diff options
| author | Joas Schilling <nickvergessen@gmx.de> | 2014-02-08 13:53:23 +0100 |
|---|---|---|
| committer | Joas Schilling <nickvergessen@gmx.de> | 2014-02-10 12:36:01 +0100 |
| commit | 8744b0da6d050275f9f2da8f12068238fd44da3c (patch) | |
| tree | 1b2e31576e8ce5740581f5cebf05a4cf7b12e842 /phpBB/includes/functions_download.php | |
| parent | 344baf91809bbfd5a224191e13472b94f77b421c (diff) | |
| download | forums-8744b0da6d050275f9f2da8f12068238fd44da3c.tar forums-8744b0da6d050275f9f2da8f12068238fd44da3c.tar.gz forums-8744b0da6d050275f9f2da8f12068238fd44da3c.tar.bz2 forums-8744b0da6d050275f9f2da8f12068238fd44da3c.tar.xz forums-8744b0da6d050275f9f2da8f12068238fd44da3c.zip | |
[ticket/12171] Check topic visibility before allowing to download attachments
PHPBB3-12171
Diffstat (limited to 'phpBB/includes/functions_download.php')
| -rw-r--r-- | phpBB/includes/functions_download.php | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php index e7a1d2bff5..e17fe9de61 100644 --- a/phpBB/includes/functions_download.php +++ b/phpBB/includes/functions_download.php @@ -625,15 +625,23 @@ function phpbb_increment_downloads($db, $ids) */ function phpbb_download_handle_forum_auth($db, $auth, $topic_id) { - $sql = 'SELECT t.forum_id, f.forum_name, f.forum_password, f.parent_id - FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f - WHERE t.topic_id = " . (int) $topic_id . " - AND t.forum_id = f.forum_id"; + $sql_array = array( + 'SELECT' => 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id', + 'FROM' => array( + TOPICS_TABLE => 't', + FORUMS_TABLE => 'f', + ), + 'WHERE' => 't.topic_id = ' . (int) $topic_id . ' + AND t.forum_id = f.forum_id', + ); + + $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); - if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id'])) + if ($row && ($row['topic_visibility'] == ITEM_APPROVED || $auth->acl_get('m_approve', $row['forum_id'])) + && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id'])) { if ($row && $row['forum_password']) { |