diff options
Diffstat (limited to 'phpBB')
| -rw-r--r-- | phpBB/download/file.php | 6 | ||||
| -rw-r--r-- | phpBB/includes/functions_download.php | 18 |
2 files changed, 16 insertions, 8 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php index 7d39ee4821..155e77501f 100644 --- a/phpBB/download/file.php +++ b/phpBB/download/file.php @@ -163,17 +163,17 @@ if (!$config['allow_attachments'] && !$config['allow_pm_attach']) if ($download_id) { // Attachment id (only 1 attachment) - $sql_where = "attach_id = $download_id"; + $sql_where = 'attach_id = ' . $download_id; } else if ($post_msg_id) { // Post id or private message id (multiple attachments) - $sql_where = "post_msg_id = $post_msg_id AND is_orphan = 0"; + $sql_where = 'is_orphan = 0 AND post_msg_id = ' . $post_msg_id; } else if ($topic_id) { // Topic id (multiple attachments) - $sql_where = "topic_id = $topic_id AND is_orphan = 0"; + $sql_where = 'is_orphan = 0 AND topic_id = ' . $topic_id; } else { diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php index e7a1d2bff5..e17fe9de61 100644 --- a/phpBB/includes/functions_download.php +++ b/phpBB/includes/functions_download.php @@ -625,15 +625,23 @@ function phpbb_increment_downloads($db, $ids) */ function phpbb_download_handle_forum_auth($db, $auth, $topic_id) { - $sql = 'SELECT t.forum_id, f.forum_name, f.forum_password, f.parent_id - FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f - WHERE t.topic_id = " . (int) $topic_id . " - AND t.forum_id = f.forum_id"; + $sql_array = array( + 'SELECT' => 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id', + 'FROM' => array( + TOPICS_TABLE => 't', + FORUMS_TABLE => 'f', + ), + 'WHERE' => 't.topic_id = ' . (int) $topic_id . ' + AND t.forum_id = f.forum_id', + ); + + $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); - if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id'])) + if ($row && ($row['topic_visibility'] == ITEM_APPROVED || $auth->acl_get('m_approve', $row['forum_id'])) + && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id'])) { if ($row && $row['forum_password']) { |