Advertisement:

Author Topic: Email restriction code  (Read 17948 times)

Offline CA3LE

  • Semi-Newbie
  • *
  • Posts: 34
  • Gender: Male
  • CA3LE6UY!
    • testmy.net
Email restriction code
« on: March 14, 2005, 04:14:20 AM »
Okay, I recently had a new member spam my board they sent an email to almost all my members (I wonder how long it took them to populate the "to:" field... I have 4500 members, lol.

ANYWAY, I want to restrict new users to only be able to send messages to MOD's and ADMIN's ~~ I don't want to completely kill all their email and PM rights... here is what I've done...

EDIT --  Sources » InstantMessage.php

<search for>
Code: [Select]
global $txt, $sourcedir;
global $db_prefix, $ID_MEMBER, $scripturl, $modSettings, $context, $options;

isAllowedTo('pm_send');
</search for>

<replace>
Code: [Select]
global $txt, $sourcedir;
global $db_prefix, $ID_MEMBER, $scripturl, $modSettings, $context, $options;

if ($_REQUEST['u'] == '2') // 2 being the userID#of the ADMIN(s)
{
// nada!
}else{
isAllowedTo('pm_send'); // let's see if they're allowed!
}
</replace>

<search for>
Code: [Select]
global $txt, $ID_MEMBER, $context, $sourcedir;
global $db_prefix, $user_info, $modSettings, $scripturl;


isAllowedTo('pm_send');
</search for>

<replace>
Code: [Select]
global $txt, $ID_MEMBER, $context, $sourcedir;
global $db_prefix, $user_info, $modSettings, $scripturl;


// isAllowedTo('pm_send');
</replace>

Now the problem that this has is that #1: I only have myself listed there (I know I could enter the numbers of all my mods and admins.. yadi yadi -- but that isn't the best way of doing this) -- #2: this opens a security hole because "isAllowedTo('pm_send');" is commented out of the portion of "Sources » InstantMessage.php" where it's needed to validate if a user WAS allowed to have posted a message (if a user is allowed then it sends the email)... the first portion is to see if a user IS allowed (if a user is allowed then it shows the email form) 

I tried a few things... but for some reason it always gives me "You are not allowed to send personal messages. " error ~~ which is what I want..... but not when a message is sent to curtain people

The mod that I did works great but I know there is a better way to do this with-out opening that little security hole (my opinion it was a bigger hole to begin with - someone was able to send out hundreds of messages) - maybe something that limits the number of messages a new person can send in one hour or something.......

by the way, I also edited Sources » Subs-Auth.php so that if someone has insufficient permissions it will error them out if they try to search with the "Find Members" option of the PM page  (just in case someone if smart enough to open the PM page for one of the allowed members... then just populate with NON- allowed members)

Here is the mod for that

<search for>
Code: [Select]
function findMembers($names, $use_wildcards = false)
{
<search for>

</replace>
Code: [Select]
function findMembers($names, $use_wildcards = false)
{

isAllowedTo('pm_send');
</replace>

(does anyone understand what I mean... I tried to explain this easily, lol)  I know there was more I wanted to say... but this will start this thread.  ;)

COMMON UNKNOWN -- I know ya got the answer!   :P

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: Email restriction code
« Reply #1 on: March 14, 2005, 04:34:07 AM »
Well, how about this.  Find in Subs-Post.php:

Code: [Select]
// Make sure there are no duplicate 'to' members.
$recipients['to'] = array_unique($recipients['to']);

// Only 'bcc' members that aren't already in 'to'.
$recipients['bcc'] = array_diff(array_unique($recipients['bcc']), $recipients['to']);

Add after:

Code: [Select]
$admins = array(2);
foreach ($recipients['to'] as $v)
{
if (!in_array($v['id'] , $admins))
fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}
foreach ($recipients['bcc'] as $v)
{
if (!in_array($v['id'] , $admins))
fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}

Modify this line as desired:

$admins = array(2);

For example:

$admins = array(1, 2, 3, 4, 5);

-[Unknown]

Offline CA3LE

  • Semi-Newbie
  • *
  • Posts: 34
  • Gender: Male
  • CA3LE6UY!
    • testmy.net
Re: Email restriction code
« Reply #2 on: March 19, 2005, 02:38:48 PM »
Well, how about this.  Find in Subs-Post.php:

Code: [Select]
// Make sure there are no duplicate 'to' members.
$recipients['to'] = array_unique($recipients['to']);

// Only 'bcc' members that aren't already in 'to'.
$recipients['bcc'] = array_diff(array_unique($recipients['bcc']), $recipients['to']);

Add after:

Code: [Select]
$admins = array(2);
foreach ($recipients['to'] as $v)
{
if (!in_array($v['id'] , $admins))
fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}
foreach ($recipients['bcc'] as $v)
{
if (!in_array($v['id'] , $admins))
fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}

Modify this line as desired:

$admins = array(2);

For example:

$admins = array(1, 2, 3, 4, 5);

-[Unknown]

Do I have to set curtain permissions for the members I wish not to be able to send messages out??  With "Send personal messages" marked 'D' I get "You are not allowed to send personal messages."  With it marked 'A' of course it then works.. but those members are allowed to send messages to anyone, not just admins......

Offline CA3LE

  • Semi-Newbie
  • *
  • Posts: 34
  • Gender: Male
  • CA3LE6UY!
    • testmy.net
Re: Email restriction code
« Reply #3 on: March 19, 2005, 02:46:14 PM »
Noticed upon 'send' that it kicks in... but I wanted to only have this active for curtain members... not everyone.