#9 [1.4.3] Guests can View Torrent Details on Private Tracker

[stunna]

testing & verified bug on BTIT 1.4.3
(not tested on BTIT 1.4.4)

if the tracker is private & torrent viewing is off for guests they may still view the details of any torrent if the full URL is known.

i.e.

http://domain.tld/details.php?id=info_hash

example:
http://domain.tld/details.php?id=2ca592fa8XXXXXXXXed526c27

FIX:

find in details.php:

dbconn();

add after:

global $CURUSER;
if (!$CURUSER || $CURUSER["view_torrents"]=="no")
{
standardheader("Access Denied");
block_begin("Access Denied");
err_msg(ERROR,"You do not have permission to access this page");
block_end();
stdfoot();
exit();
}
else
{

find:

stdfoot(($GLOBALS["usepopup"]?false:true),false);

add after:

}

[Lupin]

Logged In: YES
user_id=1294231
Originator: NO

official fix is little different ;)
svn updated...