In global.php
if($mybb->usergroup['canview'] != 1)
{
// Check pages allowable even when not allowed to view board
$allowable_actions = array(
"member.php" => array(
"register",
"do_register",
"login",
"do_login",
"logout",
"lostpw",
"do_lostpw",
"activate",
"resendactivation",
"do_resendactivation",
"resetpassword"
),
"usercp2.php" => array(
"removesubscription",
"removesubscriptions"
),
);
if(!($current_page == "member.php" && in_array($mybb->input['action'], $allowable_actions['member.php'])) && !($current_page == "usercp2.php" && in_array($mybb->input['action'], $allowable_actions['usercp2.php'])) && $current_page != "captcha.php")
{
error_no_permission();
}
unset($allowable_actions);
}
Should IMO be changed to something like this:
if($mybb->usergroup['canview'] != 1)
{
$can_perform_action = FALSE;
// Check pages allowable even when not allowed to view board
$allowable_actions = array(
"member.php" => array(
"register",
"do_register",
"login",
"do_login",
"logout",
"lostpw",
"do_lostpw",
"activate",
"resendactivation",
"do_resendactivation",
"resetpassword"
),
"usercp2.php" => array(
"removesubscription",
"removesubscriptions"
),
);
$can_perform_action = $plugins->run_hooks("global_no_permissions", $can_perform_action);
if(!($current_page == "member.php" && in_array($mybb->input['action'], $allowable_actions['member.php'])) && !($current_page == "usercp2.php" && in_array($mybb->input['action'], $allowable_actions['usercp2.php'])) && $current_page != "captcha.php" && $can_perform_action == FALSE)
{
error_no_permission();
}
unset($allowable_actions);
}
Allowing people to make plugins that will let... oh say banned users access PMs without a core file edit.
(2010-07-15, 03:16 PM)ralgith Wrote: [ -> ]Allowing people to make plugins that will let... oh say banned users access PMs without a core file edit.
You don't have to edit a core file to achieve that in a plugin. Simply hook into no_permission (found in the error_no_permission) and check against your own array of allowed pages/actions. If it action performed isn't in your array, return false - then they still see the no permission error.
I didn't see it being able to work that way, there's no check for true in that function.
function error_no_permission()
{
global $mybb, $theme, $templates, $db, $lang, $plugins, $session;
$time = TIME_NOW;
$plugins->run_hooks("no_permission");
$noperm_array = array (
"nopermission" => '1',
"location1" => 0,
"location2" => 0
);
$db->update_query("sessions", $noperm_array, "sid='{$session->sid}'", 1);
$url = htmlspecialchars_uni($_SERVER['REQUEST_URI']);
if($mybb->input['ajax'])
{
// Send our headers.
header("Content-type: text/html; charset={$lang->settings['charset']}");
echo "<error>{$lang->error_nopermission_user_ajax}</error>\n";
exit;
}
if($mybb->user['uid'])
{
$lang->error_nopermission_user_5 = $lang->sprintf($lang->error_nopermission_user_5, $mybb->user['username']);
eval("\$errorpage = \"".$templates->get("error_nopermission_loggedin")."\";");
}
else
{
eval("\$errorpage = \"".$templates->get("error_nopermission")."\";");
}
error($errorpage);
}
Not a single check for anything done by a plugin that hooks there that I can see. Essentially a wasted hook. Besides, that was just ONE example of things that could be done with my suggested hook. Though, now that I think more about it... if that hook in error_no_permission actually did something for you, everything that could be done with my suggested hook could be done with that as well. Maybe I'm just missing something here, but I really don't see anything being done via that hook.
Easy.
$plugins->add_hook("no_permission", "test_check_banned");
function test_check_banned()
{
global $mybb;
$allowed_pages = array();
$allowed_actions = array();
if($mybb->usergroup['isbannedgroup'] == 1 && in_array(THIS_SCRIPT, $allowed_pages) && in_array($mybb->input['action'], $allowed_actions)
{
// User is in a banned group, but is doing something allowed
run_a_function_that_you_want();
}
}
But looking back at what you first said though, you're wanting to perform standard MyBB actions. In that case, wouldn't hooking into a *_start plugin, and if the page and action matches your allowed actions, set their usergroup to normal registered users?
$plugins->add_hook("global_start", "test_check_banned");
function test_check_banned()
{
global $mybb;
$allowed_pages = array();
$allowed_actions = array();
if($mybb->usergroup['isbannedgroup'] == 1 && in_array(THIS_SCRIPT, $allowed_pages) && in_array($mybb->input['action'], $allowed_actions)
{
$mybb->user['usergroup'] = 2; // Normal registered user.
}
}
Just a thought. You can do pretty much whatever you want with the plugin system, it's just a toil finding out how to go about it.
Which is why the plugin hook you pointed out should actually allow some kind of return value to be used, for simple and fast...
I hadn't yet considered the convoluted way around of setting their usergroup as something it isn't to fool the system. But I don't like that, seems to be that its too open for abuse to me.
I complained about this before and I think there are changes to 1.6x.
Yes here is new code I believe.
if($mybb->usergroup['canview'] != 1)
{
// Check pages allowable even when not allowed to view board
if(defined("ALLOWABLE_PAGE"))
{
if(is_string(ALLOWABLE_PAGE))
{
$allowable_actions = explode(',', ALLOWABLE_PAGE);
if(!in_array($mybb->input['action'], $allowable_actions))
{
error_no_permission();
}
unset($allowable_actions);
}
else if(ALLOWABLE_PAGE !== 1)
{
error_no_permission();
}
}
else
{
error_no_permission();
}
}
Basically adding an "ALLOWABLE" to be defined. Not sure how this will change what you're doing but at least you know for 1.6x it's altered. Sometimes MyBB team actually listens to us.
Yeah, nice.
I think they listen a lot actually, and just don't always tell use when things are getting done
Nor do they always do them exactly as you or I would, we all have different styles. But yeah, that works. I'll let my client know that for now she'll have to do the edit on her core file for an easy and non-abusable way around it & do plugin for 1.6, or that I can do the convoluted plugin like Tomm suggested now for 1.4
(2010-07-15, 10:25 PM)labrocca Wrote: [ -> ]Quote:I think they listen a lot actually, and just don't always tell use when things are getting done
I was being cheeky.
Doh!! lol
I didn't catch it, too serious of a mood today. Everything seems to be going wrong.