some updates in regards to fetching authentication.

git-svn-id: file:///svn/phpbb/trunk@4055 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-08 15:35:11 +02:00 · 2003-05-25 13:07:19 +00:00 · 2003-05-25 13:07:19 +00:00 · 5ceeb10e99
commit 5ceeb10e99
parent f381c0d3ef
1 changed files with 18 additions and 97 deletions
--- a/phpBB/download.php
+++ b/phpBB/download.php
@ -31,91 +31,18 @@ $phpbb_root_path = './';
 include($phpbb_root_path . 'extension.inc');
 include($phpbb_root_path . 'common.'.$phpEx);
-//
+$download_id = (isset($_REQUEST['id'])) ? intval($_REQUEST['id']) : false;
 // Delete the / * to uncomment the block, and edit the values (read the comments) to
 // enable additional security to your board (preventing third site linkage)
 //
 /*
 define('ALLOWED_DENIED', 0);
 define('DENIED_ALLOWED', 1);
 //
 // From this line on you are able to edit the stuff
 //
 // Possible Values:
 // ALLOWED_DENIED <- First allow the listed sites, and then deny all others
 // DENIED_ALLOWED <- First deny the listed sites, and then allow all others
 $allow_deny_order = ALLOWED_DENIED;
 //
 // Allowed Syntax:
 // Full Domain Name -> www.phpbb.com
 // Partial Domain Names -> phpbb.com
 //
 $sites = array(
 	$config['server_name'], // This is your domain
 	'phpbb.com'
 );
 // This is the message displayed, if someone links to this site...
 $lang['Denied_Message'] = 'You are not authorized to view, download or link to this Site.';
 // End of editable area
 //
 // Parse the order and evaluate the array
 //
 $site = explode('?', $HTTP_SERVER_VARS['HTTP_REFERER']);
 $url = trim($site[0]);
 //$url = $HTTP_HOST;
 if ($url != '')
 {
 	$allowed = ($allow_deny_order == ALLOWED_DENIED) ? FALSE : TRUE;
 	for ($i = 0; $i < count($sites); $i++)
 	{
 		if (strstr($url, $sites[$i]))
 		{
 			$allowed = ($allow_deny_order == ALLOWED_DENIED) ? TRUE : FALSE;
 			break;
 		}
 	}
 }
 else
 {
 	$allowed = TRUE;
 }
 if ($allowed == FALSE)
 {
 	trigger_error($lang['Denied_Message']);
 }
 // Delete the following line, to uncomment this block
 */
 $download_id = (isset($_REQUEST['id'])) ? intval($_REQUEST['id']) : -1;
 $thumbnail = (isset($_REQUEST['thumb'])) ? intval($_REQUEST['thumb']) : false;
 function send_file_to_browser($real_filename, $mimetype, $physical_filename, $upload_dir, $attach_id)
 {
 	global $_SERVER, $HTTP_USER_AGENT, $HTTP_SERVER_VARS, $user, $db, $config;
-	if ($config['upload_dir'] == '')
+	$filename = ($config['upload_dir'] == '') ? $physical_filename : $config['upload_dir'] . '/' . $physical_filename;
 	{
 		$filename = $physical_filename;
 	}
 	else
 	{
 		$filename = $config['upload_dir'] . '/' . $physical_filename;
 	}
 	$gotit = FALSE;
-	if (!intval($config['use_ftp_upload']))
+	if (!$config['use_ftp_upload'])
 	{
 		if (@!file_exists($filename))
 		{
@ -257,10 +184,10 @@ function send_file_to_browser($real_filename, $mimetype, $physical_filename, $up
 // Start session management
 $user->start();
 $user->setup();
 $auth->acl($user->data);
 $user->setup();
-if ($download_id == -1)
+if (!$download_id)
 {
 	trigger_error('NO_ATTACHMENT_SELECTED');
 }
@ -272,7 +199,7 @@ if (!$config['allow_attachments'])
 $sql = 'SELECT *
 	FROM ' . ATTACHMENTS_DESC_TABLE . '
-	WHERE attach_id = ' . intval($download_id);
+	WHERE attach_id = ' . $download_id;
 $result = $db->sql_query($sql);
 if (!($attachment = $db->sql_fetchrow($result)))
@ -292,33 +219,27 @@ if ($row['forum_password'])
 $authorised = FALSE;
 // Additional query, because of more than one attachment assigned to posts and private messages
-$sql = "SELECT a.*, p.forum_id
+$sql = 'SELECT a.*, p.forum_id
-	FROM " . ATTACHMENTS_TABLE . " a, " . POSTS_TABLE . " p
+	FROM ' . ATTACHMENTS_TABLE . ' a, ' . POSTS_TABLE . ' p
-	WHERE a.attach_id = " . $attachment['attach_id'] . "
+	WHERE a.attach_id = ' . $attachment['attach_id'] . '
-		AND (a.post_id = p.post_id OR a.post_id = 0)";
+		AND (a.post_id = p.post_id OR a.post_id = 0)';
 $result = $db->sql_query($sql);
-$auth_pages = $db->sql_fetchrowset($result); // loop through rather than rowset if poss
+while ($row = $db->sql_fetchrow($result) && !$authorised)
 for ($i = 0; $i < count($auth_pages) && $authorised == FALSE; $i++)
 {
-	if (intval($auth_pages[$i]['post_id']) != 0)
+	if ($row['post_id'] && $auth->acl_get('f_download', $row['forum_id']))
 	{
 		$forum_id = $auth_pages[$i]['forum_id'];
 		if ($auth->acl_get('f_download', $forum_id))
 	{
 		$authorised = TRUE;
 	}
 	}
 	else
 	{
-		if ( (intval($config['allow_pm_attach'])) && ( ($user->data['user_id'] == $auth_pages[$i]['user_id_2']) || ($user->data['user_id'] == $auth_pages[$i]['user_id_1'])) )
+		if (intval($config['allow_pm_attach']) && ($user->data['user_id'] == $row['user_id_2'] || $user->data['user_id'] == $row['user_id_1']))
 		{
 			$authorised = TRUE;
 		}
 	}
 }
 $db->sql_freeresult($result);
 if (!$authorised)
 {
@ -353,16 +274,16 @@ if (!$thumbnail)
 // Determine the 'presenting'-method
 if ($download_mode == PHYSICAL_LINK)
 {
-	if (intval($config['use_ftp_upload']) && $config['upload_dir'] == '')
+	if ($config['use_ftp_upload'] && $config['upload_dir'] == '')
 	{
-		trigger_error('Physical Download not possible with the current Attachment Setting');
+		trigger_error($user->lang['PHYSICAL_DOWNLOAD_NOT_POSSIBLE']);
 	}
 	redirect($config['upload_dir'] . '/' . $attachment['physical_filename']);
 }
 else
 {
-	if (intval($config['use_ftp_upload']))
+	if ($config['use_ftp_upload'])
 	{
 		// We do not need a download path, we are not downloading physically
 		send_file_to_browser($attachment['real_filename'], $attachment['mimetype'], $attachment['physical_filename'] , '', $attachment['attach_id']);