MODx and Vbulletin 3.8.x — peace, friendship, chewing gum

we build a house?


In our time of forum engine vbulletin is familiar to many. Someone uses it, someone quietly hates, and someone begging for his superiors finances to buy a license.
/ > And because of his fame support this engine has many CMS, but MODx I have no plugin/code snippet, and existing was enough cheese to use them.
Ladies and gentlemen, I beg to love and favor:
the Experiment was conducted at the MODx version 1.0.2 and vbulletin version 3.8.1

easy does it


First we need to prepare, and the first will be the file global.php forum.
I did this: copied it to global_modx.php (in.../forum/global_modx.php), opened for editing and deleted everything after 891 (remember, version 3.8.1) connection styles, etc., i.e. the last line in the file I have a function call verify_ip_ban();

Note: there were problems with the connection of global — he was logged out (die(); or exit();) in the middle of the script because some of their internal checks, so I advise you to do everything on a test version first.

Now, in the file index.php, the Holy of holies MODx'sa, insert this magic line of code:

$VBDIR = "../forum/"; //path to forum directory better full, not relative
$CURDIR = getcwd();
chdir($VBDIR);
require_once($VBDIR."global_modx.php");
chdir($CURDIR);

TA-da! Now MODx sees all the forum data! In any snippet, we can use (declaring it globally) standard object $vbulletin (with the command print_r($vbulletin); you can see all available fields, but there are VERY many, and most likely will only need print_r($vbulletin- > userinfo);).

Continue our research, Lord


Now we need to introduce the question of authorization on the website. Create the chunk forum_login_form, which will copy the standard login form with "rolls":

 
<!-- login form --> 
<form action="[+forumLink+]login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)"> 
<script type="text/javascript" src="[+forumLink+]clientscript/vbulletin_md5.js?v=381"></script> 
<table cellpadding="0" cellspacing="3" border="0"> 
<tr> 
<td><input type="text" value="Login" name="vb_login_username" id="navbar_username" accesskey="u" tabindex="101" onfocus="javascript: if (this.defaultValue == this.value) this.value = "; else if (this.value == ") this.value = this.defaultValue;" onblur="javascript: if (this.defaultValue == this.value) this.value = "; else if (this.value == ") this.value = this.defaultValue;" class="input" /></td> 
<td><input type="checkbox" name="cookieuser" value="1" tabindex="103" id="cb_cookieuser_navbar" accesskey="c" /></td> 
<td><label for="cb_cookieuser_navbar" > Remember?</label></td> 
</tr> 
<tr> 
<td><input type="password" value="Password" name="vb_login_password" id="navbar_password" tabindex="102" onfocus="javascript: if (this.defaultValue == this.value) this.value = "; else if (this.value == ") this.value = this.defaultValue;" onblur="javascript: if (this.defaultValue == this.value) this.value = "; else if (this.value == ") this.value = this.defaultValue;" class="input"/></td> 
<td></td> 
<td><input type="submit" class="button" value="Login" tabindex="104" title="Enter your username and password to login or click 'Register' to register." accesskey="s" /></td> 
</tr> 
</table> 
<input type="hidden" name="s" value="" /> 
<input type="hidden" name="securitytoken" value="guest" /> 
<input type="hidden" name="do" value="login" /> 
<input type="hidden" name="vb_login_md5password" /> 
<input type="hidden" name="vb_login_md5password_utf" /> 
</form> 
<!-- / login form -->

Note the [+forumLink+], the address will be inserted when the snippet call for easy control.
Note: in any case, this form is different for different styles, so cut it from your forum and paste this chunk.

Next, create the chunk forum_login_logged, displayed to logged-in users:
 
<strong>Hello <a href="[+profile+]" style="white-space:nowrap;">[+loginName+]</a>! </strong><br /> 
<a href="[+action+]" class="button">Out.</a>

Yep, made a view, now let's make a controller and create a snippet login, which later will replace the standard medicalschool WebLogin:
 
<?php 
global $vbulletin, $modx; 

$forumlink = (isset($forumlink)) ? $forumlink : 'http://PATH_TO_YOU_FORUM/'; //if not specified in the call parameter to the snippet address of the forum, take a standard 

if ($vbulletin- > userinfo['userid']==0) { //check whether the user is authorized 
//no? display the login form 
echo $modx- > parseChunk('forum_login_form', array('forumLink'=>$forumlink), '[+', '+]'); 
// do a check that the user is logged in on the website, but the forum - no. and if so, delete the session 
// todo: remove the session from the WEB user, without touching MANAGEMENT session 
if (!empty($_SESSION['webInternalKey'])) { 
session_destroy(); 
no(); 
} 
} 
else { //if the user is logged in on the forum - give information Modica 

