author | Fyorl <gaelreth@gmail.com> | 2012-08-14 12:47:10 +0100 |
---|---|---|
committer | Fyorl <gaelreth@gmail.com> | 2012-08-14 12:47:10 +0100 |
commit | b96c72c156b5fd207ef0b1d1b55df037df688976 (patch) | |
tree | b99768ef93924ff432c30c162ea87b4bab46ff4f | |
parent | b05f36b19759eae3d6e60558355698d457df5b31 (diff) | |
[feature/attach-dl] Moved PM authentication handling into own function
PHPBB3-11042
-rw-r--r-- | phpBB/download/file.php | 33 | ||||
-rw-r--r-- | phpBB/includes/functions_download.php | 51 |
2 files changed, 56 insertions, 28 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 0c3e0f5521..d000fc49d2 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -236,34 +236,7 @@ else if ($download_id)
 {
 // Attachment is in a private message.
 $row['forum_id'] = false;
- if (!$auth->acl_get('u_pm_download'))
- {
- send_status_line(403, 'Forbidden');
- trigger_error('SORRY_AUTH_VIEW_ATTACH');
- }
-
- // Check if the attachment is within the users scope...
- $sql = 'SELECT user_id, author_id
- FROM ' . PRIVMSGS_TO_TABLE . '
- WHERE msg_id = ' . $attachment['post_msg_id'];
- $result = $db->sql_query($sql);
-
- $allowed = false;
- while ($user_row = $db->sql_fetchrow($result))
- {
- if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
- {
- $allowed = true;
- break;
- }
- }
- $db->sql_freeresult($result);
-
- if (!$allowed)
- {
- send_status_line(403, 'Forbidden');
- trigger_error('ERROR_NO_ATTACHMENT');
- }
+ phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
 }
 $extensions = array();
@@ -331,6 +304,10 @@ else
 {
 phpbb_download_check_forum_auth($db, $auth, $attachment['topic_id']);
 }
+ else
+ {
+ phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
+ }
 if (!class_exists('compress'))
 {
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index 14d39806b9..ac5e5ddd7e 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
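Review bot: The two ids on the new `phpbb_download_handle_pm_auth(...)` line are passed uncast, and the helper this commit adds in functions_download.php concatenates them straight into SQL; the removed inline code did the same with `$attachment['post_msg_id']`, but now that the check is a reusable function it is worth pinning the types at the boundary, `phpbb_download_handle_pm_auth($db, $auth, (int) $user->data['user_id'], (int) $attachment['post_msg_id']);`, or casting inside the helper. Both values come from the database here, so this is defence in depth rather than an exploitable injection as far as the hunk shows. The `else if ($download_id)` block this line sits in begins before the hunk.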
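Review bot: The `if` that the new `else` pairs with starts before the hunk, so it is not visible which attachments take the PM branch; if the condition is only "has a `topic_id`", an attachment with neither a topic nor a `post_msg_id` would also reach `phpbb_download_handle_pm_auth` and be checked against the PM table with an empty or zero `msg_id`. A narrower guard such as `else if ($attachment['post_msg_id'])`, with the same 403 response as the other branches when neither applies, would keep attachments that belong to nothing from being authorised by a lookup that is not meant for them. The surrounding code continues on both sides of the hunk, so confirm against the full `if`.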
@@ -649,6 +649,57 @@ function phpbb_download_check_forum_auth($db, $auth, $topic_id)
 }
 /**
+* Handles authentication when downloading attachments from PMs
+*
+* @param dbal $db The database object
+* @param phpbb_auth $auth The authentication object
+* @param int $user_id The user id
+* @param int $msg_id The id of the PM that we are downloading from
+*
+* @return null
+*/
+function phpbb_download_handle_pm_auth($db, $auth, $user_id, $msg_id)
+{
+ if (!$auth->acl_get('u_pm_download'))
+ {
+ send_status_line(403, 'Forbidden');
+ trigger_error('SORRY_AUTH_VIEW_ATTACH');
+ }
+
+ $allowed = phpbb_download_check_pm_auth($db, $user_id, $msg_id);
+
+ if (!$allowed)
+ {
+ send_status_line(403, 'Forbidden');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
+}
+
+/**
+* Checks whether a user can download from a particular PM
+*
+* @param dbal $db The database object
+* @param int $user_id The user id
+* @param int $msg_id The id of the PM that we are downloading from
+*
+* @return bool Whether the user is allowed to download from that PM or not
+*/
+function phpbb_download_check_pm_auth($db, $user_id, $msg_id)
+{
+ // Check if the attachment is within the users scope...
+ $sql = 'SELECT user_id, author_id
+ FROM ' . PRIVMSGS_TO_TABLE . '
+ WHERE msg_id = ' . $msg_id . "
+ AND user_id = $user_id
+ OR author_id = $user_id";
+ $result = $db->sql_query_limit($sql, 1);
+ $allowed = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ return $allowed;
+}
+
+/**
 * Cleans a filename of any characters that could potentially cause a problem on
 * a user's filesystem.
 *
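Review bot: The WHERE clause in the new `phpbb_download_check_pm_auth` mixes `AND` and `OR` without parentheses, so SQL precedence evaluates it as `(msg_id = X AND user_id = U) OR author_id = U`: any user who has sent at least one PM matches some row regardless of `msg_id` and is granted download access to attachments of every PM, an authorisation bypass the replaced per-row loop in file.php did not have. The recipient/author test needs parentheses, and both ids should be cast to int before concatenation since they are interpolated unescaped. `sql_fetchrow` returns an array or false while the docblock promises `bool`, so cast the result; `phpbb_download_handle_pm_auth` only tests truthiness and is unaffected. The rewrite below keeps the `sql_query_limit(..., 1)` early exit.

```php
function phpbb_download_check_pm_auth($db, $user_id, $msg_id)
{
	// Check if the attachment is within the users scope...
	// The inner OR must be parenthesised: AND binds tighter than OR, so without
	// the brackets "author_id = $user_id" would match rows of unrelated PMs.
	$sql = 'SELECT user_id, author_id
		FROM ' . PRIVMSGS_TO_TABLE . '
		WHERE msg_id = ' . (int) $msg_id . '
			AND (user_id = ' . (int) $user_id . '
				OR author_id = ' . (int) $user_id . ')';
	$result = $db->sql_query_limit($sql, 1);
	$allowed = (bool) $db->sql_fetchrow($result);
	$db->sql_freeresult($result);

	return $allowed;
}
```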