My site contains pages other than the MyBB forum pages, and I need to create a restricted page for admins for handling certain tasks on one of those pages. What I'm looking for is the code MyBB uses to make SQL queries to verify passwords for users, since I don't know how MyBB stores user/password data in the forum_users table.
Anyone know what file that code would be in (or if it can be simply pasted here)?
Log ins are handled in the following manner:
$hashedpassword = md5(md5($password) . $salt);
A query you could run would be this:
$query = $db->query("SELECT password, salt FROM " . TABLE_PREFIX . "users WHERE username='" . $db->escape_string($mybb->input['username']) . "'");
Also, if you are including global.php you can actually use:
if($mybb->usergroup['cancp'])
{
// Admin
}
Huh...I thought MyBB would be using something other than MD5. Does it still use the old mysql_ PHP as well?
I just thought of something else right now...If you are already logged in via MyBB, then that means that it has set a session. I think that would be a better alternative, and much simpler to create a simple if(isset) on the session to allow access to the page, right? If so, what would the session variable be?
(2014-05-21, 05:43 PM)hiig Wrote: [ -> ]Huh...I thought MyBB would be using something other than MD5. Does it still use the old mysql_ PHP as well?
I just thought of something else right now...If you are already logged in via MyBB, then that means that it has set a session. I think that would be a better alternative, and much simpler to create a simple if(isset) on the session to allow access to the page, right? If so, what would the session variable be?
The function it uses depends on what type you have your database listed as in the /inc/config.php file.
$mybb is a global variable. You can access any information about a user with $mybb->user['fieldname']. You can access permissions a user has based on the usergroups they are in with $mybb->usergroup['permission'].
To check if a person has a valid session you can do
if(!$mybb->user['uid'])
{
// Guest
}
else
{
// Member
}
Alrighty, I'll play around with that and make a quick page to see if it works. Cheers.
Okay, that was a quick failure. I'm getting:
Quote:Direct initialization of this file is not allowed.
Please make sure IN_MYBB is defined.
...when I added this:
require "forums/global.php";
Guess I'm supposed to include another file instead.
EDIT: Did a search around the forums and saw someone do:
define('IN_MYBB', 1);
Except now that I get to my if statement, I still can't get through:
if(!$mybb->user['1']||!$mybb->user['2']){
echo "You are not logged in, or otherwise authorised to view this page.";
I assume that's how I'm supposed to be using the user array. That is, I select the ID of the users I want to authorise from the database table, and type the number in as shown above.
Are you accessing the php file/plugin directly? If so that would be the case.
Yeah, just edited that after searching on the forums for a potential solution. It's probably still incorrect, since I still have problems, so what else am I supposed to do?
Your file should look something like this:
<?php
define("IN_MYBB", 1);
$templatelist = ""; /* Any templates you want to add go here. */
require_once "forums/global.php";
if($mybb->user['uid']==0) // prevent guests from viewing
{
error_no_permission();
}
if($mybb->usergroup['cancp']!=1) // Only admins can view this.
{
error_no_permission();
}
// Anything here only executes if the user is an admin.
?>
I managed to figure out that I had to actually type ['uid'], and that you didn't use that as a placeholder for the actual ID number. Also that I messed up horribly with the if statement. That was embarrassing, actually!
Good idea to use the cancp bit, so I'll include that. Thanks for your help!
Okay, turns out it didn't work. Before your reply, I had it coded so that if the uid was not equal to 1 or 2 (the two admins' user IDs), it would show an error message, else it would show the content. Problem is, this let anyone see the page, admin or not.
Now, I'm doing it your way (modified to compact the code a bit):
<?php
define('IN_MYBB',1);
require_once "forums/global.php";
if($mybb->user['uid']==0||$mybb->usergroup['cancp']!=1){
echo "Error: You are not logged in, or otherwise authorised to view this page.";
}else{?>
/*Page code goes here*/
<?php }
?>
Now it's not letting anyone access the page, admin or not.
There must be a problem with the $mybb variable. That's the only thing I can think of.