mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-05 06:07:32 +02:00
Code Issues Releases Wiki Activity

#310 - Forum: added some more checks to attachment downloading

Browse Source
This commit is contained in:
Moc
2014-08-04 12:24:24 +02:00
parent 7954491fa7
commit c7a901a97d
1 changed files with 24 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
e107_plugins/forum/forum_class.php
View File

@@ -209,18 +209,34 @@ class e107forum
return $baseDir; return $baseDir;
} }
function sendFile($data) function sendFile($data)
{ {
$sql = e107::getDb(); $sql = e107::getDb();
$id = intval($data['id']); // forum (post) id $post_id = intval($data['id']); // forum (post) id
$fid = intval($data['dl']); // file id $file_id = intval($data['dl']); // file id
$forum_id = $sql->retrieve('forum_post','post_forum','post_id='.$post_id);
$array = $sql->retrieve('forum_post','post_user,post_attachments','post_id='.$id); // Check if user is allowed to download this file (has 'view' permissions to forum)
if(!$this->checkPerm($forum_id, 'view'))
{
header('Location:'.e107::getUrl()->create('forum/forum/main')); // FIXME needs proper redirect and 403 header
exit;
}
$array = $sql->retrieve('forum_post','post_user,post_attachments','post_id='.$post_id);
$attach = e107::unserialize($array['post_attachments']); $attach = e107::unserialize($array['post_attachments']);
$file = $this->getAttachmentPath($array['post_user']).varset($attach['file'][$fid]); $file = $this->getAttachmentPath($array['post_user']).varset($attach['file'][$file_id]);
e107::getFile()->send($file); // Check if file exists. Send file for download if it does, return 404 error code when file does not exist.
if(file_exists($file))
{
e107::getFile()->send($file);
}
else
{
header('Location:'.e107::getUrl()->create('forum/forum/main', TRUE, 404)); // FIXME needs proper redirect and 404 header
exit;
}
} }