        }
    } else {
        //trigger_error('SORRY_AUTH_VIEW_ATTACH');
    }
} else {
    $row['forum_id'] = 0;
    if (!$_CLASS['auth']->acl_get('u_pm_download') || !$config['auth_download_pm']) {
        trigger_error('SORRY_AUTH_VIEW_ATTACH');
    }
}
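// disallowed ?
// Re-validate the extension against the forum's *current* allow-list: an
// extension may have been disabled after the attachment was posted.
// $row['forum_id'] is 0 for private-message attachments (set above).
// extension_allowed() is expected to fill $extensions with the per-extension
// settings that are consulted for download_mode below.
$extensions = array();
if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions)) {
    trigger_error(sprintf($_CLASS['core_user']->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
}
// LINKAGE_FORBIDDEN: presumably the hot-link / referrer check; the policy
// itself lives in download_allowed(), not visible here.
if (!download_allowed()) {
    trigger_error($_CLASS['core_user']->lang['LINKAGE_FORBIDDEN']);
}
$download_mode = (int) $extensions[$attachment['extension']]['download_mode'];

// Fetching filename here to prevent sniffing of filename: the physical file
// name is only loaded once every authorisation check above has passed, and
// $attachment is replaced by the full row from this point on.
// attach_id is an integer key, so the value is cast before interpolation —
// whatever sanitisation $download_id received upstream is outside this
// section, and an int cast is harmless if it was already an int.
$sql = 'SELECT attach_id, in_message, post_msg_id, extension, physical_filename, real_filename, mimetype
	FROM ' . FORUMS_ATTACHMENTS_TABLE . "\n\tWHERE attach_id = " . (int) $download_id;
$result = $_CLASS['core_db']->query_limit($sql, 1);
if (!($attachment = $_CLASS['core_db']->fetch_row_assoc($result))) {
    trigger_error('ERROR_NO_ATTACHMENT');
}
$_CLASS['core_db']->free_result($result);
// basename() strips any directory component from the stored name so a
// tampered physical_filename cannot point outside the attachment directory.
$attachment['physical_filename'] = basename($attachment['physical_filename']);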
if ($thumbnail) {
    $attachment['physical_filename'] = 'thumb_' . $attachment['physical_filename'];
} else {
 /**
  * Decide whether the current user may access the requested file.
  *
  * Checks, in order: revision-level authorisation for contribution
  * revisions, Composer-package restriction, orphaned-attachment ownership,
  * download_allowed(), and finally the team / author access levels.
  * The first failing check determines the result.
  *
  * NOTE(review): object_type / user_id comparisons are loose (==) as in the
  * original; values may arrive as strings from the DB — confirm before
  * tightening to ===.
  *
  * @return int One of self::OK, self::NOT_FOUND, self::FORBIDDEN.
  */
 protected function check_accessibility()
 {
     // Contribution revisions first pass the revision-level check
     // (TITANIA_CONTRIB_DOWNLOAD_DISABLED items unless team or author).
     if ($this->file['object_type'] == TITANIA_CONTRIB) {
         $revision_status = $this->check_revision_auth();
         if ($revision_status !== self::OK) {
             return $revision_status;
         }
     }

     // Only revisions can be downloaded as Composer packages; anything
     // else is reported as missing rather than forbidden.
     if ($this->type == 'composer' && $this->file['object_type'] != TITANIA_CONTRIB) {
         return self::NOT_FOUND;
     }

     // Orphaned attachments are hidden from everyone except the uploader
     // and users holding a_attach.
     $owned_by_current_user = ($this->user->data['user_id'] == $this->file['attachment_user_id']);
     if ($this->file['is_orphan'] && !$owned_by_current_user && !$this->auth->acl_get('a_attach')) {
         return self::NOT_FOUND;
     }

     if (!download_allowed()) {
         return self::FORBIDDEN;
     }

     // Access-level gate: a file whose attachment_access is below the
     // current user's level is restricted; team-level files are refused
     // outright, author-level files defer to check_author_level_access().
     $file_access = $this->file['attachment_access'];
     $below_user_level = ($file_access < $this->access->get_level());
     if ($below_user_level && $this->access->is_team($file_access)) {
         return self::FORBIDDEN;
     }
     if ($below_user_level && $this->access->is_author($file_access)) {
         return $this->check_author_level_access();
     }

     return self::OK;
 }