[ticket/12171] Check topic visibility before allowing to download attachments

PHPBB3-12171

phpBB/download/file.php

@@ -163,17 +163,17 @@ if (!$config['allow_attachments'] && !$config['allow_pm_attach'])
 if ($download_id)
 {
 	// Attachment id (only 1 attachment)
-	$sql_where = "attach_id = $download_id";
+	$sql_where = 'attach_id = ' . $download_id;
 }
 else if ($post_msg_id)
 {
 	// Post id or private message id (multiple attachments)
-	$sql_where = "post_msg_id = $post_msg_id AND is_orphan = 0";
+	$sql_where = 'is_orphan = 0 AND post_msg_id = ' . $post_msg_id;
 }
 else if ($topic_id)
 {
 	// Topic id (multiple attachments)
-	$sql_where = "topic_id = $topic_id AND is_orphan = 0";
+	$sql_where = 'is_orphan = 0 AND topic_id = ' . $topic_id;
 }
 else
 {

phpBB/includes/functions_download.php

@@ -625,15 +625,23 @@ function phpbb_increment_downloads($db, $ids)
 */
 function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
 {
-	$sql = 'SELECT t.forum_id, f.forum_name, f.forum_password, f.parent_id
-		FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f
-		WHERE t.topic_id = " . (int) $topic_id . "
-			AND t.forum_id = f.forum_id";
+	$sql_array = array(
+		'SELECT'	=> 't.topic_visibility, t.forum_id, f.forum_name, f.forum_password, f.parent_id',
+		'FROM'		=> array(
+			TOPICS_TABLE => 't',
+			FORUMS_TABLE => 'f',
+		),
+		'WHERE'	=> 't.topic_id = ' . (int) $topic_id . '
+			AND t.forum_id = f.forum_id',
+	);
+
+	$sql = $db->sql_build_query('SELECT', $sql_array);
 	$result = $db->sql_query($sql);
 	$row = $db->sql_fetchrow($result);
 	$db->sql_freeresult($result);
 
-	if ($auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
+	if ($row && ($row['topic_visibility'] == ITEM_APPROVED || $auth->acl_get('m_approve', $row['forum_id']))
+		&& $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
 	{
 		if ($row && $row['forum_password'])
 		{