Mirror
/
RoundcubeMail
mirror of https://github.com/roundcube/roundcubemail.git
1
0
Fork 0
Code Issues Releases Wiki Activity
RoundCube Webmail
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5214 Commits
57 Branches
196 Tags
151 MiB
Tree: e13ad37d89
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e13ad37d89'
${ noResults }
RoundcubeMail/index.php

306 lines
11 KiB
Raw Normal View History

Initial revision
20 years ago
-fixed disclaimer
17 years ago
- s/RoundCube/Roundcube/
15 years ago
Bump version to 0.8.4
13 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Initial revision
20 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Optimized loading time; added periodic mail check; added EXPUNGE command
20 years ago
- Fix imap_init hook broken in r3258 (#1486493)
16 years ago
More code cleanup
17 years ago
- Make the whole PHP output non-cacheable (#1487797)
14 years ago
- get rid of some hardcoded action names and move decission about output compression to the user
16 years ago
Little improvements for message parsing and encoding
19 years ago
Show appropriate error message if config files are missing
17 years ago
Improved error handling in DB connection failure
20 years ago
Merged devel-framework branch (r5746:5779) back into trunk
14 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Improved error handling in DB connection failure
20 years ago
Initial revision
20 years ago
Next step: introduce the application class 'rcmail' and get rid of some global vars
17 years ago
Initial revision
20 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Initial revision
20 years ago
Revert r3038 and allow to specify the port as value of force_https
16 years ago
- Fix $_SERVER['HTTPS'] check for SSL forcing on IIS (#1486243) + fix port check
16 years ago
- Fix 'force_https' to specified port when URL contains a port number (#1486411)
16 years ago
Revert r3038 and allow to specify the port as value of force_https
16 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Initial revision
20 years ago
- Fix setting task name according to auth state. So, any action before user is authenticated is assigned to 'login' task instead of 'mail'. Now binding plugins to 'login' task is possible and realy usefull. It's also possible to bind to all tasks excluding 'login'.
16 years ago
protect login form submission from CSRF using a request token
15 years ago
- Fix authentication when submitting form with existing session (#1485679)
17 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
- Plugin API: Add 'pass' argument in 'authenticate' hook (#1487134)
15 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
- Plugin API: Add 'pass' argument in 'authenticate' hook (#1487134)
15 years ago
Allow a plugin to disable the cookie check
16 years ago
protect login form submission from CSRF using a request token
15 years ago
- Password: Make passwords encoding consistent with core, add 'password_charset' global option (#1486473)
16 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Show explicit error message when provided hostname is invalid (#1488550) Conflicts: program/include/rcmail.php
13 years ago
- small code cleanup
15 years ago
- Performance improvement: Remove redundant DELETE query (for old session deletion) on login
15 years ago
- small code cleanup
15 years ago
- Performance improvement: Remove redundant DELETE query (for old session deletion) on login
15 years ago
New session authentication, should fix bugs #1483951 and #1484299; testing required
19 years ago
Improve session validity check with changing auth cookies; reduce writes to DB; better phpdoc
15 years ago
New session authentication, should fix bugs #1483951 and #1484299; testing required
19 years ago
Add option to log successful logins.
17 years ago
- Add HTTP_X_REAL_IP and HTTP_X_FORWARDED_FOR to successful logins log (#1486441)
15 years ago
- add file/line definitions to raise_error() calls
16 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Fix login redirect issues (#1487686)
15 years ago
Better fix for login redirect, don't force mail task
15 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
- Performance improvement: Remove redundant DELETE query (for old session deletion) on login
15 years ago
Better fix for login redirect, don't force mail task
15 years ago
- Applied fixes from trunk up to r6129
13 years ago
Better fix for login redirect, don't force mail task
15 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Better fix for login redirect, don't force mail task
15 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
Add option to log successful logins.
17 years ago
Initial revision
20 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Show explicit error message when provided hostname is invalid (#1488550) Conflicts: program/include/rcmail.php
13 years ago
- Handle situation when $IMAP object isn't initialized on log in
15 years ago
Show explicit error message when provided hostname is invalid (#1488550) Conflicts: program/include/rcmail.php
13 years ago
- Improved IMAP errors handling
15 years ago
- Handle situation when $IMAP object isn't initialized on log in
15 years ago
More code cleanup + oop-ization
17 years ago
Initial revision
20 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Also check referer on logout action
15 years ago
Merged devel-framework branch (r5746:5779) back into trunk
14 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
More code cleanup + oop-ization
17 years ago
Add some arguments to the logout_after hook
16 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Fixed bugs #1364122, #1468895, ticket #1483811 and other minor bugs
19 years ago
- Fix setting task name according to auth state. So, any action before user is authenticated is assigned to 'login' task instead of 'mail'. Now binding plugins to 'login' task is possible and realy usefull. It's also possible to bind to all tasks excluding 'login'.
