Changeset 842 in ExiteCMS
- Timestamp:
- 09/27/07 19:28:36 (4 years ago)
- File:
-
- 1 edited
-
trunk/getfile.php (modified) (4 diffs)
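--- a/trunk/getfile.php
+++ b/trunk/getfile.php
@@ -312,4 +312,10 @@
 }
 
+// check if authentication is valid. If not, reset it
+if (isset($_SERVER['PHP_AUTH_USER'])) {
+	$result = auth_validate_BasicAuthentication();
+	if ($result != 0) unset($_SERVER['PHP_AUTH_USER']);
+}
+
 // process the requested file type
 switch (strtolower($type)) {
@@ -326,5 +332,9 @@
 			die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>Invalid file ID.</b></div>");
 		}
-		// if logged in, check if the user has access to this file. if not, redirect back to the homepage
+		$forum = dbarray(dbquery("SELECT * FROM ".$db_prefix."forums WHERE forum_id = '".$post['forum_id']."'"));
+		if (!is_array($forum)) {
+			die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>Invalid file ID.</b></div>");
+		}
+		// if logged in, check if the user has access to this file. if not, print an error and give up
 		if (iMEMBER && !getfilegroup($forum['forum_access'], $userdata['user_level'])) {
 			die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>You don't have access to the requested file ID.</b></div>");
@@ -332,18 +342,6 @@
 		// if not logged in, and authorisation required, check if userid and password is given and valid
 		if (!iMEMBER && $forum['forum_access'] != 0) {
-			// Not public, userid is required. Check if the URL specifies a username and password
-			// in the URL. check it against the user database
-			if (isset($_GET['user']) && isset($_GET['pass'])) {
-				$user_pass = md5($_GET['pass']);
-				$user_name = preg_replace(array("/\=/","/\#/","/\sOR\s/"), "", stripinput($_GET['user']));
-				$result = dbquery("SELECT * FROM ".$db_prefix."users WHERE user_name='$user_name' AND user_password='$user_pass'");
-				if (dbrows($result) != 0) {
-					$userdata = dbarray($result);
-				} else {
-					die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>Authentication failed.<br />You don't have access to the requested file ID.</b></div>");
-				}
-			} else {
-				die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>Authentication required.<br />You don't have access to the requested file ID.</b></div>");
-			}
+			// Not public, authentication is required
+			auth_BasicAuthentication();
 		}
 		// everything ok, update the attachment download counter
@@ -363,18 +361,6 @@
 		// if not logged in, check if userid and password is given and valid (authorisation is required!)
 		if (!iMEMBER) {
-			// Not public, userid is required. Check if the URL specifies a username and password
-			// in the URL. check it against the user database
-			if (isset($_GET['user']) && isset($_GET['pass'])) {
-				$user_pass = md5($_GET['pass']);
-				$user_name = preg_replace(array("/\=/","/\#/","/\sOR\s/"), "", stripinput($_GET['user']));
-				$result = dbquery("SELECT * FROM ".$db_prefix."users WHERE user_name='$user_name' AND user_password='$user_pass'");
-				if (dbrows($result) != 0) {
-					$userdata = dbarray($result);
-				} else {
-					die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>Authentication failed.<br />You don't have access to the requested file ID.</b></div>");
-				}
-			} else {
-				die("<div style='font-family:Verdana;font-size:11px;text-align:center;'><b>Authentication required.<br />You don't have access to the requested file ID.</b></div>");
-			}
+			// Not public, authentication is required
+			auth_BasicAuthentication();
 		}
 		// check if this attachment belongs to a post addressed to this user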
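Review bot: On the new side of the third hunk (old 332–349 / new 342–347), and likewise in the fourth, the non-member branch now only calls `auth_BasicAuthentication();` and then falls through to the download-counter update; nothing visible re-checks the authenticated user's level against `$forum['forum_access']` the way the `iMEMBER && !getfilegroup(...)` branch above does, so unless auth_BasicAuthentication() performs that check itself (its body is outside the hunk), any valid account would reach a restricted forum's attachment. Assuming that call populates `$userdata` as the removed code did, a one-line re-check after it, `if (!getfilegroup($forum['forum_access'], $userdata['user_level'])) die(...)` reusing the existing access-denied message, would make the intent explicit either way. In the second hunk, `$post['forum_id']` is spliced into the forums query as a bare string; casting it, `forum_id = '".(int)$post['forum_id']."'`, costs nothing and removes the reliance on that column always being a clean integer. The reset block added at new 314–318 clears only `PHP_AUTH_USER` on a failed validation; if the validator also reads `PHP_AUTH_PW`, unsetting both would avoid leaving a half-cleared pair for a later call.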
