@Spuds I'm a little tired and I may be reading something wrong:
if (empty($topic) && !empty($id_attach))
{
$attachPos = getAttachmentPosition($id_attach);
if ($attachPos !== false)
{
list($id_board, $id_topic) = array_values($attachPos);
}
else
{
$id_board = 0;
}
}
else
{
$id_board = $board;
$id_topic = $topic;
}
isAllowedTo('view_attachments', $id_board);
if ($this->_req->getQuery('thumb') === null)
{
347 => $attachment = getAttachmentFromTopic($id_attach, $id_topic);
}
else
{
$this->_req->query->image = true;
352 => $attachment = getAttachmentThumbFromTopic($id_attach, $id_topic);
To have $id_topic not set, the only path I see is where it sets $id_board to 0.
But, if $id_board is set to 0, then the processing should stop at the isAllowedTo... isn't it?
But if isAllowedTo doesn't stop the processing we have some nasty stuff going around...
@gevv try changing in Attachment.controller.php the following line:
isAllowedTo('view_attachments', $id_board);
to:
try
{
isAllowedTo('view_attachments', $id_board);
}
catch (\Exception $e)
{
return $this->action_no_attach();
}