This fix closes a bug that allows visitors to download images, even those they are not allowed to view. It also corrects the redirect so that clients with a blocked referer page are sent to the details page.
In download.php find:
WHERE image_active = 1 AND image_id IN ($image_id_sql) AND cat_id NOT IN (".get_auth_cat_sql("auth_download", "NOTIN").")";
Replace it with:
WHERE image_active = 1 AND image_id IN ($image_id_sql) AND cat_id NOT IN (".get_auth_cat_sql("auth_viewimage", "NOTIN").", ".get_auth_cat_sql("auth_viewcat", "NOTIN").", ".get_auth_cat_sql("auth_download", "NOTIN").")";
Then find:
if (!check_permission("auth_download", $image_row['cat_id']) || !$image_row) {
  header("Location: ".$site_sess->url($url, "&"));
  exit;
}
Replace it with:
// Image not found, or the visitor may not view its category or the image itself
if (!$image_row || !check_permission("auth_viewcat", $image_row['cat_id']) || !check_permission("auth_viewimage", $image_row['cat_id'])) {
  header("Location: ".$site_sess->url($url, "&"));
  exit;
}
else
{
  // Visitor may view the image but not download it: send to the details page
  if (!check_permission("auth_download", $image_row['cat_id']))
  {
    // header("Location: ".$site_sess->url($url, "&"));
    header("Location: ".$site_sess->url(ROOT_PATH."details.php?image_id=".$image_id, "&"));
    exit;
  }
}
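The check order of the patched code, run over a constructed permission table. This is an added example, not code from 4images or from the original post; may(), download_decision(), excluded_cat_ids() and the table are hypothetical stand-ins for check_permission() and the category permissions.

```php
<?php
// Constructed permission table for one visitor: category id => rights.
$perms = [
    1 => ['auth_viewcat' => true,  'auth_viewimage' => true,  'auth_download' => true],
    2 => ['auth_viewcat' => true,  'auth_viewimage' => true,  'auth_download' => false],
    3 => ['auth_viewcat' => true,  'auth_viewimage' => false, 'auth_download' => true],
    4 => ['auth_viewcat' => false, 'auth_viewimage' => true,  'auth_download' => true],
];

// Hypothetical stand-in for check_permission(); unknown categories are denied.
function may(array $perms, string $right, int $cat_id): bool {
    return $perms[$cat_id][$right] ?? false;
}

// Same order as the patched check: row exists, view rights, then download right.
function download_decision(array $perms, ?array $image_row): string {
    if (!$image_row
        || !may($perms, 'auth_viewcat', $image_row['cat_id'])
        || !may($perms, 'auth_viewimage', $image_row['cat_id'])) {
        return 'redirect_back';      // visitor may not even view the image
    }
    if (!may($perms, 'auth_download', $image_row['cat_id'])) {
        return 'redirect_details';   // may view, may not download
    }
    return 'send_file';
}

// Categories the SQL filter must exclude: one missing right is enough.
// The leading 0 keeps the NOT IN list non-empty (assumption of this example).
function excluded_cat_ids(array $perms): array {
    $out = [0];
    foreach ($perms as $cat_id => $rights) {
        if (in_array(false, $rights, true)) {
            $out[] = $cat_id;
        }
    }
    return $out;
}

$expected = [1 => 'send_file', 2 => 'redirect_details', 3 => 'redirect_back', 4 => 'redirect_back'];
foreach ($expected as $cat_id => $want) {
    $got = download_decision($perms, ['image_id' => 100 + $cat_id, 'cat_id' => $cat_id]);
    if ($got !== $want) { throw new RuntimeException("cat $cat_id: got $got, want $want"); }
    echo "cat $cat_id: $got\n";
}
echo "missing row: " . download_decision($perms, null) . "\n";
echo "cat_id NOT IN (" . implode(', ', excluded_cat_ids($perms)) . ")\n";
```

Category 3 is the case the original code let through: the download right is set but the view right is not.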