author | Joas Schilling <nickvergessen@gmx.de> | 2014-02-08 13:53:23 +0100 |
committer | Joas Schilling <nickvergessen@gmx.de> | 2014-02-10 12:36:01 +0100 |
commit | 8744b0da6d050275f9f2da8f12068238fd44da3c (patch) | |
tree | 1b2e31576e8ce5740581f5cebf05a4cf7b12e842 /phpBB | |
parent | 344baf91809bbfd5a224191e13472b94f77b421c (diff) | |
[ticket/12171] Check topic visibility before allowing to download attachments
PHPBB3-12171
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/download/file.php | 6 | ||||
-rw-r--r-- | phpBB/includes/functions_download.php | 18 |
2 files changed, 16 insertions, 8 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 7d39ee4821..155e77501f 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -163,17 +163,17 @@ if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
 if ($download_id)
 {
 // Attachment id (only 1 attachment)
- $sql_where = "attach_id = $download_id";
+ $sql_where = 'attach_id = ' . $download_id;
 }
 else if ($post_msg_id)
 {
 // Post id or private message id (multiple attachments)
- $sql_where = "post_msg_id = $post_msg_id AND is_orphan = 0";
+ $sql_where = 'is_orphan = 0 AND post_msg_id = ' . $post_msg_id;
 }
 else if ($topic_id)
 {
 // Topic id (multiple attachments)
- $sql_where = "topic_id = $topic_id AND is_orphan = 0";
+ $sql_where = 'is_orphan = 0 AND topic_id = ' . $topic_id;
 }
 else
 {
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index e7a1d2bff5..e17fe9de61 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
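Review bot: The rewritten `$sql_where` lines still concatenate `$download_id`, `$post_msg_id` and `$topic_id` into SQL without a cast at the point of use, whereas the companion hunk in functions_download.php writes `(int) $topic_id` inline. Their safety here depends on the request parsing above this hunk (not visible) having already forced the three values to int; casting locally, e.g. `$sql_where = 'attach_id = ' . (int) $download_id;` and the same for the other two branches, removes the dependence on distant code and matches the other hunk. The surrounding if/else chain continues past the end of the hunk.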
@@ -625,15 +625,23 @@ function phpbb_increment_downloads($db, $ids)
 */
 function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
 {
- $sql = 'SELECT t.forum_id, f.forum_name, f.forum_password, f.parent_id
- FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f
- WHERE t.topic_id = " . (int) $topic_id . "
- AND t.forum_id = f.forum_id";
+ $sql_array = array(
+ 'SELECT' => 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id',
+ 'FROM' => array(
+ TOPICS_TABLE => 't',
+ FORUMS_TABLE => 'f',
+ ),
+ 'WHERE' => 't.topic_id = ' . (int) $topic_id . '
+ AND t.forum_id = f.forum_id',
+ );
+
+ $sql = $db->sql_build_query('SELECT', $sql_array);
 $result = $db->sql_query($sql);
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);
 
- if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
+ if ($row && ($row['topic_visibility'] == ITEM_APPROVED || $auth->acl_get('m_approve', $row['forum_id']))
+ && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
 {
 if ($row && $row['forum_password'])
 {
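Review bot: The new guard consults only `t.topic_visibility`; the visibility of the individual post is not checked here, so if the download path by `post_msg_id` reaches this function with just the topic id, an attachment on an unapproved post inside an approved topic would still pass — worth confirming at the call site that post visibility is covered separately. With `$row` now tested in the outer condition, the inner `if ($row && $row['forum_password'])` can drop its `$row &&`. The loose `==` against `ITEM_APPROVED` presumably relies on the fetched column being a numeric string; `(int) $row['topic_visibility'] === ITEM_APPROVED` would state that intent explicitly. The function body continues below the hunk, and the branch taken when `$row` is false (topic not found) is not visible here.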