From f657ee51f89fcc0561155069c00957c46f31d96c Mon Sep 17 00:00:00 2001
From: Jakub Senko
Date: Fri, 28 Sep 2018 12:55:45 +0200
Subject: [ticket/15593] Do not allow print view with direct URL

PHPBB3-15593
---
 phpBB/includes/ucp/ucp_pm.php | 6 ++++++
 phpBB/language/en/ucp.php | 1 +
 phpBB/language/en/viewtopic.php | 1 +
 phpBB/viewtopic.php | 6 ++++++
 4 files changed, 14 insertions(+)

(limited to 'phpBB')

diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index d145d66f59..fa374c15c8 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -170,6 +170,12 @@ class ucp_pm
 trigger_error('NO_AUTH_READ_MESSAGE');
 }

+ if ($view == 'print' && (!$config['print_pm'] || !$auth->acl_get('u_pm_printpm')))
+ {
+ send_status_line(403, 'Forbidden');
+ trigger_error('NO_AUTH_PRINT_MESSAGE');
+ }
+
 // Do not allow hold messages to be seen
 if ($folder_id == PRIVMSGS_HOLD_BOX)
 {
diff --git a/phpBB/language/en/ucp.php b/phpBB/language/en/ucp.php
index 5056e23d24..64b624ff3f 100644
--- a/phpBB/language/en/ucp.php
+++ b/phpBB/language/en/ucp.php
@@ -377,6 +377,7 @@ $lang = array_merge($lang, array(
 'NO_AUTH_PROFILEINFO' => 'You are not authorised to change your profile information.',
 'NO_AUTH_READ_HOLD_MESSAGE' => 'You are not authorised to read private messages that are on hold.',
 'NO_AUTH_READ_MESSAGE' => 'You are not authorised to read private messages.',
+ 'NO_AUTH_PRINT_MESSAGE' => 'You are not authorised to print private messages.',
 'NO_AUTH_READ_REMOVED_MESSAGE' => 'You are not able to read this message because it was removed by the author.',
 'NO_AUTH_SEND_MESSAGE' => 'You are not authorised to send private messages.',
 'NO_AUTH_SIGNATURE' => 'You are not authorised to define a signature.',
diff --git a/phpBB/language/en/viewtopic.php b/phpBB/language/en/viewtopic.php
index 5890eecdb6..5d127acb3d 100644
--- a/phpBB/language/en/viewtopic.php
+++ b/phpBB/language/en/viewtopic.php
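Review bot: The guard added in the phpBB/includes/ucp/ucp_pm.php hunk carries no comment, although the check right after it is introduced by `// Do not allow hold messages to be seen`, and nothing at this spot records that it exists to refuse a print view requested by URL. I would add `// Refuse view=print requested directly when PM printing is disabled or the user lacks u_pm_printpm` above the `if`. The method starts and ends outside the hunk, so where `$view` is assigned is not visible; if it is always a string, `$view === 'print'` would state the intent more exactly than the loose comparison.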
@@ -88,6 +88,7 @@ $lang = array_merge($lang, array(
 'NO_UNREAD_POSTS' => 'There are no new unread posts for this topic.',
 'NO_VOTE_OPTION' => 'You must specify an option when voting.',
 'NO_VOTES' => 'No votes',
+ 'NO_AUTH_PRINT_TOPIC' => 'You are not authorised to print topics.',
 'POLL_ENDED_AT' => 'Poll ended at %s',
 'POLL_RUN_TILL' => 'Poll runs till %s',
diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php
index 79852330d9..ba30fa9c58 100644
--- a/phpBB/viewtopic.php
+++ b/phpBB/viewtopic.php
@@ -342,6 +342,12 @@ if (($topic_data['topic_type'] != POST_NORMAL) && $topic_data['topic_time_limit'
 // Setup look and feel
 $user->setup('viewtopic', $topic_data['forum_style']);

+if ($view == 'print' && !$auth->acl_get('f_print', $forum_id))
+{
+ send_status_line(403, 'Forbidden');
+ trigger_error('NO_AUTH_PRINT_TOPIC');
+}
+
 $overrides_f_read_check = false;
 $overrides_forum_password_check = false;
 $topic_tracking_info = isset($topic_tracking_info) ? $topic_tracking_info : null;
-- cgit v1.2.1
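Review bot: In the phpBB/viewtopic.php hunk the print check is placed above the `$overrides_f_read_check` / `$overrides_forum_password_check` lines, which look like the start of the read-permission and forum-password handling, so it appears to run before those checks. A user who may not read the forum and requests `view=print` would then be answered with NO_AUTH_PRINT_TOPIC and a 403 instead of going through the read-denied path (for a guest that is presumably a login prompt). Moving the block `if ($view == 'print' && !$auth->acl_get('f_print', $forum_id))` to just after the read and password checks would keep the more fundamental denial first. Those checks are outside the hunk, so the ordering should be confirmed against the full file.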