author | Meik Sievertsen <acydburn@phpbb.com> | 2003-05-25 13:07:19 +0000 |
committer | Meik Sievertsen <acydburn@phpbb.com> | 2003-05-25 13:07:19 +0000 |
commit | 5ceeb10e99ab3a453f3ce42c294ec2189aa71224 (patch) | |
tree | 3ee349780f3d800b78792334f0a8795e32f38ff9 /phpBB/download.php | |
parent | f381c0d3ef39a078a21b727a07caeeeef2745fa4 (diff) | |
some updates in regards to fetching authentication.
git-svn-id: file:///svn/phpbb/trunk@4055 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/download.php')
-rw-r--r-- | phpBB/download.php | 115 |
1 files changed, 18 insertions, 97 deletions
diff --git a/phpBB/download.php b/phpBB/download.php
index fc5845bb97..b2859e33b5 100644
--- a/phpBB/download.php
+++ b/phpBB/download.php
@@ -31,91 +31,18 @@ $phpbb_root_path = './';
 include($phpbb_root_path . 'extension.inc');
 include($phpbb_root_path . 'common.'.$phpEx);
-//
-// Delete the / * to uncomment the block, and edit the values (read the comments) to
-// enable additional security to your board (preventing third site linkage)
-//
-/*
-define('ALLOWED_DENIED', 0);
-define('DENIED_ALLOWED', 1);
-
-//
-// From this line on you are able to edit the stuff
-//
-
-// Possible Values:
-// ALLOWED_DENIED <- First allow the listed sites, and then deny all others
-// DENIED_ALLOWED <- First deny the listed sites, and then allow all others
-$allow_deny_order = ALLOWED_DENIED;
-
-//
-// Allowed Syntax:
-// Full Domain Name -> www.phpbb.com
-// Partial Domain Names -> phpbb.com
-//
-$sites = array(
- $config['server_name'], // This is your domain
- 'phpbb.com'
-);
-
-// This is the message displayed, if someone links to this site...
-$lang['Denied_Message'] = 'You are not authorized to view, download or link to this Site.';
-
-// End of editable area
-
-//
-// Parse the order and evaluate the array
-//
-
-$site = explode('?', $HTTP_SERVER_VARS['HTTP_REFERER']);
-$url = trim($site[0]);
-//$url = $HTTP_HOST;
-
-if ($url != '')
-{
- $allowed = ($allow_deny_order == ALLOWED_DENIED) ? FALSE : TRUE;
-
- for ($i = 0; $i < count($sites); $i++)
- {
- if (strstr($url, $sites[$i]))
- {
- $allowed = ($allow_deny_order == ALLOWED_DENIED) ? TRUE : FALSE;
- break;
- }
- }
-}
-else
-{
- $allowed = TRUE;
-}
-
-if ($allowed == FALSE)
-{
- trigger_error($lang['Denied_Message']);
-}
-
-// Delete the following line, to uncomment this block
-*/
-
-$download_id = (isset($_REQUEST['id'])) ? intval($_REQUEST['id']) : -1;
+$download_id = (isset($_REQUEST['id'])) ? intval($_REQUEST['id']) : false;
 $thumbnail = (isset($_REQUEST['thumb'])) ?
intval($_REQUEST['thumb']) : false;
 function send_file_to_browser($real_filename, $mimetype, $physical_filename, $upload_dir, $attach_id)
 {
 global $_SERVER, $HTTP_USER_AGENT, $HTTP_SERVER_VARS, $user, $db, $config;
- if ($config['upload_dir'] == '')
- {
- $filename = $physical_filename;
- }
- else
- {
- $filename = $config['upload_dir'] . '/' . $physical_filename;
- }
+ $filename = ($config['upload_dir'] == '') ? $physical_filename : $config['upload_dir'] . '/' . $physical_filename;
 $gotit = FALSE;
- if (!intval($config['use_ftp_upload']))
+ if (!$config['use_ftp_upload'])
 {
 if (@!file_exists($filename))
 {
@@ -257,10 +184,10 @@ function send_file_to_browser($real_filename, $mimetype, $physical_filename, $up
 // Start session management
 $user->start();
-$user->setup();
 $auth->acl($user->data);
+$user->setup();
-if ($download_id == -1)
+if (!$download_id)
 {
 trigger_error('NO_ATTACHMENT_SELECTED');
 }
@@ -272,7 +199,7 @@ if (!$config['allow_attachments'])
 $sql = 'SELECT * FROM ' . ATTACHMENTS_DESC_TABLE . '
- WHERE attach_id = ' . intval($download_id);
+ WHERE attach_id = ' . $download_id;
 $result = $db->sql_query($sql);
 if (!($attachment = $db->sql_fetchrow($result)))
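Review bot: The new `WHERE attach_id = ' . $download_id;` drops the `intval()` at the point where the value is interpolated into SQL, so the query's safety now rests entirely on the `intval()` in the `$download_id` assignment earlier in this diff and on the `!$download_id` guard in the hunk just above. That holds today, but the interpolation site is where the next reader will look first, and a later change to how `$download_id` is derived would silently remove the protection. I would keep the cast at the sink, `WHERE attach_id = ' . intval($download_id);`, or at least add `// $download_id is already an int (cast at its assignment above)` so the dependency is visible. The `$sql` statement begins on a context line outside the changed lines of this hunk.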
@@ -292,33 +219,27 @@ if ($row['forum_password'])
 $authorised = FALSE;
 // Additional query, because of more than one attachment assigned to posts and private messages
-$sql = "SELECT a.*, p.forum_id
- FROM " . ATTACHMENTS_TABLE . " a, " . POSTS_TABLE . " p
- WHERE a.attach_id = " . $attachment['attach_id'] . "
- AND (a.post_id = p.post_id OR a.post_id = 0)";
+$sql = 'SELECT a.*, p.forum_id
+ FROM ' . ATTACHMENTS_TABLE . ' a, ' . POSTS_TABLE . ' p
+ WHERE a.attach_id = ' . $attachment['attach_id'] . '
+ AND (a.post_id = p.post_id OR a.post_id = 0)';
 $result = $db->sql_query($sql);
-$auth_pages = $db->sql_fetchrowset($result); // loop through rather than rowset if poss
-
-for ($i = 0; $i < count($auth_pages) && $authorised == FALSE; $i++)
+while ($row = $db->sql_fetchrow($result) && !$authorised)
 {
- if (intval($auth_pages[$i]['post_id']) != 0)
+ if ($row['post_id'] && $auth->acl_get('f_download', $row['forum_id']))
 {
- $forum_id = $auth_pages[$i]['forum_id'];
-
- if ($auth->acl_get('f_download', $forum_id))
- {
- $authorised = TRUE;
- }
+ $authorised = TRUE;
 }
 else
 {
- if ( (intval($config['allow_pm_attach'])) && ( ($user->data['user_id'] == $auth_pages[$i]['user_id_2']) || ($user->data['user_id'] == $auth_pages[$i]['user_id_1'])) )
+ if (intval($config['allow_pm_attach']) && ($user->data['user_id'] == $row['user_id_2'] || $user->data['user_id'] == $row['user_id_1']))
 {
 $authorised = TRUE;
 }
 }
 }
+$db->sql_freeresult($result);
 if (!$authorised)
 {
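Review bot: `while ($row = $db->sql_fetchrow($result) && !$authorised)` is mis-parsed: in PHP `&&` binds tighter than `=`, so `$row` receives the boolean result of `sql_fetchrow(...) && !$authorised` instead of the fetched row, and every `$row['post_id']`, `$row['forum_id']`, `$row['user_id_1']`/`['user_id_2']` lookup in the loop body reads an index on a boolean. The authorisation loop therefore never evaluates real row data, and the comparison `$user->data['user_id'] == $row['user_id_2']` degrades to a loose comparison against an absent value, which is exactly the kind of check that should fail closed by construction rather than by accident. Separately, collapsing the nested test into `if ($row['post_id'] && $auth->acl_get(...))` sends a post attachment whose forum denies `f_download` into the `else` branch, where the PM-attachment `user_id_1`/`user_id_2` check can still authorise it; the removed code never allowed that path for post rows (whether those columns are populated for post attachments is not visible here). Parenthesise the assignment and keep the two cases separate, as below; `$db->sql_freeresult($result)` and the `!$authorised` check that follow stay as they are.
```php
while (!$authorised && ($row = $db->sql_fetchrow($result)))
{
	if ($row['post_id'])
	{
		// Post attachment: only the forum's download permission decides
		if ($auth->acl_get('f_download', $row['forum_id']))
		{
			$authorised = TRUE;
		}
	}
	else if (intval($config['allow_pm_attach']) && ($user->data['user_id'] == $row['user_id_2'] || $user->data['user_id'] == $row['user_id_1']))
	{
		// Private-message attachment: sender or recipient only
		$authorised = TRUE;
	}
}
// … unchanged: $db->sql_freeresult($result); and the !$authorised check …
```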
@@ -353,16 +274,16 @@ if (!$thumbnail)
 // Determine the 'presenting'-method
 if ($download_mode == PHYSICAL_LINK)
 {
- if (intval($config['use_ftp_upload']) && $config['upload_dir'] == '')
+ if ($config['use_ftp_upload'] && $config['upload_dir'] == '')
 {
- trigger_error('Physical Download not possible with the current Attachment Setting');
+ trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
 }
 redirect($config['upload_dir'] . '/' . $attachment['physical_filename']);
 }
 else
 {
- if (intval($config['use_ftp_upload']))
+ if ($config['use_ftp_upload'])
 {
 // We do not need a download path, we are not downloading physically
 send_file_to_browser($attachment['real_filename'], $attachment['mimetype'], $attachment['physical_filename'] , '', $attachment['attach_id']); |
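Review bot: The new `trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE'])` resolves the language entry at the call site, while the earlier hunk in this same commit writes `trigger_error('NO_ATTACHMENT_SELECTED')` with the bare key; only one of the two forms can match how the error handler looks messages up, and this page does not show which. Pick one convention and use it in both places, e.g. `trigger_error('PHYSICAL_DOWNLOAD_NOT_POSSIBLE');` if the handler translates keys itself, so a missing or renamed language entry fails the same way everywhere. The `if ($download_mode == PHYSICAL_LINK)` / `else` structure continues past the end of this hunk.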