Merge pull request #2219 from MPOS/development

UPDATE : Development to Master

Author: TheSerapher

.gitignore

@@ -14,6 +14,7 @@
 /logs/*
 
 # Test configs
+/include/config/global.inc.test.php
 /include/config/global.inc.scrypt.php
 /include/config/global.inc.sha.php
 

README.md

@@ -1,4 +1,4 @@
-Description [ ![Codeship Status for TheSerapher/php-mpos](https://www.codeship.io/projects/40fa7600-61a6-0131-3fd3-367b94dc0d60/status?branch=next)](https://www.codeship.io/projects/12276)
+Description
 ===========
 
 MPOS is a web based Mining Portal for various crypto currencies. It was created by [TheSerapher](https://github.com/TheSerapher) and has hence grown quite large. Recently it was migrated into a Github Organization to make development easier. It's a community driven open source project. Support can be requested on IRC at https://webchat.freenode.net/?channels=#mpos
@@ -15,7 +15,10 @@ Donations to this project are going directly to [TheSerapher](https://github.com
 
 * LTC address: `Lge95QR2frp9y1wJufjUPCycVsg5gLJPW8`
 * BTC address: `1HuYK6WPU8o3yWCrAaADDZPRpL5QiXitfv`
-* DOGE Address: `D6YtvxFGBmaD8Yq3i8LZsBQVPvCbZwCDzF`
+* DOGE address: `DANk8bnc3vHEf7Jthaxq1Xgn1BSiArNdjG`
+* 42Coin address: `4VxA6Ht59Mj6ikhA4gDXLiHuAaDCJEvYTZ`
+* FST address: `fiRqMgZyhjTN1GSEB3ZxV35JXsE5bjEaQ2`
+* FRK address: `FDcgGZjX2B29qevSuiuQVwXhkNhtQT4cEW`
 * Cryptsy Trade Key: `6ff7292142463b7b80cbbbdfc52334ba89727b11`
 
 Website Footer
@@ -79,23 +82,22 @@ The following feature have been implemented so far:
 
 * Fully re-written GUI with [Smarty][2] templates
  * Full file based template support
- * **NEW** SQL based templates
-* Mobile WebUI
-* Scrypt, SHA256, VARDIFF Support
+* VARDIFF Support
 * Reward Systems
  * Propotional, PPS and PPLNS
 * New Theme
  * Live Dashboard
  * AJAX Support
  * Overhauled API
+ * Bootstrap
 * Web User accounts
  * Re-Captcha protected registration form
 * Worker accounts
  * Worker activity
  * Worker hashrates
 * Pool statistics
 * Block statistics
-* Pool donations, fees and block bonuses
+* Pool donations, bonuses, fees and block bonuses
 * Manual and auto payout
 * Transaction list
 * Admin Panel
@@ -105,7 +107,6 @@ The following feature have been implemented so far:
  * User Transactions
  * News Posts
  * Pool Settings
- * Templates
  * Pool Workers
  * User Reports
  * Template Overwrite
@@ -115,9 +116,11 @@ The following feature have been implemented so far:
  * Auto Payout
  * Manual Payout
 * User-to-user Invitation System
-* Support for various coins via config
+* Support for various coins via coin class and config
  * All scrypt coins
  * All sha256d coins
+ * All x11 coins
+ * Others may be supported by creating a custom coin class 
 
 Installation
 ============
@@ -131,7 +134,7 @@ This project was meant to allow users to easily customize the system and templat
 If you are just using the system, there will be no need to adjust anything. Things will work out of the box! But if you plan on creating
 your own theme, things are pretty easy:
 