//check that the user account on the website? 
$sql = "SELECT id FROM ".$modx- > getFullTableName("web_users")." WHERE id='".$vbulletin- > userinfo['userid']."'"; 
$rs = $modx->db->query($sql); 
$limit = $modx->db->getRecordCount($rs); 

if($limit==0) { 
// does not know modix this user 
// create 
$sql = "INSERT INTO ".$modx- > getFullTableName("web_users")." (id, username, password) 
VALUES(".$vbulletin- > userinfo['userid'].", '".$vbulletin- > userinfo['username']."', md5('empty'));"; 
$rs = $modx->db->query($sql); 

// save user attributes 
$sql = "INSERT INTO ".$modx- > getFullTableName("web_user_attributes")." (internalKey, fullname, email, zip, state, country) 
VALUES(".$vbulletin- > userinfo['userid'].", '".$vbulletin- > userinfo['username']."', '".$vbulletin- > userinfo['email']."', ", ", ");"; 
$rs = $modx->db->query($sql); 
$sql = "INSERT INTO ".$modx- > getFullTableName("web_groups")." (webgroup, webuser) 
VALUES(2, ".$vbulletin- > userinfo['userid'].");"; 
$rs = $modx->db->query($sql); 

$modx- > logEvent(998, 1, 'Created an account on the site.', 'Created an account on the site.', 'login snippet'); 
} 

if (!$modx- > userLoggedIn()) { //Now check if the user is not authorized 
//make the data of the forum in session Modica 
$_SESSION['webShortname'] = $vbulletin- > userinfo['username']; 
$_SESSION['webFullname'] = $vbulletin- > userinfo['username']; 
$_SESSION['webEmail'] = $vbulletin- > userinfo['email']; 
$_SESSION['webValidated'] = 1; 
$_SESSION['webInternalKey'] = $vbulletin- > userinfo['userid']; 
$_SESSION['webValid'] = base64_encode($vbulletin- > userinfo['password']); 
$_SESSION['webUser'] = base64_encode($vbulletin- > userinfo['username']); 
$_SESSION['webFailedlogins'] = 0; 
$_SESSION['webLastlogin'] = $vbulletin- > userinfo['lastactivity']; 
$_SESSION['webnrlogins'] = 0; 
$_SESSION['usertype'] = 'web'; 
$_SESSION['webUserGroupNames'] = "; // reset user group names 

// roughly check which groups of documents the user has access, 
// if these are changed already authenticated user, the latter will have to "reconnect" 
$dg="; 
$i=0; 
$tblug = $modx- > getFullTableName("web_groups"); 
$tbluga = $modx- > getFullTableName("webgroup_access"); 
$sql = "SELECT uga.documentgroup 
FROM $tblug ug 
INNER JOIN $tbluga uga ON uga.webgroup=ug.webgroup 
WHERE ug.webuser =".$vbulletin- > userinfo['userid']; 
$ds = $modx->db->query($sql); 
while ($row = $modx->db->getRow($ds,'num')) $dg[$i++]=$row[0]; 
$_SESSION['webDocgroups'] = $dg; 
} 
//parsim the form of "exit" 
echo $modx- > parseChunk('forum_login_logged', 
array('action' => $forumlink.'login.php?do=logout&logouthash='.$vbulletin- > userinfo['securitytoken'], 
'profile' => $forumlink.'usercp.php', 
'loginName' = > $vbulletin- > userinfo['username']), 
'[+', 
'+]' 
); 

//part of the recording user activity 
if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP"); 
else if(getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR"); 
else if(getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR"); 
else $ip = "UNKNOWN";$_SESSION['ip'] = $ip; 

$itemid = isset($_REQUEST['id']) ? $_REQUEST['id'] : 'NULL' ;$lasthittime = time();$a = 998; 

$sql = "REPLACE INTO ".$modx- > getFullTableName("active_users")." (internalKey, username, lasthit, action, id, ip) values(-".$_SESSION['webInternalKey'].", '".$_SESSION['webShortname']."', '".$lasthittime."', '".$a."', ".$itemid.", '$ip')"; 
$rs = $modx->db->query($sql); 
} 
?>

Code is fairly commented, should not be any issues; the queries were done separately (not via the db->select db->insert) out of habit and convenience for debugging.

