sqlite3 utility to be installed). The admin simply adds the user via the Bash script. Then, the user needs to add their token to the Bash (curl) script and adjust the message and title, etc. The script uses URL encoding for these values. BBCode can be used since it gets parsed by phpBB when submitted.
GitHub: https://github.com/phpbbmodders/phpbb-p ... tion-token
Purpose
The scripts fulfill the following functions:
./submit_post_token.php:
- Enables posting to a phpBB forum as a specified user without session reliance. This script requires invocation by submit.php, which validates a secret token for access. The user ID associated with the token is passed from the SQLite database to submit_post_token.php for post attribution.
- Manages user tokens within a SQLite database (userdata.db). It generates secure tokens for designated user IDs and updates existing tokens as needed. It uses OpenSSL, if installed, for generating these tokens, and falls back to /dev/urandom otherwise.
- Validates a token provided via URL against userdata.db. Upon successful validation, submit.php includes submit_post_token.php to submit posts to the phpBB forum on behalf of authenticated users, ensuring proper token-based authorization and user identification.
- Constructs a URL for submitting a post to a phpBB forum using curl. It encodes parameters such as token, message content, title, and forum ID, appending them to the URL constructed from specified domain and port settings.
Session Management: submit_post_token.php utilizes phpBB's session management functions ($user->session_begin(), $auth->acl($user->data), $user->setup('')) to emulate user context for posting, maintaining forum integrity and permissions.
Message Parsing: Before submission, submit_post_token.php employs parse_message to process and format post content ($post_text) with BBCode and other attributes ($data['message'], $data['bbcode_bitfield'], $data['bbcode_uid']), ensuring proper rendering within the forum.
Database Interaction: submit.php interacts with userdata.db using SQLite3 to validate tokens and retrieve associated user IDs for secure post submissions.
Apache .htaccess Configuration for Security
To deny access to sensitive files such as userdata.db, add the following configuration to your Apache setup:
<Files "userdata.db">
    Require all denied
</Files>
<FilesMatch "\.(?i:db)$">
    Require all denied
</FilesMatch>
To deny access to sensitive files such as userdata.db, add the following configuration to your Nginx setup:
# Deny access to userdata.db directly
location = /userdata.db {
    deny all;
    return 403;
}
# Deny access to any file ending with .db
location ~ \.db$ {
    deny all;
    return 403;
}
(c) 2024 phpBBmodders (phpbbmodders.com) board@phpbbmodders.com
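
The token generation (OpenSSL with a /dev/urandom fallback) and the URL-encoded curl URL described in the post, sketched as an added example; this is not the project's script. The 32-byte token size, the https scheme, the /submit.php path and the query parameter names (token, title, message, forum_id) are assumptions.

```sh
#!/bin/sh
# Added example, not the project's script. Token size, URL path and
# parameter names are assumptions; sample values below are constructed.

# 32 random bytes as 64 hex characters: OpenSSL if installed, else /dev/urandom.
gen_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -v -tx1 -N 32 /dev/urandom | tr -dc '0-9a-f'
        echo
    fi
}

# Percent-encode every byte outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - . _ ~), working on hex bytes so UTF-8 text is handled.
urlencode() (
    out=''
    for byte in $(printf '%s' "$1" | od -An -v -tx1); do
        case $byte in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                out="$out$(printf "\\$(printf '%03o' "0x$byte")")" ;;
            *)  out="$out%$(printf '%s' "$byte" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s\n' "$out"
)

# build_url DOMAIN PORT TOKEN TITLE MESSAGE FORUM_ID
build_url() {
    printf 'https://%s:%s/submit.php?token=%s&title=%s&message=%s&forum_id=%s\n' \
        "$1" "$2" "$(urlencode "$3")" "$(urlencode "$4")" \
        "$(urlencode "$5")" "$(urlencode "$6")"
}

# Constructed sample: the "&" and "=" in the message are encoded, so the text
# stays inside the message parameter and cannot add or override forum_id.
build_url forum.example 443 "$(gen_token)" 'Build report' \
    '[b]Done[/b] &forum_id=99' 2
```

Because the token travels in the query string, web servers record it in their access logs by default, so those logs need the same protection as userdata.db.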