-* Create a new theme folder in `public/templates/`
+* Create a new theme folder in `templates/`
 * Create a new site_assets folder in `public/site_assets`
 * Create your own complete custom template or copy from an existing one
 * Change your theme in the `Admin Panel` and point it to the newly created folder

include/classes/api.class.php

@@ -37,8 +37,10 @@ function get_json($data, $force=false) {
       )), $force ? JSON_FORCE_OBJECT : 0
     );
     // JSONP support issue #1700
-    if (isset($_REQUEST['callback']))
+    if (isset($_REQUEST['callback']) && ctype_alpha($_REQUEST['callback'])) {
+      header('Content-type: application/json; charset=utf-8');
       return $_REQUEST['callback'] . '(' . $json . ');';
+    }
     return $json;
   }
 

include/classes/share.class.php

@@ -129,8 +129,8 @@ function getMaxArchiveShareId() {
    * return array data Returns an array with usernames as keys for easy access
    **/
   function getArchiveShares($iCount) {
-    $iMinId = $this->getMinArchiveShareId($iCount);
     $iMaxId = $this->getMaxArchiveShareId();
+    $iMinId = $this->getMinArchiveShareId($iCount);
     $stmt = $this->mysqli->prepare("
       SELECT
         a.id,

include/classes/tools.class.php

@@ -18,11 +18,11 @@ public function getOnlineVersions() {
       curl_setopt($curl, CURLOPT_HEADER, false);
       $data = curl_exec($curl);
       preg_match('/define\(\'MPOS_VERSION\', \'(.*)\'\);/', $data, $match);
-      $mpos_versions['MPOS_VERSION'] = $match[1];
+      $mpos_versions['MPOS_VERSION'] = @$match[1];
       preg_match('/define\(\'DB_VERSION\', \'(.*)\'\);/', $data, $match);
-      $mpos_versions['DB_VERSION'] = $match[1];
+      $mpos_versions['DB_VERSION'] = @$match[1];
       preg_match('/define\(\'CONFIG_VERSION\', \'(.*)\'\);/', $data, $match);
-      $mpos_versions['CONFIG_VERSION'] = $match[1];
+      $mpos_versions['CONFIG_VERSION'] = @$match[1];
       curl_close($curl);
       return $this->memcache->setCache($key, $mpos_versions, 30);
     } else {

include/classes/user.class.php

@@ -741,9 +741,11 @@ public function register($username, $coinaddress, $password1, $password2, $pin,
       $this->setErrorMessage('Username exceeding character limit');
       return false;
     }
-    if (!$this->bitcoin->validateaddress($coinaddress)) {
-      $this->setErrorMessage('Coin address is not valid');
-      return false;
+    if (!is_null($coinaddress)) {
+      if (!$this->bitcoin->validateaddress($coinaddress)) {
+        $this->setErrorMessage('Coin address is not valid');
+        return false;
+      }
     }
     if (preg_match('/[^a-z_\-0-9]/i', $username)) {
       $this->setErrorMessage('Username may only contain alphanumeric characters');
@@ -841,7 +843,7 @@ public function register($username, $coinaddress, $password1, $password2, $pin,
     } else {
       $this->setErrorMessage( 'Unable to register' );
       $this->debug->append('Failed to insert user into DB: ' . $this->mysqli->error);
-      if ($stmt->sqlstate == '23000') $this->setErrorMessage( 'Username or email already registered' );
+      if ($stmt->sqlstate == '23000') $this->setErrorMessage( 'Username, email or Coinaddress already registered' );
       return false;
     }
     return false;

include/config/global.inc.dist.php

@@ -7,14 +7,20 @@
  *  https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-config-version
  **/
 $config['version'] = '0.0.8';
-$config['version_url'] = 'https://raw.githubusercontent.com/MPOS/php-mpos/master/public/include/version.inc.php';
+$config['version_url'] = 'https://raw.githubusercontent.com/MPOS/php-mpos/master/include/version.inc.php';
 
 /**
  * Unless you disable this, we'll do a quick check on your config first.
  *  https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-config-check
  */
 $config['skip_config_tests'] = false;
 
+/**
+ * Unless you disable this, we'll do a check for a valid coin address on registration.
+ *  https://github.com/MPOS/php-mpos/wiki/Config-Setup#check-for-valid-wallet-address
+ */
+$config['check_valid_coinaddress'] = true;
+
 /**
  * Defines
  *  Debug setting and salts for hashing passwords

include/pages/admin/news.inc.php

@@ -10,23 +10,31 @@
 // Include markdown library
 use \Michelf\Markdown;
 