further to complete euphoria


Having everything written above, we have:
the
    the
  • a Unified forum authorization — input and output
    • the
  • Access to the forum data on any page of the site
    • the
  • by logging on the website or on the forum authorization, would work everywhere (with a redirect to the page you're viewing back)
    • the
  • Creating users Ehpm, i.e., it also recognizes its users that allows you to restrict access to documents, etc.
    • the
  • Same user ID on the website/forum

    • Destroying session authorization if no auth on the forum



And to put the bun remained in the site's templates to prescribe the snippet call [[login]], and then will only enjoy the work done. One drawback of this approach is: while a user of the forum without going to the site to limit its access rights to the pages will be impossible, unless you create handles in the database of this user.
In contrast to the method of BanzaiTokyo on the basis of which began to develop and from which there is only the introduction index.php global file on the forum, you do not need to create a product and modules to it, to control the output from the forum and registration — everything happens automatically.

the July 28, 2010 UPD:
Programmers who used this solution on their websites! ATTENTION! Then allowed the vulnerability that allows you to perform blind-SQL:
$itemid = isset($_REQUEST['id'])? $_REQUEST['id']: 'NULL' ;$lasthittime = time();$a = 998;
$sql = "REPLACE INTO ".$modx- > getFullTableName("active_users")." (internalKey, username, lasthit, action, id, ip) values(-".$_SESSION['webInternalKey'].", '".$_SESSION['webShortname']."', '".$lasthittime."', '".$a."', ".$itemid.", '$ip')";
$rs = $modx->db->query($sql);

If you substitute a specific id in the subquery, you can perform the comparison operation and easy to brothersit any data. Unfortunately using this vulnerability and hacked me(( Decided to just:
$itemid = isset($_REQUEST['id'])? the (is_numeric($_REQUEST['id'])?$_REQUEST['id']:'NULL'): 'NULL' ;$lasthittime = time();$a = 998;
$sql = "REPLACE INTO ".$modx- > getFullTableName("active_users")." (internalKey, username, lasthit, action, id, ip) values(-".$_SESSION['webInternalKey'].", '".$_SESSION['webShortname']."', '".$lasthittime."', '".$a."', ".$itemid.", '$ip')";
$rs = $modx->db->query($sql);
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Integration of PostgreSQL with MS SQL Server for those who want faster and deeper

Изображение
Recently habré was already published integration PostgreSQL and MSSQL. But, items there is categorically not enough. Therefore, the objectives of this publication are the following: the the to broaden and deepen publicly available information about FDW for MSSQL-called tds_fdw to tell the difference in major versions and describe basic compatibility issues; the to talk about the possibilities of optimization of queries that use the foreign table; the to address the subject of caching external data in a materialized view; the to say a few words about the exotic ways to integrate PostgreSQL and MSSQL. the Installing and configuring TDS FDW The guys from PostgresPro already sufficiently said about this process, I will not repeat. Will leave a few links to the official PostgreSQL documentation and examples from tds_fdw: the the creating an extension (extension) in PG: off.dokumentacija ; the server: off.documentation , example of tds_fdw ; the creating
Далее...

Custom database queries in MODx Revolution

This topic will certainly be useful for those who have quite a lot of projects on MODx Revolution, as with the usual sites of business cards is enough and the standard working methods of a La $modx- > getObject() , $modx->getCollection() , etc., and these methods are inherently not just a job database, but also with the objects of MODx. When working with large projects methods a La $modx- > getCollection() for us is not the best solution for two reasons: 1. The overexpenditures. These methods are not just getting data from DB, but also create instance of the retrieved objects. In this case, getting information about 10000 documents, we get 10000 objects of modResource that it is not very cool. 2. The task is complicated by the count of records. In addition to the direct difficulties of counting even at the query level, even if you get 10 records of the same document (for example), MODx will return as a result only one object modResource. Although often that will su
Далее...

Parse URL in Zend Framework 2

Objective: the Have a method to disassemble the components of the string containing the URL. The string can contain both absolute and relative URLS and both these options should be correctly parsed. the And in the drain, let's say the "wrong" format absolute links without "http://". Further in the text links to the "wrong" format will be called partial absolute references . the Implement support for the "RF" domain. the Example: site.ru/page.php /page.php site.ru/page.php the scheme http the host site.ru site.ru the path page.php page.php page.php Implementation of paragraphs 1 and 2 of our problem In this we should help the class Zend\Uri\Http . He has we need methods parse($uri) , getHost() , getPath() , etc. But! When we parse the URL and type " site.ru/page.php " (without the " http:// ") getHost() will return an empty string and getPath()
Далее...