Permission Changes

Arantor:
*shrug*

OK, so let me provide a little bit of insight into how much effort this is really going to take.

1. You need to unprotect the queries in Display.php, Download() that actually deal with checking the attachment can be served. This is by far the easy bit, so much so that I can document it here real quick. BEFORE YOU APPLY THIS CHANGE READ THE REST OF THE POST.


--- Code: ---
if (isset($_REQUEST['type']) && $_REQUEST['type'] == 'avatar')
{
	$request = db_query("
		SELECT filename, ID_ATTACH, attachmentType, file_hash
		FROM {$db_prefix}attachments
		WHERE ID_ATTACH = $_REQUEST[attach]
			AND ID_MEMBER > 0
		LIMIT 1", __FILE__, __LINE__);
	$_REQUEST['image'] = true;
}
// This is just a regular attachment...
else
{
	// This checks only the current board for $board/$topic's permissions.
	isAllowedTo('view_attachments');

	// Make sure this attachment is on this board.
	// NOTE: We must verify that $topic is the attachment's topic, or else the permission check above is broken.
	$request = db_query("
		SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.file_hash
		FROM ({$db_prefix}boards AS b, {$db_prefix}messages AS m, {$db_prefix}attachments AS a)
		WHERE b.ID_BOARD = m.ID_BOARD
			AND $user_info[query_see_board]
			AND m.ID_MSG = a.ID_MSG
			AND m.ID_TOPIC = $topic
			AND a.ID_ATTACH = $_REQUEST[attach]
		LIMIT 1", __FILE__, __LINE__);
}
if (mysql_num_rows($request) == 0)
	fatal_lang_error(1, false);
list ($real_filename, $ID_ATTACH, $attachmentType, $file_hash) = mysql_fetch_row($request);
mysql_free_result($request);
--- End code ---


--- Code: ---
if (isset($_REQUEST['type']) && $_REQUEST['type'] == 'avatar')
{
	$request = db_query("
		SELECT filename, ID_ATTACH, attachmentType, file_hash, 1 AS id_owner
		FROM {$db_prefix}attachments
		WHERE ID_ATTACH = $_REQUEST[attach]
			AND ID_MEMBER > 0
		LIMIT 1", __FILE__, __LINE__);
	$_REQUEST['image'] = true;
}
// This is just a regular attachment...
else
{
	// Make sure this attachment is on this board.
	// NOTE: We must verify that $topic is the attachment's topic, or else the permission check above is broken.
	$request = db_query("
		SELECT a.filename, a.ID_ATTACH, a.attachmentType, a.file_hash, m.ID_MEMBER AS id_owner
		FROM ({$db_prefix}boards AS b, {$db_prefix}messages AS m, {$db_prefix}attachments AS a)
		WHERE b.ID_BOARD = m.ID_BOARD
			AND $user_info[query_see_board]
			AND m.ID_MSG = a.ID_MSG
			AND m.ID_TOPIC = $topic
			AND a.ID_ATTACH = $_REQUEST[attach]
		LIMIT 1", __FILE__, __LINE__);
}
if (mysql_num_rows($request) == 0)
	fatal_lang_error(1, false);
list ($real_filename, $ID_ATTACH, $attachmentType, $file_hash, $id_owner) = mysql_fetch_row($request);
mysql_free_result($request);

// Apply permission checks. If it's not an avatar, it needs to apply against current $board/$topic permissions - validated above
if ((!isset($_REQUEST['type']) || $_REQUEST['type'] != 'avatar') && ($id_owner != $user_info['id']))
	isAllowedTo('view_attachments');
--- End code ---

But that's the *easy* part.

The real problem is that attachments aren't even shown to people who don't have permission (unless you have done something weird in that respect, in which case all bets are off).

The way it's done is to test whether the user can see attachments at all, and if not, do nothing. You'd have to figure out which messages are owned by the current user (information not available at the time of processing attachments), then only fetch the appropriate ones. That's going to be an extra database query and potentially an extra query every single time you view any page of any thread - it's not a trivial change to make.

I suppose you could, in theory, overload that information into the message getting query, but speaking from experience, this is not a trade-off you should be making lightly; it has all sorts of performance concerns. We made that change in Wedge to get the posters that early in the process, but there were multiple other reasons; doing it for just this is a fairly poor reason in practical terms.

Colin:
I would consider installing this modification initially http://custom.simplemachines.org/mods/index.php?mod=406

Arantor:
With that, all you end up with is everyone seeing attachments and the download handler with the above. You don't get to be selective about who can see what.

Liam_michael:
I have altered the code currently where everyone can see the attachment.

In terms of that mod URL posted, that's not really what I'm looking for. I just want the member who made the attachment to have the right to download his/her attachment even if their member-group permission specifically states you can't.

Arantor:
So if everyone can see the attachments and you don't give two hoots that people can see attachments they can't download, the change I posted should allow users who are the poster, or anyone who has permission to view attachments, to be able to download.
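
The download rule the thread arrives at (the poster, or anyone with view_attachments, may download), as an added example that is not part of any post and is not SMF code. It isolates the decision in a hypothetical function `can_download()` and runs it over constructed cases, including the guest case. It assumes guests have member id 0 and that guest posts are stored with ID_MEMBER = 0, in which case an owner comparison needs an explicit logged-in guard.

```php
<?php
// Added example, not SMF code and not from the thread (needs PHP 7+).
// Assumption: guests have member id 0 and guest posts are stored with ID_MEMBER = 0.

// $idOwner stands for the "m.ID_MEMBER AS id_owner" column of the modified query;
// $viewer is a constructed stand-in for the current user, not SMF's $user_info.
function can_download(bool $isAvatar, int $idOwner, array $viewer): bool
{
	// Avatars are served without the board-level permission check.
	if ($isAvatar)
		return true;

	// Owner exception applies to logged-in members only. Without the id > 0
	// guard, a guest (0) would match the owner of every guest post (also 0).
	$isOwner = $viewer['id'] > 0 && $idOwner === $viewer['id'];

	return $isOwner || $viewer['can_view_attachments'];
}

// Constructed cases: label, isAvatar, id_owner, viewer, expected result.
$member = array('id' => 42, 'can_view_attachments' => false);
$reader = array('id' => 7, 'can_view_attachments' => true);
$guest = array('id' => 0, 'can_view_attachments' => false);
$cases = array(
	array('poster without the permission', false, 42, $member, true),
	array('other member without the permission', false, 99, $member, false),
	array('member with view_attachments', false, 42, $reader, true),
	array('guest requesting a guest post', false, 0, $guest, false),
	array('avatar, no permission needed', true, 1, $guest, true),
);

$failures = 0;
foreach ($cases as list($label, $isAvatar, $idOwner, $viewer, $expected))
{
	$actual = can_download($isAvatar, $idOwner, $viewer);
	$failures += ($actual === $expected) ? 0 : 1;
	printf("%-38s %s\n", $label, $actual ? 'serve' : 'deny');
}
exit($failures === 0 ? 0 : 1);
```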
