From e070341675c155969b1b45a995a0876d00cd3078 Mon Sep 17 00:00:00 2001
From: Roman Kelesidis
Date: Wed, 30 Jul 2025 19:28:37 +0300
Subject: [PATCH] feat(view_torrent.php): Added checking auth to download
---
 library/ajax/view_torrent.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/library/ajax/view_torrent.php b/library/ajax/view_torrent.php
index 942a32b11..c10fd0f45 100644
--- a/library/ajax/view_torrent.php
+++ b/library/ajax/view_torrent.php
@@ -11,18 +11,30 @@ if (!defined('IN_AJAX')) {
 die(basename(__FILE__));
 }
-global $lang;
+global $lang, $userdata;
 if (!isset($this->request['attach_id'])) {
 $this->ajax_die($lang['EMPTY_ATTACH_ID']);
 }
 $attach_id = (int)$this->request['attach_id'];
-$torrent = DB()->fetch_row("SELECT attach_id, physical_filename FROM " . BB_ATTACHMENTS_DESC . " WHERE attach_id = $attach_id LIMIT 1");
+$torrent = DB()->fetch_row("
+ SELECT
+ ad.attach_id, ad.physical_filename,
+ tor.forum_id
+ FROM " . BB_ATTACHMENTS_DESC . " ad
+ INNER JOIN " . BB_BT_TORRENTS . " tor ON (ad.attach_id = tor.attach_id)
+ WHERE ad.attach_id = $attach_id LIMIT 1");
 if (!$torrent) {
 $this->ajax_die($lang['ERROR_BUILD']);
 }
+// Check rights
+$is_auth = auth(AUTH_ALL, $torrent['forum_id'], $userdata);
+if (!$is_auth['auth_download']) {
+ $this->ajax_die($lang['SORRY_AUTH_VIEW_ATTACH']);
+}
+
 $file_contents = null;
 $filename = get_attachments_dir() . '/' . $torrent['physical_filename'];
 if (!is_file($filename) || !$file_contents = file_get_contents($filename)) {
@@ -37,7 +49,6 @@ try {
 }
 $torrent = new TorrentPier\Legacy\TorrentFileList($tor);
-
 $tor_filelist = $torrent->get_filelist();
 $this->response['html'] = $tor_filelist;
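Review bot: The new permission check in the first hunk answers with `SORRY_AUTH_VIEW_ATTACH` while a missing row answers with `ERROR_BUILD`, so a caller without download rights can still tell which `attach_id` values exist in forums they cannot access. If that distinction is considered sensitive on this board, return the same message from both branches, for example `$this->ajax_die($lang['ERROR_BUILD']);` inside the `auth_download` check. The `INNER JOIN` on `BB_BT_TORRENTS` also sends any attachment without a torrent row into the not-found branch; that looks intended because `forum_id` is needed for `auth()`, but it deserves a fuller comment than `// Check rights`, such as `// forum_id comes from the torrent row; attachments without one are rejected above`. The interpolated `$attach_id` in the rewritten query is safe only because of the `(int)` cast on the context line just above it, so that cast should stay adjacent to the query.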