Downloads Mod - Permissions for Viewing

[Infinitum]

I submitted a bug to the tracker for the Downloads Mod as there seems to be a problem with the permission setting for "View".

However, I'm not sure if this is an actual bug or if I'm doing something wrong, so I'm posting here as well.

The bug report highlights the details of the problem: http://phpbb3.oxpus.net/downloads.php?v ... ion=detail

Basically, if I set the overall permissions for a set of categories to Usergroups, then set all permissions for Guests to "No" for those categories, Guests are still able to view the downloads within those categories.

In other words, the categories themselves are hidden from Guests, which is expected - but downloads in those categories can be viewed by Guests by one of the following methods:

• Entering the exact URL for the download (not likely, but it's possible)
• Viewing Statistics (downloads in restricted categories are still shown here)
• Searching all categories (downloads in restricted categories may be listed in search results)

NOTE: the other permissions (Download, Upload, Moderate, etc) ARE enforced correctly. It's just the "View" permission that isn't.

Normally this wouldn't be a problem, but I'm using this mod as a way for developers to share files that need to be hidden from regular users/guests in every way.

So is it a bug, or am I doing something wrong? Either way, I hope this makes sense - thanks

[oxpus]

Can you please post a screenshot with the permissions you've entered?

[Infinitum]

Of course, there's one in my bug report. Here it is:

http://i47.tinypic.com/976747.jpg

[oxpus]

Okay, I've tested it now on an own testboard and can see the "hidden" download, too.
Maybe the permission for viewing download in a category are not checked for this possible method to access a download.
This will be fixed in the next release.

To fix this error at the moment please replace the code block in the file downloads.php

Code: Alles auswählen

if (!$cat && $df_id)
{
	$sql = 'SELECT cat FROM ' . DOWNLOADS_TABLE . "
		WHERE id = $df_id";
	$result = $db->sql_query($sql);
	$cat_id = $db->sql_fetchfield('cat');
	$db->sql_freeresult($result);

	$tmp_nav = array();	
	$dl_mod->dl_nav($cat_id, 'url', $tmp_nav);

	for ($i = sizeof($tmp_nav['link']) - 1; $i >= 0; $i--)
	{
		$nav_string['link'][] = $tmp_nav['link'][$i];
		$nav_string['name'][] = $tmp_nav['name'][$i];
	}	
}

with

Code: Alles auswählen

if (!$cat && $df_id)
{
	$sql = 'SELECT cat FROM ' . DOWNLOADS_TABLE . "
		WHERE id = $df_id";
	$result = $db->sql_query($sql);
	$cat_id = $db->sql_fetchfield('cat');
	$db->sql_freeresult($result);

	$tmp_nav = array();	
	$dl_mod->dl_nav($cat_id, 'url', $tmp_nav);

	if (isset($tmp_nav['link']))
	{
		for ($i = sizeof($tmp_nav['link']) - 1; $i >= 0; $i--)
		{
			$nav_string['link'][] = $tmp_nav['link'][$i];
			$nav_string['name'][] = $tmp_nav['name'][$i];
		}	
	}

	$cat_auth = $dl_mod->dl_cat_auth($cat_id);
	if (!$cat_auth['auth_view'])
	{
		trigger_error($user->lang['DL_NO_PERMISSION']);
	}
}

The user will now get an error on trying to access the download directly.

[Infinitum]

Thank you, that works perfectly. Obviously the download still appears in statistics and search results, but that's much less of an issue now that the download itself is properly restricted.

P.S. on an unrelated note, while I was playing around with this mod, I noticed another issue. If you go to the "Download Favourites" section of the User Control Panel (here: http://phpbb3.oxpus.net/ucp.php?i=downl ... e=favorite) and click Submit when there are no downloads listed/selected, it returns an SQL error. I'll make a separate topic or bug report for this if you like - just thought I'd mention it.

[oxpus]

Thanks for your reply.
The statistcs and search I'll fix later in the next release.

it returns an SQL error

Can you please post the SQL error message?

[Infinitum]

Yes, here it is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND fav_user_id = 583' at line 2 [1064]

[oxpus]

This is not the complete error message.
Can you post it completely?

[Infinitum]

EDIT: this is the error I get on my own board with the same action - it's a bit more informative:

Code: Alles auswählen

SQL ERROR [ mysql4 ]

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND fav_user_id = 2' at line 2 [1064]

SQL

DELETE FROM phpbb_dl_favorites WHERE fav_id IN () AND fav_user_id = 2

BACKTRACE

FILE: includes/db/mysql.php
LINE: 174
CALL: dbal->sql_error()

FILE: includes/ucp/ucp_downloads.php
LINE: 207
CALL: dbal_mysql->sql_query()

FILE: includes/functions_module.php
LINE: 507
CALL: ucp_downloads->main()

FILE: ucp.php
LINE: 321
CALL: p_master->load_active()

[oxpus]

Okay.
Now I'll can understand the error.
This will be fixed in the next release, too.