Don't allow downloads form non-accessible directories.

Double-check that the user has access to both the directory and the containing library before allowing a download a file.

Don't allow downloads form non-accessible directories.
ef16c941 · Rob Swindell · f127fa29 · ef16c941
Commit ef16c941 authored 4 years ago by Rob Swindell
--- a/web/root/api/files.ssjs
+++ b/web/root/api/files.ssjs
@@ -16,6 +16,8 @@ if ((http_request.method === 'GET' || http_request.method === 'POST') &&
 		case 'download-file':
 			if (typeof http_request.query.dir !== 'undefined' &&
 				typeof file_area.dir[http_request.query.dir[0]] !== 'undefined'	&&
+                file_area.dir[http_request.query.dir[0]].lib_index >= 0 &&
+                file_area.dir[http_request.query.dir[0]].index >= 0 &&
 				file_area.dir[http_request.query.dir[0]].can_download &&
 				typeof http_request.query.file !== 'undefined'
 			) {