16 years ago
Improve session validity check with changing auth cookies; reduce writes to DB; better phpdoc
15 years ago
More code cleanup + oop-ization
17 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
Initial revision
20 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Next step: introduce the application class 'rcmail' and get rid of some global vars
17 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
Fix r5117: don't show error on default login page
14 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
Revert r4609 and use stateless request tokens; no need to save them in session and thus no keep-alive necessary; fixes #1487829
15 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
- Fix setting task name according to auth state. So, any action before user is authenticated is assigned to 'login' task instead of 'mail'. Now binding plugins to 'login' task is possible and realy usefull. It's also possible to bind to all tasks excluding 'login'.
16 years ago
- Fix login page loading into an iframe when session expires (#1485952)
16 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
- Fix login page loading into an iframe when session expires (#1485952)
16 years ago
Disable PHP notices + check for installer script on login page
18 years ago
More code cleanup
17 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
- s/RoundCube/Roundcube/
15 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
- Make the whole PHP output non-cacheable (#1487797)
14 years ago
Log session validation errors; keep error message when redirecting to login after session error
14 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Plugin API: Add 'unauthenticated' hook (#1488138)
13 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
- Fix (disable) request validation for spell and spell_html actions Consider action whitelist also for ajax requests Conflicts: CHANGELOG index.php
13 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Add optional referer check to prevent CSRF in GET requests
15 years ago
- Fix (disable) request validation for spell and spell_html actions Consider action whitelist also for ajax requests Conflicts: CHANGELOG index.php
13 years ago
Add optional referer check to prevent CSRF in GET requests
15 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Initial revision
20 years ago
- Plugin API: added 'ready' hook (#1488073)
14 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Moved code block to a more appropriate position + codestyle
17 years ago
Let plugins hook into keep-alive requests
14 years ago
Moved code block to a more appropriate position + codestyle
17 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
- Improve performance by including files with absolute path (#1487849)
14 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Re-design of caching (new database table added\!); some bugfixes; Postgres support
20 years ago
Initial revision
20 years ago
Simplify step inclusion in controller (index.php)
17 years ago
- Improve performance by including files with absolute path (#1487849)
14 years ago
Simplify step inclusion in controller (index.php)
17 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Allow plugins to register their own tasks
15 years ago
Default action for plugin tasks is 'index'
14 years ago
Allow plugins to register their own tasks
15 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Simplify step inclusion in controller (index.php)
17 years ago
- Move action files map from index.php to steps' func.inc files
15 years ago
- Improve performance by including files with absolute path (#1487849)
14 years ago
- Move action files map from index.php to steps' func.inc files
15 years ago
- Improve performance by including files with absolute path (#1487849)
14 years ago
Simplify step inclusion in controller (index.php)
17 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Simplify step inclusion in controller (index.php)
17 years ago
Next step: introduce the application class 'rcmail' and get rid of some global vars
17 years ago
Fix for URL injection vulnerability (Bug #1307966)
20 years ago
Initial revision
20 years ago
Fix for URL injection vulnerability (Bug #1307966)
20 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
- removed PHP closing tag
15 years ago
  1. <?php
  2. /*
  3. +-------------------------------------------------------------------------+
  4. | Roundcube Webmail IMAP Client |
  5. | Version 0.8.4 |
  6. | |
  7. | Copyright (C) 2005-2012, The Roundcube Dev Team |
  8. | |
  9. | This program is free software: you can redistribute it and/or modify |
  10. | it under the terms of the GNU General Public License (with exceptions |
  11. | for skins & plugins) as published by the Free Software Foundation, |
  12. | either version 3 of the License, or (at your option) any later version. |
  13. | |
  14. | This file forms part of the Roundcube Webmail Software for which the |
  15. | following exception is added: Plugins and Skins which merely make |
  16. | function calls to the Roundcube Webmail Software, and for that purpose |
  17. | include it by reference shall not be considered modifications of |
  18. | the software. |
  19. | |
  20. | If you wish to use this file in another project or create a modified |
  21. | version that will not be part of the Roundcube Webmail Software, you |
  22. | may remove the exception above and use this source code under the |
  23. | original version of the license. |
  24. | |
  25. | This program is distributed in the hope that it will be useful, |
  26. | but WITHOUT ANY WARRANTY; without even the implied warranty of |
  27. | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
  28. | GNU General Public License for more details. |
  29. | |
  30. | You should have received a copy of the GNU General Public License |
  31. | along with this program. If not, see http://www.gnu.org/licenses/. |
  32. | |
  33. +-------------------------------------------------------------------------+
  34. | Author: Thomas Bruederli <roundcube@gmail.com> |
  35. +-------------------------------------------------------------------------+
  37. $Id$
  39. */
  41. // include environment
  42. require_once 'program/include/iniset.php';
  44. // init application, start session, init output class, etc.
