account_active']) );
+// This is SAFE. The smartform calls is_valid_ip() on this value, thus preventing XSS
+// attempts from making it into the form HTML. Badly coded templates may still be
+// affected, but if have_reg_ip is checked for, then you're fine.
+$form->reg_ip_addr = $_POST['user_registration_ip'];
 echo $form->render();
 return false;
 }
 #
 else
 {
 echo 'No username provided';
 return false;
 }
-$q = $db->sql_query('SELECT u.user_id AS authoritative_uid, u.username, u.email, u.real_name, u.signature, u.account_active, u.user_level, u.user_has_avatar, u.avatar_type, x.* FROM '.table_prefix.'users AS u
+$q = $db->sql_query('SELECT u.user_id AS authoritative_uid, u.username, u.email, u.real_name, u.signature, u.account_active, u.user_level, u.user_has_avatar, u.avatar_type, u.user_registration_ip, x.* FROM '.table_prefix.'users AS u
 LEFT JOIN '.table_prefix.'users_extra AS x
 ON ( u.user_id = x.user_id OR x.user_id IS NULL )
 WHERE ( ' . ENANO_SQLFUNC_LOWERCASE . '(u.username) = \'' . $db->escape(strtolower($username)) . '\' OR u.username = \'' . $db->escape($username) . '\' ) AND u.user_id != 1;');
 if ( !$q )
 $db->_die();
 'location' => $row['user_location'],
 'job'      => $row['user_job'],
 'hobbies'  => $row['user_hobbies'],
 );
 $form->email_public = ( $row['email_public'] == 1 );
+$form->reg_ip_addr = ( $row['user_registration_ip'] ) ? $row['user_registration_ip'] : '';
 $html = $form->render();
 if ( !$html )
 {
 echo 'Internal error: form processor returned false';
 }
 */
 var $avi_type = 'png';
 /**
+* The IP address of the user during registration
+* @var string
+*/
+var $reg_ip_addr = '';
+/**
 * Constructor.
 */
 function Admin_UserManager_SmartForm()
 {
 <option value="{USER_LEVEL_ADMIN}"<!-- BEGIN ul_admin --> selected="selected"<!-- END ul_admin -->>{lang:userfuncs_ml_level_admin}</option>
 </select>
 </td>
 </tr>
+<!-- BEGIN have_reg_ip -->
+<tr>
+<td class="row2">
+{lang:acpum_field_reg_ip}
+</td>
+<td class="row1">
+{REG_IP_ADDR}
+<input type="hidden" name="user_registration_ip" value="{REG_IP_ADDR}" />
+</td>
+</tr>
+<!-- BEGINELSE have_reg_ip -->
+<input type="hidden" name="user_registration_ip" value="" />
+<!-- END have_reg_ip -->
 <tr>
 <td class="row2">
 {lang:acpum_field_deleteaccount_title}
 </td>
 <td class="row1">
 'IM_XMPP' => $im_xmpp,
 'HOMEPAGE' => $homepage,
 'LOCATION' => $location,
 'JOB' => $job,
 'HOBBIES' => $hobbies,
-'FORM_ACTION' => $form_action
+'FORM_ACTION' => $form_action,
+'REG_IP_ADDR' => $this->reg_ip_addr
 ));
 if ( $this->has_avatar )
 {
 $parser->assign_vars(array(
 'ul_mod' => ( $this->user_level == USER_LEVEL_MOD ),
 'ul_admin' => ( $this->user_level == USER_LEVEL_ADMIN ),
 'account_active' => ( $this->account_active === true ),
 'email_public' => ( $this->email_public === true ),
 'same_user' => ( $this->user_id == $session->user_id ),
-'user_has_avatar' => ( $this->has_avatar )
+'user_has_avatar' => ( $this->has_avatar ),
+'have_reg_ip' => ( intval(@strlen($this->reg_ip_addr)) > 0 && is_valid_ip($this->reg_ip_addr) )
 ));
 $parsed = $parser->run();
 return $parsed;
 }

changeset 359	e0787bb6285b
parent 345	4ccdfeee9a11
child 362	02d315d1cc58