Tested & verified bug on BTIT 1.4.3
(not tested on BTIT 1.4.4)
If the tracker is private & torrent viewing is off for guests, they may still view the details of any torrent if the full URL is known.
i.e.
http://domain.tld/details.php?id=info_hash
example:
http://domain.tld/details.php?id=2ca592fa8XXXXXXXXed526c27
FIX:
find in details.php:
dbconn();
add after:
global $CURUSER;
if (!$CURUSER || $CURUSER["view_torrents"]=="no")
{
    standardheader("Access Denied");
    block_begin("Access Denied");
    err_msg(ERROR,"You do not have permission to access this page");
    block_end();
    stdfoot();
    exit();
}
else
{
find:
stdfoot(($GLOBALS["usepopup"]?false:true),false);
add after:
}
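A regression check for the missing-guard bug in the report above, as an added example that is not part of the original report or of BTIT's code: it flags PHP pages that call dbconn() without a terminating $CURUSER["view_torrents"] check after it. It matches the guard as written in the fix posted above (the official fix may look different); the pattern names, verdict strings and the assumption that $CURUSER is populated by dbconn() are this example's own, and the sample pages are constructed.

```python
import re

# Heuristic patterns (assumptions of this example): the guard is the
# $CURUSER["view_torrents"] == "no" comparison used in the fix, and
# $CURUSER is only populated once dbconn() has run.
GUARD = re.compile(r'\$CURUSER\s*\[\s*["\']view_torrents["\']\s*\]\s*={2,3}\s*["\']no["\']')
DBCONN = re.compile(r'\bdbconn\s*\(\s*\)\s*;')
TERMINATE = re.compile(r'\b(?:exit|die)\b\s*(?:\([^)]*\))?\s*;')

def strip_comments(src):
    """Drop PHP comments so a commented-out guard is not counted.
    Line-comment stripping is naive about '//' inside strings; that can only
    hide code from the audit, so it errs towards reporting a page."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'(?m)(?://|#).*$', '', src)

def audit(src):
    """Classify one page: 'ok', 'no-guard', 'guard-before-dbconn' or 'no-exit'."""
    code = strip_comments(src)
    guard, db = GUARD.search(code), DBCONN.search(code)
    if guard is None:
        return "no-guard"
    if db is None or guard.start() < db.start():
        return "guard-before-dbconn"
    # The denial branch must end the request before the page body renders.
    close = code.find("}", guard.end())
    branch = code[guard.end():close if close != -1 else len(code)]
    return "ok" if TERMINATE.search(branch) else "no-exit"

# Constructed sample pages (not BTIT source): unpatched, patched as above,
# a guard that prints the error but forgets to stop, and a commented-out guard.
SAMPLES = {
    "unpatched.php": 'dbconn();\nstandardheader("Details");\n',
    "patched.php": 'dbconn();\nglobal $CURUSER;\n'
                   'if (!$CURUSER || $CURUSER["view_torrents"]=="no")\n'
                   '{\nerr_msg(ERROR,"denied");\nstdfoot();\nexit();\n}\n',
    "no_exit.php": 'dbconn();\nif ($CURUSER["view_torrents"]=="no")\n'
                   '{\nerr_msg(ERROR,"denied");\n}\nstandardheader("Details");\n',
    "commented.php": 'dbconn();\n// if ($CURUSER["view_torrents"]=="no") exit();\n',
}

def audit_all(pages):
    """Map each page name to its verdict."""
    return {name: audit(src) for name, src in pages.items()}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```
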
Logged In: YES
user_id=1294231
Originator: NO
Official fix is a little different ;)
SVN updated...