author | Meik Sievertsen <acydburn@phpbb.com> | 2008-03-21 10:47:48 +0000 |
---|---|---|
committer | Meik Sievertsen <acydburn@phpbb.com> | 2008-03-21 10:47:48 +0000 |
commit | 9a236a55d3e4802a017ee7ccd3456dba55a62e75 (patch) | |
tree | 011ed752ee27fad523abe6b4145a56cddaad9fd2 /phpBB/download | |
parent | 22deceec853f71099e9ebcc137268584599c55e0 (diff) | |
#s23535
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8454 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/download')
-rw-r--r-- | phpBB/download/file.php | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 503c57ee26..0be562aadf 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -208,8 +208,32 @@ else
 $row['forum_id'] = false;
 if (!$auth->acl_get('u_pm_download'))
 {
+ header('HTTP/1.0 403 forbidden');
 trigger_error('SORRY_AUTH_VIEW_ATTACH');
 }
+
+ // Check if the attachment is within the users scope...
+ $sql = 'SELECT user_id, author_id
+ FROM ' . PRIVMSGS_TO_TABLE . '
+ WHERE msg_id = ' . $attachment['post_msg_id'];
+ $result = $db->sql_query($sql);
+
+ $allowed = false;
+ while ($user_row = $db->sql_fetchrow($result))
+ {
+ if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
+ {
+ $allowed = true;
+ break;
+ }
+ }
+ $db->sql_freeresult($result);
+
+ if (!$allowed)
+ {
+ header('HTTP/1.0 403 forbidden');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
 }
 
 // disallowed?
@@ -222,6 +246,7 @@ else
 
 if (!download_allowed())
 {
+ header('HTTP/1.0 403 forbidden');
 trigger_error($user->lang['LINKAGE_FORBIDDEN']);
 }
 
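Review bot: The new scope query in the first hunk concatenates `$attachment['post_msg_id']` into `WHERE msg_id = ` without the `(int)` cast phpBB usually applies to integer columns; `WHERE msg_id = ' . (int) $attachment['post_msg_id']` is a free defence-in-depth even though the value presumably comes straight from the attachments row. The membership test could also move into the query itself — `AND (user_id = ' . (int) $user->data['user_id'] . ' OR author_id = ' . (int) $user->data['user_id'] . ')'` — so that only the existence of one row has to be checked instead of fetching every recipient of the message and comparing with loose `==`. The status line `'HTTP/1.0 403 forbidden'` is repeated three times across the two hunks with a lowercase reason phrase and the protocol pinned to 1.0 regardless of the request; a single small helper or constant would keep the three in step. The enclosing `else` branch opens before the first hunk.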