From ee1c055b7048e55aed91b3ec56cca01e9fc485d3 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 10 Feb 2014 12:17:28 +0100
Subject: [PATCH] [ticket/12171] Send correct status 403 when forbidden and 404 when not found

PHPBB3-12171
---
 phpBB/download/file.php | 8 ++++----
 phpBB/includes/functions_download.php | 10 +++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index b3d5f25c32..163ab673b9 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -257,7 +257,7 @@ else if ($download_id)
 if (!$post_row || ($post_row['post_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $post_row['forum_id'])))
 {
 // Attachment of a soft deleted post and the user is not allowed to see the post
- send_status_line(403, 'Forbidden');
+ send_status_line(404, 'Not Found');
 trigger_error('ERROR_NO_ATTACHMENT');
 }
 }
@@ -271,7 +271,7 @@ else if ($download_id)
 $extensions = array();
 if (!extension_allowed($row['forum_id'], $attachment['extension'], $extensions))
 {
- send_status_line(404, 'Forbidden');
+ send_status_line(403, 'Forbidden');
 trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
 }
 }
@@ -454,12 +454,12 @@ else
 {
 // None of the attachments had a valid extension
 $disallowed_extension = implode($user->lang['COMMA_SEPARATOR'], $disallowed_extension);
- send_status_line(404, 'Forbidden');
+ send_status_line(403, 'Forbidden');
 trigger_error($user->lang('EXTENSION_DISABLED_AFTER_POSTING', $disallowed_extension));
 }
 else if (!$files_added)
 {
- send_status_line(403, 'Forbidden');
+ send_status_line(404, 'Not Found');
 trigger_error('ERROR_NO_ATTACHMENT');
 }

diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index e17fe9de61..c895f7b54b 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
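Review bot: In phpBB/download/file.php at line 257, the comment above the changed status line still describes a permission failure ("the user is not allowed to see the post"), which reads as if 403 were the right answer. If the 404 is meant to make a hidden attachment look the same as a missing one, so that the response does not disclose that a soft-deleted post has an attachment, the comment should say so, for example `// Hidden from this user: answer 404 like a missing attachment so its existence is not revealed`. The enclosing `else if ($download_id)` block starts and ends outside the hunk.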
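Review bot: In phpBB/download/file.php at line 271, the status code and its reason phrase are still two independent hand-typed literals in `send_status_line(403, 'Forbidden')`, and the same holds for both branches of the hunk at line 454. That pairing is what allowed the mismatched `404, 'Forbidden'` this commit corrects, so the same mistake can return at the next edit. A small wrapper that takes only the code and looks the phrase up would remove that class of error; whether send_status_line can already derive the phrase is not visible here. Both enclosing blocks continue outside their hunks.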
@@ -640,10 +640,14 @@ function phpbb_download_handle_forum_auth($db, $auth, $topic_id)
 $row = $db->sql_fetchrow($result);
 $db->sql_freeresult($result);

- if ($row && ($row['topic_visibility'] == ITEM_APPROVED || $auth->acl_get('m_approve', $row['forum_id']))
- && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
+ if ($row && $row['topic_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $row['forum_id']))
 {
- if ($row && $row['forum_password'])
+ send_status_line(404, 'Not Found');
+ trigger_error('ERROR_NO_ATTACHMENT');
+ }
+ else if ($row && $auth->acl_get('u_download') && $auth->acl_get('f_download', $row['forum_id']))
+ {
+ if ($row['forum_password'])
 {
 // Do something else ... ?
 login_forum_box($row);
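Review bot: A topic id that matches no row skips the new 404 branch, because its condition starts with `$row &&`, and falls through to whatever follows the `else if` outside this hunk. If that fallback answers 403 (not visible here), a missing topic and a hidden topic return different statuses, so the 404 no longer conceals that an unapproved or soft-deleted topic exists. Folding the missing-row case into the first test, as file.php does with `!$post_row ||`, would close that gap: `if (!$row || ($row['topic_visibility'] != ITEM_APPROVED && !$auth->acl_get('m_approve', $row['forum_id'])))`. phpbb_download_handle_forum_auth starts and ends outside the hunk.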