Email restriction code

Started by CA3LE, March 14, 2005, 04:14:20 AM

CA3LE

Okay, I recently had a new member spam my board; they sent an email to almost all my members (I wonder how long it took them to populate the "to:" field... I have 4500 members, lol).

ANYWAY, I want to restrict new users to only be able to send messages to MODs and ADMINs ~~ I don't want to completely kill all their email and PM rights... here is what I've done...

EDIT --  Sources » InstantMessage.php

<search for>
global $txt, $sourcedir;
global $db_prefix, $ID_MEMBER, $scripturl, $modSettings, $context, $options;

isAllowedTo('pm_send');

</search for>

<replace>
global $txt, $sourcedir;
global $db_prefix, $ID_MEMBER, $scripturl, $modSettings, $context, $options;

if ($_REQUEST['u'] == '2') // 2 being the userID# of the ADMIN(s)
{
    // nada!
}
else
{
    isAllowedTo('pm_send'); // let's see if they're allowed!
}

</replace>

<search for>
global $txt, $ID_MEMBER, $context, $sourcedir;
global $db_prefix, $user_info, $modSettings, $scripturl;


isAllowedTo('pm_send');

</search for>

<replace>
global $txt, $ID_MEMBER, $context, $sourcedir;
global $db_prefix, $user_info, $modSettings, $scripturl;


// isAllowedTo('pm_send');

</replace>

Now the problem that this has is that #1: I only have myself listed there (I know I could enter the numbers of all my mods and admins.. yadi yadi -- but that isn't the best way of doing this) -- #2: this opens a security hole because "isAllowedTo('pm_send');" is commented out of the portion of "Sources » InstantMessage.php" where it's needed to validate if a user WAS allowed to have posted a message (if a user is allowed then it sends the email)... the first portion is to see if a user IS allowed (if a user is allowed then it shows the email form) 

I tried a few things... but for some reason it always gives me "You are not allowed to send personal messages. " error ~~ which is what I want..... but not when a message is sent to certain people

The mod that I did works great but I know there is a better way to do this without opening that little security hole (my opinion it was a bigger hole to begin with - someone was able to send out hundreds of messages) - maybe something that limits the number of messages a new person can send in one hour or something.......

By the way, I also edited Sources » Subs-Auth.php so that if someone has insufficient permissions it will error them out if they try to search with the "Find Members" option of the PM page (just in case someone is smart enough to open the PM page for one of the allowed members... then just populate with NON-allowed members)

Here is the mod for that

<search for>
function findMembers($names, $use_wildcards = false)
{

</search for>

<replace>
function findMembers($names, $use_wildcards = false)
{

isAllowedTo('pm_send');

</replace>

(does anyone understand what I mean... I tried to explain this easily, lol)  I know there was more I wanted to say... but this will start this thread.  ;)

COMMON UNKNOWN -- I know ya got the answer!   :P

[Unknown]

Well, how about this.  Find in Subs-Post.php:

// Make sure there are no duplicate 'to' members.
$recipients['to'] = array_unique($recipients['to']);

// Only 'bcc' members that aren't already in 'to'.
$recipients['bcc'] = array_diff(array_unique($recipients['bcc']), $recipients['to']);


Add after:

$admins = array(2);
foreach ($recipients['to'] as $v)
{
    if (!in_array($v['id'], $admins))
        fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}
foreach ($recipients['bcc'] as $v)
{
    if (!in_array($v['id'], $admins))
        fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}


Modify this line as desired:

$admins = array(2);

For example:

$admins = array(1, 2, 3, 4, 5);

-[Unknown]

CA3LE

Quote from: [Unknown] on March 14, 2005, 04:34:07 AM
Well, how about this.  Find in Subs-Post.php:

// Make sure there are no duplicate 'to' members.
$recipients['to'] = array_unique($recipients['to']);

// Only 'bcc' members that aren't already in 'to'.
$recipients['bcc'] = array_diff(array_unique($recipients['bcc']), $recipients['to']);


Add after:

$admins = array(2);
foreach ($recipients['to'] as $v)
{
    if (!in_array($v['id'], $admins))
        fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}
foreach ($recipients['bcc'] as $v)
{
    if (!in_array($v['id'], $admins))
        fatal_error('Sorry, you can only send pms to admins and moderators!', false);
}


Modify this line as desired:

$admins = array(2);

For example:

$admins = array(1, 2, 3, 4, 5);

-[Unknown]

Do I have to set certain permissions for the members I wish not to be able to send messages out??  With "Send personal messages" marked 'D' I get "You are not allowed to send personal messages."  With it marked 'A' of course it then works.. but those members are allowed to send messages to anyone, not just admins......

CA3LE

Noticed upon 'send' that it kicks in... but I wanted to only have this active for certain members... not everyone.
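
Added example (not part of the thread and not SMF's own code): a self-contained PHP 7.1+ function that applies the staff-only rule on the send path, to `to` and `bcc` alike, only for members in a restricted group, together with the hourly cap suggested in the first post. The constants, group IDs, function name and sample data are assumptions made for the illustration.

```php
<?php
// Added example, not SMF code. Every name and value here is hypothetical/constructed.
const STAFF_IDS         = [1, 2, 3]; // member IDs of admins and moderators
const RESTRICTED_GROUPS = [4];       // group ID given to new members
const HOURLY_CAP        = 5;         // recipients a restricted member may reach per hour

/**
 * Decide on the send path whether a PM may go out.
 * Returns null when allowed, otherwise a short reason code.
 */
function checkPmSend(array $senderGroups, array $recipients, array $sentTimes, int $now): ?string
{
    // Merge 'to' and 'bcc' so neither field can bypass the policy.
    // Non-numeric entries become 0, which is never a staff ID (fails closed).
    $ids = array_unique(array_map('intval',
        array_merge($recipients['to'] ?? [], $recipients['bcc'] ?? [])));
    if (!$ids)
        return 'no_recipients';

    // Members outside the restricted groups keep their normal PM rights.
    if (!array_intersect($senderGroups, RESTRICTED_GROUPS))
        return null;

    // Restricted members may only write to staff.
    if (array_diff($ids, STAFF_IDS))
        return 'recipient_not_staff';

    // Count recipients reached in the last hour; $sentTimes holds one
    // Unix timestamp per recipient already messaged by this sender.
    $recent = count(array_filter($sentTimes, function ($t) use ($now) {
        return $t > $now - 3600;
    }));
    if ($recent + count($ids) > HOURLY_CAP)
        return 'hourly_limit';

    return null;
}

// Constructed cases: [sender groups, recipients, earlier send times]
$now = 1110773660;
$cases = [
    'regular member, anyone' => [[0], ['to' => [10, 11], 'bcc' => []], []],
    'new member to admin'    => [[4], ['to' => [2], 'bcc' => []], []],
    'new member, bcc bypass' => [[4], ['to' => [2], 'bcc' => [10]], []],
    'new member, flooding'   => [[4], ['to' => [1], 'bcc' => []], array_fill(0, 5, $now - 60)],
];
foreach ($cases as $label => [$groups, $rcpt, $sent])
    echo $label, ': ', checkPmSend($groups, $rcpt, $sent, $now) ?? 'allowed', "\n";
```

Because the decision is made where the message is actually sent, hiding or showing the compose form stays a convenience rather than the control.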