  45. $RCMAIL = rcmail::get_instance();
  47. // Make the whole PHP output non-cacheable (#1487797)
  48. send_nocacheing_headers();
  50. // turn on output buffering
  51. ob_start();
  53. // check if config files had errors
  54. if ($err_str = $RCMAIL->config->get_error()) {
  55. raise_error(array(
  56. 'code' => 601,
  57. 'type' => 'php',
  58. 'message' => $err_str), false, true);
  59. }
  61. // check DB connections and exit on failure
  62. if ($err_str = $RCMAIL->db->is_error()) {
  63. raise_error(array(
  64. 'code' => 603,
  65. 'type' => 'db',
  66. 'message' => $err_str), FALSE, TRUE);
  67. }
  69. // error steps
  70. if ($RCMAIL->action=='error' && !empty($_GET['_code'])) {
  71. raise_error(array('code' => hexdec($_GET['_code'])), FALSE, TRUE);
  72. }
  74. // check if https is required (for login) and redirect if necessary
  75. if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
  76. $https_port = is_bool($force_https) ? 443 : $force_https;
  77. if (!rcube_https_check($https_port)) {
  78. $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
  79. $host .= ($https_port != 443 ? ':' . $https_port : '');
  80. header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
  81. exit;
  82. }
  83. }
  85. // trigger startup plugin hook
  86. $startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
  87. $RCMAIL->set_task($startup['task']);
  88. $RCMAIL->action = $startup['action'];
  90. // try to log in
  91. if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
  92. $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
  94. // purge the session in case of new login when a session already exists
  95. $RCMAIL->kill_session();
  97. $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
  98. 'host' => $RCMAIL->autoselect_host(),
  99. 'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
  100. 'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
  101. $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
  102. 'cookiecheck' => true,
  103. 'valid' => $request_valid,
  104. ));
  106. // Login
  107. if ($auth['valid'] && !$auth['abort'] &&
  108. $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck'])
  109. ) {
  110. // create new session ID, don't destroy the current session
  111. // it was destroyed already by $RCMAIL->kill_session() above
  112. $RCMAIL->session->remove('temp');
  113. $RCMAIL->session->regenerate_id(false);
  115. // send auth cookie if necessary
  116. $RCMAIL->session->set_auth_cookie();
  118. // log successful login
  119. rcmail_log_login();
  121. // restore original request parameters
  122. $query = array();
  123. if ($url = get_input_value('_url', RCUBE_INPUT_POST)) {
  124. parse_str($url, $query);
  126. // prevent endless looping on login page
  127. if ($query['_task'] == 'login')
  128. unset($query['_task']);
  130. // prevent redirect to compose with specified ID (#1488226)
  131. if ($query['_action'] == 'compose' && !empty($query['_id']))
  132. $query = array();
  133. }
  135. // allow plugins to control the redirect url after login success
  136. $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));
  137. unset($redir['abort'], $redir['_err']);
  139. // send redirect
  140. $OUTPUT->redirect($redir);
  141. }
  142. else {
  143. if (!$auth['valid']) {
  144. $error_code = RCMAIL::ERROR_INVALID_REQUEST;
  145. }
  146. else {
  147. $error_code = $auth['error'] ? $auth['error'] : $RCMAIL->login_error();
  148. }
  150. $error_labels = array(
  151. RCMAIL::ERROR_STORAGE => 'storageerror',
  152. RCMAIL::ERROR_COOKIES_DISABLED => 'cookiesdisabled',
  153. RCMAIL::ERROR_INVALID_REQUEST => 'invalidrequest',
  154. RCMAIL::ERROR_INVALID_HOST => 'invalidhost',
  155. );
  157. $error_message = $error_labels[$error_code] ? $error_labels[$error_code] : 'loginfailed';
  159. $OUTPUT->show_message($error_message, 'warning');
  160. $RCMAIL->plugins->exec_hook('login_failed', array(
  161. 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
  162. $RCMAIL->kill_session();
  163. }
  164. }
  166. // end session (after optional referer check)
  167. else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') || rcube_check_referer())) {
  168. $userdata = array(
  169. 'user' => $_SESSION['username'],
  170. 'host' => $_SESSION['storage_host'],
  171. 'lang' => $RCMAIL->user->language,
  172. );
  173. $OUTPUT->show_message('loggedout');
  174. $RCMAIL->logout_actions();
  175. $RCMAIL->kill_session();
