From f657ee51f89fcc0561155069c00957c46f31d96c Mon Sep 17 00:00:00 2001
From: Jakub Senko <jakubsenko@gmail.com>
Date: Fri, 28 Sep 2018 12:55:45 +0200
Subject: [ticket/15593] Do not allow print view with direct URL

PHPBB3-15593
---
 phpBB/includes/ucp/ucp_pm.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'phpBB/includes')

diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index d145d66f59..fa374c15c8 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -170,6 +170,12 @@ class ucp_pm
 					trigger_error('NO_AUTH_READ_MESSAGE');
 				}
 
+				if ($view == 'print' && (!$config['print_pm'] || !$auth->acl_get('u_pm_printpm')))
+				{
+					send_status_line(403, 'Forbidden');
+					trigger_error('NO_AUTH_PRINT_MESSAGE');
+				}
+
 				// Do not allow hold messages to be seen
 				if ($folder_id == PRIVMSGS_HOLD_BOX)
 				{
-- 
cgit v1.2.1