aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/download
diff options
context:
space:
mode:
authorMeik Sievertsen <acydburn@phpbb.com>2008-03-21 10:47:48 +0000
committerMeik Sievertsen <acydburn@phpbb.com>2008-03-21 10:47:48 +0000
commit9a236a55d3e4802a017ee7ccd3456dba55a62e75 (patch)
tree011ed752ee27fad523abe6b4145a56cddaad9fd2 /phpBB/download
parent22deceec853f71099e9ebcc137268584599c55e0 (diff)
downloadforums-9a236a55d3e4802a017ee7ccd3456dba55a62e75.tar
forums-9a236a55d3e4802a017ee7ccd3456dba55a62e75.tar.gz
forums-9a236a55d3e4802a017ee7ccd3456dba55a62e75.tar.bz2
forums-9a236a55d3e4802a017ee7ccd3456dba55a62e75.tar.xz
forums-9a236a55d3e4802a017ee7ccd3456dba55a62e75.zip
#s23535
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8454 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/download')
-rw-r--r--phpBB/download/file.php25
1 files changed, 25 insertions, 0 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 503c57ee26..0be562aadf 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -208,8 +208,32 @@ else
$row['forum_id'] = false;
if (!$auth->acl_get('u_pm_download'))
{
+ header('HTTP/1.0 403 forbidden');
trigger_error('SORRY_AUTH_VIEW_ATTACH');
}
+
+ // Check if the attachment is within the users scope...
+ $sql = 'SELECT user_id, author_id
+ FROM ' . PRIVMSGS_TO_TABLE . '
+ WHERE msg_id = ' . $attachment['post_msg_id'];
+ $result = $db->sql_query($sql);
+
+ $allowed = false;
+ while ($user_row = $db->sql_fetchrow($result))
+ {
+ if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
+ {
+ $allowed = true;
+ break;
+ }
+ }
+ $db->sql_freeresult($result);
+
+ if (!$allowed)
+ {
+ header('HTTP/1.0 403 forbidden');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
}
// disallowed?
@@ -222,6 +246,7 @@ else
if (!download_allowed())
{
+ header('HTTP/1.0 403 forbidden');
trigger_error($user->lang['LINKAGE_FORBIDDEN']);
}