  176. $RCMAIL->plugins->exec_hook('logout_after', $userdata);
  177. }
  179. // check session and auth cookie
  180. else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
  181. if (!$RCMAIL->session->check_auth()) {
  182. $RCMAIL->kill_session();
  183. $session_error = true;
  184. }
  185. }
  187. // not logged in -> show login page
  188. if (empty($RCMAIL->user->ID)) {
  189. // log session failures
  190. if (($task = get_input_value('_task', RCUBE_INPUT_GPC)) && !in_array($task, array('login','logout')) && !$session_error && ($sess_id = $_COOKIE[ini_get('session.name')])) {
  191. $RCMAIL->session->log("Aborted session " . $sess_id . "; no valid session data found");
  192. $session_error = true;
  193. }
  195. if ($OUTPUT->ajax_call)
  196. $OUTPUT->redirect(array('_err' => 'session'), 2000);
  198. if (!empty($_REQUEST['_framed']))
  199. $OUTPUT->command('redirect', $RCMAIL->url(array('_err' => 'session')));
  201. // check if installer is still active
  202. if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
  203. $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
  204. html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
  205. html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
  206. html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .
  207. these files may expose sensitive configuration data like server passwords and encryption keys
  208. to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
  209. )
  210. );
  211. }
  213. if ($session_error || $_REQUEST['_err'] == 'session')
  214. $OUTPUT->show_message('sessionerror', 'error', null, true, -1);
  216. $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', array('task' => 'login', 'error' => $session_error));
  218. $RCMAIL->set_task($plugin['task']);
  219. $OUTPUT->send($plugin['task']);
  220. }
  221. // CSRF prevention
  222. else {
  223. $request_check_whitelist = array('login'=>1, 'spell'=>1, 'spell_html'=>1);
  225. if (!$request_check_whitelist[$RCMAIL->action]) {
  226. // check client X-header to verify request origin
  227. if ($OUTPUT->ajax_call) {
  228. if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
  229. header('HTTP/1.1 403 Forbidden');
  230. die("Invalid Request");
  231. }
  232. }
  233. // check request token in POST form submissions
  234. else if (!empty($_POST) && !$RCMAIL->check_request()) {
  235. $OUTPUT->show_message('invalidrequest', 'error');
  236. $OUTPUT->send($RCMAIL->task);
  237. }
  239. // check referer if configured
  240. if ($RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
  241. raise_error(array(
  242. 'code' => 403, 'type' => 'php',
  243. 'message' => "Referer check failed"), true, true);
  244. }
  245. }
  246. }
  248. // we're ready, user is authenticated and the request is safe
  249. $plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
  250. $RCMAIL->set_task($plugin['task']);
  251. $RCMAIL->action = $plugin['action'];
  254. // handle special actions
  255. if ($RCMAIL->action == 'keep-alive') {
  256. $OUTPUT->reset();
  257. $RCMAIL->plugins->exec_hook('keep_alive', array());
  258. $OUTPUT->send();
  259. }
  260. else if ($RCMAIL->action == 'save-pref') {
  261. include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
  262. }
  265. // include task specific functions
  266. if (is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/func.inc'))
  267. include_once $incfile;
  269. // allow 5 "redirects" to another action
  270. $redirects = 0; $incstep = null;
  271. while ($redirects < 5) {
  272. // execute a plugin action
  273. if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
  274. if (!$RCMAIL->action) $RCMAIL->action = 'index';
  275. $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
  276. break;
  277. }
  278. else if (preg_match('/^plugin\./', $RCMAIL->action)) {
  279. $RCMAIL->plugins->exec_action($RCMAIL->action);
  280. break;
  281. }
  282. // try to include the step file
  283. else if (($stepfile = $RCMAIL->get_action_file())
  284. && is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/'.$stepfile)
  285. ) {
  286. include $incfile;
  287. $redirects++;
  288. }
  289. else {
  290. break;
  291. }
  292. }
  295. // parse main template (default)
  296. $OUTPUT->send($RCMAIL->task);
  299. // if we arrive here, something went wrong
  300. raise_error(array(
  301. 'code' => 404,
  302. 'type' => 'php',
  303. 'line' => __LINE__,
  304. 'file' => __FILE__,
  305. 'message' => "Invalid request"), true, true);