authorFyorl <gaelreth@gmail.com>2012-08-14 12:47:10 +0100
committerFyorl <gaelreth@gmail.com>2012-08-14 12:47:10 +0100
commitb96c72c156b5fd207ef0b1d1b55df037df688976 (patch)
treeb99768ef93924ff432c30c162ea87b4bab46ff4f /phpBB/includes/functions_download.php
parentb05f36b19759eae3d6e60558355698d457df5b31 (diff)
[feature/attach-dl] Moved PM authentication handling into own function
PHPBB3-11042
Diffstat (limited to 'phpBB/includes/functions_download.php')
-rw-r--r--phpBB/includes/functions_download.php51
1 files changed, 51 insertions, 0 deletions
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index 14d39806b9..ac5e5ddd7e 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@@ -649,6 +649,57 @@ function phpbb_download_check_forum_auth($db, $auth, $topic_id)
}
/**
+* Handles authentication when downloading attachments from PMs
+*
+* @param dbal $db The database object
+* @param phpbb_auth $auth The authentication object
+* @param int $user_id The user id
+* @param int $msg_id The id of the PM that we are downloading from
+*
+* @return null
+*/
+function phpbb_download_handle_pm_auth($db, $auth, $user_id, $msg_id)
+{
+ if (!$auth->acl_get('u_pm_download'))
+ {
+ send_status_line(403, 'Forbidden');
+ trigger_error('SORRY_AUTH_VIEW_ATTACH');
+ }
+
+ $allowed = phpbb_download_check_pm_auth($db, $user_id, $msg_id);
+
+ if (!$allowed)
+ {
+ send_status_line(403, 'Forbidden');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
+}
+
+/**
+* Checks whether a user can download from a particular PM
+*
+* @param dbal $db The database object
+* @param int $user_id The user id
+* @param int $msg_id The id of the PM that we are downloading from
+*
+* @return bool Whether the user is allowed to download from that PM or not
+*/
+function phpbb_download_check_pm_auth($db, $user_id, $msg_id)
+{
+ // Check if the attachment is within the users scope...
+ $sql = 'SELECT user_id, author_id
+ FROM ' . PRIVMSGS_TO_TABLE . '
+ WHERE msg_id = ' . $msg_id . "
+ AND user_id = $user_id
+ OR author_id = $user_id";
+ $result = $db->sql_query_limit($sql, 1);
+ $allowed = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ return $allowed;
+}
+
+/**
* Cleans a filename of any characters that could potentially cause a problem on
* a user's filesystem.
*
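Review bot: The WHERE clause built in phpbb_download_check_pm_auth mixes AND and OR without parentheses, so SQL precedence parses it as `(msg_id = X AND user_id = U) OR author_id = U`; the second branch ignores `msg_id`, which means the ownership check returns a row for any PM id as long as the user has authored at least one PM, and phpbb_download_handle_pm_auth then treats that as permission. Group the ownership test and cast both ids, since they are interpolated straight into the query and their origin is not visible in this hunk: `WHERE msg_id = ' . (int) $msg_id . ' AND (user_id = ' . (int) $user_id . ' OR author_id = ' . (int) $user_id . ')';`. The docblock declares `@return bool` but the function returns the fetched row or `false`; `return (bool) $allowed;` would match the contract, or the docblock should say `array|false`.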