Merge pull request #190 from kongrui05/security-patch

An IMPORTANT security patch 重要安全补丁
This commit is contained in:
xiaomlove
2023-05-07 16:17:45 +08:00
committed by GitHub
2 changed files with 155 additions and 150 deletions
+1 -1
@@ -1088,7 +1088,7 @@ function user_can($permission, $fail = false, $uid = 0): bool
$uid = get_user_id(); $uid = get_user_id();
$log .= ", set current uid: $uid"; $log .= ", set current uid: $uid";
} }
if ($uid <= 0) { if (!$fail && $uid <= 0) {
do_log("$log, unauthenticated, false"); do_log("$log, unauthenticated, false");
return false; return false;
} }
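Review bot: With `$fail` set, an unauthenticated caller (`$uid <= 0`) now skips the early return and the rest of `user_can` runs with uid 0, and the `unauthenticated, false` log line two lines below is no longer written for that case; the function body continues outside the hunk, so whether the remainder throws or merely falls through on uid 0 is not visible here. Keeping the log unconditional and making only the return depend on `$fail` states the intent explicitly: `if ($uid <= 0) { do_log("$log, unauthenticated"); if (!$fail) { return false; } }`. The fail path then continues to whatever the function does below for a denied permission, which appears to be what the commit wants.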
+34 -29
@@ -6,20 +6,9 @@ loggedinorreturn();
$action = $_POST['action'] ?? 'noAction'; $action = $_POST['action'] ?? 'noAction';
$params = $_POST['params'] ?? []; $params = $_POST['params'] ?? [];
function noAction() class AjaxInterface{
{
throw new \RuntimeException("no Action");
}
public static function toggleUserMedalStatus($params)
try {
$result = call_user_func($action, $params);
exit(json_encode(success($result)));
} catch (\Throwable $exception) {
exit(json_encode(fail($exception->getMessage(), $_POST)));
}
function toggleUserMedalStatus($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\MedalRepository(); $rep = new \App\Repositories\MedalRepository();
@@ -27,14 +16,14 @@ function toggleUserMedalStatus($params)
} }
function attendanceRetroactive($params) public static function attendanceRetroactive($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\AttendanceRepository(); $rep = new \App\Repositories\AttendanceRepository();
return $rep->retroactive($CURUSER['id'], $params['timestamp']); return $rep->retroactive($CURUSER['id'], $params['timestamp']);
} }
function getPtGen($params) public static function getPtGen($params)
{ {
$rep = new Nexus\PTGen\PTGen(); $rep = new Nexus\PTGen\PTGen();
$result = $rep->generate($params['url']); $result = $rep->generate($params['url']);
@@ -47,41 +36,41 @@ function getPtGen($params)
} }
} }
function addClaim($params) public static function addClaim($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\ClaimRepository(); $rep = new \App\Repositories\ClaimRepository();
return $rep->store($CURUSER['id'], $params['torrent_id']); return $rep->store($CURUSER['id'], $params['torrent_id']);
} }
function removeClaim($params) public static function removeClaim($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\ClaimRepository(); $rep = new \App\Repositories\ClaimRepository();
return $rep->delete($params['id'], $CURUSER['id']); return $rep->delete($params['id'], $CURUSER['id']);
} }
function removeUserLeechWarn($params) public static function removeUserLeechWarn($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\UserRepository(); $rep = new \App\Repositories\UserRepository();
return $rep->removeLeechWarn($CURUSER['id'], $params['uid']); return $rep->removeLeechWarn($CURUSER['id'], $params['uid']);
} }
function getOffer($params) public static function getOffer($params)
{ {
$offer = \App\Models\Offer::query()->findOrFail($params['id']); $offer = \App\Models\Offer::query()->findOrFail($params['id']);
return $offer->toArray(); return $offer->toArray();
} }
function approvalModal($params) public static function approvalModal($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\TorrentRepository(); $rep = new \App\Repositories\TorrentRepository();
return $rep->buildApprovalModal($CURUSER['id'], $params['torrent_id']); return $rep->buildApprovalModal($CURUSER['id'], $params['torrent_id']);
} }
function approval($params) public static function approval($params)
{ {
global $CURUSER; global $CURUSER;
foreach (['torrent_id', 'approval_status',] as $field) { foreach (['torrent_id', 'approval_status',] as $field) {
@@ -93,7 +82,7 @@ function approval($params)
return $rep->approval($CURUSER['id'], $params); return $rep->approval($CURUSER['id'], $params);
} }
function addSeedBoxRecord($params) public static function addSeedBoxRecord($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\SeedBoxRepository(); $rep = new \App\Repositories\SeedBoxRepository();
@@ -103,28 +92,28 @@ function addSeedBoxRecord($params)
return $rep->store($params); return $rep->store($params);
} }
function removeSeedBoxRecord($params) public static function removeSeedBoxRecord($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\SeedBoxRepository(); $rep = new \App\Repositories\SeedBoxRepository();
return $rep->delete($params['id'], $CURUSER['id']); return $rep->delete($params['id'], $CURUSER['id']);
} }
function removeHitAndRun($params) public static function removeHitAndRun($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\BonusRepository(); $rep = new \App\Repositories\BonusRepository();
return $rep->consumeToCancelHitAndRun($CURUSER['id'], $params['id']); return $rep->consumeToCancelHitAndRun($CURUSER['id'], $params['id']);
} }
function consumeBenefit($params) public static function consumeBenefit($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\UserRepository(); $rep = new \App\Repositories\UserRepository();
return $rep->consumeBenefit($CURUSER['id'], $params); return $rep->consumeBenefit($CURUSER['id'], $params);
} }
function clearShoutBox($params) public static function clearShoutBox($params)
{ {
global $CURUSER; global $CURUSER;
user_can('sbmanage', true); user_can('sbmanage', true);
@@ -132,21 +121,21 @@ function clearShoutBox($params)
return true; return true;
} }
function buyMedal($params) public static function buyMedal($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\BonusRepository(); $rep = new \App\Repositories\BonusRepository();
return $rep->consumeToBuyMedal($CURUSER['id'], $params['medal_id']); return $rep->consumeToBuyMedal($CURUSER['id'], $params['medal_id']);
} }
function giftMedal($params) public static function giftMedal($params)
{ {
global $CURUSER; global $CURUSER;
$rep = new \App\Repositories\BonusRepository(); $rep = new \App\Repositories\BonusRepository();
return $rep->consumeToGiftMedal($CURUSER['id'], $params['medal_id'], $params['uid']); return $rep->consumeToGiftMedal($CURUSER['id'], $params['medal_id'], $params['uid']);
} }
function saveUserMedal($params) public static function saveUserMedal($params)
{ {
global $CURUSER; global $CURUSER;
$data = []; $data = [];
@@ -161,3 +150,19 @@ function saveUserMedal($params)
$rep = new \App\Repositories\MedalRepository(); $rep = new \App\Repositories\MedalRepository();
return $rep->saveUserMedal($CURUSER['id'], $data); return $rep->saveUserMedal($CURUSER['id'], $data);
} }
}
$class = 'AjaxInterface';
$reflection = new ReflectionClass($class);
try {
if($reflection->hasMethod($action)&&$reflection->getMethod($action)->isStatic()) {
$result = $class::$action($params);
exit(json_encode(success($result)));
} else {
do_log("hacking attempt made by {$CURUSER['username']},uid {$CURUSER['id']}", 'error');
throw new \RuntimeException("no Action");
}
}catch(\Throwable $exception){
exit(json_encode(fail($exception->getMessage(), $_POST)));
}
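Review bot: The dispatcher at the bottom lets any static method of `AjaxInterface` be named in `$_POST['action']` but never checks visibility; today every handler is `public static`, but a `private static` helper added later would be reachable by name and would fail with an Error whose message `fail()` echoes back to the client. Tightening the guard is one line: `if ($reflection->hasMethod($action) && ($m = $reflection->getMethod($action))->isStatic() && $m->isPublic()) {`. The `hacking attempt` log line also omits the rejected `$action` value, which is the one thing an incident responder will want; append it (it is attacker-controlled, so keep it bounded, e.g. `substr((string) $action, 0, 64)`). Note that the catch still returns `$exception->getMessage()` and the full `$_POST` to the caller as it did before the patch, so any handler exception text is disclosed to the user.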