-if (@$_REQUEST['do'] == 'toggle_active')
-  if ($news->toggleActive($_REQUEST['id']))
-    $_SESSION['POPUP'][] = array('CONTENT' => 'News entry changed', 'TYPE' => 'alert alert-success');
+if (@$_REQUEST['do'] == 'toggle_active') {
+  if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+    if ($news->toggleActive($_REQUEST['id'])) {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'News entry changed', 'TYPE' => 'alert alert-success');
+    }
+  }
+}
 
 if (@$_REQUEST['do'] == 'add') {
-  if ($news->addNews($_SESSION['USERDATA']['id'], $_POST['data'])) {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'News entry added', 'TYPE' => 'alert alert-success');
-  } else {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to add new entry: ' . $news->getError(), 'TYPE' => 'alert alert-danger');
+  if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+    if ($news->addNews($_SESSION['USERDATA']['id'], $_POST['data'])) {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'News entry added', 'TYPE' => 'alert alert-success');
+    } else {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to add new entry: ' . $news->getError(), 'TYPE' => 'alert alert-danger');
+    }
   }
 }
 
 if (@$_REQUEST['do'] == 'delete') {
-  if ($news->deleteNews((int)$_REQUEST['id'])) {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Succesfully removed news entry', 'TYPE' => 'alert alert-success');
-  } else {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to delete entry: ' . $news->getError(), 'TYPE' => 'alert alert-danger');
+  if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+    if ($news->deleteNews((int)$_REQUEST['id'])) {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'Succesfully removed news entry', 'TYPE' => 'alert alert-success');
+    } else {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to delete entry: ' . $news->getError(), 'TYPE' => 'alert alert-danger');
+    }
   }
 }
 
@@ -38,4 +46,4 @@
 }
 $smarty->assign("NEWS", $aNews);
 $smarty->assign("CONTENT", "default.tpl");
-?>
+?>

include/pages/admin/news_edit.inc.php

@@ -10,16 +10,18 @@
 // Include markdown library
 use \Michelf\Markdown;
 
-if (@$_REQUEST['do'] == 'save') {
-  if ($news->updateNews($_REQUEST['id'], $_REQUEST['header'], $_REQUEST['content'], $_REQUEST['active'])) {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'News updated', 'TYPE' => 'alert alert-success');
-  } else {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'News update failed: ' . $news->getError(), 'TYPE' => 'alert alert-danger');
+if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+  if (@$_REQUEST['do'] == 'save') {
+    if ($news->updateNews($_REQUEST['id'], $_REQUEST['header'], $_REQUEST['content'], $_REQUEST['active'])) {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'News updated', 'TYPE' => 'alert alert-success');
+    } else {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'News update failed: ' . $news->getError(), 'TYPE' => 'alert alert-danger');
+    }
   }
 }
 
 // Fetch news entry
 $aNews = $news->getEntry($_REQUEST['id']);
 $smarty->assign("NEWS", $aNews);
 $smarty->assign("CONTENT", "default.tpl");
-?>
+?>

include/pages/admin/settings.inc.php

@@ -8,11 +8,15 @@
 }
 
 if (@$_REQUEST['do'] == 'save' && !empty($_REQUEST['data'])) {
-  $user->log->log("warn", @$_SESSION['USERDATA']['username']." changed admin settings");
-  foreach($_REQUEST['data'] as $var => $value) {
-    $setting->setValue($var, $value);
+  if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+    $user->log->log("warn", @$_SESSION['USERDATA']['username']." changed admin settings");
+    foreach($_REQUEST['data'] as $var => $value) {
+      $setting->setValue($var, $value);
+    }
+    $_SESSION['POPUP'][] = array('CONTENT' => 'Settings updated', 'TYPE' => 'alert alert-success');
+  } else {
+    $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'alert alert-warning');
   }
-  $_SESSION['POPUP'][] = array('CONTENT' => 'Settings updated', 'TYPE' => 'alert alert-success');
 }
 
 // Load our available settings from configuration
@@ -23,4 +27,4 @@
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
-?>
+?>