[feature/attach-dl] Moved PM authentication handling into own function

PHPBB3-11042
2025-02-24 12:03:21 +01:00 · 2012-08-14 12:47:10 +01:00 · 2012-08-14 12:47:10 +01:00 · b96c72c156
commit b96c72c156
parent b05f36b197
2 changed files with 56 additions and 28 deletions
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@ -236,34 +236,7 @@ else if ($download_id)
 		{
 			// Attachment is in a private message.
 			$row['forum_id'] = false;
-			if (!$auth->acl_get('u_pm_download'))
-			{
-				send_status_line(403, 'Forbidden');
-				trigger_error('SORRY_AUTH_VIEW_ATTACH');
-			}
-
-			// Check if the attachment is within the users scope...
-			$sql = 'SELECT user_id, author_id
-				FROM ' . PRIVMSGS_TO_TABLE . '
-				WHERE msg_id = ' . $attachment['post_msg_id'];
-			$result = $db->sql_query($sql);
-
-			$allowed = false;
-			while ($user_row = $db->sql_fetchrow($result))
-			{
-				if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
-				{
-					$allowed = true;
-					break;
-				}
-			}
-			$db->sql_freeresult($result);
-
-			if (!$allowed)
-			{
-				send_status_line(403, 'Forbidden');
-				trigger_error('ERROR_NO_ATTACHMENT');
-			}
+			phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
 		}

 		$extensions = array();
@ -331,6 +304,10 @@ else
 	{
 		phpbb_download_check_forum_auth($db, $auth, $attachment['topic_id']);
 	}
+	else
+	{
+		phpbb_download_handle_pm_auth($db, $auth, $user->data['user_id'], $attachment['post_msg_id']);
+	}

 	if (!class_exists('compress'))
 	{
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@ -648,6 +648,57 @@ function phpbb_download_check_forum_auth($db, $auth, $topic_id)
 	}
 }

+/**
+* Handles authentication when downloading attachments from PMs
+*
+* @param dbal $db The database object
+* @param phpbb_auth $auth The authentication object
+* @param int $user_id The user id
+* @param int $msg_id The id of the PM that we are downloading from
+*
+* @return null
+*/
+function phpbb_download_handle_pm_auth($db, $auth, $user_id, $msg_id)
+{
+	if (!$auth->acl_get('u_pm_download'))
+	{
+		send_status_line(403, 'Forbidden');
+		trigger_error('SORRY_AUTH_VIEW_ATTACH');
+	}
+
+	$allowed = phpbb_download_check_pm_auth($db, $user_id, $msg_id);
+
+	if (!$allowed)
+	{
+		send_status_line(403, 'Forbidden');
+		trigger_error('ERROR_NO_ATTACHMENT');
+	}
+}
+
+/**
+* Checks whether a user can download from a particular PM
+*
+* @param dbal $db The database object
+* @param int $user_id The user id
+* @param int $msg_id The id of the PM that we are downloading from
+*
+* @return bool Whether the user is allowed to download from that PM or not
+*/
+function phpbb_download_check_pm_auth($db, $user_id, $msg_id)
+{
+	// Check if the attachment is within the users scope...
+	$sql = 'SELECT user_id, author_id
+		FROM ' . PRIVMSGS_TO_TABLE . '
+		WHERE msg_id = ' . $msg_id . "
+			AND user_id = $user_id
+			OR author_id = $user_id";
+	$result = $db->sql_query_limit($sql, 1);
+	$allowed = $db->sql_fetchrow($result);
+	$db->sql_freeresult($result);
+
+	return $allowed;
+}
+
 /**
 * Cleans a filename of any characters that could potentially cause a problem on
 * a user's filesystem.