mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-05-06 07:35:29 +02:00
Code Issues Releases Wiki Activity

[feature/attach-dl] Moved PM authentication handling into own function

Browse Source 
PHPBB3-11042
This commit is contained in:
Fyorl 2012-08-14 12:47:10 +01:00
parent b05f36b197
commit b96c72c156
2 changed files with 56 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
phpBB/download/file.php
View File

@ -236,34 +236,7 @@ else if ($download_id)
{ {
// Attachment is in a private message. // Attachment is in a private message.
$row['forum_id'] = false; $row['forum_id'] = false;
if (!$auth->acl_get('u_pm_download')) phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
{
send_status_line(403, 'Forbidden');
trigger_error('SORRY_AUTH_VIEW_ATTACH');
}
// Check if the attachment is within the users scope...
$sql = 'SELECT user_id, author_id
FROM ' . PRIVMSGS_TO_TABLE . '
WHERE msg_id = ' . $attachment['post_msg_id'];
$result = $db->sql_query($sql);
$allowed = false;
while ($user_row = $db->sql_fetchrow($result))
{
if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
{
$allowed = true;
break;
}
}
$db->sql_freeresult($result);
if (!$allowed)
{
send_status_line(403, 'Forbidden');
trigger_error('ERROR_NO_ATTACHMENT');
}
} }
$extensions = array(); $extensions = array();
@ -331,6 +304,10 @@ else
{ {
phpbb_download_check_forum_auth($db, $auth, $attachment['topic_id']); phpbb_download_check_forum_auth($db, $auth, $attachment['topic_id']);
} }
else
{
phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
}
if (!class_exists('compress')) if (!class_exists('compress'))
{ {

51
phpBB/includes/functions_download.php
View File

@ -648,6 +648,57 @@ function phpbb_download_check_forum_auth($db, $auth, $topic_id)
} }
} }
/**
* Handles authentication when downloading attachments from PMs
*
* @param dbal $db The database object
* @param phpbb_auth $auth The authentication object
* @param int $user_id The user id
* @param int $msg_id The id of the PM that we are downloading from
*
* @return null
*/
function phpbb_download_handle_pm_auth($db, $auth, $user_id, $msg_id)
{
if (!$auth->acl_get('u_pm_download'))
{
send_status_line(403, 'Forbidden');
trigger_error('SORRY_AUTH_VIEW_ATTACH');
}
$allowed = phpbb_download_check_pm_auth($db, $user_id, $msg_id);
if (!$allowed)
{
send_status_line(403, 'Forbidden');
trigger_error('ERROR_NO_ATTACHMENT');
}
}
/**
* Checks whether a user can download from a particular PM
*
* @param dbal $db The database object
* @param int $user_id The user id
* @param int $msg_id The id of the PM that we are downloading from
*
* @return bool Whether the user is allowed to download from that PM or not
*/
function phpbb_download_check_pm_auth($db, $user_id, $msg_id)
{
// Check if the attachment is within the users scope...
$sql = 'SELECT user_id, author_id
FROM ' . PRIVMSGS_TO_TABLE . '
WHERE msg_id = ' . $msg_id . "
AND user_id = $user_id
OR author_id = $user_id";
$result = $db->sql_query_limit($sql, 1);
$allowed = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
return $allowed;
}
/** /**
* Cleans a filename of any characters that could potentially cause a problem on * Cleans a filename of any characters that could potentially cause a problem on
* a user's filesystem. * a user's filesystem.